Analysis of Ros-Bot's new Hiding Mechanism menu

User Tag List

Results 1 to 9 of 9
  1. #1
    Torpedoes's Avatar ★ Elder ★ Doomsayer
    Authenticator enabled
    Reputation
    1147
    Join Date
    Sep 2013
    Posts
    956
    Thanks G/R
    148/415
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Analysis of Ros-Bot's new Hiding Mechanism

    As some of you may know, DemonBuddy has recently reported that Warden has been updated with functionality that scans all external processes interacting with Diablo 3 and hearthstone. This includes successful detection of both TurboHud and Ros-Bot.

    As a long-time user of Ros-Bot I was immediately concerned about my future botting endeavors. Not yet clear on whether a ban would actually happen, the developers of Ros-Bot have decided to take a proactive approach and incorporate a mechanism of hiding itself from the game client.

    Unfortunately, they have been very quiet on the specifics, mentioning only that the Ros-Bot process is hidden from the game by means of injection. Naturally I wanted to know exactly what was happening since all injections end up getting banned at one point or another (see PQR, Buddy, and others).

    Knowing that there is only one realistic method of hiding a process from another, I immediately downloaded the latest version of Ros-Bot (1.1.37576) and noticed that there were no additional DLL’s in the main directory. Surly they must get their code into the client somehow. So I fired up my test account and put a breakpoint on WriteProcessMemory. Immediately following that, the breakpoint hit and I had my first few results.

    It looked like Ros-Bot dynamically generated a DLL based on certain addresses it found within the client. It probably uses an assembler to do this. Next, it allocated enough memory to store this module and in a series of six writes, it copied the entire module over, section by section, starting with the header and ending with the metadata xml. After each write the region was marked as read + execute.

    Code:
    Write Sizes
    ===========
    1: 1F8
    2: DE00
    3: 6400
    4: C00
    5: 200
    6: 200
    ===========
    153F8 Bytes
    I went ahead and dumped the resulting DLL (base64 version available here) for further analysis. Without diving in too deep I found a couple interesting things. First, the DLL appeared to make use of the MinHook library. Second the DLL did something with CreateToolhelp32Snapshot and some other functions. And third, the following string:

    Code:
    C:\Users\Baptiste\Documents\VS\AieBot\trunk\Release\Hider.pdb
    After copying the DLL, one final write was performed, consisting of 20 bytes with the code below. This code was written to a newly allocated page which was also marked as read + execute. This page was later removed before the bot actually started. Here’s a screenshot.

    Code:
    PUSH 0
    PUSH 1
    PUSH Start_of_DLL
    CALL DWORD PTR [ESP + 10]
    RET
    Obviously, the question was, did any of this actually work? With all these writes I’m a bit puzzled as to how it would work in the first place since no active code appears to be replaced. But anyhow, I went ahead and conducted a quick test. EDIT: The code above is probably written as an entry point for CreateRemoteThread, then removed to remove any evidence of it while the game is paused - perhaps through a debugger?

    I wrote a DLL which would sleep for 20 seconds and then print the PID’s and names of all processes running on the system using the CreateToolhelp32Snapshot and EnumProcesses functions. I then injected the DLL directly into Diablo 3 and started Ros-Bot. Unfortunately Ros-Bot.exe was still visible. So either the test was bad or this system just doesn’t work.

    Either way I look forward to following this more as it unfolds. In the meantime I would hold off on any botting until this is resolved. Also keep in mind that I am by no means an expert but I do my best to interpret the information I see. Please let me know if any of this information is incorrect.

    EDIT: More research revealed that this is a well known method of injecting a DLL. Here's some information with regards to detecting manual DLL injections.
    Last edited by Torpedoes; 02-14-2016 at 06:12 PM.

    Analysis of Ros-Bot's new Hiding Mechanism
  2. #2
    gumen's Avatar
    gumen
    Guest
    Hi

    Check the answer here: https://www.ros-bot.com/comment/88347#comment-88347
    If you wanna have some sort of a technical discussion, send me a message.

