dutchmeat

[VB 6.0] detect injections


Hello, I'm currently working on an anticheat program for RTCW. This program is written in Visual Basic 6.0. I would like to know if anyone knows a way to detect injections or 'hooks' into a process (like a game, for example). I've already tried to enumerate all the modules, but that's too slow, because by the time I finally get the (complete) module list, a hook can already be injected. I've also tried checking the description of every running process to see if it matches the description of a cheat; however, it doesn't get the FileDescription value out of the VersionInformation string (at least not for the cheat processes). Would it be wise to check every module of the game executable (rtcw) to see if its owner is Microsoft or the game's publisher?

With kind regards,
Eamon

Reversing: Secrets of Reverse Engineering by Eldad Eilam
Exploiting Online Games: Cheating Massively Distributed Systems by Greg Hoglund, Gary McGraw
gamedeception forums
woodmann forums

The practical answer for the dumber hacks is to enumerate the process module list, but an injected module can remove itself from that list. It's a problem of escalation: you come up with an anti-hack, they come up with a better hack. Sooner or later you are both writing kernel drivers.

Quote:
Would it be wise to check every module of the game executable(rtcw) if it's owner is Microsoft, or the game's publisher?

Probably not, because the module (or hooked kernel) can always lie. You might call EnumModules or whatever the API is, but the malicious module might have already hooked it, so you might want to traverse the data structure manually, but they might have modified the contents of the structure, ...

There's some good documentation on how PunkBuster works on the game deception forums, if you can tolerate the noise from the script kiddies.

I think this is one of the places where C++ is actually better. Not because of the usual ideological debate, but because for the task at hand, direct pointer manipulation, writing DLL hooks and possibly even raw performance are useful.

It's not exactly my area of expertise, but you can control a process through a debugging hook. That allows you to pause an application and gives you time to scan its memory at will. Some copy protections won't like this.

Another hook provided by the Windows API will allow you to monitor when a process loads DLLs, so you could theoretically compile a list of all libraries loaded by an unmodified game and detect when something out of the usual is loaded.

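The two replies above point at the same weakness from different angles: a list built inside the game (by calling an API or walking the loader's own structures) can be edited by the thing you are looking for, and a baseline of what a clean game loads is only useful if you compare against something the cheat did not get to edit. The example below is an added illustration, not code from this thread or from any anticheat product. It is portable C with the two module views supplied as constructed sample data; on Windows the external view would come from another process via CreateToolhelp32Snapshot(TH32CS_SNAPMODULE) with Module32First/Module32Next (or EnumProcessModules from psapi), and the in-process view from walking the PEB's Ldr module lists. Those acquisition steps are assumed, not shown. The check reports three things: a module the OS maps that the in-process list no longer shows (cross-view discrepancy), a module name absent from the clean baseline, and a known name mapped from a directory other than the one recorded in the baseline.

```c
/* Added example (not from the thread): cross-view module check for a game
 * process. The two module lists are constructed sample data standing in for
 * (a) an external view taken from another process with
 *     CreateToolhelp32Snapshot(TH32CS_SNAPMODULE) + Module32First/Next, and
 * (b) the in-process view obtained by walking the PEB Ldr module lists.
 * Everything else is portable C so it compiles anywhere (C99 or later). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

typedef struct {
    const char   *name;  /* module file name, e.g. "opengl32.dll" */
    const char   *dir;   /* directory it was mapped from */
    unsigned long base;  /* image base address */
} Module;

typedef struct {
    int hidden;      /* seen from outside, missing from the in-process list */
    int unknown;     /* name not in the baseline recorded from a clean game */
    int wrong_path;  /* known name, but loaded from an unexpected directory */
} Findings;

/* Baseline recorded once from an unmodified install (constructed data). */
static const Module baseline[] = {
    { "rtcw.exe",     "C:\\games\\rtcw",       0 },
    { "kernel32.dll", "C:\\Windows\\System32", 0 },
    { "opengl32.dll", "C:\\Windows\\System32", 0 },
};
#define BASELINE_N (sizeof baseline / sizeof baseline[0])

/* Case-insensitive compare: Win32 file names and paths are case-insensitive. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;            /* both strings ended together */
}

static const Module *find_by_base(const Module *list, size_t n, unsigned long base)
{
    for (size_t i = 0; i < n; i++)
        if (list[i].base == base)
            return &list[i];
    return NULL;
}

static const Module *find_by_name(const Module *list, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (ieq(list[i].name, name))
            return &list[i];
    return NULL;
}

/* Compare the external view against the in-process view and the baseline. */
Findings check_modules(const Module *ext, size_t n_ext,
                       const Module *in,  size_t n_in)
{
    Findings f = { 0, 0, 0 };
    for (size_t i = 0; i < n_ext; i++) {
        const Module *m = &ext[i];
        /* 1. Cross-view: a module the OS maps but the in-process list no
         *    longer shows has unlinked itself (or hooked the in-process walk). */
        if (!find_by_base(in, n_in, m->base)) {
            printf("hidden:     %s (base 0x%lx)\n", m->name, m->base);
            f.hidden++;
        }
        /* 2. Baseline: an unknown name, or a known name mapped from the wrong
         *    directory (a look-alike DLL dropped next to the game binary). */
        const Module *b = find_by_name(baseline, BASELINE_N, m->name);
        if (!b) {
            printf("unknown:    %s from %s\n", m->name, m->dir);
            f.unknown++;
        } else if (!ieq(b->dir, m->dir)) {
            printf("wrong path: %s from %s (expected %s)\n", m->name, m->dir, b->dir);
            f.wrong_path++;
        }
    }
    return f;
}

/* Constructed snapshot: one injected DLL that unlinked itself from the
 * in-process list, and a system DLL name mapped from the game directory. */
Findings run_demo(void)
{
    static const Module ext[] = {
        { "rtcw.exe",     "C:\\games\\rtcw",       0x00400000UL },
        { "kernel32.dll", "C:\\Windows\\System32", 0x7c800000UL },
        { "opengl32.dll", "C:\\games\\rtcw",       0x5f000000UL },
        { "inject.dll",   "C:\\games\\rtcw",       0x10000000UL },
    };
    static const Module in_proc[] = {   /* inject.dll is missing here */
        { "rtcw.exe",     "C:\\games\\rtcw",       0x00400000UL },
        { "kernel32.dll", "C:\\Windows\\System32", 0x7c800000UL },
        { "opengl32.dll", "C:\\games\\rtcw",       0x5f000000UL },
    };
    return check_modules(ext, 4, in_proc, 3);
}

int main(void)
{
    Findings f = run_demo();
    printf("hidden=%d unknown=%d wrong_path=%d\n", f.hidden, f.unknown, f.wrong_path);
    return (f.hidden || f.unknown || f.wrong_path) ? 1 : 0;
}
```

Matching on image base rather than name is deliberate: a module that rewrites its own name in the loader entry still occupies the same mapping. The caveat the first reply makes still applies, though. A cheat that hooks the snapshot API in the scanning process, or sits in the kernel, can make both views agree, so this catches the user-mode "unlink from the PEB" trick and planted DLLs, not a determined kernel-level opponent.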
