Aion BotScan. - Old Royal Hack Forum

    Aion BotScan.

    Earlier today I came across an interesting packet handler, which can potentially result in the client performing a bot scan and displaying the message below. The opcode for this packet is 0xD6.



    I've never seen one of these packets received, but, based on the code in the handler, I believe the packet can result in different types of scans being performed. Possible scan types seem to be for specific module or process names, window class names, child window names, and possibly byte checks on module or process memory. Thus, the packet will likely contain the type of scan to perform and the specifics of what to look for, such as a module or window class name to detect. This means, for example, the server can arbitrarily initiate a check for any known 'bad' module at any time. After the scan, the client will send a 32-byte response to the server, though I don't know exactly what it contains. Below is a closer look at some of the code involved in the bot scan.

    This is the top part of the main scan procedure. I believe the switch function at the top determines what type of scan to perform based on a setting in the packet. It appears to have registry, pipe, and event access, though I'm not sure when or what these are used for. Note that towards the bottom we can see two main sub-calls, which are used to check remote processes and modules, and the current process and modules.



    The inside of the ScanRemoteProcesses function looks something like this:

    FunctionTop / FunctionBottom

    Code:
    ScanRemoteProcesses
    {
        EnumProcesses

        for ( processes )
        {
            OpenProcess

            EnumProcessModules

            GetModuleBaseName

            scan_type = Switch() // Maybe looking up scan type from setting

            // Unknown string check, maybe module name
            if (scan_type == type)
                wcsicmp

            // Maybe memory byte check or CRC check
            if (scan_type == type)
                ReadProcessMemory
                UnknownAlgo

            // Another unknown string check
            if (scan_type == type)
                wcsicmp

            // Maybe memory or size check
            if (scan_type == type)
                GetModuleFileNameEx
                fopen
                fseek
                ftell
        }
    }
    And the inside of ScanCurrentProcess looks similar:

    Code:
    ScanCurrentProcess
    {
        EnumProcessModules

        for ( modules )
        {
            GetModuleBaseName

            scan_type = Switch()

            // Unknown string check, maybe module name
            if (scan_type == type)
                wcsicmp

            // Maybe memory byte check or CRC check
            if (scan_type == type)
                ReadProcessMemory
                UnknownAlgo

            // Another unknown string check
            if (scan_type == type)
                wcsicmp

            // Maybe memory or size check
            if (scan_type == type)
                GetModuleFileNameEx
                fopen
                fseek
                ftell
        }
    }
    And finally, here's the second part of the main scan procedure. It's going to enumerate windows and child windows checking their name and class, format an unknown 32-byte response, send it to the server, and optionally show the 'Bot Detected' message.



    Overall this protection is very easy to detect and bypass, though it's efficient enough to bite you if you're not prepared for it.

    Credits Beau, (clockwork) Joel (Guffy) @ 0x33.org
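The scan dispatch the post describes, modelled end to end as an added Python example (this is not code from the post, the 0x33.org authors, or the Aion client). The only value taken from the post is the 0xD6 opcode; the wire layout of the packet, the numbering of the scan types, the contents of the 32-byte reply (SHA-256 of the findings here) and the process, module and window snapshot are all constructed assumptions so that the logic can run offline. It covers the four check kinds the post infers (case-insensitive module-name compare, byte compare on module memory, on-disk file-size compare, and a recursive window class/title walk) and shows why a server can flag any module it names without shipping a new client build.

```python
import hashlib
import struct
from dataclasses import dataclass, field
from typing import List

OPCODE_BOTSCAN = 0xD6  # the opcode named in the post

# Scan-type numbering is an ASSUMPTION of this model; the post only says the
# packet carries the scan type plus what to look for.
SCAN_MODULE_NAME = 1   # wcsicmp on a module/process base name
SCAN_MEMORY_BYTES = 2  # ReadProcessMemory + byte compare inside a module
SCAN_WINDOW_CLASS = 3  # EnumWindows/EnumChildWindows class or title compare
SCAN_FILE_SIZE = 4     # GetModuleFileNameEx + fopen/fseek/ftell size compare


@dataclass
class Module:
    name: str
    file_size: int
    image: bytes          # constructed stand-in for the mapped image bytes


@dataclass
class Process:
    pid: int
    modules: List[Module]


@dataclass
class Window:
    class_name: str
    title: str
    children: List["Window"] = field(default_factory=list)


@dataclass
class ScanRequest:
    scan_type: int
    target: str           # module name or window class/title to look for
    arg: int              # memory offset or expected file size
    expected: bytes       # bytes expected at `arg` for SCAN_MEMORY_BYTES


def build_scan_packet(req: ScanRequest) -> bytes:
    """ASSUMED wire layout: opcode, scan_type, target length in UTF-16 code
    units, target (UTF-16LE), u32 LE argument, expected length, expected."""
    target = req.target.encode("utf-16-le")
    return (struct.pack("<BBB", OPCODE_BOTSCAN, req.scan_type, len(target) // 2)
            + target + struct.pack("<IB", req.arg, len(req.expected)) + req.expected)


def parse_scan_packet(data: bytes) -> ScanRequest:
    """Inverse of build_scan_packet; rejects anything that is not a 0xD6 packet."""
    if len(data) < 3 or data[0] != OPCODE_BOTSCAN:
        raise ValueError("not a 0xD6 bot-scan packet")
    scan_type, n = data[1], data[2]
    pos = 3 + 2 * n
    target = data[3:pos].decode("utf-16-le")
    arg, elen = struct.unpack_from("<IB", data, pos)
    pos += 5
    expected = data[pos:pos + elen]
    if len(expected) != elen:
        raise ValueError("truncated packet")
    return ScanRequest(scan_type, target, arg, expected)


def _same_name(a: str, b: str) -> bool:
    return a.casefold() == b.casefold()   # the _wcsicmp-style comparison


def module_matches(mod: Module, req: ScanRequest) -> bool:
    """One iteration of the per-module switch in ScanRemoteProcesses/ScanCurrentProcess."""
    if not _same_name(mod.name, req.target):
        return False
    if req.scan_type == SCAN_MODULE_NAME:
        return True
    if req.scan_type == SCAN_MEMORY_BYTES:
        return mod.image[req.arg:req.arg + len(req.expected)] == req.expected
    if req.scan_type == SCAN_FILE_SIZE:
        return mod.file_size == req.arg
    return False


def scan_processes(procs: List[Process], req: ScanRequest) -> List[str]:
    """One finding string per module that satisfies the requested check."""
    return [f"pid={p.pid} module={m.name}" for p in procs for m in p.modules
            if module_matches(m, req)]


def scan_windows(windows: List[Window], req: ScanRequest) -> List[str]:
    """Walk top-level windows and their children, matching class name or title."""
    hits: List[str] = []
    if req.scan_type != SCAN_WINDOW_CLASS:
        return hits
    for w in windows:
        if _same_name(w.class_name, req.target) or _same_name(w.title, req.target):
            hits.append(f"window class={w.class_name} title={w.title}")
        hits.extend(scan_windows(w.children, req))
    return hits


def build_response(req: ScanRequest, hits: List[str]) -> bytes:
    """The post says the reply is 32 bytes but not what it holds; this model
    (an assumption) sends SHA-256 over the scan type, target and sorted findings."""
    payload = f"{req.scan_type}|{req.target}|" + "|".join(sorted(hits))
    return hashlib.sha256(payload.encode()).digest()


def run_scan(data: bytes, procs: List[Process], windows: List[Window]):
    """Full handler: parse, scan processes and windows, build the 32-byte reply."""
    req = parse_scan_packet(data)
    hits = scan_processes(procs, req) + scan_windows(windows, req)
    return hits, build_response(req, hits), bool(hits)


# Constructed snapshot; no real system is enumerated.
SNAPSHOT = [
    Process(1000, [Module("aion.bin", 8_000_000, b"\x4d\x5a" + b"\x00" * 14),
                   Module("BadBot.DLL", 4096, b"\x4d\x5a\x90\x00BOT!" + b"\x00" * 8)]),
    Process(1001, [Module("notepad.exe", 200_000, b"\x4d\x5a" + b"\x00" * 14)]),
]
WINDOWS = [Window("AionClient", "Aion", [Window("Button", "OK")]),
           Window("Notepad", "Untitled", [Window("BotOverlayClass", "")])]

if __name__ == "__main__":
    pkt = build_scan_packet(ScanRequest(SCAN_MODULE_NAME, "badbot.dll", 0, b""))
    hits, reply, flagged = run_scan(pkt, SNAPSHOT, WINDOWS)
    print(hits, reply.hex(), flagged)
```

On a live Windows host the snapshot would be filled from process and module enumeration (for instance psutil's `process_iter()` and `Process.memory_maps()`), and, as the post's OpenProcess step implies, access to elevated or protected processes can be denied, so a real collector has to tolerate per-process failures rather than abort the whole scan.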