    Cheers

  3. #3
    WiNiFiX's Avatar Banned
    Reputation
    242
    Join Date
    Jun 2008
    Posts
    447
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I noticed something that the Ros-Bot team may want to look into - when Ros-Bot starts and attaches to Diablo then api-ms-win-core-synch-l1-2-0.DLL starts aswell - this may be nothing to worry about but it only occurs with RosBot - Demonbuddy does not have this issue.
    I was however not able to see the EXE listed under the running modules like Torpedoes, but I may have been looking at it funny

    Code:
            void EnumProcessModules(uint procId)  // Diablo III process Id
            {
                var snapshot = CreateToolhelp32Snapshot(SnapshotFlags.Module | SnapshotFlags.Module32, procId);
                MODULEENTRY32 mod = new MODULEENTRY32() { dwSize = (uint)Marshal.SizeOf(typeof(MODULEENTRY32)) };
                if (!Module32First(snapshot, ref mod))
                    return;
    
                List<string> modules = new List<string>();
                do
                {
                    log.AppendText(mod.szModule + Environment.NewLine);  // List all processes in Diablo 3.
                    modules.Add(mod.szModule);
                }
                while (Module32Next(snapshot, ref mod));
            }
    Full Code @ https://codeshare.io/winifix
    Last edited by WiNiFiX; 02-14-2016 at 02:20 PM.

  4. #4
    Torpedoes's Avatar ★ Elder ★ Doomsayer
    Authenticator enabled
    Reputation
    1147
    Join Date
    Sep 2013
    Posts
    956
    Thanks G/R
    148/415
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by WiNiFiX View Post
    I was however not able to see the EXE listed under the running modules like Torpedoes, but I may have been looking at it funny
    I can't guarantee that my test was conducted correctly. It could work, but perhaps not in the way I was testing.

  5. #5
    WiNiFiX's Avatar Banned
    Reputation
    242
    Join Date
    Jun 2008
    Posts
    447
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by Torpedoes View Post
    I can't guarantee that my test was conducted correctly. It could work, but perhaps not in the way I was testing.
    Would you please share your code because I think it may be a mistake on my part, when i use "Sys-internals Process Explorer" it does find Ros-Bot.exe running as/under Diablo III.exe

    Last edited by WiNiFiX; 02-14-2016 at 02:17 PM.

  6. #6
    KillerJohn's Avatar TurboHUD HUDmaster CoreCoins Purchaser Authenticator enabled
    Reputation
    3695
    Join Date
    Jul 2012
    Posts
    2,532
    Thanks G/R
    46/3337
    Trade Feedback
    0 (0%)
    Mentioned
    16 Post(s)
    Tagged
    0 Thread(s)
    Based on the past 15 years, fighting against Warden is kinda pointless. This is only my subjective opinion though
    Do not send me private messages unless it is absolutely necessary or the content is sensitive or when I ask you to do that...

  7. Thanks Valois (1 members gave Thanks to KillerJohn for this useful post)
  8. #7
    Torpedoes's Avatar ★ Elder ★ Doomsayer
    Authenticator enabled
    Reputation
    1147
    Join Date
    Sep 2013
    Posts
    956
    Thanks G/R
    148/415
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by KillerJohn View Post
    Based on the past 15 years, fighting against Warden is kinda pointless. This is only my subjective opinion though :)
    Hey KillerJohn, thanks for all the great work you've put into TurboHUD. And you're also right about Warden.

