Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
hide process

prexsoccer
Advanced Cheater
Reputation: 0

Joined: 22 Aug 2009
Posts: 63
Location: Philippines

PostPosted: Sat Feb 26, 2011 11:11 am    Post subject: hide process

Is it possible to hide a process in CE v6.0?

if(yes){

how?

}else{

is there a way to hide the process?

}

_________________
show me what you got......
ipivb
Master Cheater
Reputation: 5

Joined: 29 May 2010
Posts: 256

PostPosted: Sat Feb 26, 2011 4:03 pm    Post subject:

Either you just said something way over my head, or your English is bad.

You mean like hide the process from Task Manager? I believe what you are trying to do is make a UCE. There should be tutorials for that. From what I remember of the old days, its process name was not hidden -- it was simply changed. Along with many, many other parts of CE, until it was finally undetected. Dark Byte has a very detailed thread on exactly how to do it (though I'm sure it's pretty outdated by now).
atom0s
Moderator
Reputation: 152

Joined: 25 Jan 2006
Posts: 7827
Location: 127.0.0.1

PostPosted: Sat Feb 26, 2011 4:48 pm    Post subject:

Edit CE's driver if you want to hide the process; you'll need to do it from the kernel level for any bit of security and to help ensure your alterations aren't detected as easily.

It's not a default option in CE though.

There are plenty of examples of how to do what you are asking online. Check out some sites like:
http://packetstormsecurity.org/

They have examples including source code etc. for what you want to do.

If you have trouble locating some information, then search for rootkits since that's basically what you are asking for.

_________________
- Retired.
M.CORP
Grandmaster Cheater Supreme
Reputation: 28

Joined: 28 Oct 2009
Posts: 1010

PostPosted: Sun Feb 27, 2011 12:34 am    Post subject:

This might help:
http://www.rohitab.com/discuss/topic/23880-dkom-process-hider/
Haven't checked it, but reply if it does not work.

_________________
Shameless Self Advertising!
Steam
Just lurking around...
prexsoccer
Advanced Cheater
Reputation: 0

Joined: 22 Aug 2009
Posts: 63
Location: Philippines

PostPosted: Sun Feb 27, 2011 4:07 am    Post subject:

Sorry about my bad English, I explained it badly ^_^

My point is, I want CE to be undetectable, for the reason that some online games have this kind of guard, like MuGuard and GameGuard.

@ipivb - can you give me the link? I think it's very useful. Changing the process name is great, but the problem is I don't know how.

@Wiccaan - ok man, I will try that one. ^^

@+=Marvin=+ - worm was detected.

_________________
show me what you got......
ipivb
Master Cheater
Reputation: 5

Joined: 29 May 2010
Posts: 256

PostPosted: Sun Feb 27, 2011 8:09 am    Post subject:

Well... I hate to be the bringer of bad news, and I really don't mean to disappoint you. But to make a UCE for GameGuard, you will need to do a LOT more than hide the process. And that's an understatement.
Personally, I've always wondered why you couldn't run the game in VMware, and then hook CE onto VMware and edit that way (you'd still need a bypass so GameGuard doesn't detect memory edits). But I'm sure there's some reason why that's impractical.

What I am about to post will be very disappointing. If you are even remotely good enough at programming to barely understand it... then you are far better off simply programming your own "mini CE" (aka trainer) from scratch. That way you'd only need a bypass, and it wouldn't be so detected.
The tutorial I was referring to was actually Dark Byte's UCE log, which seems to have been removed from this forum. However, I found it somewhere else. It is DB's log explaining everything he had to change in order to make CE undetected, and this was way back in the day. It's even harder now.

That being said, it is still an interesting read. DB has a good sense of humor. I always giggled when I read the part where he says the PayPal donation link is the most important code there is xD.

