BeansOfLight (How do I cheat?)
Posted: Wed Sep 09, 2015 8:13 am    Post subject: List of malicious programs
Hi.
I'm just coding some basic anti-cheat protection for a game and I was wondering if anybody has a list of malicious window titles and exe names.
aikoncwd (Grandmaster Cheater, Barcelona, Spain)
Posted: Wed Sep 09, 2015 8:28 am    Post subject: Re: List of malicious programs
BeansOfLight wrote: "Hi. I'm just coding some basic anti-cheat protection for a game and I was wondering if anybody has a list of malicious window titles and exe names."
I search for strings like cheat, engine, debugger, memoryview, etc. But any protection implemented at ring3 can be defeated EASILY with API hooking or similar. Don't waste much time coding anti-debug/anti-cheat functions, since every protection will be easy to bypass.
_________________
Hey Hitler
Test here your skill with CheatEngine, I coded a challenge for you. Try to beat it!
HERE
BeansOfLight (How do I cheat?)
Posted: Wed Sep 09, 2015 8:42 am    Post subject: Re: List of malicious programs
AikonCWD wrote: "I search for strings like cheat, engine, debugger, memoryview, etc. But any protection implemented at ring3 can be defeated EASILY with API hooking or similar. Don't waste much time coding anti-debug/anti-cheat functions, since every protection will be easy to bypass."
Thank you for the advice. I will perhaps see what the windows contain rather than checking them against a list, to save some time researching. The only problem, though, is that it might take a little longer to process the check.
It is only a small online game; the window list is hashed and sent to the server on request, then checked against malicious names purely for logging rather than kicking. If the data is not received, a log is made, and if the data doesn't contain the client's window title, a log is also made.
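The design in the two posts above (hash every visible window caption on the client, have the server compare the hashes against a ban list and log when its own caption is missing) and aikoncwd's objection to it (a ring3 hook on GetWindowText hides whatever the cheater wants hidden) fit in one small script. This is an added example written for this page, not code from either poster; the game caption "MyGame", the ban list and the desktop window titles are constructed, and the Win32 enumeration is replaced by plain lists of strings so it runs anywhere.

```python
import hashlib
import re

# Constructed values for this example: the game's own caption and a ban list
# of exact captions. A real client would obtain captions via
# EnumWindows/GetWindowText; here they are passed in as plain strings.
GAME_TITLE = "MyGame"
BANNED_TITLES = ("Cheat Engine 6.4", "x64dbg", "Memory Viewer")


def normalize(title: str) -> str:
    """Case-fold and collapse whitespace so the same caption always hashes alike."""
    return re.sub(r"\s+", " ", title.strip()).casefold()


def hash_title(title: str) -> str:
    return hashlib.sha256(normalize(title).encode("utf-8")).hexdigest()


# ---- client side -----------------------------------------------------------
def build_report(titles):
    """Report sent to the server: one hash per visible caption, never the text."""
    return {"hashes": sorted({hash_title(t) for t in titles if t})}


def hooked_enumeration(real_titles, hidden):
    """Stand-in for a user-mode (ring3) hook on GetWindowText: captions listed in
    `hidden` are dropped before the client ever hashes them, while the game's
    own caption is left alone so the server's presence check still passes."""
    blocked = {normalize(h) for h in hidden}
    return [t for t in real_titles if normalize(t) not in blocked]


# ---- server side -----------------------------------------------------------
BANNED_HASHES = {hash_title(t): t for t in BANNED_TITLES}
SELF_HASH = hash_title(GAME_TITLE)


def check_report(report):
    """Return the log lines the server would write; it only logs, never kicks."""
    log = []
    if not isinstance(report, dict) or not isinstance(report.get("hashes"), list):
        log.append("no window report received")
        return log
    hashes = set(report["hashes"])
    if SELF_HASH not in hashes:
        log.append("client's own window caption missing from report")
    for h in hashes.intersection(BANNED_HASHES):
        log.append(f"banned caption present: {BANNED_HASHES[h]}")
    return sorted(log)


def demo():
    """Honest client vs. the same desktop seen through a hook that hides CE."""
    desktop = ["MyGame", "Cheat Engine 6.4", "Untitled - Notepad"]  # constructed
    honest = check_report(build_report(desktop))
    bypassed = check_report(build_report(hooked_enumeration(desktop, ["Cheat Engine 6.4"])))
    return honest, bypassed


if __name__ == "__main__":
    honest, bypassed = demo()
    print("honest client:", honest)
    print("hooked client:", bypassed)
```

Two caveats follow from the code rather than the thread. Hashing captions means the server can only match whole titles exactly, so the substring rules ("cheat", "engine") from the earlier reply do not survive the hash; either the ban list must carry every caption variant or the client must send normalized titles in the clear. And the "own caption present" check proves only that some enumeration ran: a hook that filters the banned entry and keeps the game's caption produces an empty log, which is the bypass aikoncwd describes.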
aikoncwd (Grandmaster Cheater, Barcelona, Spain)
Posted: Wed Sep 09, 2015 8:49 am    Post subject: Re: List of malicious programs
BeansOfLight wrote: "Thank you for the advice. I will perhaps see what the windows contain rather than checking them against a list, to save some time researching. The only problem, though, is that it might take a little longer to process the check. It is only a small online game; the window list is hashed and sent to the server on request, then checked against malicious names purely for logging rather than kicking. If the data is not received, a log is made, and if the data doesn't contain the client's window title, a log is also made."
OK, so the check is made server-side, but power users can edit your client.exe, hook the API GetWindowText and return 0 on certain values, so your server won't detect the banned window caption.
If you wanna go deeper, I coded some stupid functions to prevent/detect Cheat Engine:
ScanFileName(): check filenames under the %programfiles% dir to detect Cheat Engine filenames.
ScanRunningProcess(): check running process names and compare with a ban list.
ScanRegeditKeys(): same as above but with some registry keys.
SearchWinDbg(): three methods to detect window debuggers.
SearchVEHDbg(): check if the game is being debugged with the VEH engine.
SearchKrnDbg(): check if the kernel DBVM is installed and/or running.
GetTickCount(): timing routine that can detect a debugger (VEH detected too).
TimeGetTime(): timing routine that can detect a debugger (VEH detected too).
QueryPerformance(): timing routine that can detect a debugger (VEH detected too).
ScanInstalledSoft(): list all installed software and compare with a ban list.
GetWindowText(): list all windows and compare the caption with a ban list.
And here is a PoC to show how those functions work with CE.
This is a screenshot of the tool running on a system with CE installed but not running CE:
Functions like ScanFileName and ScanInstalledSoft detect the presence of CE. Let's go deeper...
This image shows how the standard debugger is detected. Only the VEH and DBVM functions return false. Let's see what happens with VEH enabled:
The tool can detect if the process/game is debugged with the VEH engine. Also, the timing methods can detect regular debuggers and VEH. Let's see kernel debug (DBVM):
Kernel debug is detected, and it tells if the driver is running or not. Timing methods got bypassed (nice!). WindowText is detected too.
Source code is here (coded in VB6/VBS). Easy to port to a real programming language: http://pastebin.com/t26ALskY
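The three timing routines in the list above (GetTickCount, timeGetTime, QueryPerformanceCounter) all rest on one idea: a section of code that takes a few microseconds when nobody is stepping through it takes far longer under a debugger, so compare the elapsed time against a threshold. The following is an added, portable example of that logic, not aikoncwd's VB6 code; it uses Python's perf_counter in place of the Win32 clocks, a constructed sleep in place of a real breakpoint pause, and an assumed 50 ms threshold. It also shows the bypass the post reports for DBVM in its simplest form: when the attacker controls the clock the check reads from, the measured time can be anything they like.

```python
import time

# Assumed threshold: scheduler jitter is a few ms at most, while a breakpoint
# or single-step costs far more. Tune on the target hardware.
THRESHOLD_MS = 50.0


def elapsed_ms(work, clock=time.perf_counter):
    """Time one run of `work` with `clock`. The clock is injectable so a
    frozen (hooked) clock can be demonstrated below."""
    start = clock()
    work()
    return (clock() - start) * 1000.0


def debugger_suspected(work, samples=5, threshold_ms=THRESHOLD_MS, clock=time.perf_counter):
    """Run the timed section several times and flag only if most samples are
    slow, so one scheduler hiccup does not produce a false positive."""
    slow = sum(1 for _ in range(samples) if elapsed_ms(work, clock) > threshold_ms)
    return slow * 2 > samples


def frozen_clock():
    """What a hooked GetTickCount/QueryPerformanceCounter might return: a clock
    that never advances, so every timed section looks instantaneous."""
    return 0.0


def simulated_breakpoint():
    """Constructed stand-in for the pause a debugger adds while the user steps."""
    time.sleep(0.2)


def demo():
    """Normal run, run under a 'debugger', and the same run with the clock hooked."""
    normal = debugger_suspected(lambda: sum(range(1000)), samples=3)
    stepped = debugger_suspected(simulated_breakpoint, samples=3)
    hooked = debugger_suspected(simulated_breakpoint, samples=3, clock=frozen_clock)
    return normal, stepped, hooked


if __name__ == "__main__":
    print("normal / stepped / hooked clock:", demo())
```

Freezing the clock is only the most obvious evasion; a hook that returns plausible but compressed deltas, or a patch of the comparison itself in client.exe, defeats the check just as well, which is why the post's own results show the timing methods bypassed once the debugger sits below ring3.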
BeansOfLight (How do I cheat?)
Posted: Wed Sep 09, 2015 8:59 am
Great stuff. Will check it out, thanks.
Rydian (Grandmaster Cheater Supreme)
Posted: Wed Sep 09, 2015 9:37 pm
Can the game be run in a sandbox? If so, then it can't look at any other windows or programs through basic checks.