Standard hacking case. Hack file type injects into a started process and writes over process memory using WriteProcessMemory call. In games this is not something you would want because it can provide the hacker to change the portion of the game and give himself an advantage.
There is a possibility to force a user to run a third-party program along with the game and I would need to know what would be the best way to prevent such injection. I already tried to use a function EnumProcessModules which lists all process DLLs with no success. It seems to me that the hacks inject directly into process memory (end of stack?), therefore it is undetected. At the moment I have came down to a few options.
Create a blacklist of files, file patterns, process names and memory patterns of most known public hacks and scan them with the program. The problem with this is that I would need to maintain the blacklist and also create an update of the program to hold all avalible hacks. I also found this usefull answer Detecting memory access to a process but it could be possible that some existing DLL is already using those calls so there could be false positives.
Using ReadProcessMemory to monitor the changes in well known memory offsets (hacks usually use the same offsets to achieve something). I would need to run a few hacks, monitor the behaviour and get samples of hack behaviour when comparing to normal run.
Would it be possible to somehow rearrange the process memory after it starts? Maybe just pushing the process memory down the stack could confuse the hack.
This is an example of the hack call:
WriteProcessMemory(phandler,0xsomeoffset,&datatowrite,...);
So unless the hack is a little more smarter to search for the actual start of the process it would already be a great success. I wonder if there is a system call that could rewrite the memory to another location or somehow insert some null data in front of the stack.
So, what would be the best way to go with this? It is a really interesting and dark area of the programming so I would like to hear as much interesting ideas as possible. The goal is to either prevent the hack from working or detect it.
Best regards
Time after time compute the hash or CRC of application's image stored in memory and compare it with known hash or CRC.
Our service http://activation-cloud.com provides the ability to check integrity of application against the signature stored in database.
Related
I'm working in a C/C++ mixed project that has the following situation.
I need to have a iteration to go through very small chunks (rarely larger chunks as well) in a file one by one. Ideally, I should just read them once consecutively. I think will be a better solution in this case to read a big chunk into a buffer and consume it later, rather than read each of them instantly when I need.
The problem is, how do I balance the cache size? Is there any well-known algorithm/library that I can take advantage of?
UPDATE: (changes the title)
Thanks for you guys' replies and I understand there are different levels of caching mechanism working in our boxes. But that not enough in my case.
I think I missed something important here. Actually I'm building an application upon an existing framework, in which requesting reads to the engine frquently will cost too much for me. (Yes, i believe the engine do take advantage of OS and disk level caches.) And what I'm trying to do is indeed to build an application level pre-fetching system.
Thoughts?
in general you should try to use what the OS gives you, rather than creating your own cache (because you run the risk of caching twice). for linux, you can request OS level caching via readahead(); i don't know what the windows equivalent would be.
looking into this some more, there is also a block level (ie disk) parameter, set via blockdev --setra. it's probably not a good idea to change that on your system (unless it is dedicated to just this one task), but if the value there (blockdev --getra) is already larger than your typical chunk size then you may not need to do anything else.
[and just to address the other point mentioned in the question comments - while an OS will cache file data in free memory, i don't believe that it will pre-emptively read an otherwise unread file (apart from to meet the requirements above). but if anyone knows otherwise, please post details...]
Have you tried mmap()ing the file instead of read()ing from it? In some cases this might be more efficient, in some cases this might not. However it is usually best to let the system optimize for you, since it knows more about the hardware than an application. mmap() will let the system know that you need the whole file, so it might just be more optimal.
With my basic knowledge of C++, I've managed to whip together a simple program that reads some data from a program (using ReadProcessMemory) and sends it to my web server every five minutes, so I can see the status of said program while I'm not at home.
I found the memory addresses to read from using a program designed to hack games called "Memory Hacking Software." The problem is, the addresses change whenever I move the program to another machine.
My question is: is there a way to find a 'permanent' address that is the same on any machine? Or is this simply impossible. Excuse me if this is a dumb question, but I don't know a whole lot on the subject. Or perhaps another means to access information from a running program.
Thanks for any and all help!
There are ways to do it such as being able to recognise memory patterns around the thing you're looking for. Crackers can use this to find memory locations to patch even with software that "moves around", so to speak (as with operating systems that provide randomisation of address spaces).
For example, if you know that there are fixed character strings always located X bytes beyond the area of interest, you can scan the whole address space to find them, then calculate the area of interest from that.
However, it's not always as reliable as you might think.
I would instead be thinking of another way to achieve your ends, one that doesn't involve battling the features that are protecting such software from malicious behaviour.
Think of questions like:
Why exactly do you need access to the address space at all?
Does the program itself provide status information in a more workable manner?
If the program is yours, can you modify it to provide that information?
If you only need to know if the program is doing its job, can you simply "ping" the program (e.g., for a web page, send an HTML request and ensure you get a valid response)?
As a last resort, can you convince the OS to load your program without address space randomisation then continue using your (somewhat dubious) method?
Given your comment that:
I use the program on four machines and I have to "re-find" the addresses (8 of them) on all of them every time they update the program.
I would simply opt for automating this process. This is what some cracking software does. It scans files or in-memory code and data looking for markers that it can use for locating an area of interest.
If you can do it manually, you should be able to write a program that can do it. Have that program locate the areas of interest (by reading the process address space) and, once they're found, just read your required information from there. If the methods of finding them changes with each release (instead of just the actual locations), you'll probably need to update your locator routines with each release of their software but, unfortunately, that's the price you pay for the chosen method.
It's unlikely the program you're trying to read will be as secure as some - I've seen some move their areas of interest around as the program is running, to try and confuse crackers.
