Has anyone successfully used a sniffer that does *not* require debugging priv's since the patch?

I've been using "senseheading" on both a 98SE and WinXP box without issue. Postpatch, the 98SE box worked fine after adding the new offset, while the XP version started giving an "error 5", suggesting that it could not attach to the process in question.

I'm suddenly very reluctant to have to go and get debugging privs to access eqgame.exe, primarily because such an action can be detected. Perhaps *this* is how they will catch us.

Any comments? Has anyone been able to get the non-debug-priv's version of senseheading.c (or any other sniffer) to work under 2k/xp postpatch?

I succesfully compiled and used (in release, not debug) maggotboy's CPP V2 "Super Stealth" code on Windows XP SP1 last night...

No problems compiling or running it... Oh, and I used Visual Studio 6 w/o any service packs... just the basic install.

His code uses debug privs.

his "release" code just doesn't use *his* debugging code. It still uses debugging Priv's from an application standpoint, unless I'm mistaken.

This is detectable.

My code doesn't use the debug privs seen elsewhere. It isn't necessary because my program isn't a separate application. It's running inside the address space of EQ. Therefore, I don't have to call OpenProcess or ReadProcessMemory -- my code can read the memory directly.

Maggotboy

How do you figue that using debug privs is detectable, btw?

I'm fairly certain they could just use the call IsDebuggerPresent() to detect any sniffer that is using debug privs.

maggotboy, My mistake. :)

You're mistaken. Hit the search button if you want to find the previous discussion on IsDebuggerPresent

Nope...

From an earlier post I made, IsDebuggerPresent does NOT detect setting debug privs. I even included a code snippet to prove the point.

Debug privs are different than attaching to a process with a debugger.

Also, Debug privs are granted to YOUR application. They do not alter anything on the target application. Look at the code that was posted on here to enable debug privs. The function requires no input, does not require, nor use, any globals. Its work is all done on the current process (your program).

IsDebuggerPresent WILL detect if you attempt to attach with Win32dasm in debug mode, for example.

-

Originally posted by RavenCT
I succesfully compiled and used (in release, not debug) maggotboy's CPP V2 "Super Stealth" code on Windows XP SP1 last night...

No problems compiling or running it... Oh, and I used Visual Studio 6 w/o any service packs... just the basic install.
Add me to that list, except I haven't tried V2 yet.... I'm still using v1 without any problems. Using VS6 the same as RavenCT