mgostIH (Expert Cheater)
Posted: Tue Mar 01, 2016 3:51 pm    Post subject: Help with Steam hiding threads
So, a while ago I stumbled upon the whole "thing" about Steam protecting games from debuggers using the infamous ThreadHideFromDebugger flag, which doesn't let any normal debugger (VEH and kernel mode based ones still work) handle the game, causing a crash for EVERY Windows debugger.
So, my idea was to hook NtSetInformationThread, but the ThreadHideFromDebugger flag can also be set by other functions, such as NtCreateThreadEx, so I am really sure that I am doing the right thing here.
My question was, where specifically does Steam hide the main thread of the game?
Is it a simple NtSetInformationThread inside the game or do I need to hook Steam.exe API calls themselves?
The closest thing I could find on the internet about this stuff was a DLL to inject that would automatically disable this Steam protection, but it's easy to detect for VAC games and I'd also prefer to code the stuff on my own.
With this, I could easily run OllyDbg on my games without needing kernel mode plugins (such as TitanHide).
Thanks for reading.
Dark Byte (Site Admin)
mgostIH (Expert Cheater)
Posted: Tue Mar 01, 2016 4:04 pm
Dark Byte wrote: http://forum.cheatengine.org/viewtopic.php?p=5598917
This unhides the thread using kernel mode debugging, which I can't use for distribution.
I'd prefer something that anticipates the thread being hidden, rather than it becoming normal afterward.
atom0s (Moderator)
Posted: Tue Mar 01, 2016 4:58 pm
Steam games can be protected using the SteamStub DRM. When it is used it has an encrypted payload called SteamDRMP.dll inside of the exe that is packed away inside of the .bind section.
When the game starts it unpacks itself via the .bind section functionality. The SteamDRMP.dll is loaded via manual mapping and they hide threads via NtSetInformationThread.
- Retired.
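As an added example (not code from this thread or from Steam/Cheat Engine), a stdlib-only Python check that walks a PE's section table and reports whether the executable carries the .bind section atom0s describes, which is the usual sign that the game is wrapped in SteamStub and will hide its threads. The sample PE it builds inline is constructed for the demo; a .bind section is an indicator of the packer, not proof of it.

```python
import struct

# Constructed sample builder: a minimal PE (headers plus section table, no
# code) so the check below can run offline. This is not a real game binary.
def build_sample_pe(section_names):
    """Return bytes of a minimal PE32+ header carrying the given section names."""
    pe_offset = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (pe_offset - 2))
    struct.pack_into("<I", dos, 0x3C, pe_offset)  # e_lfanew -> PE signature
    opt_size = 0xF0  # size of a PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    optional = b"\x0b\x02" + b"\x00" * (opt_size - 2)  # PE32+ magic, rest zeroed
    sections = b""
    for i, name in enumerate(section_names):
        sections += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                                0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1),
                                0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\x00\x00" + coff + optional + sections


def pe_section_names(data):
    """Walk the section table of a PE file and return its section names in order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_offset:pe_offset + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, pe_offset + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_offset + 20)[0]      # COFF SizeOfOptionalHeader
    table = pe_offset + 24 + opt_size  # section headers follow the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]  # each header is 40 bytes, name first
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def has_steamstub_bind_section(data):
    """True if the file carries a .bind section, the SteamStub packer's tell-tale."""
    return ".bind" in pe_section_names(data)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe([".text", ".bind"])
    print("sections:", pe_section_names(data))
    print("SteamStub .bind section present:", has_steamstub_bind_section(data))
```

Run it with a path to an exe to check a real file; with no argument it checks the constructed sample.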