
Thread: A different approach

  1. #1
    Registered User
    Join Date
    Nov 2002
    Posts
    115

    A different approach

    I'm just about finished with my own sniffer code, which I think will be more efficient and more effective than the ones previously posted. As soon as I iron out a couple of issues and document it properly, I'll post it. I write all my code with MSVC++, so it'll be up to some other motivated individual to adapt it to some other compiler should there be any incompatibilities.

    The code is a DLL, injected into the system with SetWindowsHookEx using RUNDLL32.EXE. The DLL can be renamed at will, and since it is activated and deactivated with RUNDLL32.EXE, it will be horrendously difficult to detect. Since it lives in the address space of EQGAME, it doesn't suffer any "elevated privileges" blocks the other sniffers have to circumvent or work around in NT. It also doesn't require the toolhelp libraries, and is not subject to timing issues like the sleep() problems people have seen.

    Some of the concerns I've had about the sniffers posted so far are the use of .conf files which could be scanned for, or easy-to-detect string sequences in a binary. So I've pretty much eliminated those easy-to-see sequences and file-based configs, and went with command-line params to the RUNDLL32.EXE instead. Stealth naming of the DLL is also important so even if Verant enumerated the DLLs attached to its process space, they'd be unable to determine whether the DLL was a system DLL, a 3rd party legitimate DLL, or a hack DLL...they'd have to do a more exhaustive check on the binary's signature.

    SetWindowsHookEx() is used by a lot of utilities, Logitech's mouse driver being an example of one. Their LGMOUSHK.DLL injects itself into the system this way and intercepts mouse events with the WH_MOUSE hook to provide mouse button enhancements. It is impossible to enumerate these hooks via API, or to detect when hooks are present in your application's message pumps.

    Maggotboy
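    The mechanism the post above describes, written out as an added example (this is not Maggotboy's code or anything posted in the thread). It assumes a made-up exported entry point named Ctl, a WH_GETMESSAGE global hook, a log path taken from the rundll32 command line instead of a .conf file, a named event (hook_demo_stop, also made up) so that the installing rundll32 instance stays alive until a second instance says "remove", and a shared data section so the copy of the DLL mapped into each target process sees the same hook handle and path. The Win32 half is guarded by _WIN32 so the command-line parser builds and runs on any platform; on Windows it builds as a DLL with the compiler the post mentions (cl /LD hookdll.c user32.lib) and is driven with "rundll32.exe hookdll.dll,Ctl install C:\temp\hook.log" and "rundll32.exe hookdll.dll,Ctl remove".

```c
/* Added example, not the thread's code.  Assumed names: entry point "Ctl",
 * event "hook_demo_stop", section ".shared".  Win32 half is under _WIN32. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

typedef enum { CMD_NONE, CMD_INSTALL, CMD_REMOVE } cmd_t;

typedef struct {
    cmd_t cmd;
    char  path[260];                 /* MAX_PATH-sized, kept portable */
} hook_cfg;

/* Parse the text rundll32 passes after "<dll>,<entry>": "install <logpath>"
 * or "remove".  Configuration rides on the command line rather than in a
 * .conf file, which is the design point the post makes.  0 = success. */
int parse_cmdline(const char *s, hook_cfg *out)
{
    const char *p = s;
    size_t n;

    out->cmd = CMD_NONE;
    out->path[0] = '\0';
    if (!s) return -1;
    while (isspace((unsigned char)*p)) p++;

    if (strncmp(p, "install", 7) == 0 && (p[7] == '\0' || isspace((unsigned char)p[7]))) {
        p += 7;
        while (isspace((unsigned char)*p)) p++;
        n = strlen(p);
        while (n > 0 && isspace((unsigned char)p[n - 1])) n--;  /* trim tail */
        if (n == 0 || n >= sizeof out->path) return -1;          /* path required */
        memcpy(out->path, p, n);
        out->path[n] = '\0';
        out->cmd = CMD_INSTALL;
        return 0;
    }
    if (strncmp(p, "remove", 6) == 0) {
        p += 6;
        while (isspace((unsigned char)*p)) p++;
        if (*p != '\0') return -1;                               /* no trailing junk */
        out->cmd = CMD_REMOVE;
        return 0;
    }
    return -1;
}

#ifdef _WIN32
#include <windows.h>

#define EVENT_NAME "hook_demo_stop"   /* assumed name */

/* Shared segment: every process the DLL lands in sees the same hook handle
 * and log path.  #pragma data_seg is MSVC syntax, the compiler the post uses. */
#pragma data_seg(".shared")
static HHOOK g_hook = NULL;
static char  g_path[260] = "";
#pragma data_seg()
#pragma comment(linker, "/SECTION:.shared,RWS")

static HINSTANCE g_self;
static int       g_announced;         /* per process: log once */

/* Runs inside every GUI thread's message loop once the hook is set.  A real
 * sniffer would start reading the host's memory here; this demo only records
 * which executable it has been mapped into. */
static LRESULT CALLBACK msg_proc(int code, WPARAM wp, LPARAM lp)
{
    if (code == HC_ACTION && !g_announced && g_path[0]) {
        char exe[260];
        FILE *f;
        g_announced = 1;
        GetModuleFileNameA(NULL, exe, sizeof exe);
        f = fopen(g_path, "a");
        if (f) { fprintf(f, "mapped into %s (pid %lu)\n", exe, GetCurrentProcessId()); fclose(f); }
    }
    return CallNextHookEx(g_hook, code, wp, lp);
}

BOOL WINAPI DllMain(HINSTANCE h, DWORD reason, LPVOID reserved)
{
    (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) { g_self = h; DisableThreadLibraryCalls(h); }
    return TRUE;
}

/* rundll32 entry point.  The export name is arbitrary; rename it and the DLL
 * at will, as the thread suggests. */
__declspec(dllexport) void CALLBACK Ctl(HWND hwnd, HINSTANCE inst, LPSTR cmdline, int show)
{
    hook_cfg cfg;
    HANDLE stop;
    (void)hwnd; (void)inst; (void)show;
    if (parse_cmdline(cmdline, &cfg) != 0) return;

    if (cfg.cmd == CMD_INSTALL) {
        stop = CreateEventA(NULL, TRUE, FALSE, EVENT_NAME);
        if (!stop) return;
        if (GetLastError() == ERROR_ALREADY_EXISTS) { CloseHandle(stop); return; }
        strncpy(g_path, cfg.path, sizeof g_path - 1);
        g_hook = SetWindowsHookExA(WH_GETMESSAGE, msg_proc, g_self, 0);  /* 0 = all threads */
        if (g_hook) {
            /* A global hook is removed when the thread that set it exits, so
             * this rundll32 instance blocks until a second one says "remove". */
            WaitForSingleObject(stop, INFINITE);
            UnhookWindowsHookEx(g_hook);
            g_hook = NULL;
        }
        CloseHandle(stop);
    } else if (cfg.cmd == CMD_REMOVE) {
        stop = OpenEventA(EVENT_MODIFY_STATE, FALSE, EVENT_NAME);
        if (stop) { SetEvent(stop); CloseHandle(stop); }
    }
}
#endif /* _WIN32 */
```

    Two points a practitioner should keep in mind with this approach. First, a global hook set with a thread id of 0 is mapped into every process that pumps window messages, not just the game, so the log will show the DLL in unrelated processes as well. Second, once the DLL is mapped it is an ordinary loaded module of the target: renaming the file and export hides what it is, but not that it is there, so a scan that enumerates loaded modules and checks each one's signature (the "exhaustive check" the post itself anticipates) will still list it.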

  2. #2
    Registered User
    Join Date
    Dec 2001
    Posts
    204
    Sounds excellent!

    I look forward to playing with this code! Being a network dink, I'm having a lot of fun playing with those VC++ 6.0 (Developer Studio) disks I copied before I left my last job last year.

    Rock on!

  3. #3
    Registered User UncleBen
    Join Date
    Feb 2002
    Posts
    66
    *drool*

    really looking forward to this also!

    Hi, I'm Toatsy the bard and I like to train PoN 3 times a day. Please don't ban me for using SEQ

  4. #4
    Registered User
    Join Date
    Dec 2001
    Posts
    144
    Heh! Most excellent!

    I've had some discussions on this whole "detectability" topic with a friend of mine (who just so happens to be an incredible Windows programmer) over the past few days, and this was the method that ended up being considered the least likely to be detected. I'm already doing some coding to get a sniffer of this type running, although I need to do a bit of additional research.

    Perhaps in a few days we can compare notes.

  5. #5
    Registered User
    Join Date
    Nov 2002
    Posts
    115
    I'll have it posted probably in a few hours. Have a few more things to do to get it to my liking ...

    Maggotboy

  6. #6
    Registered User
    Join Date
    Dec 2001
    Posts
    1,262
    Doh.. somebody found the method I have been using since the day of the patch!

    Good work!

    --Jeeves
    "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." --Albert Einstein

  7. #7
    Registered User
    Join Date
    Dec 2001
    Posts
    59
    I wonder though, since the DLL actually is running as a module in eqgame's address space, there's no violation of privacy, etc., involved in them scanning for it. Just something to consider...

  8. #8
    Registered User
    Join Date
    Nov 2002
    Posts
    115
    Just make sure you change the name of the DLL to something pseudo-meaningful, change the DLL entry point names, rearrange the program functions, etc.

    Maggotboy

  9. #9
    Registered User
    Join Date
    May 2002
    Posts
    92
    How would you get this to work with EQW? Here's an example of a command-line to start EQW...

    X:\EverquestExtras\eqw\eqw.exe D:\everquest\eqgame.exe

    I haven't tried it, but I'm wondering if the hook and EQW can both be used at the same time.

  10. #10
    Registered User
    Join Date
    Nov 2002
    Posts
    34

    RE: Ask Jeeves

    Doh.. somebody found the method I have been using since the day of the patch!
    You know what, Jeeves, after reading many threads with you posting and now seeing this, I have come to the conclusion you're full of shit. You sit here and argue ideas with people, and when someone comes up with one that actually has some merit, you claim fame and glory of already thinking up the idea.

    So instead of helping the community by contributing, you basically sat back and watched the drama. If you did think up this idea first ..Gratz! For being a prick.


    If you're just talking out the side of your mouth ..well, read the last word of the previous paragraph.

    People like you should not be here, people like the original poster, I would like to see more of.

  11. #11
    Registered User
    Join Date
    Nov 2002
    Posts
    1
    hai_hai, you nailed it. Jeeves has been the prick of pricks since day one, always jumping on the newbies for not "asking the right way" or searching the "right way"; now he lays claim to knowing the solution all along. Like you said, either he is lying or is a super prick.

    If he's lying, who cares. But if he had a solution that appears to be truly a solution, then imagine how far along we would be now. All these past weeks we could have been tuning it and we would all be ahead.

    Not to worry, I am old in real life and Jeeves makes the mistake of being an expert in one area and being a condescending greater-than-thou butthead. What he fails to know yet (must be young) is that no one can be an expert at everything and he will get his due.

    One of these days he will need help in some area (a real important one) like medical or automobile and he will have the pleasure of running into one of his like counterparts. He will not ask the "right way" or search the "right way" and he will get the ol' 2x4 between the eyes and a dose of reality. Beauty is..it will happen.... then he will finally realize how big a prick he really has been to newbs.

    The old adage "What goes around comes around" is as true as the sun coming up....I am old in real life and have seen the circle take 20 years, but EVERY prick I ever met like Jeeves, I have had the pleasure of watching them drop to their knees and beg for help or information in some area (again, one that really matters, not something as frivolous as SEQ).

    Trust me he will get his own medicine in the end

  12. #12
    Registered User
    Join Date
    Jul 2002
    Posts
    79
    Maggotboy,

    I am not a coder but thank you for being the first to offer a glimmer of hope to those not gifted in the world of programming. We know we have SEQ by the grace and generosity of programmers willing to share their intellectual property.

    I have read almost every post for months and pretty much figured I would use SEQ for the rest of my EQ life with grey dots but maybe not now.

    Thanks
    Last edited by Kimbler; 11-16-2002 at 06:01 AM.

  13. #13
    Registered User
    Join Date
    Dec 2001
    Posts
    1,262
    You sit here and argue ideas with people, and when someone comes up with one that actually has some merit, you claim fame and glory of already thinking up the idea.
    I never claimed fame for thinking of the idea; lots of people can come up with the same idea, I don't take anything away from maggotboy for that. He doesn't seem to have a problem with my post, only you. I also note that you only quoted half of my post, not the part where I tell him he did a good job. Maybe you are a bit sensitive?

    I didn't post this method here, because I didn't want it to be mass produced, and therefore scanned for. Feel free to call me a prick, I was simply congratulating maggotboy on finding a better solution to the problem. If he wants to post it, more power to him; I however didn't want to post it, as is my right. I never claimed credit for maggotboy's find; as a matter of fact, I won't even claim credit for my find, since I found the information by searching the web for similar systems.

    Why is it always the people with 1 and 4 posts that complain about other people's contributions to the project? Have I seen either one of you guys in IRC working on things, helping people write their keysniffers, or get stuff working? No. Don't like the fact that I didn't do all your research for you, like maggotboy is doing? Tough.

    Ihave had the pleasure of watching them drop to their knees and beg for help or information in some area (again one that really matters not something as frivolous as SEQ ).
    Ask anyone who knows me, and they will tell you that I am the first to ask somebody for information when I don't know it. However, I spend time on my own looking for information, and trying to solve problems before I run around whining that nobody is doing everything for me.

    Again, if you don't contribute in any way to this project, you have no right to bitch about the people that do. I applaud maggotboy, mvern, HoiHoi, and all the other people that have provided keysniffers to the community. I don't agree with them, but that doesn't really matter... I chose not to post mine, and then congratulated maggotboy, and you guys run around like I have committed some personal insult to you.

    So, in short:

    MaggotBoy: Good work finding an alternative solution.
    Everyone else: provide something to the project, or FUCK OFF.

    --Jeeves
    Last edited by high_jeeves; 11-16-2002 at 11:29 AM.
    "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." --Albert Einstein

  14. #14
    Registered User
    Join Date
    Nov 2002
    Posts
    115
    I'm not too concerned about who did what first, personally. I've been coding on the Windows platform for 10 years now, and make quite a decent living at it -- so I'm comfortable enough not to get my hairs ruffled if someone says they've done it sooner, faster or cleaner than me. If there's one thing I've learned about coding, it's that SOMEONE IS ALWAYS BETTER THAN YOU! It's just a fact of life and one must live with it if one is to succeed in this profession.

    For the record ... This hook method I actually developed for EQ back in August of 2000 when I was writing a handy utility to update our guild website with the in-zone location and in-game status of our guildies. Although it used the logfile generated by EQ and didn't in any way touch or interfere with the game, I set it aside because I didn't want to risk injecting a DLL into the game and put the members in jeopardy.

    I was looking for a way (at the time) to intercept the winsock functions so I could send instant messages from the chat window in EQ by injecting a passphrase ... Intercepting the function calls was easy, but I chickened out and decided not to attempt anything that'd risk my account.

    Maggotboy

  15. #15
    Registered User Mongo222
    Join Date
    Dec 2001
    Posts
    38

    high jeeves question for you.

    high jeeves, weren't you the guy who created the showeq alternate project branch after ratt decided not to release the new libEQ.a after Luclin came out?
