06-23-2012, 12:45 AM
If you'd customize your client you could have it enumerate dlls in client process and check for injection.dll or search for patterns of it by scanning the client process memory. Injection injects itself to the client process and that'd be fairly easy to detect with custom client. Detecting EUO is more complicated because you'd need admin privs to get access to processes that aren't child processes of your program. It used to work without privs in XP but since Vista and it's UAC it's been a pain. Still, for every method of detection there is a way around it. In the end, it would be just endless game fo hide and seek and a huge waste of time for everyone.
I haven't checked if packet order would give it away but I doubt there is any clearly different patterns. I did have a program that monitored UO packets at one time but didn't test any 3rd party programs with it. Noticed something interesting though... Back on INX where everyone tried to hide when they were casting by spam and running around a packet logger could easily determine if someone was casting or not. The packet about playing the casting animation was always sent even though the animation itself never was seen and the power words from casting a spell and using .wop were identical. Doesn't even matter anymore since spam was removed.
I haven't checked if packet order would give it away but I doubt there is any clearly different patterns. I did have a program that monitored UO packets at one time but didn't test any 3rd party programs with it. Noticed something interesting though... Back on INX where everyone tried to hide when they were casting by spam and running around a packet logger could easily determine if someone was casting or not. The packet about playing the casting animation was always sent even though the animation itself never was seen and the power words from casting a spell and using .wop were identical. Doesn't even matter anymore since spam was removed.