Dark Byte wrote:
decided to make a uce and make a log for it so you guys may learn the method I use. (it's slow, takes a lot of time and patience, but eventually works)
I start out with a half uce. (this is starting from an old ce version, even before the 5.3 release, I had to add loadbinary to it separately)

note:
When I add a unit I remove uses from the list that haven't officially been added yet to prevent them from being compiled. (That means I then have to comment out the procedures that use stuff of those units that aren't included anymore)

note2: Please understand that I don't type flawlessly, so don't just copy/paste names and hope they work. (You need an IQ of above 30 to be able to figure out what the real name should be)


day 1:
removed all files from the dpr except main and commented out all code and slightly resized the main window. (using (* *) to comment)
CE undetected

adding some files back
MainUnit, ProcessWindowUnit, formsettingsunit, UndoChanges, HotkeyHandler, MainUnit2, NewKernelHandler, AddAddress,
CEFuncProc, (commented basically all code, and only for each function uncomment the needed functions)
SyncObjs2,
Debugger,
symbolhandler ,
disassembler ,
frmautoinjectunit ,
autoassembler
hypermode
Assemblerunit
AdvancedOptionsUnit
CommentsUnit
frmProcessWatcherUnit
debugger2
Filehandler

added aboutunit.pas. CAUSED DETECTION
commented out all code in aboutunit.pas, UNDETECTED.
Meaning, detection is inside the code
put the code back, except link to forum and link to paypal donation
uncommented paypal (most important piece of code there is) UNDETECTED, meaning that the link to the forum is detected.
Note, link to the mainsite was already commented, likely to be detected as well.

added units:
plugin
pluginexport
memorybrowser HACK ATTEMPT DETECTED
commented ALL code: hack detected. means GUI or unitname stuff
renaming unitname to mbu
noticed foundcode is used, removed it. :DETECTED
removed mbu.pas from project: UNDETECTED
added mbu.pas back, and wiped the uses list DETECTED
changed object name from TMemoryBrowser to TMB, caption to Mem View
UNDETECTED
Caption or objectname is detected
Resetting objectname to TMemoryBrowser (hoping this isn't detected, else I'll have to do some replacing)
DETECTED (crap) Time to use ASR to replace it. (or manually if needed)
Renaming to MB to test it's not a fluke: UNDETECTED
Time to re-add some code
(for people using replace tools, first replace all MemoryBrowserFormUnit to mbu and then replace all MemoryBrowser to mb)

uncommented Pastefromclipboard1Click and stringtobytes (cefuncproc)


adding units:
valuechange (DETECTED)
changing name of ValueChangeFrom to VCF
HACK DETECTED, changing name back for now and comment code
commenting out all code DETECTED
also changing name DETECTED
changed caption of window to "homo" DETECTED
changed vartype to "VRTP" DETECTED
resized window DETECTED
changed combobox item values from:
1 Byte
2 Bytes
4 Bytes
8 Bytes
Float
Double
Text
Array of Bytes

to:one
two
three
four
five
six
seven
eight

DETECTED

changed valuetext to vinput DETECTED
commented out the private and public parts of the class DETECTED
changed cbUnicode to cbu DETECTED
rename valuechange.* to vsu.* DETECTED
remove vsu.pas... UNDETECTED

adding reinit.pas UNDETECTED
adding typepopup DETECTED (perhaps detected because of form count?)
created a new form (empty) UNDETECTED
gave it the properties + components of VSU DETECTED
renamed button1 and button2 to bx and by DETECTED
setting bordericons to default DETECTED
setting borderstyle to default : bsSizeable DETECTED
changing valuetext to vltext (seems I only changed the caption) DETECTED
resizing and moving every object UNDETECTED WTF?
removed temp form, re-added vsu.pas, changed width of buttons DETECTED
changed position of buttons to the extremes DETECTED
changed WIDTHS of objects UNDETECTED
only changed the width of the combobox with items UNDETECTED
width=120=UNDETECTED
width=121=DETECTED (LOL, that's a manually set value, so for people reading this, try to set all sizes divisible by 2 (or better divisible by 8, that's delphi's default anyhow, so just juggling the width will fix it)

restored valuechange to original except width=120 DETECTED
commenting code DETECTED
changing vartype to vrt UNDETECTED (good old vartype detection I see)
commented code (but properties and function names intact) DETECTED
changed the caption UNDETECTED

