
Thread: Access Control Lists (ACLs)

  1. #1 | Registered User | Join Date: Dec 2002 | Posts: 3

    Access Control Lists (ACLs)

    Read a thread about Verant having implemented ACLs about 2 patches ago.

    Was wondering if they can detect it if you read EQ's memory with ReadProcessMemory, using a SACL?

    On MSDN:
    "A system access control list (SACL) enables administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both. In future releases, a SACL will also be able to raise an alarm when an unauthorized user attempts to gain access to an object. For more information about SACLs, see Audit Generation and SACL Access Right."

    Also, I read a post by MisterSpock saying it's better to use an ACL maneuver, or to run the application as SYSTEM, instead of entering debug mode. Anyone care to give some more information on this?

    As it is now I have made a program to give debug privileges to my program and scan all private memory blocks of EQ. It's not for sniffing the key, more for making a Windows version of ShowEQ (private).

    Last but not least, what should we look for in the updated files from Verant for 'keys' to whether they are checking for memory reads?

    Thanks.
    Last edited by Fatty; 12-29-2002 at 08:45 AM.

  2. #2 | Registered User | Join Date: Aug 2002 | Posts: 143
    They can detect the OpenProcess() using a SACL if they feel like parsing the event log to find it. Of course with admin access to your own machine you can remove those entries from the event log if you like and in any case they wouldn't be conclusive enough to show anything.

    You have to remember there's essentially no difference in behaviour from the OS's point of view between Magelo and an SEQ sniffer.

    Of course, if you want to avoid all that nastiness then just use LostInSpace's device driver which bypasses any and all OS protections and detection mechanisms.

    There's no good way to determine if they have put "detection" code into the EQ client other than running it in a debugger and observing its behaviour, almost to the point of reverse engineering it completely. While it's technically and legally possible to detect all forms of sniffing and ban you for them, the effort required on Sony's part to do this is just insane, especially for device driver based sniffers, so if you plan to use SEQ, just get the best sniffer you can and use it.
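The event-log parsing the reply above refers to, as an added example that is not code from this thread: it reads Security event 4656 ("A handle to an object was requested") records, keeps the ones where a handle to the game process was requested with any PROCESS_VM_* right, and reports which image asked for it and whether SeDebugPrivilege was used to get past the DACL. It assumes Kernel Object auditing is enabled and the process carries an auditing SACL so that such records exist at all; the log export, image names and paths below are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Process access rights from winnt.h: the bits any memory reader needs on its target.
PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0008, 0x0010, 0x0020
MEMORY_RIGHTS = {PROCESS_VM_OPERATION: "VM_OPERATION", PROCESS_VM_READ: "VM_READ",
                 PROCESS_VM_WRITE: "VM_WRITE"}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(obj_type, obj_name, mask, privs, requester):
    """Build one constructed Security event 4656 ('A handle to an object was requested')."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4656</EventID></System><EventData>'
            f'<Data Name="ObjectType">{obj_type}</Data><Data Name="ObjectName">{obj_name}</Data>'
            f'<Data Name="AccessMask">{mask}</Data><Data Name="PrivilegeList">{privs}</Data>'
            f'<Data Name="ProcessName">{requester}</Data></EventData></Event>')

# Constructed sample export (all paths and image names are placeholders).
SAMPLE_LOG = "<Events>" + "".join([
    # 0x1410 = VM_READ | QUERY_INFORMATION | QUERY_LIMITED_INFORMATION, via SeDebugPrivilege
    _event("Process", r"\Device\HarddiskVolume2\Games\game.exe", "0x1410",
           "SeDebugPrivilege", r"C:\Tools\memscan.exe"),
    # 0x1000 = QUERY_LIMITED_INFORMATION only: what a task manager asks for, not a memory read
    _event("Process", r"\Device\HarddiskVolume2\Games\game.exe", "0x1000", "-",
           r"C:\Windows\System32\Taskmgr.exe"),
    # a File object, even though the path is the game's image: not a process handle
    _event("File", r"\Device\HarddiskVolume2\Games\game.exe", "0x10", "-",
           r"C:\Windows\explorer.exe"),
]) + "</Events>"

def find_memory_access(xml_text, target_image):
    """Return 4656 handle requests on a Process object whose image name ends with
    target_image and whose access mask carries any VM_* right. Each finding names the
    requesting image, the decoded rights and any privilege (e.g. SeDebugPrivilege) used."""
    findings = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4656":
            continue
        data = {d.get("Name"): d.text for d in ev.iterfind("e:EventData/e:Data", NS)}
        if data.get("ObjectType") != "Process":
            continue
        if not (data.get("ObjectName") or "").lower().endswith(target_image.lower()):
            continue
        mask = int(data.get("AccessMask", "0"), 16)
        rights = [name for bit, name in MEMORY_RIGHTS.items() if mask & bit]
        if rights:
            findings.append({"requester": data.get("ProcessName"), "rights": rights,
                             "privileges": data.get("PrivilegeList", "-")})
    return findings
```

On a real host the input would come from an export of the Security log (for example `wevtutil qe Security /f:xml` filtered to event 4656) rather than the constructed sample.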

  3. #3 | Registered User | Join Date: Dec 2001 | Posts: 144
    If you twiddle the SACL and don't twiddle it back, it could be detected. SeDebugPrivilege does not trip IsDebuggerPresent, so that isn't an issue.

    If you're going to use the ReadProcessMemory-style of sniffer, I recommend using the SeDebugPrivilege-based method.

  4. #4 | Registered User | Join Date: Jan 2003 | Posts: 5
    Even if it does, just hook all calls to IsDebuggerPresent and return false.

    Talking of which, has anybody done the 'ForceLoadLibrary' approach to hooking that is usually used in Half-Life cheating?