What you are asking for is impossible by design. ASLR is designed specifically to prevent this kind of snooping.
What kind of information are you getting from the remote process?
Sorry, this isn't possible. The memory layout of processes isn't going to be reliably consistent.
You can achieve your goal in a number of ways:
Add a client/server protocol that you can connect to and ask "what's your status?" (this also lends itself nicely to asking for more info).
Have the process periodically touch a file, the "monitor" can check the modification time of that file to see if the process is dead.
I am looking for a way to cure at least the symptoms of a leaky DLL i have to use. While the library (OpenCascade) claims to provides a memory manager, i have as of yet being unable to make it release any memory it allocated.
I would at least wish to put the calls to this module in a 'sandbox', in order to keep my application from not losing memory while the OCC-Module isn't even running any more.
My question is: While I realise that it would be an UGLY HACK (TM) to do so, is it possible to preallocate a stretch of memory to be used specifically by the libraries, or to build some kind of sandbox around it so i can track what areas of memory they used in order to release them myself when i am finished?
Or would that be to ugly a hack and I should try to resolve the issues otherwise?
The only reliable way is to separate use of the library into a dedicated process. You will start that process, pass data and parameters to it, run the library code, retrieve results. Once you decide the memory consumption is no longer tolerable you restart the process.
Using a library that isn't broken would probably be much easier, but if a replacement ins't available you could try intercepting the allocation calls. If the library isn't too badly 'optimized' (specifically function inlining) you could disassemble it and locate the malloc and free functions; on loading, you could replace every 4 (or 8 on p64 system) byte sequence that encodes that address with one that points to your own memory allocator. This is almost guaranteed to be a buggy, unreadable timesink, though, so don't do this if you can find a working replacement.
Edit:
Saw #sharptooth's answer, which has a much better chance of working. I'd still advise trying to find a replacement though.
You should ask Roman Lygin's opinion - he used to work at occ. He has at least one post that mentions memory management http://opencascade.blogspot.com/2009/06/developing-parallel-applications-with_23.html.
If you ask nicely, he might even write a post that explains mmgt's internals.
After asking this question (C++: Can I get out of the bounds of my app’s memory with a pointer?),
I decided to accept it isn't possible to modify other app's memory with pointers (with a modern OS).
But if this isn't possible, how do programs like ArtMoney and CheatEngine work?
Thanks
Check these functions:
ReadProcessmemory
WriteProcessmemory
It is possible to read process memory on Windows. There is a function, called ReadProcessMemory in kernel32.dll: http://msdn.microsoft.com/en-us/library/ms680553(v=VS.85).aspx
This is used by most applications that change memory of other applications. It can also be used to communicate between two processes (though mostly not recommended).
CheatEngine is a debugger with a non-traditional interface.
Just to give a plain simple explanation - dump / hot search the process memory for specified value and modify it. You can do it using some plain WinAPI functions or using some native API routines (I suppose so).
That's obviously the reason why they fail, for example, if game state is stored with some encryption. That's also the reason you would need to change your value several times and then make your search again (to avoid search collisions, because definitely different memory blocks could hold the same value).
im trying to learn to modify games in C++ not the game just the memory its using to get ammo whatnot so can someone point me to books
The most convenient way to manipulate a remote process' memory is to create a thread within the context of that program. This is usually accomplished by forcibly injecting a dll into the target process. Once you have code executing inside the target application you are free to use standard memory routines. e.g (memcpy, malloc, memset).
I can tell you right now that the most convenient and easy to implement method is the CreateRemoteThread / LoadLibrary trick.
As other people have mentioned, simple hacks can be performed by scanning memory for known values. But if you want to perform anything more advanced you will need to look into debugging and dead-list analysis. (Tools: ollydbg and IDA pro, respectively).
You have scratched the surface of a very expansive hacking topic, there is a wealth of knowledge out there..
First a few internet resources:
gamedeception.net - A community dedicated to game RE (Reverse Engineering) and hacking.
http://www.edgeofnowhere.cc/viewtopic.php?p=2483118 - An excellent tutorial on various DLL injection methods.
Openrce.org - Community for reverse code engineering.
I can also recommend a book to you - http://www.exploitingonlinegames.com/
Windows API Routines you should research (msdn.com):
CreateRemoteThread
LoadLibraryA
VirtualAllocEx
VirtualProtectEx
WriteProcessMemory
ReadProcessMemory
CreateToolhelp32Snapshot
Process32First
Process32Next
Injecting Code:
I think the best method is to modify the exe to inject code into one of the loaded modules. Check this tutorial
Short related story:
Over 10 years ago though, I do remember successfully modifying my score in solitaire in windows with a simple C++ program. I did this by starting an int * pointer at some base address and iterating through memory addresses (with a try /catch to catch exceptions).
I would look for what my current score was in one of those pointer variables, and replace it with a new integer value. I just made sure that my current score was some obscure value that wouldn't be contained in many memory addresses.
Once I found a set of memory addresses that matched my score, I would change my score manually in solitaire and only look through the memory addresses that were found in the last iteration. Usually this would narrow down to a single memory address that contained the score. At this point I had the magical simple line of code *pCode = MY_DESIRED_SCORE;
This may not be possible anymore though with new memory security models. But the method worked pretty good with a 10-20 line C++ program and it only took about a minute to modify my score.
There are enough programs available that let you modify memory of running programs. And they are often used for cheating. But be carefull using those on online games, because most cheats will be detected and you are banned without a warning.
If you like to create them yourself, just look at books that describe the windows API. You will find enough information there.
It can done using hooks on windows to access the memory space of a process.