I am writing anti cheat software for a video game. Using CreateToolhelp32Snapshot I can get a list of open processes. From there I would like to find the address of each process and read through its .exe file. While this works for most processes, protected processes deny access to methods such as OpenProcess or GetModuleFileNameEx. Assuming my application is being run as administrator, is there a work around to finding protected processes addresses?
Cheat Engine is not a Protected Process and neither are 99.9% of cheats. You can check the certificate for the exe in Process Hacker and you will see it only has Code Signing and no Protected Process designation.
If you cannot access a cheat's memory it's because they're protecting it with a kernel driver. You must also be running in kernel if you want to touch the process. If they have somehow created a PP then you need to be in kernel.
There are many usermode methods they can use to protect themselves as well, they can simply hook OpenProcess() in every running process including yours and return 0 when you're trying to open their process.
You would need to get a copy of the cheat and reverse engineer it to figure out how it's protecting itself, then you can start removing or bypassing these protections.
Related
I'm trying to write a utility that allows me to read the memory from a process that is currently running in windows. I have used CreateToolhelp32Snapshot to build a current PID list for all programs running on the computer and I open a handle via OpenProcess with the vm_read flags without any issues. The roadblock I am running into is the readprocessmemory function of the windows API fails to read anything if the base address given is not currently readable. That being said what method can I use to determine the readable sections of a process.
My only idea on the matter is that I could iterate over the readprocessmemory function starting at the midway point of (size of process in memory)/2 and continue until I find the specific location that will allow me to read but I believe this would be terribly inefficient for large processes (o(n/2)), and even if it is the only user-mode option how would I even find the total size of the process in memory?
If this question is not meant for stackoverflow let me know and I will close it, please do not down-vote me I have been attempting to solve my problem myself for several hours now.
You can call VirtualQueryEx for each range of pages in the address space to find out if the address is in use. If the other process is not suspended then there will obviously be a chance that a pages status changes between your query and read operations.
I noticed that DebugActiveProcess let your process be a debugger to another process.
I saw that this function let you know the following events of the debuggee : Exception, Createthread, CreateProcess, ExitThread, ExitProces, LoadDll, UnloadDll, OutputDebugString.
My question is if we can write to the memory of the debuggee process without WriteProcessMemory? Is the debugger exists in the context memory of the debuggee?
Thanks!
A debugger exists in a different process from its debuggee. So you will need to use ReadProcessMemory and WriteProcessMemory to access the debuggee's address space.
Unless you inject code into the process you're interested in, those are two different processes: one is the debugger and one is the debuggee.
You can either launch the debuggee via CreateProcess(cfr. process creation flags) or attach your debugger to an existing one but they remain two different entities anyway and you'll have to use WriteProcessMemory to write to it.
It's the operating system which provides the API to operate your debugging on the target process (and you should make sure you have privileges to do that).
Lets take an example here which is known everywhere in the IT world:
We have a game, for example solitaire, and someone makes and releases a trainer for it that your moves are always '0'.
How do I programatically determine which adresses and what values that "hack" changes?
What way would be the best, if this is possible?
From within the game [injecting/loading my own dll?]
By intercepting traffic between the hack and target process with my own process?
I ask this question because of 2 things:
Protect an application from being "hacked" (at least by the script kiddies)
Reverse engineer a trainer (so you don't have to reinvent the wheel / avoid NIH syndrome)
You can't. Some broken attempts may be setting two addresses and then comparing them (they will find the other address though). Or they can simply remove your compare call.
They can alter any protection function that you use to "programatically determine" to always return false results. They can do anything to your executable, so there is no way.
Unless you hook the kernel functions that open your process to modify the memory. But that is also breakable and if I am not wrong you need to get your "protection kernel driver" digitally signed now.
There is another way in which you load a DLL in every running and newly spawned processes (which will probably alert antiviruses about your program being a virus), with that DLL you hook OpenProcess (and if there is another alternative to it, that too) functions in each process and check if its targeted at your program, and prevent it if so. Search about function hooking. I believe there was something called "MS Detour" or something for it.
And still, the game will not even be close to safe.