    Originally Posted by WiNiFiX View Post
    Would you please share your code because I think it may be a mistake on my part.
    Sure. Here's the source code for the DLL I wrote which, when injected into Diablo 3, prints out the processes returned by both CreateToolhelp32Snapshot and EnumProcesses. The actual console printing functions have been removed and replaced with comments for simpler understanding and integration into your own framework. Plus I don't want to share my console code :-P

    Code:
    #include <Windows.h>
    #include <tlhelp32.h>
    #include <Psapi.h>
    static HINSTANCE gInst;
    
    void PerformFunction (void)
    {
        HANDLE snap = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS, 0);
    
        if (snap == INVALID_HANDLE_VALUE)
            return;
    
        PROCESSENTRY32 pe32;
        pe32.dwSize = sizeof
            (PROCESSENTRY32);
    
        if (!Process32First (snap, &pe32))
            { CloseHandle (snap); return; }
    
        do
        {
            // OUTPUT: pe32.th32ProcessID
            // OUTPUT: pe32.szExeFile
    
        } while (Process32Next (snap, &pe32));
    
        CloseHandle (snap);
    
        DWORD list[4096], size = 0;
        if (!EnumProcesses (list, sizeof (list), &size))
            return;
    
        DWORD count = size / sizeof (DWORD);
        for (DWORD i = 0; i < count; ++i) {
            // OUTPUT: list[i]
        }
    }
    
    DWORD WINAPI Entry (LPVOID param)
    {
        Sleep (20000); PerformFunction();
    
        while (true)
        {
            Sleep (10);
            if (GetAsyncKeyState (VK_F12))
                break;
        }
    
        FreeLibraryAndExitThread (gInst, 0);
        return 0;
    }
    
    BOOL WINAPI DllMain (HINSTANCE inst,
          DWORD reason, LPVOID reserved)
    {
        if (reason == DLL_PROCESS_ATTACH)
        {
            gInst = inst;
            CreateThread (NULL, NULL, Entry,
                          NULL, NULL, NULL);
        }
    
        return TRUE;
    }

  9. #8
    bastiflew's Avatar Active Member
    Reputation
    41
    Join Date
    Aug 2012
    Posts
    98
    Thanks G/R
    1/4
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi,

    Don't inject anything in diablo 3 process unless you know what you are doing. Warden scans modules, and you will be banned doing this.
    This is a bad idea to inject the above code.

  10. #9
    Torpedoes's Avatar ★ Elder ★ Doomsayer
    Authenticator enabled
    Reputation
    1147
    Join Date
    Sep 2013
    Posts
    956
    Thanks G/R
    148/415
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by bastiflew View Post
    Don't inject anything in diablo 3 process unless you know what you are doing. Warden scans modules, and you will be banned doing this.
    This is a bad idea to inject the above code.
    You do realize that the code above is for research purposes only, right? intended for people that know what they're doing... But either way you probably wouldn't get banned cause it's not doing anything anyways. There are plenty of legitimate tools that inject themselves into games, like Steam Overlay. You won't get banned for just loading a DLL.

Similar Threads

  1. [NEW] Ros Bot 1.03f Released !
    By interpap in forum Diablo 3 Bots and Programs
    Replies: 3
    Last Post: 10-10-2014, 06:26 AM
  2. Attention Bot Creators, New and Existing
    By sspamfilter in forum Diablo 3 Bots and Programs
    Replies: 33
    Last Post: 07-21-2012, 03:22 PM
  3. Immortal Bot - Something new?
    By Kayuke in forum Diablo 3 General
    Replies: 3
    Last Post: 07-03-2012, 11:30 AM
  4. current bots and new developments
    By DaSoul in forum WoW Bots Questions & Requests
    Replies: 5
    Last Post: 05-07-2010, 07:43 AM
  5. [WSG] A quite cool new hiding spot in the alliance base.
    By eloivanelst in forum World of Warcraft Exploits
    Replies: 19
    Last Post: 03-27-2010, 05:44 PM
All times are GMT -5. The time now is 01:37 AM. Powered by vBulletin® Version 4.2.3
Copyright © 2024 vBulletin Solutions, Inc. All rights reserved. User Alert System provided by Advanced User Tagging (Pro) - vBulletin Mods & Addons Copyright © 2024 DragonByte Technologies Ltd.
Digital Point modules: Sphinx-based search