Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Evade anti cheat detection by altering system dll

ulysse31
Master Cheater
Reputation: 2

Joined: 19 Mar 2015
Posts: 324
Location: Paris

Posted: Fri Jun 10, 2016 10:24 am    Post subject: Evade anti cheat detection by altering system dll

Hello, I am wondering if a valid method to evade anti-cheat system detections is to alter certain DLL APIs such as Process32First/Next etc.
I imagine this would interfere with many programs, including Cheat Engine itself, but what if I replace the native DLL whenever I am done, would that work? (i.e. assuming the anti-cheat uses a process snapshot to detect cheat-oriented programs, and assuming the DLL is correctly edited (no stack mistake / return value mistake etc.))
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8585
Location: 127.0.0.1

Posted: Fri Jun 10, 2016 1:51 pm

You could hook Process32First/Next (assuming they don't detect the hooks) and fake the return when it gets to your module. Instead of returning your module's information, skip over it and just call Process32Next again, etc.
_________________
- Retired.
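The inline hook atom0s describes is exactly what an anti-cheat's own integrity check looks for, so here is an added example (mine, not code from the thread or from Cheat Engine) of the defender's side: it compares a function's entry bytes as loaded in memory with the pristine bytes from the module on disk and classifies any patch by common trampoline shape. The byte strings in it are constructed samples, not real kernel32 code.

```c
/* Added example, not code from the thread: a defender-side integrity check for
 * the inline hooks described above. A monitor reads the first bytes of an export
 * such as Process32Next from the loaded image, compares them with the pristine
 * bytes of the module on disk, and classifies any patch by trampoline shape. */
#include <stdint.h>
#include <string.h>

typedef enum {
    PROLOGUE_CLEAN = 0, /* matches on-disk reference */
    HOOK_JMP_REL32,     /* E9 rel32          : 5-byte relative jmp */
    HOOK_JMP_INDIRECT,  /* FF 25 disp32      : jmp [rip+disp32] */
    HOOK_MOV_RAX_JMP,   /* 48 B8 imm64 FF E0 : mov rax,imm64 ; jmp rax */
    HOOK_PUSH_RET,      /* 68 imm32 C3       : push imm32 ; ret */
    PATCHED_UNKNOWN     /* differs, but no recognised trampoline */
} prologue_verdict;

static uint64_t le_read(const uint8_t *p, int n) { /* little-endian integer */
    uint64_t v = 0;
    for (int i = n - 1; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

prologue_verdict classify_prologue(const uint8_t *mem, const uint8_t *disk, size_t len)
{
    if (memcmp(mem, disk, len) == 0)                                return PROLOGUE_CLEAN;
    if (len >= 12 && mem[0] == 0x48 && mem[1] == 0xB8 &&
        mem[10] == 0xFF && mem[11] == 0xE0)                         return HOOK_MOV_RAX_JMP;
    if (len >= 6 && mem[0] == 0xFF && mem[1] == 0x25)               return HOOK_JMP_INDIRECT;
    if (len >= 6 && mem[0] == 0x68 && mem[5] == 0xC3)               return HOOK_PUSH_RET;
    if (len >= 5 && mem[0] == 0xE9)                                 return HOOK_JMP_REL32;
    return PATCHED_UNKNOWN;
}

/* Where the trampoline lands (for the indirect form: the pointer slot it reads),
 * so the monitor can check which module owns that address. 0 if not a hook. */
uint64_t hook_target(const uint8_t *mem, uint64_t func_va, prologue_verdict v)
{
    switch (v) {
    case HOOK_JMP_REL32:    return func_va + 5 + (int32_t)le_read(mem + 1, 4);
    case HOOK_JMP_INDIRECT: return func_va + 6 + (int32_t)le_read(mem + 2, 4);
    case HOOK_MOV_RAX_JMP:  return le_read(mem + 2, 8);
    case HOOK_PUSH_RET:     return (uint64_t)(int32_t)le_read(mem + 1, 4); /* sign-extended */
    default:                return 0;
    }
}

/* Constructed samples: a common x64 prologue as stored on disk, and the same
 * bytes after a 5-byte relative jmp has been written over the first instruction. */
static const uint8_t sample_disk[16]   = {0x48,0x89,0x5C,0x24,0x08,0x48,0x89,0x6C,0x24,0x10,0x56,0x57,0x41,0x54,0x41,0x55};
static const uint8_t sample_hooked[16] = {0xE9,0x00,0x10,0x00,0x00,0x48,0x89,0x6C,0x24,0x10,0x56,0x57,0x41,0x54,0x41,0x55};
```

On a real system the `mem` buffer would come from the process's loaded module and `disk` from the mapped file, which is why a check like this defeats the "restore the DLL on disk afterwards" idea: the in-memory bytes are what get compared.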
ulysse31
Master Cheater
Reputation: 2

Joined: 19 Mar 2015
Posts: 324
Location: Paris

Posted: Fri Jun 10, 2016 2:54 pm

atom0s wrote:
You could hook Process32First/Next (assuming they don't detect the hooks) and fake the return when it gets to your module. Instead of returning your module's information, skip over it and just call Process32Next again, etc.

For now, however, I can't even attach a decent RE tool to the process; they all get detected. For this reason I have started coding my own tool, but meanwhile I was wondering: what if I alter the DLL holding Process32 on the hard drive, which is kernel32.dll?
Then the anti-cheat would load an altered kernel32.dll from the hard drive. Would that do the trick? (The DLL would indeed fake the return call, but there would be no run-time hooking involved.)
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8585
Location: 127.0.0.1

Posted: Fri Jun 10, 2016 11:05 pm

ulysse3131 wrote:
atom0s wrote:
You could hook Process32First/Next (assuming they don't detect the hooks) and fake the return when it gets to your module. Instead of returning your module's information, skip over it and just call Process32Next again, etc.

For now, however, I can't even attach a decent RE tool to the process; they all get detected. For this reason I have started coding my own tool, but meanwhile I was wondering: what if I alter the DLL holding Process32 on the hard drive, which is kernel32.dll?
Then the anti-cheat would load an altered kernel32.dll from the hard drive. Would that do the trick? (The DLL would indeed fake the return call, but there would be no run-time hooking involved.)


That's a bit overkill to do and would require messing with Windows a bit to ensure that it does not try to override your altered kernel32.dll file. You'd also be limited by Windows Update, if you have it turned on, since an update is bound to overwrite your edited kernel32.dll, and so on. You are better off figuring out how it is detecting you and bypassing that.

_________________
- Retired.
crashoverride93
Advanced Cheater
Reputation: 0

Joined: 04 Aug 2015
Posts: 61

Posted: Fri Jul 22, 2016 2:26 am

If you are running Windows XP, you can copy that DLL into the program directory and make your modifications, and it will work without causing problems in Windows.
kantoboy69
Advanced Cheater
Reputation: 2

Joined: 31 Mar 2010
Posts: 71
Location: Manila

Posted: Fri Aug 05, 2016 2:14 am

You could also try Windows kernel hooking, ulysse3131.
No need to modify DLLs.
Unless that anti-cheat/anti-debugger is some sort of advanced antivirus.
Then it would suffice.

_________________
Cheater always prosper Hitler
All times are GMT - 6 Hours