To sum up, no way is good to protect your game locally. If you are storing scores or something you should create a server program and client should report every move to server.
Even then, they can create a bot to automatically respond to server. Then the best you can do is somehow verify it is a human that is playing. (maybe captcha or comparing the solving speed with human avarage?)
I have 10.000 devices and I want to control them by one c++ application. Devices are server and I can control them only by dll. Dll is written for MFC and it wasn't written by me so i cant chance anything on it.
Dll establishs the TCP/IP communication between devices and my application.Every device has different variables. I need to open a new thread for each incoming connection and load an instance of my dll. I couldn't load the different instances of a dll for each thread. everytime it is using the same dll and same data.
How can load multiple instance of a dll ?
Is there any way to do it with c++.
Thanks in Advance
If the data are static it is not possible to have more instance in the same process. You have to modify the dll to have some sort of per context data ( usually class instance would do ). As a general suggestion anyway, never starts up to 10000 thread on a process, this will kill the performance. Write a thread pool and let manage the client be served by that pool.
Your situation does not sound hopeful.
Windows will not load more than one instance of a DLL within a given process, ever. If the DLL itself doesn't have the functionality to connect to multiple servers, you would have to create a separate process for each server you need to connect to. In practice, this would be a Bad Idea.
You COULD use LoadLibrary() and UnloadLibrary() to "restart" the DLL multiple times and switch frantically between the different servers that way. Sort of a LoadLibrary()... mess with server... UnloadLibrary()... do it againandagainandagain situation. It would be painful and slow, but might work for you.
The only (ugly) way to load a dll multiple times is for every new load you make a copy of the original dll with a unique name in a location that you're in control of.
Load the copy with LoadLibrary and setup appropiate function-pointers (GetProcAddress(...)) to functions in newly loaded dll for use in your program.
After you're done with it Unload the copy with FreeLibrary and remove the copy from disk.
I don't see an easy solution to this, as previously covered, you can't create multiple instances of a DLL within an app.
There may be a horrible solution, which is to write a lightweight proxy to listen for inbound requests, and spawn a new instance of the real app on each request, and forward traffic to it - there should be a way to load a new copy of a DLL in each instance (technically you'll be re-opening the same loaded DLL, but it should have separate data spaces).
However, with 10k devices, performance will be horrible. It sounds like the best solution is either to re-implement the protocol (either use a published spec, or reverse-engineer it).
Is there a way (in C++ & windows XP) to detect if one process spawns any other processes?
for example,
write.exe in system32 spawns wordpad.exe then disappears, is there a function that tells me if the process is about to do this?
for those interested i solved the problem using this section of msdn:
http://msdn.microsoft.com/en-us/library/aa390425(v=VS.85).aspx
Nothing in the Win32 API for this. However, it is supported through WMI with the Win32_ProcessStartTrace query. You'll find some C# code that demonstrates the query in my answer in this thread. Writing WMI code in C++ is fairly painful, you'll find a link to boilerplate code you have to write in the MSDN Library article.
Do beware that this isn't particularly fast. It isn't clear to me how much help the WMI provider gets from the kernel to generate the notification but given the speed it quacks like polling. In other words, the process is likely to be well on its way by the time you get the notification. This is otherwise par for the course on a multitasking operating system.
You can enumerate over the process tree, which identifies running processes and their parents. This is the inverse of what you want (you want to identify child processes, not parent processes). But of course by keeping track of parent process IDs while enumerating, you can identify which sub-processes a given process has spawned.
To do this, call CreateToolhelp32Snapshot and then use Process32First and Process32Next to enumerate the processes. The enumeration will fill in a PROCESSENTRY32 struct that contains a th32ParentProcessID member.
This is a polling method; there may be another way of actually hooking the CreateProcess function, but I don’t have any information about that.
I think you would need to make a global hook DLL that attaches itself to every running process. DLL then finds a place where a function call to CreateProcess is mapped to actual CreateProcess from kernel32, and change a table entry to redirect the call to it's own code to "detect" the call to CreateProcess. All this assuming that some user firewall will not prevent your global hook from executing.