Agent.exe - what it really does

    Discussion in 'Honorbuddy Forum' started by roboto, Jun 25, 2015.

    1. roboto

      roboto Well-Known Member Buddy Store Developer

So, we've had a few posts in the ban section from people claiming that it's agent.exe which is scanning your system; for reasons unknown, these people post in the ban section where no one can respond.
Whatever, let's get down to it:
I took the time to monitor agent.exe for about 4 hours today on a system which was running wow.exe in 32-bit mode. These are the results:


TL;DR: it does NOT scan your system, e.g. for bots.


What is Agent.exe?
Size: roughly 400KB
Type: EXE
Description: Blizzard File Switcher
Digitally signed, issuer Thawte Code Signing CA
This file is downloaded by the Battle.net client.


Where is Agent.exe located?
The binary lies within %ProgramData%\Battle.net\Agent
Each downloaded agent version is located in a folder named "Agent.BUILD"; in my case it's Agent.4150.


What does Agent.exe do at runtime?
Two things:

1.) It opens wow.exe and checks its version:
This call is made to determine the version of your wow.exe.

On this request, the following DLLs are loaded:
      Code:
      Agent.exe	0xed0000	0x5a0000	C:\ProgramData\Battle.net\Agent\Agent.4150\Agent.exe	Blizzard Entertainment	1.20.2.4150	19.06.2015 20:19:20
      DevDispItemProvider.dll	0x63140000	0x1a000	C:\Windows\SysWOW64\DevDispItemProvider.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:02:53
      sfc_os.DLL	0x63210000	0xf000	C:\Windows\SysWOW64\sfc_os.DLL	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 04:00:27
      AcLayers.DLL	0x63220000	0x277000	C:\Windows\AppPatch\AcLayers.DLL	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:23:44
      sfc.dll	0x6d100000	0x3000	C:\Windows\SysWOW64\sfc.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	22.08.2013 06:13:28
      LINKINFO.dll	0x6d110000	0xb000	C:\Windows\SysWOW64\LINKINFO.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:56:41
      actxprxy.dll	0x6f2e0000	0x103000	C:\Windows\SysWOW64\actxprxy.dll	Microsoft Corporation	6.3.9600.17840 (winblue_r11.150522-0826)	23.05.2015 04:28:10
      MLANG.dll	0x6f4f0000	0x33000	C:\Windows\SysWOW64\MLANG.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:57:40
      apphelp.dll	0x71280000	0xa0000	C:\Windows\SysWOW64\apphelp.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 04:00:11
      urlmon.dll	0x72730000	0x14a000	C:\Windows\SysWOW64\urlmon.dll	Microsoft Corporation	11.00.9600.16384 (winblue_rtm.130821-1623)	23.05.2015 04:16:32
      WINHTTP.dll	0x72880000	0x9f000	C:\Windows\SysWOW64\WINHTTP.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:56:15
      dwmapi.dll	0x72ee0000	0x1a000	C:\Windows\SysWOW64\dwmapi.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:58:22
      PlayToDevice.dll	0x73440000	0x39000	C:\Windows\SysWOW64\PlayToDevice.dll	Microsoft Corporation	12.0.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:30:14
      iertutil.dll	0x73480000	0x232000	C:\Windows\SysWOW64\iertutil.dll	Microsoft Corporation	11.00.9600.16384 (winblue_rtm.130821-1623)	23.05.2015 05:10:32
      WININET.dll	0x736f0000	0x1e4000	C:\Windows\SysWOW64\WININET.dll	Microsoft Corporation	11.00.9600.16384 (winblue_rtm.130821-1623)	23.05.2015 04:20:17
      uxtheme.dll	0x738e0000	0xed000	C:\Windows\SysWOW64\uxtheme.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:48:23
      comctl32.dll	0x739e0000	0x206000	C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_a9edf09f013934e0\comctl32.dll	Microsoft Corporation	6.10 (winblue_rtm.130821-1623)	25.04.2015 04:34:19
      dlnashext.dll	0x73ca0000	0x6e000	C:\Windows\SysWOW64\dlnashext.dll	Microsoft Corporation	12.0.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:29:03
      dhcpcsvc6.DLL	0x73f10000	0x13000	C:\Windows\SysWOW64\dhcpcsvc6.DLL	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:06:03
      MPR.dll	0x74090000	0x16000	C:\Windows\SysWOW64\MPR.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:06:32
      rasadhlp.dll	0x74100000	0x8000	C:\Windows\SysWOW64\rasadhlp.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:05:32
      fwpuclnt.dll	0x74110000	0x46000	C:\Windows\SysWOW64\fwpuclnt.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:56:29
      DNSAPI.dll	0x74160000	0x7e000	C:\Windows\SysWOW64\DNSAPI.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:06:23
      mswsock.dll	0x741e0000	0x4b000	C:\Windows\SysWOW64\mswsock.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:06:15
      fastprox.dll	0x74230000	0xc4000	C:\Windows\SysWOW64\wbem\fastprox.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 02:59:19
      wbemsvc.dll	0x74300000	0x11000	C:\Windows\SysWOW64\wbem\wbemsvc.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:05:13
      wbemcomn.dll	0x74320000	0x66000	C:\Windows\SysWOW64\wbemcomn.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:00:21
      wbemprox.dll	0x74390000	0xd000	C:\Windows\SysWOW64\wbem\wbemprox.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 02:59:38
      dhcpcsvc.DLL	0x743a0000	0x14000	C:\Windows\SysWOW64\dhcpcsvc.DLL	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:05:51
      WINNSI.DLL	0x743c0000	0x8000	C:\Windows\SysWOW64\WINNSI.DLL	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:06:17
      IPHLPAPI.DLL	0x743d0000	0x20000	C:\Windows\SysWOW64\IPHLPAPI.DLL	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:06:09
      Secur32.dll	0x74460000	0xa000	C:\Windows\SysWOW64\Secur32.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:06:19
      PROPSYS.dll	0x74470000	0x13a000	C:\Windows\SysWOW64\PROPSYS.dll	Microsoft Corporation	7.00.9600.17031 (winblue_gdr.140221-1952)	29.10.2014 04:02:22
      SHCORE.dll	0x745b0000	0x8b000	C:\Windows\SysWOW64\SHCORE.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	23.01.2015 04:47:03
      bcrypt.dll	0x749c0000	0x1e000	C:\Windows\SysWOW64\bcrypt.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:05:46
      CRYPTSP.dll	0x74a10000	0x19000	C:\Windows\SysWOW64\CRYPTSP.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:06:22
      kernel.appcore.dll	0x74a30000	0x9000	C:\Windows\SysWOW64\kernel.appcore.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:04:26
      profapi.dll	0x74a40000	0xf000	C:\Windows\SysWOW64\profapi.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:06:11
      USERENV.dll	0x74a50000	0x1b000	C:\Windows\SysWOW64\USERENV.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:00:57
      WINSPOOL.DRV	0x74bb0000	0x65000	C:\Windows\SysWOW64\WINSPOOL.DRV	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:45:14
      VERSION.dll	0x74c20000	0x8000	C:\Windows\SysWOW64\VERSION.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:59:45
      bcryptPrimitives.dll	0x74c30000	0x54000	C:\Windows\SysWOW64\bcryptPrimitives.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:05:57
      CRYPTBASE.dll	0x74c90000	0xa000	C:\Windows\SysWOW64\CRYPTBASE.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 04:01:15
      SspiCli.dll	0x74ca0000	0x1e000	C:\Windows\SysWOW64\SspiCli.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:06:04
      SHLWAPI.dll	0x74e00000	0x45000	C:\Windows\SysWOW64\SHLWAPI.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:43:08
      ole32.dll	0x74ee0000	0x128000	C:\Windows\SysWOW64\ole32.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:47:16
      IMM32.DLL	0x75010000	0x27000	C:\Windows\SysWOW64\IMM32.DLL	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:59:48
      RPCRT4.dll	0x75080000	0xba000	C:\Windows\SysWOW64\RPCRT4.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:07:48
      CFGMGR32.dll	0x75140000	0x3c000	C:\Windows\SysWOW64\CFGMGR32.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:06:02
      msvcrt.dll	0x75350000	0xc3000	C:\Windows\SysWOW64\msvcrt.dll	Microsoft Corporation	7.0.9600.17415 (winblue_r4.141028-1500)	29.10.2014 04:04:30
      SETUPAPI.dll	0x75420000	0x1b1000	C:\Windows\SysWOW64\SETUPAPI.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 02:43:38
      MSCTF.dll	0x755e0000	0x112000	C:\Windows\SysWOW64\MSCTF.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	14.03.2015 02:53:05
      GDI32.dll	0x75870000	0x10e000	C:\Windows\SysWOW64\GDI32.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:10:13
      combase.dll	0x75990000	0x17d000	C:\Windows\SysWOW64\combase.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:06:12
      NSI.dll	0x75b10000	0x7000	C:\Windows\SysWOW64\NSI.dll	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 04:03:31
      PSAPI.DLL	0x75b20000	0x6000	C:\Windows\SysWOW64\PSAPI.DLL	Microsoft Corporation	6.3.9600.17415 (winblue_r4.141028-1500)	29.10.2014 03:06:26
      SHELL32.dll	0x75b30000	0x12ac000	C:\Windows\SysWOW64\SHELL32.dll	Microsoft Corporation	6.3.9600.17031 (winblue_gdr.140221-1952)	12.02.2015 05:51:27
      sechost.dll	0x76de0000	0x41000	C:\Windows\SysWOW64\sechost.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	20.03.2015 05:20:59
      USER32.dll	0x76ef0000	0x153000	C:\Windows\SysWOW64\USER32.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:04:32
      KERNELBASE.dll	0x77050000	0xd7000	C:\Windows\SysWOW64\KERNELBASE.dll	Microsoft Corporation	6.3.9600.17031 (winblue_gdr.140221-1952)	29.10.2014 04:03:10
      clbcatq.dll	0x77130000	0x8d000	C:\Windows\SysWOW64\clbcatq.dll	Microsoft Corporation	2001.12.10530.17415 (winblue_r4.141028-1500)	29.10.2014 02:44:51
      OLEAUT32.dll	0x771c0000	0x95000	C:\Windows\SysWOW64\OLEAUT32.dll	Microsoft Corporation	6.3.9600.17560	19.12.2014 06:49:55
      ADVAPI32.dll	0x77300000	0x7c000	C:\Windows\SysWOW64\ADVAPI32.dll	Microsoft Corporation	6.3.9600.16384 (winblue_rtm.130821-1623)	29.10.2014 03:57:48
      wow64.dll	0x773d0000	0x4b000	C:\Windows\SYSTEM32\wow64.dll	Microsoft Corporation	6.3.9600.17734 (winblue_r9.150319-1700)	20.03.2015 06:10:50
      wow64win.dll	0x77420000	0x68000	C:\Windows\system32\wow64win.dll	Microsoft Corporation	6.3.9600.16520 (winblue_gdr.140127-0329)	27.01.2014 21:53:11
      wow64cpu.dll	0x77490000	0x9000	C:\Windows\system32\wow64cpu.dll	Microsoft Corporation	6.3.9600.17734 (winblue_r9.150319-1700)	20.03.2015 06:10:52
      ntdll.dll	0x774a0000	0x16e000	C:\Windows\SysWOW64\ntdll.dll	Microsoft Corporation	6.3.9600.17031 (winblue_gdr.140221-1952)	23.03.2015 00:31:30
      ntdll.dll	0x7ff92ddc0000	0x1ac000	C:\Windows\SYSTEM32\ntdll.dll	Microsoft Corporation	6.3.9600.17031 (winblue_gdr.140221-1952)	23.03.2015 00:33:26
You can see those are all Microsoft DLLs, not any Blizzard internals.

2.) It does connect to a local port and sends data.
This call is made from [::1]:1120 -> [::1]:11791
This is just a TCP/IP connection with the following metadata:
      Code:
      Length:	619
      startime:	4532013
      endtime:	4532013
      seqnum:	0
      connid:	0

Now for the funny part, and why this is all such bogus:
About every hour, Agent.exe does the following things:


Query the registry at HKLM\System\CurrentControlSet\Tcpip\Parameters\
This sequence finds a connected LAN adapter (followed by a few checks on DHCP and such stuff).

It then goes for REGISTRY: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
This obtains the WinHTTP settings such as connection type and proxy.
After this, the registry thread is closed and a new one is opened.

Now Agent.exe opens a remote connection to a US IP (mine was starting with 12.0.0.0) at port 1119.
This is in fact a Blizzard IP and a Blizzard port; ref. the Battle.net FAQ:
      Yes, you may need to open an additional port (1119) to log in to World of Warcraft using a Battle.net account.

The agent creates a new file (LOGFILE [sic!]) in %ProgramData%\Battle.net\Agent\Agent.BUILD\Logs
      You can now open these logs for yourself.

After this, the following happens:
The Battle.net dir in ProgramData is queried; files are read and checked for creation date and version (self-update)
The Battle.net installation dir is parsed
The Battle.net installation logs dir is parsed
All files in Battle.net are checked for outdated/non-original stuff
This data is now transmitted

      Now agent.exe parses your WoW Directory
      Yes, you've heard right.


The following files and folders are checked in that manner:
      \WoW.exe (for several times)
      \Cache\* (ALL files in cache!)
      \Data\* (ALL FILES IN DATA - CASC Database)
      \Errors\*
      \Interface\* (Yes, your addons as well!)
      \Logs\*
      \*.dll (dlls in wow root)
      \Screenshot\*
      \Utils\*
      \WTF\*

These are just basic QueryOpenFile and QuerySecurityFile operations, nothing to worry about. I guess the updater is just checking if all files are in place.
Following that, \Data\data\<int>.idx, \Data\data\data.<int> and \Data\indices\<hash> files are scanned, all the same QuerySecurityFile & CloseFile crap again.
After a last open of wow.exe, agent.exe is finished and does not touch ANY OTHER DIR.


So, what did we just see here? Well, let's look into the log Agent.exe wrote, because it's such a nice application:

      There are 4 logfiles:

      Agent-*.log
      AgentNGDP-*.log
      curl*.log
      Queue*.Log

Important: I've masked out many lines since these logs contain confidential information!


Agent*.log:
This is basically a logfile of obtaining the latest WoW version from Battle.net CDN servers:

      Code:
      16:24:33.3000 New versioner created - battle.net.
      16:24:33.3035 Agent::Product::LaunchGameSession() - Begin Waiting
      16:24:33.3037 Agent::Product::LaunchGameSession() - End Waiting
      16:24:33.4176 Launched J:/Battle.net/Battle.net.exe as PID: XXXX with --switcherall
      **********************************************
      16:24:33.5217 Firing Event: "database flush event"
      16:24:33.5220 Handle Event: "database flush event"
      16:24:33.5221 Request POST /gamesession
      ...
      
      	"uid" : "battle.net"
      }
      Response 200 (XXX ms): {
      	"response_uri" : "/gamesession/battle.net"
      }
      16:24:33.5290 Request GET /version/battle.net
      Response 200 (1.0408 ms): {
      	"state" : XXX,
      	"local_version" : "1.2.9.5942",
      	"playable" : true,
      	"needs_rebase" : false,
      	"current_version" : XXX,
      	"build" : XXX,
      	"patch_application_complete" : true,
      	"download_complete" : true,
      	"background_download_available" : false,
      	"background_download_complete" : true,
      	"loose_file_patching_complete" : true,
      	"baseline" : ""
      }
      16:24:33.5345 Request GET /gamesession/wow_engb
      Response 200 (0.0943 ms): {
      	"1" : {
      		"request_id" : XXX,
      		"pid" : XXX,
      		"pid_path" : "",
      		"binary_type" : "game"
      	}
      }
      16:24:34.0195 GameProcessManager - UPDATE:
      	 Stored was - uid:battle.net, pid:XXX, parent pid:XXX, pid path:.
      	 Updating to - uid:battle.net, pid:XXX, parent pid:XXX, pid path:X:\Battle.net\Battle.net.XXXX\Battle.net.exe.
      16:24:34.1622 Firing Event: "database flush event"
      16:24:34.1624 Handle Event: "database flush event"
      16:24:34.1626 Request GET /agent
      Response 200 (XXX ms): {
      	"update" : {},
      	"install" : {},
      	"backfill" : {},
      	"pid" : XXX,
      	"user_id" : "XXX",
      	"state" : XXX,
      	"playable" : true,
      	"patch_application_complete" : true,
      	"download_complete" : true,
      	"installed" : true,
      	"version" : "XXX",
      	"region" : "eu",
      	"type" : "retail",
      	"opt_in_feedback" : true,
      	"session" : "XXX",
      	"authorization" : "XXX"
      }
      16:24:34.1685 Request POST /agent
      {
      	"opt_in_feedback" : true
      }
      Response 200 (0.0115 ms): {}
      16:24:34.1726 Request POST /game/battle.net
      {
      	"opt_in_feedback" : true
      }
      Response 200 (0.0926 ms): {}
      16:24:34.1765 Request Issued to non-existent Uri: POST - /game/client
      16:24:34.1801 Request GET /gamesession
      Response 200 (0.1925 ms): {
      	"wow_dede" : {
      		"1" : {
      			"request_id" : XXX,
      			"pid" : XXX,
      			"pid_path" : "",
      			"binary_type" : "game"
      		}
      	},
      	"battle.net" : {
      		"1" : {
      			"request_id" : XXX,
      			"pid" : XXX,
      			"pid_path" : "",
      			"binary_type" : "game"
      		},
      		"2" : {
      			"request_id" : XXX,
      			"pid" : XXX,
      			"pid_path" : "X:\\Battle.net\\Battle.net.XXX\\Battle.net.exe",
      			"binary_type" : "game"
      		}
      	}
      }
      
This log goes on and on for a very long time; basically you're just watching Battle.net looking for an update.


AgentNGDP-*.log
This is a short log and, tbh, I've got no idea what use it serves ;)
You can see some Blizz IPs and the Windows version.

      Code:
      16:24:42.7291 {d50} INF: Add new Host addr=YYY, port=80, name=dist.blizzard.com.edgesuite.net, proxy=false
      16:24:42.7294 {d50} INF: Add new Host addr=YYY, port=80, name=dist.blizzard.com.edgesuite.net, proxy=false
      16:24:43.4174 {139c} INF: Initialization step - FETCHING_BUILD_CONFIG
      16:24:43.4177 {139c} INF: Initialization step - FETCHING_PATCH_MANIFEST
      16:24:43.4181 {139c} INF: Initialization step - FETCHING_ENCODING_TABLE
      16:24:43.4778 {139c} WRN: unrecognized tag 'Windows'
      16:24:43.4869 {139c} WRN: invalid tag in tag query 'Windows x86_32 x86_64 EU? brBR speech?:Windows x86_32 x86_64 EU? brBR text?:Windows x86_32 x86_64 EU? zhCN speech?:Windows x86_32 x86_64 EU? zhCN text?'
      16:24:43.8336 {15b4} INF: NGDP initialization - (archive: false, cache: true, Async: true)
      
Not interesting at all.

      curl*.log
      Code:
      16:24:29.7998 Queue Request for http://enGB.patch.battle.net:XXX/patch : handle - XXX, index - 0, running - 0
      16:24:29.8309 Queue Request for http://iir.blizzard.com:XXX/submit/BNET_APP : handle - XXX, index - 1, running - 0
      16:24:30.1047 OnComplete: handle - 0x007defd0, result - 0, running - 2, request - found
      16:24:30.1056 Queue Request for http://public-test.patch.battle.net:1119/patch : handle - XXX, index - 2, running - 0
      16:24:30.4631 OnComplete: handle - 0x00762330, result - 0, running - 2, request - found
      16:24:30.6931 OnComplete: handle - 0x007defd0, result - 0, running - 1, request - found
Just curl minding its own business, still nothing fancy. Well, let's hope the Queue log proves this big conspiracy theory...

      Queue-*.log
      Code:
      16:24:41.9744 Queuing /update/wow_brbr
      16:24:41.9746 Insert to Queue at HEAD
      16:24:41.9770 Start Queued Task 'Update wow_brbr'
      16:25:49.9526 Remove /update/wow_brbr from Queue
      16:25:49.9527 Remove (stop) Task Update wow_brbr
      16:25:49.9531 Removed HEAD item from Queue
      Bummer.




Conclusion: I've just wasted 10 minutes of your life telling and showing you that Agent.exe is nothing tricky that scans your system.
Thanks for your time.
If you'd like to prove me wrong, grab Process Explorer from Sysinternals and monitor it for yourself.

      Have fun!


      PS: NIIIINJA PATCH!!!
      Last edited: Jun 25, 2015
      mrandy, D4rkx, Xume and 2 others like this.
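Added example, not code from roboto's post or from Blizzard: a Python parser for the request/response shape shown in the Agent-*.log excerpt above (timestamped `Request METHOD /path` lines, an optional multi-line JSON request body, then `Response CODE (N ms): {...}`), run over a constructed log in that shape with the masked XXX values replaced by made-up ones, so that the local endpoints the agent talks to can be tabulated instead of eyeballed.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes from the Agent-*.log excerpt: a timestamped request line (normal, or the
# "Issued to non-existent Uri" variant), an optional multi-line JSON request body, then
# "Response <code> (<ms> ms): <json>" where the JSON may span several lines.
REQUEST_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) Request (?:Issued to non-existent Uri: )?(GET|POST|PUT|DELETE)(?: -)? (\S+)$")
RESPONSE_RE = re.compile(r"^Response (\d{3}) \(([\d.]+) ms\): (.*)$")

# Constructed sample in the excerpt's shape; the masked XXX values are replaced with made-up ones.
AGENT_LOG = """\
16:24:33.5217 Firing Event: "database flush event"
16:24:33.5290 Request GET /version/battle.net
Response 200 (1.0408 ms): {
    "local_version" : "1.2.9.5942",
    "playable" : true
}
16:24:33.5345 Request GET /gamesession/wow_engb
Response 200 (0.0943 ms): {
    "1" : { "pid_path" : "", "binary_type" : "game" }
}
16:24:34.1685 Request POST /agent
{
    "opt_in_feedback" : true
}
Response 200 (0.0115 ms): {}
16:24:34.1765 Request Issued to non-existent Uri: POST - /game/client
"""


@dataclass
class Exchange:
    time: str
    method: str
    path: str
    known_uri: bool = True                 # False for the "non-existent Uri" variant
    request_body: Optional[dict] = None
    status: Optional[int] = None
    latency_ms: Optional[float] = None
    response_body: Optional[dict] = None


def _read_json(first: str, lines: List[str], i: int):
    """Gather lines from `first` until the braces balance; return (object, next line index)."""
    buf, depth = [first], first.count("{") - first.count("}")
    while depth > 0 and i < len(lines):
        buf.append(lines[i])
        depth += lines[i].count("{") - lines[i].count("}")
        i += 1
    return json.loads("\n".join(buf)), i


def parse_agent_log(text: str) -> List[Exchange]:
    """One Exchange per request; event, banner and process-manager lines are skipped."""
    lines, exchanges, i = text.splitlines(), [], 0
    while i < len(lines):
        line, i = lines[i], i + 1
        m = REQUEST_RE.match(line)
        if m:
            exchanges.append(Exchange(m.group(1), m.group(2), m.group(3),
                                      known_uri="non-existent" not in line))
            continue
        if not exchanges:
            continue                       # preamble before the first request
        current, m = exchanges[-1], RESPONSE_RE.match(line)
        if m:
            current.status, current.latency_ms = int(m.group(1)), float(m.group(2))
            current.response_body, i = _read_json(m.group(3), lines, i)
        elif line.startswith("{"):         # a request body follows its request line
            current.request_body, i = _read_json(line, lines, i)
    return exchanges


def summarise(exchanges: List[Exchange]) -> dict:
    """Which local endpoints were hit, which were unknown, and the slowest round trip."""
    latencies = [e.latency_ms for e in exchanges if e.latency_ms is not None]
    return {"requests": len(exchanges),
            "paths": sorted({e.path for e in exchanges}),
            "unknown_uris": [e.path for e in exchanges if not e.known_uri],
            "max_latency_ms": max(latencies, default=0.0)}
```

The masked `XXX` values in the pasted excerpt are not valid JSON or numbers, so run this against your own unmasked Agent-*.log rather than the quoted one.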
    2. klepp0906

      klepp0906 Banned

Fortunately, those of us who don't keep tinfoil handy and are blessed with uncommon sense figured as much.

      I'd thank you for taking the time to do this but....

      Well if for nothing other than stopping bogus threads and the dissemination of more misinformation.
       
    3. IGG

      IGG Member

      Thanks for the research! Interesting information.

Is agent.exe involved in sending crash reports?
       
    4. roboto

      roboto Well-Known Member Buddy Store Developer

Nope, it's not.
The file handling this is located in the same folder ;)

      %ProgramData%\Battle.net\Agent\BlizzardError.exe
       
      Last edited: Jun 25, 2015
    5. dmann1986

      dmann1986 New Member

Well, if it scans your screenshots..... hopefully people don't have any screenshots of the HB overlay, which I'm not sure even shows up on a screenshot, though it would make sense that it does. And if they are looking at your screenshots and that's there... then boom, they know you're botting. That's the only thing I can think of.
       
    6. roboto

      roboto Well-Known Member Buddy Store Developer

It just iterates through the directory; I haven't been able to see it read any actual data.

/edit: On my system I've got about 1k screenshots and all of them were parsed within 0.5 seconds; that's way too fast to "look" at the images.
       
      Last edited: Jun 25, 2015
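Added example (not from the thread): a Python pass over a Process Monitor CSV export that checks roboto's claim the way a defender would, splitting Agent.exe's operations under the WoW directory into metadata-only calls (QueryOpen, QuerySecurityFile, CloseFile and the like) versus content access (ReadFile, WriteFile, CreateFileMapping), per top-level folder, with the elapsed time of the pass over each folder. The CSV rows are constructed and include one deliberate ReadFile row so the flagging path is exercised; the column names are assumed to match Procmon's default CSV export.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List

# Operations that move file contents. Everything else seen in such a trace (QueryOpen,
# QuerySecurityFile, CloseFile, QueryDirectory, ...) only touches metadata.
CONTENT_OPS = {"ReadFile", "WriteFile", "CreateFileMapping"}

# Constructed rows; column names assumed to match Process Monitor's default CSV export.
# The Agent.exe ReadFile under WTF is a deliberate counter-example so the flagging path runs;
# the ProgramData row (outside the game dir) and the Battle.net.exe row must be ignored.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"4:24:41.1000000 PM","Agent.exe","1234","QueryOpen","C:\\Games\\WoW\\WoW.exe","SUCCESS",""
"4:24:41.1500000 PM","Agent.exe","1234","QuerySecurityFile","C:\\Games\\WoW\\WoW.exe","SUCCESS",""
"4:24:41.2000000 PM","Agent.exe","1234","QueryOpen","C:\\Games\\WoW\\Screenshots\\WoWScrnShot_1.jpg","SUCCESS",""
"4:24:41.2500000 PM","Agent.exe","1234","QuerySecurityFile","C:\\Games\\WoW\\Screenshots\\WoWScrnShot_1.jpg","SUCCESS",""
"4:24:41.6000000 PM","Agent.exe","1234","QueryOpen","C:\\Games\\WoW\\Screenshots\\WoWScrnShot_2.jpg","SUCCESS",""
"4:24:41.7000000 PM","Agent.exe","1234","QueryOpen","C:\\Games\\WoW\\Interface\\AddOns\\Foo\\Foo.toc","SUCCESS",""
"4:24:41.8000000 PM","Agent.exe","1234","ReadFile","C:\\Games\\WoW\\WTF\\Config.wtf","SUCCESS","Offset: 0, Length: 512"
"4:24:41.9000000 PM","Agent.exe","1234","ReadFile","C:\\ProgramData\\Battle.net\\Agent\\Agent.4150\\Agent.exe","SUCCESS","Offset: 0, Length: 4,096"
"4:24:42.0000000 PM","Battle.net.exe","4321","ReadFile","C:\\Games\\WoW\\WTF\\Config.wtf","SUCCESS","Offset: 0, Length: 512"
"""


def _seconds(time_of_day: str) -> float:
    """Procmon 'h:mm:ss.fffffff AM/PM' -> seconds since midnight."""
    clock, _, meridian = time_of_day.partition(" ")
    h, m, s = clock.split(":")
    hours = int(h) % 12 + (12 if meridian.upper() == "PM" else 0)
    return hours * 3600 + int(m) * 60 + float(s)


def summarise_file_access(csv_text: str, process: str, game_root: str) -> dict:
    """Per top-level folder under game_root: how many metadata-only vs content operations
    `process` issued and how long its pass over that folder took. Also lists every path
    under game_root whose contents were actually read or written (empty = metadata only)."""
    root = PureWindowsPath(game_root)
    folders: Dict[str, dict] = defaultdict(
        lambda: {"metadata_ops": 0, "content_ops": 0, "times": []})
    content_paths: List[str] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue                                   # other processes are out of scope
        path = PureWindowsPath(row["Path"])
        try:
            rel = path.relative_to(root)
        except ValueError:
            continue                                   # outside the game directory
        folder = rel.parts[0] if len(rel.parts) > 1 else "<root>"
        is_content = row["Operation"] in CONTENT_OPS
        folders[folder]["content_ops" if is_content else "metadata_ops"] += 1
        folders[folder]["times"].append(_seconds(row["Time of Day"]))
        if is_content:
            content_paths.append(str(path))
    return {
        "folders": {name: {"metadata_ops": f["metadata_ops"], "content_ops": f["content_ops"],
                           "elapsed_s": round(max(f["times"]) - min(f["times"]), 3)}
                    for name, f in folders.items()},
        "content_paths": content_paths,
    }
```

On a real export, an empty `content_paths` together with sub-second `elapsed_s` for the Screenshots folder is the evidence behind "it just iterates"; any Agent.exe path listed there is exactly what roboto says he never saw.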
    7. wowbot2

      wowbot2 New Member

      Thanks for the clarification, you rock!

Better to be asking questions than to be sorry and ignorant :)
       
    8. thatwouldbestealing

      thatwouldbestealing Member

      Mate, that was fascinating!

      Very informative read, thanks for sharing without being patronising!
       
    9. EdwinOnline

      EdwinOnline Banned

Thanks a lot roboto, awesome!
       
    10. Myminime

      Myminime New Member

Thanks roboto! Your report is very interesting ;)
       
    11. WTB A Noob

      WTB A Noob Member

      A suspicious mind is a healthy mind!
       
    12. MrPewterSchmidt

      MrPewterSchmidt New Member

      Domo arigato, Mr. Roboto.
       
    13. Touch

      Touch Moderator Moderator

      Thanks for that, roboto.
       
    14. tomcruise

      tomcruise Banned

Pretty funny that anyone thought this was a big discovery and that the HB guys could miss something as obvious as a separate process; it's like an insult to their ability.
       
    15. McWeiss

      McWeiss New Member

      well this is what the agent exe does now! ;-)
       
    16. dmann1986

      dmann1986 New Member

Awesome! You are correct, that is pretty quick to be able to see any screenshots; that would have been my only worry about that. I mean, unless they have a way to extract those images to a directory as they get parsed, then it shouldn't be a problem. Everyone who knows code knows mostly anything is possible with the right coding :p. But 0.5 seconds isn't a lot of time to recover any actual viewable images.
       
    17. eStaKooZa

      eStaKooZa Member

Roboto, can you please tell us about the thing in the processes named "wow proxy"?
Appreciate your help.

      ps: amazing efforts and amazing topic cheers <3
       
    18. roboto

      roboto Well-Known Member Buddy Store Developer

Will do.
       
    19. starlite68

      starlite68 Member

Well, we've always known what it is; it's the part of the Blizzard launcher that allows P2P downloads of your new games and updates.

Still, it's kind of upsetting that it scans the Interface and WTF folders; hope it's not sending back any info about them. Certainly some bots use one or both of addons and macros.
       
    20. daviddillon

      daviddillon New Member

Thanks Roboto... this was also a concern of mine.
       
