This bot can be detected
Closed this issue ยท 13 comments
First of all this seems great work, good job!
I just registered here to inform you that this bot can be detected from keypress input.
Windows 10 has added security feature to allow programs see the source of keystroke / event. Basically wow process sees that event is not coming from hardware but from user land application.
I think this can be work around by using externally controlled hardware to be used as proxy to send the keystrokes. One example:
https://randomnerdtutorials.com/raspberry-pi-zero-usb-keyboard-hid/
I'm trying to modify the code so that everything related to wow process is removed.
What security feature you're talking about? When it was introduced. I guess if it's from Microsoft then it is well documented as well. Can you provide more details please ?
Do u have proof of Blizzard acting based on this? Because apps which allows multi-boxing does similar things. Also what about apps for keyboards / Razar stuff where you can create macros and such - how do they do it?
I just got a 7 Days ban last night.
I've never used it for longer than 1h and I was 90% of the time near the computer, so it has been detected due movements or keypress.
@olaims was it on classic on retail? Where u area with other people ( someone could report you)? It's important to decide if it was automatically detected or not. I have experience using modified https://github.com/UltimateFishbot/UltimateFishbot on classic - but never for long time farming. Always a 1 hour top. I would think in total around 10 hours.
@petrvecera it was on classic.
There were no other people. In the message from Blizzard they mention "after we have analyzed some information we have detected the use of 3d party programs", so it is not due to persons or reports.
I can only think about:
- Key sending detection
- Mouse movement not "real/human" enough
Because it was not an instant ban and I haven't used it for longer than 1h. People reporting is not possible because I was never far from the laptop, so I would have checked the wisphsor them jumping or something before me.
You can detect if key press comes from software and not hardware using windows 8+ security API. all auto-it scripts etc can be relatively easily detected using that API. One workaround is to write custom driver but that is non trivial.
https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getcurrentinputmessagesource
@Nenuvah do u have any links to the forums discussing this problem more? I wonder if there is something new they added and are detecting from where the key inputs are going. Or they have different things in place already and the bot I linked before is avoiding them.
The bot I linked has completely different approach to searching for the bobber. Has several anti-afk mechanics and in general acts more like real life person but still anyone seeing it in person would know it's a bot.
I have re-written the API layer it uses to interact with the wow process.
https://github.com/petrvecera/FishingFun/pull/1/files
I removed the PostMessage Win API call. And move back to
keybd_event https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-keybd_event
and
mouse_event https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-mouse_event
The biggest down-side of these functions is the they require the wow window to be in focus. So before doing keyboard clicks/mouse clicks we need to re-focus the wow window (using SetForegroundWindow). I expect that it's probably still gonna be detected by GetCurrentInputMessageSource but at least we are not artificially sending messages to the process window which is not in focus at all! Any inputs for the window which wouldn't be in focus is definitely raising red flags.
Future improvements which could be considered which are totally missing in this project and I have seen in others:
- Moving the mouse on the screen from the last location to the new location
- Random mouse movements
- Random character movements
Update:
I got the following email from Blizzard after appealing my suspension:
I have looked into this for you - I am confident in the outcome of the investigation in that we have evidence showing that this account behaved in Battlegrounds and Arenas in a way that detracts from the in-game integrity of World of Warcraft.
So, I was banned because one guy reported me in a battleground because of not being fighting (that time I was fishing but not using the bot). He asked the whole BG to report me... even when I chatted with him.
Therefore I was not suspended because of using this bot... or maybe not directly. Maybe after the Battleground report they took a deeper look into my account and they found some "strange" behaviour.
I have thought about how detectable the bot is, but after 6 months I haven't been banned, but that doesn't mean I won't be.
The code in the following repo is interesting, it identifies the source and origin of a mouse move, click or keyboard event via cpp. https://github.com/microsoft/Windows-classic-samples/tree/master/Samples/IdentifyInputSource
Taking a look at the changes @petrvecera made (keybd_event & mouse_event) in his fork, they seem to be more obvious as the origin is 'Injected'. I think postmessage with its less obvious 'Unavailable' is better. The code I used is here: https://github.com/julianperrott/FishingFun/tree/master/IdentifyInputSource
| Description | Source of action | Source | Origin |
|---|---|---|---|
| Mouse move | System.Windows.Forms.Cursor.Position | Unavailable | System |
| Mouse move | SetCursorPos | Unavailable | System |
| Mouse click | PostMessage | Unavailable | Unavailable |
| Mouse click | mouse_event | Mouse | Injected |
| Key press | PostMessage | Unavailable | Unavailable |
| Key press | keybd_event (down) | Unavailable | Unavailable |
| Key press | keybd_event (up) | Keyboard | injected |
| Mouse move / click | Human | Mouse | Hardware |
| Key press | Human (down) | Unavailable | Unavailable |
| Key press | Human (up) | Keyboard | Hardware |
This post also talks about detecting of pixel type bots, I have tried to add a manifest file, but couldn't get it to work and wasn't willing to spend a lot of time on it.
https://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/wow-bots-questions-requests/796265-why-pixel-botting-detected.html
@julianperrott I agree with you on the PostMessage. The reason I went with mouse_event is that the other bot I have been using for years (also on non-official servers). Was using this event and I've never got banned. I got scared by olaimed, but as we know now, he wasn't banned because of the bot.
So my changes to that file were unnecessary ๐คฆโโ
Btw I added more things to my fork. I don't think they are "mergable" to you as I didn't care about the code quality. But if u want you can be inspired. I solved the problem with resizing the window. Now you can have it anywhere. https://github.com/petrvecera/FishingFun/blob/master/Source/FishingFunBot/Platform/WowScreen.cs
However when u have your window resized you need to tweak the parameters for triggering.
Also the bot were often missing very slight bobber triggers (a lot when the window is resized). I noticed a pattern in the chart it creates and created a new classifier for it, I have almost 100% correct trigger rate now https://github.com/petrvecera/FishingFun/blob/master/Source/FishingFunBot/Bot/PositionBiteWatcher.cs#L57
Also added lure applying