heyimyuuta Newbie cheater
Reputation: 0
Joined: 14 Sep 2023 Posts: 12
Posted: Sat Nov 04, 2023 1:28 pm Post subject: Detecting the Cheat Engine process
I am currently in the process of reverse engineering various Anticheats to get some insight into their methods of detecting programs like Cheat Engine.
One particular Anticheat that has caught my attention is Xigncode.
Even without loading any Cheat Engine related drivers or opening handles to other games (attaching ce to a process), Xigncode is able to detect Cheat Engine within just one minute.
In my attempts to understand how Xigncode is able to detect it, I have experimented with different approaches.
For example, I have tried suspending the Cheat Engine thread / freezing Cheat Engine, overwriting the entire process memory of Cheat Engine with zeros, closing all handles, unloading all modules, renaming all Cheat Engine related strings, disabling the output for OutputDebugString...
Despite all of that Xigncode still detects it.
I am aware of the following detection methods:
signature/pattern detection,
process/window name detection,
window class and text name detection,
enumerating modules for each process and checking for modules similar to Cheat Engine,
intercepting OutputDebugString calls and searching for blacklisted strings,
ReadDirectoryChangesW.
However, I am curious if there are any other detection vectors that could explain Xigncode's method to detect Cheat Engine even when it is idle, without being attached to any process or performing any actions.