Warden Anticheat - Official Testing Branch

In order to channel the development of the Warden Anticheat feature towards a proper implementation, I created a branch that contains a port of TOM_RUS's patch (direct core integration, no external daemon) from the Mangos forums.

To answer the most pressing question right away: Yes, this branch is aiming towards an integration in the main repository.

(If you have the urge to break down another huge and pointless discussion about this - please do it in another thread/on IRC)

And the second question: No, Warden cannot be abused to execute arbitrary code on client side. The only thing that can be done is checking various parameters on client side and have it report back.

As I don’t wanna roam around reading potentially abandoned patches/branches of other Warden ports, please use this thread/the testing branch to contribute to an official implementation.

If you do have a branch/patch that is still maintained and contains code worth reading, you are free to link it here, but keep in mind that changes for the official implementation should be done on the official testing branch, preferably via pull requests.

Developers that like to contribute preferably contact me on IRC, so we can see that we can push things ahead.

Official testing branch:

https://github.com/leak/TrinityCore

Current state:

A current issue is that clients are getting kicked because they exceeded the maximum response delay (default 90 sec by config option) on medium-sized servers and above.

General TODOs:

- Mac client implementation
- Documentation about checks (Targets of checks, False positives, etc.)
- Obtain new checks
- Implement process checking

Worth reading:

http://getmangos.com…ticheat-system/

How to use that branch:

Since people are still having trouble with branches:

Method 1 - Merging the warden branch into yours:

[CODE]# Change to your local TC clone
cd yourlocalrepo

# Add the warden branch as remote
git remote add warden git://github.com/leak/TrinityCore.git

# Use these two commands to update/merge the warden branch into your local repo
git fetch warden
git merge warden/warden[/CODE]

Method 2 - Diff out a .patch file

[CODE]# Clone the warden branch into a separate folder
git clone git://github.com/leak/TrinityCore.git warden

# Add and fetch the TC main repo as remote branch
cd warden
git remote add trinitycore git://github.com/TrinityCore/TrinityCore.git
git fetch trinitycore

# Create a patch that should be applicable on all TC clones
git diff trinitycore/master...warden > warden.patch
[/CODE]

Hi Leak,

I don't know if liberate already pasted this crash to you guys, but since there is now an official thread about the branch ^^ I post here 1 crash I had after running this patch for 2,5 weeks.

I don't know if, since this is not official in the main repo, you want a crashdump related to Warden in the tracker…

http://pastebin.com/FqRBmtAC

Also I found out that there is 1 false positive. At least maybe not a real false positive, correct me if I'm wrong.

When you have nasty unwanted software on your PC (keyloggers and such), normally on blizz you get a box when you want to log in saying that you have a keylogger on your PC and that you need to check a certain website.

On this Warden that option is not present, so it's either ban/kick/log or nothing; there is no separation in that part.

So when you have it set to ban it will ban the account.

The check is ID 438 (failed Warden check 438).

So I emptied that table leaving only the ID in it, so basically it checks nothing now, but that seems safer at this point…

Adding a mutex to RequestData fixed this crash for me.

Might share the code so that leak or another dev can take a look at it and see if it's possible to implement it?

gr.

Documentation about checks (Targets of checks, False positives, etc.)

Checks 209 and 385 are related to WoWemuhacker; tested it multiple times.

Didn't find if there is a check responsible for WPE-pro, unfortunately.

There might be a new check for the Lua protection disabler.

[CODE]INSERT INTO `warden_data_result` (`check`,`data`,`str`,`address`,`length`,`result`,`comment`) VALUES (243,'','',5345728,2,'558B','Lua Protection Remover');[/CODE]

Taken from this thread… http://www.trinitycore.org/f/topic/3476-wardensystem-for-trinity/page__view__findpost__p__24005

Remember the database part is not called warden_data_result in this branch, so you might check that. I haven't checked the above insert to see if it really does what it's supposed to do.

Is this crash from another port/branch or is it from this very branch? I don’t intend to support other ports.

I already added the LUA check into the provided SQL (sql/warden), only lacks documentation in form of a comment atm.

The crash is from the original TOM_RUS warden.

proposed fix

http://pastebin.com/ZE1sdbbr

Please test if that crash is reproducible on the testing branch above.

@Leak the crash I mentioned is from warden3.patch, then you know enough ^^ As mentioned, I tested this patch with liberate, so it's the original patch that you inserted into your repo.

Also I see in your repo fewer checks than I got from the patch I got before… I think I had 802.

What's the difference?

These checks are identical … see http://getmangos.com/community/post/136599/#p136599

Maybe one of the driver checks

I might as well import the new table from Leak then, since the old Warden patch for Trinity has indeed duplicates then, not that it does matter, I think…

@maestro

warden3.patch is way outdated, fixed a couple of things meanwhile

The checks are from TOM_RUS's implementation; I cleaned the duplicates (see Mangos forum thread) and added the LUA check.

Thanks leak, as mentioned I will test the new table a.s.a.p.

For now it works great also with the old warden3.patch checks, but there are indeed dupes then.

Also I saw that the .reload command for the warden table works, which was not in the older patch. Great job.

We can now reload it on the fly when there is a new check…

For some reason, the warden system doesn’t work for me. This is my config:

[CODE]# WARDEN SETTINGS
#
#    Warden.Enabled
#        Description: Enable Warden anticheat system.
#        Default:     0 - (Disabled)
#                     1 - (Enabled)

Warden.Enabled = 1

#
#    Warden.DebugLogFile
#        Description: Debug log file for Warden, ClientCheckFailAction will be sent to regular
#                     server log.
#        Default:     "" - (Disabled)
#                     "Warden.log" - (Enabled)

Warden.DebugLogFile = "Warden.log"

#
#    Warden.ClientResponseDelay
#        Description: Time (in seconds) before client is getting disconnecting for not responding.
#        Default:     90 - (90 Seconds)
#                     0 - (Disabled, client won't be kicked)

Warden.ClientResponseDelay = 90

#
#    Warden.ClientCheckPeriod
#        Description: Time (in seconds) +/- 5 seconds between sending check requests to the client.
#                     A low number increases traffic and load on client and server side.
#        Default:     30 - (25-35 seconds)

Warden.ClientCheckPeriod = 5

#
#    Warden.ClientCheckFailAction
#        Description:
#        Default:     0 - (Disabled, Logging only)
#                     1 - (Kick)
#                     2 - (Ban)

Warden.ClientCheckFailAction = 0

#
#    Warden.BanDuration
#        Description: Time (in seconds) an account will be banned if ClientCheckFailAction is set
#                     to ban.
#        Default:     86400 - (24 hours)
#                     0 - (Permanent ban)

Warden.BanDuration = 86400[/CODE]

Worldserver looks correct.

2011-08-10 13:01:31 Loading Warden Checks…
2011-08-10 13:01:31 >> Loaded 780 warden checks.

But it seems that the server doesn’t send any warden data packets.

And you can tell this how?

Since I don't get banned while I have all my cheats on?

K I changed it to

Warden.ClientCheckFailAction = 1

Yet I don’t get kicked =/

I suggest you also check your logs, and by that I mean your server log, since there you can filter on warden and see if there is something logged related to warden.
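One way to do the log filtering suggested above while `Warden.ClientCheckFailAction = 0` (logging only), as an added example that is not part of the thread or the branch's code: it tallies failed check IDs per account so that a check like 438 can be reviewed before kick or ban is switched on. Only the phrase "failed Warden check <id>" comes from the thread; the timestamp and `account <id>` layout of the sample lines, the function names and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines. Only "failed Warden check <id>" is taken from the
# thread; the rest of the line layout is an assumption for this example.
SAMPLE_LOG = """\
2011-08-10 13:05:12 account 17 failed Warden check 438
2011-08-10 13:05:40 account 17 failed Warden check 438
2011-08-10 13:06:02 account 23 failed Warden check 438
2011-08-10 13:07:15 account 42 failed Warden check 209
2011-08-10 13:09:31 account 58 failed Warden check 438
2011-08-10 13:11:00 >> Loaded 780 warden checks.
"""

FAIL_RE = re.compile(
    r"account (?P<account>\d+) failed Warden check (?P<check>\d+)"
)


def failures_by_check(lines):
    """Map check id -> set of distinct account ids that failed it."""
    seen = defaultdict(set)
    for line in lines:
        m = FAIL_RE.search(line)
        if m:  # unrelated server log lines are skipped
            seen[int(m["check"])].add(int(m["account"]))
    return dict(seen)


def review_candidates(lines, min_accounts=3):
    """Check ids failed by at least min_accounts distinct accounts.

    Heuristic (assumption): a check that fires across many unrelated
    accounts deserves a manual look before it may kick or ban.
    """
    by_check = failures_by_check(lines)
    return sorted(c for c, accts in by_check.items()
                  if len(accts) >= min_accounts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for check, accounts in sorted(failures_by_check(lines).items()):
        print(f"check {check}: {len(accounts)} account(s) {sorted(accounts)}")
    print("review before enabling kick/ban:", review_candidates(lines))
```

Repeated failures from one account count once, so a single noisy client does not push a check over the threshold.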

Warden anticheat patch from TOM_RUS and leak for TC

http://filebeam.com/62259dac24b8d0d11e6efc3df6292710

to apply (in unix) unpack to TrinityCore directory and run command:

patch -p1 <warden_anticheat_leak_tom-rus_for_tc_e671021527829d50abd9.diff

in TrinityCore directory