Zlitz, the creator of the pay2use StarCraft II Advanced Maphack, gave me the source code for the anti-signature scan code. Simple Warden protection. You hook VirtualQueryEx in the kernelbase module. He also hooks GetModuleHandle in kernelbase to detect if Warden is scanning in kernelbase. If Warden is scanning, exit. It also seems like the same Warden protection code is used in slitz version of the hack found here. Blizzard! You can now detect two used hacks lmao!

Code:

Code:
	Game.dwkernelBaseModule = GetModuleHandle( "kernelbase.dll" );
	if( Game.dwkernelBaseModule == NULL )
		return false;


	Game.dwGetModuleHandleA = ( DWORD )GetProcAddress( Game.dwkernelBaseModule, "GetModuleHandleA" );
	if( Game.dwGetModuleHandleA == NULL )
		return false;


	Game.dwGetModuleHandleABack = Game.dwGetModuleHandleA + 5;


	Game.dwVirtualQueryEx = ( DWORD )GetProcAddress( Game.dwkernelBaseModule, "VirtualQueryEx" );
	if( Game.dwVirtualQueryEx == NULL )
		return false;


	Game.dwVirtualQueryExBack = Game.dwVirtualQueryEx + 5;

Code:
SIZE_T CGame::CWarden::VirtualQueryEx_Hook( HANDLE hProcess, LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength )
{
	Game.Warden.hookedVirtualQueryEx = true;


	if( lpBuffer != NULL )
	{
		if( lpAddress >= Core.dllModule && lpAddress < Core.dllModule + Core.dllModuleSize )
		{
			lpBuffer->AllocationBase = 0;
			lpBuffer->AllocationProtect = 0;
			lpBuffer->State = MEM_FREE;
			lpBuffer->Protect = PAGE_NOACCESS;
			lpBuffer->Type = 0;
		}
	}
	
	_asm jmp Game.dwVirtualQueryExBack
}
Code:
DWORD tempBase;
HMODULE CGame::CWarden::GetModuleHandleA_Hook( LPCTSTR lpModuleName )
{
	Game.Warden.hookedGetModuleHandleA = true;


	_asm pushad
	if( !lstrcmpi( lpModuleName, "kernelbase.dll" ) )		//kernelbase.dll
	{
		_asm mov ecx, dword ptr ds:[esp]
		_asm mov eax, dword ptr ds:[ecx]
		_asm mov tempBase, eax
		if( *( DWORD *)( tempBase+1 )== 0x65786540 )
			ExitProcess( 0 );
	}
	_asm popad
	_asm jmp Game.dwGetModuleHandleABack
}