Day 2:

added unit:
addressparser
APIhooktemplatesettingsfrm
changeoffsetunit
changetimers
ConfigUnrandomizerFrm
dissectcodethread
dissectcodeunit uncommenting getexecutablememoryregionsfromregion

driverlist
ExtraTrainerComponents
findwindowunit
firstscanhandler
formAddressChangeUnit
formAddToCodeList
formChangedAddresses
FormDebugStringsUnit
formDifferentBitSizeUnit
formFoundcodeListExtraUnit
formHotkeyunit
formMemoryModifier
DETECTED (ok, this isn't an important one, but just for fun trying to make it undetected)
changed caption to TM : DETECTED
changed objectname from frmMemoryModifier to MM DETECTED
changed Generate Trainer to GenTrain : DETECTED
changed "List of items in the trainer" to "doh" :DETECTED
changed widths of all objects to divisible by 5: DETECTED
ren "formMemoryModifier.*" mmu.* :DETECTED
change caption of ALL objects except memo with text cheatengine.org :DETECTED
also change memo: UNDETECTED (i'm a retard sometimes)
restored formMemoryModifier and only change memo

added units:
formMemoryTrainerAddEntry
MemoryTrainerDesignUnit
memoryregionsunit
formMemoryTrainerUnit
formPatcher*
formPointerOrPointeeUnit
formProcessInfo
formScanningUnit
foundcodeunit
frmBreakpointlistunit
frmBreakThreadUnit
injectedpointerscanunit
SaveFirstScan

uncommented some code in mainunit (Hotkey2)

added hotkeys.pas uncommented ConvertKeyComboToString DETECTED
comment out ConvertKeyComboToString DETECTED
removed hotkeys.pas to make sure it is detected UNDETECTED
commented code :detected
changed odd widths of some objects to normal widths: UNDETECTED

uncomment ConvertKeyComboToString (and the code in hotkeys.pas that uses it)
uncomment TMainForm.hotkey (+MainForm.enable/disablecheat)
uncomment TMainForm.freedebugger and TMainForm.CheckIfSaved
added PasteTableentryFRM
uncomment TMainform.Paste1Click + TMainform.paste
uncomment TMainform.Copy1Click + copySelectedRecords
uncomment freezethem + setbit

uncomment reinterpretaddresses

added InjectedpointerscanornotFRM
uncomment Findoutwhataccessesthisaddress1Click+SetReadWriteBreakpoint
uncomment Browsethismemoryregion1Click,ValueClick+changevalue
uncomment SortByTypeButtonClick+SortByValueButtonClick+Sc4nvalueoldKeyPress+checkpaste

uncomment Calculatenewvaluepart21Click :DETECTED (what a surprise, same as always)
pinpointed the detected code to the code in "if err>0 then" behind the val call

changed =-1 to not xxx>=0 UNDETECTED
of course, since it's not a very important piece of code you could just comment it out as well


uncomment code of V4rTypeChange+VarToBytes + ByteStringTo*
uncommented some more mainunit code and undetected
added pointerscannerfrm
uncommented newscan + uncomment GetMemoryRangesAndScanValue2+GetMemoryRanges2+closefiles
uncommented NextScanButtonClick

uncommented TypeClick+Deletethisrecord1Click+SortByFrozenButtonClick+SortByDescriptionButtonClick+SortByDescriptionButtonClick+deletegroups
uncommented ScanTypeChange+ScanTypeChange
uncommented DosClick +windowsclick+SpeedButton2Click
(note that 80000000 was already edited)

