Isn't the whole point that accessing the rendered image is blocked in the first place? (after all, a bot could look at it and determine what to do based on that)

I doubt it. The bots that work off imagery require not only the color buffer but the depth buffer also.

L. Spiro

Assuming the target of your client is a game protected by X-Trap, one way is to write a kernel driver that hooks SwapContext() so that when any thread belonging to X-Trap is started you set back the memory you modified (or vise-versa—when the game’s thread is activated you set the modified memory back, and put the original back when it is deactivated).

As of Windows Vista (64-bit, anyway), your driver needs to be signed by Microsoft or equivalent authority in order to be loaded outside safe mode. I am not sure if it is possible to bypass the signing policy without the user's consent, but in any case doing that is flat out illegal. I am not sure how dedicated WerWoolf is, though :p

Or you could just take a screenshot without modifying the game’s memory…
http://msdn.microsoft.com/en-us/library/dd144947%28VS.85%29.aspx
http://msdn.microsoft.com/en-us/library/dd183370%28VS.85%29.aspx

This worked great up to XP, but with the new WDDM model the cost involved in retrieving the frontbuffer is extremely high (at least with Aero enabled), so I don't think this will give the realtime performance expected of a screen recording application (but again, maybe this is good enough). Perhaps Windows 8 has changed that, though.

DarkByte (author of CheatEngine) bypassed the signing procedure last I heard.

But I haven’t been in the hacking scene or working on MHS in years.

L. Spiro