[VB 6.0] detect injections

Started by Eamon; 2 comments, last by Cygon 15 years, 8 months ago
Hello, I'm currently working on an anticheat program for RTCW. This program is written in Visual Basic 6.0. I would like to know if anyone knows a way to detect injections or 'hooks' to a process (like a game, for example). I've already tried to enumerate all the modules, but that's too slow, because by the time I finally get the (complete) module list, a hook can already be injected. I've also tried to check the description of every running process to see if it matches the description of a cheat; however, it doesn't get the FileDescription value out of the VersionInformation string (at least not for the cheat processes). Would it be wise to check every module of the game executable (rtcw) to see if its owner is Microsoft, or the game's publisher? With kind regards, Eamon
Reversing: Secrets of Reverse Engineering by Eldad Eilam
Exploiting Online Games: Cheating Massively Distributed Systems by Greg Hoglund, Gary McGraw
gamedeception forums
woodmann forums

The practical answer for the dumber hacks is to enumerate the process module list, but an injected module can remove itself from that list. It's a problem of escalation: you come up with an antihack, they come up with a better hack. Sooner or later you are both writing kernel drivers.

Quote: Would it be wise to check every module of the game executable (rtcw) to see if its owner is Microsoft, or the game's publisher?

Probably not, because the module (or hooked kernel) can always lie. You might call EnumModules or whatever the API is, but the malicious module might have already hooked it, so you might want to traverse the data structure manually, but they might have modified the contents of the structure, ...

There's some good documentation on how PunkBuster works on the Game Deception forums, if you can tolerate the noise from the script kiddies.
Alright, thanks for the info.

One more thing,

Do you think (or know) whether C(++) is more efficient than VB for programming an anticheat client?
I think this is one of the places where C++ is actually better. Not because of the usual ideological debate, but because for the task at hand, direct pointer manipulation, writing DLL hooks and possibly even raw performance are useful.

It's not exactly my area of expertise, but you can control a process through a debugging hook. That allows you to pause an application and gives you time to scan its memory at will. Some copy protections won't like this.

Another hook provided by the Windows API will allow you to monitor when a process loads DLLs, so you could theoretically compile a list of all libraries loaded by an unmodified game and detect when something out of the usual is loaded.
Professional C++ and .NET developer trying to break into indie game development.
Follow my progress: http://blog.nuclex-games.com/ or Twitter - Topics: Ogre3D, Blender, game architecture tips & code snippets.
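Cygon's suggestion of recording the libraries an unmodified game loads and flagging anything outside that list, combined with the publisher check Eamon asked about, as an added PowerShell example; this is not code from the thread or from any anticheat project. It assumes the game process is called 'WolfMP' and keeps its baseline under %TEMP%; both are placeholders. The first run on a known-clean install writes the baseline, later runs report modules that are new, whose file hash changed, or whose Authenticode signature is not valid.

```powershell
# Added example, not code from the thread: snapshot the modules loaded in a
# process, keep the snapshot as a baseline, and on later runs report modules
# that are new, changed on disk, or not carrying a valid publisher signature.
# 'WolfMP' is an assumed process name; the thread does not give the real one.
param(
    [string]$ProcessName  = 'WolfMP',
    [string]$BaselinePath = (Join-Path $env:TEMP "$ProcessName-modules.json")
)

function Get-ModuleSnapshot {
    param([Parameter(Mandatory)][string]$Name)
    $proc = Get-Process -Name $Name -ErrorAction Stop | Select-Object -First 1
    foreach ($m in $proc.Modules) {
        # Authenticode signer is a more reliable "owner" than FileDescription,
        # which the original poster found missing on the files of interest.
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        [pscustomobject]@{
            Path      = $m.FileName
            Sha256    = (Get-FileHash -Path $m.FileName -Algorithm SHA256).Hash
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SigStatus = $sig.Status.ToString()   # 'Valid', 'NotSigned', 'HashMismatch', ...
        }
    }
}

function Compare-ModuleSnapshot {
    param([object[]]$Baseline, [object[]]$Current)
    $known = @{}
    foreach ($b in $Baseline) { $known[$b.Path.ToLowerInvariant()] = $b }
    foreach ($c in $Current) {
        $key = $c.Path.ToLowerInvariant()
        $findings = @()
        if (-not $known.ContainsKey($key))            { $findings += 'NEW_MODULE' }
        elseif ($known[$key].Sha256 -ne $c.Sha256)    { $findings += 'HASH_CHANGED' }
        if ($c.SigStatus -ne 'Valid')                 { $findings += 'SIGNATURE_' + $c.SigStatus.ToUpperInvariant() }
        foreach ($f in $findings) {
            [pscustomobject]@{ Finding = $f; Path = $c.Path; Signer = $c.Signer }
        }
    }
}

if (-not (Test-Path -Path $BaselinePath)) {
    # First run on a known-clean install: record the baseline.
    Get-ModuleSnapshot -Name $ProcessName | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
} else {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $current  = Get-ModuleSnapshot -Name $ProcessName
    $report   = Compare-ModuleSnapshot -Baseline $baseline -Current $current
    if ($report) { $report | Format-Table -AutoSize } else { Write-Output 'No deviations from baseline.' }
}
```

Run the script while the game is up, once on a clean install and again whenever a check is wanted. The caveats raised in the thread apply unchanged: the Modules property reads the same loader list that the module-enumeration API returns, so a module that has unlinked itself from that list, or a hook on the enumeration call itself, is invisible to this check. It is a first line of detection in user mode, not a replacement for the kernel-level measures the replies mention. The script and the game must also have the same bitness, otherwise Get-Process cannot read the module list.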