uncommented SpeedButton3Click+Selectallitems1Click+Freezealladdresses2Click
included opensave
uncomment actOpenExecute
uncomment actSaveExecute, hmm remember, this STARTED out as a uce, a clean ce might get detected here

add units:
frmhotkeyconfigunit
frmExcludeHideUnit
ModuleSafetyUnit

uncommented TformSettings.Button1Click
uncommented all formsettings code
uncommented all mainunit2 code
uncommented all undochanges code
uncommenting code of newkernelhandler undetected... again, remember I started out with an old uce, usually this is detected (especially the order the functions are loaded)

test inbetween: enable kernelmode read/write processmemory
DETECTED
turn off option in settings and restart uce
UNDETECTED
this indicates that the DLL is detected

uncommented all code of addaddress
added addressparser
added frmstacktraceunit
added frmThreadlistunit
added frmCreatedProcessListUnit
uncommented all code in debug
added APIhooktemplatesettingsfrm

uncommenting all code of frmautoinject+AddAutoAssembleScript
added frmDissectwindowUnit, frmCapturedTimersUnit and frmDirectXUnit
added frmFindCodeInFileUnit and standaloneunit
uncommenting all advancedoptions code
uncommenting all frmProcessWatcherUnit code
uncommenting all debug2 code
uncommenting frmModifyRegistersUnit code
uncommented getathreadid
uncommented pluginexports
uncommented plugin
uncommented formscanning+FillListIfPossible

uncommented loadptr and loadv6 (opensave.pas)
uncommented findwindow

uncommented valuechange code

for those wondering how I find my commented code back, I do a file search for "(*" since it's used nowhere else in the code

added unit frmEnumerateDLLsUnit
frmFindstaticsUnit
savedisassemblyfrm
frmSaveMemoryRegionUnit
frmLoadMemoryunit
-
frmFillMemoryUnit
frmCodecaveScannerUnit
symbolconfigunit
Structuresfrm
-
frmDisassemblyscanunit,driverlist and ServiceDescriptorTables

uncommented create and show in memorybrowser
uncommented ALL code in memorybrowser, still undetected.

UCE GUI IS UNDETECTED and fully operational

Next step, making the dll undetected:

day3:
making the dll undetected (dbk32 folder)
first off, rename dbk32* to wii128* (and make the same adjustment in ce's newkernelhandler.pas)
change that also in the dpr of the dll and unitname of wii128functions.pas
in gui enable settings->extra->read/write processmemory
Driver doesn't have to be present, this will just load the dll
DETECTED
removing all exports UNDETECTED

uncommenting exports
VQE,OP,OT,NOP,RPM,WPM and VAE
UNDETECTED

uncommenting exports
CreateRemoteAPC
ReadPhysicalMemory
WritePhysicalMemory
GetPhysicalAddress
GetPEProcess
GetPEThread

DETECTED
comment back

uncomment
CreateRemoteAPC
ReadPhysicalMemory
WritePhysicalMemory
UNDETECTED

uncomment
GetPhysicalAddress
GetPEProcess
GetPEThread
DETECTED
recomment

uncomment GetPhysicalAddress
uncomment GetPEProcess DETECTED
commenting code of peprocess DETECTED
renaming function from GetPEProcess to GPEP (and adjust it in newkernelhandler.pas)
UNDETECTED
uncommenting code of GPEP UNDETECTED (obviously)

uncomment GetPEThread
uncomment
ProtectMe
UnprotectMe
IsValidHandle

uncomment
GetCR4
GetCR3
SetCR3

uncommented all other functions
UNDETECTED

one extra thing, changed the iocontrol input sizes a little bit. e.g. readprocessmemory can do with a lot smaller input, and writeprocessmemory can do with a lot smaller output (as an extra precaution since I heard combinations of parameters were blocked)

