Cheat Engine

iPromise · Posted: Wed Aug 01, 2012 6:44 am Post subject: couple questions

i'm asking some questions to clear up my confusion with anti-hacking system and how they hook a function.

when an anti-hacking system decides to do a block lets say GetAsyncKeyState within the user32.dll locally, it'll modify GetAsyncKeyState within every open application correct? how does the anti-hacking system hook a function locally and globally? and how is that bypassable with a driver?

Slugsnack · Posted: Wed Aug 01, 2012 7:55 am Post subject:

if the hook is being done in user32.dll then it means the anti-hacking system has instrumented every process. this typically requires it to inject itself into all processes. this is why at some stage, some anti-hacking systems could be bypassed by hiding your process

the hook itself is typically just a detour at the start of the function although this is not the only way of detouring execution. as discussed, a global usermode hook is simply a local hook in every process.

usermode hooks do not even require a driver to be bypassed. they can be simply trampolined. that is, make a copy of the bytes that are overwritten by the hook and execute them first then unconditionally branch to the instruction directly after the hook. it is bypassable with a driver by a similar notion. because many usermode functions interacting with the system are actually fancy 'wrappers' around some kernelmode function/s, you can invoke the kernelmode equivalent from a driver completely bypassing the usermode part of the function.