cleiton Newbie cheater
Reputation: 0
Joined: 05 Mar 2014 Posts: 21
Posted: Wed May 28, 2014 10:09 am Post subject: Please help with CreateThread
Hi, I'm an anti-hack developer and I have a big problem that has a small solution. Usually game cheaters inject a .dll into my process; that DLL uses CreateThread to open forms, and these forms can do everything with the game memory.
They usually use this in their DLLs:
Code:
library gamecheat;
uses
  SysUtils,
  Classes,
  Windows,
  Forms,
  Dialogs,
  MainUnit in 'MainUnit.pas' {MainForm};
{$R *.res}
var
  ThreadId : Cardinal;
procedure FormShow;
begin
  Application.Initialize;
  Application.CreateForm(TMainForm, MainForm);
  Application.Run;
end;
procedure DllMain(reason: integer) ;
begin
  case reason of
    DLL_PROCESS_ATTACH:
    begin
    end;
    DLL_PROCESS_DETACH:
    begin
    end;
    DLL_THREAD_ATTACH:
    begin
    end;
    DLL_THREAD_DETACH:
  end;
end;
begin
  DllProc := @DllMain;
  DllProc(DLL_PROCESS_ATTACH);
  CreateThread(nil,0,@FormShow,nil,0,ThreadID);
end.
How to prevent CreateThread?
Note: I don't want to prevent DLL injection, and the game I'm doing the anti-hack for uses CreateThread.
Thank you very much.
dlpb Advanced Cheater
Reputation: 0
Joined: 11 Dec 2013 Posts: 78
Posted: Wed May 28, 2014 12:44 pm Post subject:
If they want to cheat a game, there really isn't much you can do about it. They will either use Cheat Engine itself, or another memory hacker, or a few of the tools I will be releasing soon. Can't answer your question though, sorry.
cleiton Newbie cheater
Reputation: 0
Joined: 05 Mar 2014 Posts: 21
Posted: Thu May 29, 2014 8:44 am Post subject:
I've already blocked all of these kinds of cheats. I just want to do what I asked in the main post.
justa_dude Grandmaster Cheater
Reputation: 23
Joined: 29 Jun 2010 Posts: 893
Posted: Fri May 30, 2014 12:02 am Post subject:
Haha, I've got $5 on Wiccan!
_________________
Next to the big gate, there is always a small gate.
----------------------
Come on...
cleiton Newbie cheater
Reputation: 0
Joined: 05 Mar 2014 Posts: 21
Posted: Tue Jun 03, 2014 1:50 pm Post subject:
Please, someone help me to do what I've asked first.
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25823 Location: The netherlands
Posted: Tue Jun 03, 2014 3:24 pm Post subject:
Do a hook on CreateThread and in there check the call stack to see if the call originated from the game's exe, or a module the game has marked as trusted.
If it's not from a trusted module, deny.
It won't block CreateThread calls done from a code injection in an often-called location of the game (e.g. PeekMessage) which gets restored back to normal as soon as the thread has been created, or CreateRemoteThread from an injector.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
cleiton Newbie cheater
Reputation: 0
Joined: 05 Mar 2014 Posts: 21
Posted: Sun Jun 15, 2014 2:13 pm Post subject:
Dark Byte wrote:
> Do a hook on CreateThread and in there check the call stack to see if the call originated from the game's exe, or a module the game has marked as trusted.
> If it's not from a trusted module, deny.
> It won't block CreateThread calls done from a code injection in an often-called location of the game (e.g. PeekMessage) which gets restored back to normal as soon as the thread has been created, or CreateRemoteThread from an injector.
I don't know how to check the call stack, that's the problem.
Rissorr Master Cheater
Reputation: 3
Joined: 17 Sep 2013 Posts: 273 Location: Israel!
Posted: Mon Jun 16, 2014 7:03 am Post subject:
HAHHAHAH THE MOST FUNNY QUESTION ON THIS FORUM:
Asking in a hackers forum how to block hacking.
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25823 Location: The netherlands
Posted: Mon Jun 16, 2014 8:25 am Post subject:
Do you know how to hook an API? Because that's step 1 when making an anti-hack.
Now, inside your CreateThread hook, get the address of lpThreadAttributes and decrease it by 4 to get the address of the return address of the current function call.
You could also look into the StackWalk64 function and related functions to make a full stack trace for you.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
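The caller check described in Dark Byte's two posts, as an added example that is not part of the thread and not any poster's code: a portable C model of the allow/deny decision a CreateThread hook would make. The module names, address ranges and stack images are constructed; in a real 32-bit hook the ranges would come from the process's loaded module list and the return address from the stack slot just below lpThreadAttributes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Address range of one loaded module. Names and ranges are constructed. */
typedef struct { const char *name; uint32_t base; uint32_t size; } module_range;

static const module_range trusted[] = {
    { "game.exe",    0x00400000u, 0x00200000u },   /* hypothetical main image */
    { "gamenet.dll", 0x10000000u, 0x00040000u },   /* hypothetical trusted DLL */
};

/* Return the trusted module that contains addr, or NULL if none does. */
const module_range *find_trusted(uint32_t addr) {
    for (size_t i = 0; i < sizeof trusted / sizeof trusted[0]; i++) {
        /* Subtracting first avoids overflow in base + size. */
        if (addr >= trusted[i].base && addr - trusted[i].base < trusted[i].size)
            return &trusted[i];
    }
    return NULL;
}

/* first_arg points at the lpThreadAttributes slot of a 32-bit stdcall frame
   as seen on entry to the hook; the slot 4 bytes below it holds the return
   address, i.e. where the CreateThread call came from. */
uint32_t caller_of(const uint32_t *first_arg) {
    return first_arg[-1];
}

/* Policy from the thread: deny unless the call returns into a trusted module. */
bool allow_create_thread(const uint32_t *first_arg) {
    return find_trusted(caller_of(first_arg)) != NULL;
}

/* Constructed stack images, lowest address first: return address,
   lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter,
   dwCreationFlags, lpThreadId. */
const uint32_t call_from_game[7]    = { 0x00412A5Cu, 0, 0, 0x00455000u, 0, 0, 0x0019FF10u };
const uint32_t call_from_unknown[7] = { 0x6F3410E2u, 0, 0, 0x6F341000u, 0, 0, 0x6F349000u };
/* Boundary cases: last byte inside game.exe, first byte past its end. */
const uint32_t edge_inside[2]  = { 0x005FFFFFu, 0 };
const uint32_t edge_outside[2] = { 0x00600000u, 0 };

int main(void) {
    return (allow_create_thread(&call_from_game[1]) &&
            !allow_create_thread(&call_from_unknown[1])) ? 0 : 1;
}
```

This inspects only the immediate caller, so the cases Dark Byte lists as not blocked remain outside what a return-address check can see.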
cleiton Newbie cheater
Reputation: 0
Joined: 05 Mar 2014 Posts: 21
Posted: Thu Jun 19, 2014 7:10 am Post subject:
I'm not a programmer, I'm learning a little bit about how cheats work. For example, I found on the internet an API that REDIRECTS CreateThread to my own function. I think that's what I am looking for, so now I need to do a filter and only allow my .EXE to use that.
How?
Thank you guys
cashd Cheater
Reputation: 0
Joined: 25 Nov 2012 Posts: 25
Posted: Thu Jun 19, 2014 1:26 pm Post subject:
You can use Detours for Windows to do hooks on 32-bit Windows (for 64-bit it costs money),
or use an old version of madCHook (for free).
They have a nice reference on how to use the library for Detours.
madCHook has a nice reference too, but the new versions cost money
(when it was free, a lot of malware used it to perform hooks, so they decided to charge money).
P.S.
You said you are an anti-hack developer, and in the last post you said you're not a programmer, so I got confused.
cleiton Newbie cheater
Reputation: 0
Joined: 05 Mar 2014 Posts: 21
Posted: Sat Jun 21, 2014 10:37 am Post subject:
Yes, I'm a programmer but not a good one, that's what I wanted to say.
I'm the owner of a game, and I'm programming a simple anticheat, because in my game there aren't good cheaters, only shit cheaters who only use old cheats that can easily be patched.
@cashd: Yes, I can easily hook any API I want with a million functions posted on Google, but there's just one problem: my game uses CreateThread after the user enters the game server (30 seconds after login). If I use a timer with a 30-second interval, anyone can easily auto-inject a DLL and create as many threads as they want. So the solution is: do a filter that only allows my game to use CreateThread. I made some progress: I did a redirect of the original CreateThread function to my own CreateThread function, and now I need to create a filter that only allows my game to use the original function. That's what I didn't get.
Any help would be appreciated.
cashd Cheater
Reputation: 0
Joined: 25 Nov 2012 Posts: 25
Posted: Sat Jun 21, 2014 3:22 pm Post subject:
There is one problem with your solution:
if you hook CreateThread,
they will hook NtCreateThread,
or they can kill your hook and insert another jmp to what they want...
If you really want to prevent cheats in your game,
and your game is an online game,
you should calculate checksums and check things on the server.
One of the things games should do is calculate the average of all the players.
If one player is too far above the average, it may be a cheater.
And you can prevent Cheat Engine from loading up.
You just need to calculate a checksum of the file (not really the whole file); it's enough to take a checksum of 7 functions, things Dark Byte can't edit,
and you've won against the noobs...
But because we're talking about cheaters, and some of them know how to reverse engineer pretty well, they may defeat it too.
But if you want a better solution, use Themida or another VM protection.