GUI and DLL are undetected now

----------------------------------
making the driver undetected:
edit sources.ce and only leave dbkdrvr.c
comment out MSJDispatchIoctl completely
comment out MSJUnloadDriver completely (till //unhook, so unload still works)
comment out createremoteapc
comment out AddressOfInterrupt1Handler=interrupt1; (because I need to add that source file)
and comment out the code for "//determine if PAE is used"
comment out AddSystemServices
still DETECTED , so keep on continuing commenting out code
commented hideme routine (shouldn't matter since it's not used so not compiled)
commented out some more (especially dbgprints) and moved the folder from dbkdrvr to nvid888 and now UNDETECTED (not sure it's the folder, just doing this to be sure...)


time to re-add the code and see what's detected

uncomment setting of AddressOfKeAttachProcess in driverentry
uncomment case IOCTL_CE_OPENPROCESS:
uncomment case IOCTL_CE_OPENTHREAD:

uncomment IOCTL_CE_GETPEPROCESS:, IOCTL_CE_READPHYSICALMEMORY, IOCTL_CE_WRITEPHYSICALMEMORY
uncomment IOCTL_CE_GETPHYSICALADDRESS
uncomment IOCTL_CE_DONTPROTECTME,IOCTL_CE_SETSDTADDRESS, IOCTL_CE_GETSDTADDRESS, IOCTL_CE_GETCR3, IOCTL_CE_SETCR3
uncomment IOCTL_CE_GETSDT, IOCTL_CE_ISUSINGALTERNATEMETHOD
uncomment IOCTL_CE_GETPROCADDRESS, IOCTL_CE_ALLOCATEMEM_NONPAGED

added dbkfunc.c to the sources
uncomment IOCTL_CE_GETCR4
uncomment IOCTL_CE_GETIDT, IOCTL_CE_HOOKINTS
uncomment IOCTL_CE_USEALTERNATEMETHOD, IOCTL_CE_STOPDEBUGGING, IOCTL_CE_STOP_DEBUGPROCESS_CHANGEREG
uncomment IOCTL_CE_RETRIEVEDEBUGDATA,IOCTL_CE_DEBUGPROCESS,IOCTL_CE_DEBUGPROCESS_CHANGEREG

added processlist.c and rootkit.c to the sources file
commented out GetThreadData
uncomment IOCTL_CE_STARTPROCESSWATCH,IOCTL_CE_GETPROCESSEVENTS,IOCTL_CE_GETTHREADEVENTS
uncomment IOCTL_CE_CREATEAPC

added memscan.c to sources.ce
comment out WriteProcessMemory,GetMemoryRegionData, ReadProcessMemory and any other function not compilable due to keattachprocess2 (fixed by adding jumper.c)

added threads.c and jumper.c to sources.ce
all sourcefiles are back. Now uncomment commented out code till detected

uncomment IOCTL_CE_READMEMORY and IOCTL_CE_WRITEMEMORY
uncomment IOCTL_CE_MAKEWRITABLE, IOCTL_CE_QUERY_VIRTUAL_MEMORY
uncomment IOCTL_CE_GETPETHREAD,IOCTL_CE_PROTECTME
uncomment IOCTL_CE_SUSPENDTHREAD, IOCTL_CE_RESUMETHREAD, IOCTL_CE_SUSPENDPROCESS, IOCTL_CE_RESUMEPROCESS, IOCTL_CE_ALLOCATEMEM,

uncommented getshadowtable of the initializer ioctl
completely uncomment MSJUnloadDriver, unhook and AddSystemServices (exception of the dbgprint lines)
DETECTED
commented back addsystemservices and unhook DETECTED
comment back MSJUnloadDriver DETECTED
commented back getshadowtable UNDETECTED (isaddresssafe is called in there)
again completely uncomment MSJUnloadDriver, unhook and AddSystemServices (exception of the dbgprint lines) UNDETECTED

commented out isaddressafe
uncommented the getshadowtable code UNDETECTED
uncomment isaddresssafe from start till "UINT_PTR PTE,PDE;" UNDETECTED
uncommenting isaddresssafe completely
adding to dbkfunc.h "UINT_PTR pagedirstart;"
in driver entry add the code:
    pagedirstart = 0xc0000000;
    __asm { nop };
    if (pagedirstart != 0xc0000000)
        return FALSE; //zomfg, stack is messed
(that stupid if is just to make sure it's not optimized to a static var)
replace 0xc0000000 with pagedirstart in IsAddressSafe

UNDETECTED

uncomment writeprocessmemory
uncomment ReadProcessMemory
uncomment GetMemoryRegionData
uncomment mykapc+ code to detect PAE

DRIVER UNDETECTED

getting annoying crashes with the process list
copying recent source processlist.c/.h over current ones, and no crashes.


I won't bother with debug fixes, I made a separate tool for that, which will be implemented in the full ce version when done, not worth it in this example uce I quickly made

I've added the final sourcecode to this post for anyone interested.
(It's the SOURCECODE, you can't just double-click it and have a working ce)

I use windows DDK version 6000, if you use a different version you may have to replace the ntifs.h with the version in the cvs (if I haven't already overwritten it) or get it from an old ce
Dark Byte
Site Admin
Reputation: 373

Joined: 09 May 2003
Posts: 22009
Location: The netherlands

PostPosted: Sun Feb 27, 2011 8:15 am    Post subject:

Quote:

I've always wondered why you couldn't run the game in VMware, and then hook CE onto VMware and edit that way (you'd still need a bypass so gameguard doesn't detect memory edits). But I'm sure there's some reason why that's impractical.

and I've always wondered why people think you can't

You just have to enable mapped memory scanning in the settings of ce (it's off by default) and target the vmware image, and you can look through the physical memory of the virtual machine for AOBs of code or even values. (of course, because it's physical memory it's a jigsaw puzzle of 4KB big pieces)

And if someone is bored enough he could write something to extract the pagetable physical address (cr3) of the game and then use the virtualpageduir plugin method to read it as if it's normal virtual memory
And if you're wondering how to extract the CR3 value: Do a scan for the EProcess of the game (that structure contains the exename, PID and CR3; exename and PID are known... Only problem: It's OS/service pack specific)

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
Seergaze3
Master Cheater
Reputation: -1

Joined: 10 Mar 2009
Posts: 347
Location: earth

PostPosted: Mon Feb 28, 2011 9:10 am    Post subject:

I don't think you can fool MuGuard or GameGuard by hiding the process, let alone that most of these anti-cheats are used in server-sided games, which means most likely you can't even cheat on those

And why would someone want to run their game on a virtualization platform?
ipivb
Master Cheater
Reputation: 5

Joined: 29 May 2010
Posts: 256

PostPosted: Tue Mar 01, 2011 7:09 am    Post subject:

Firstly, I must pay my respects to Dark Byte. His intelligence is impeccable.

im4eversmart wrote:
I don't think you can fool MuGuard or GameGuard by hiding the process, let alone that most of these anti-cheats are used in server-sided games, which means most likely you can't even cheat on those

And why would someone want to run their game on a virtualization platform?


Not everything can be calculated on the server. It would take far too much processing power. I would elaborate further; however, if this relates to a multiplayer online game, its discussion is strictly prohibited.

And what is wrong with running a game on a virtual machine? It looks and functions the same way. With all the work it takes to create a UCE, it may be easier to do what DB said... which in contrast is relatively simple compared to making CE completely undetected. And then the CRC bypass is a whole different story. Which is why I say... don't even consider hacking a GG or HS game if you think hiding the process of CE is going to cut it.
wira03
Newbie cheater
Reputation: 0

Joined: 12 Aug 2011
Posts: 11

PostPosted: Sun Aug 21, 2011 11:19 am    Post subject:

I've tried to change them to suit my tutorials, and it turned out successful; now I get into my game's mainunit and track it from there... could the master give clues?
All times are GMT - 6 Hours