ulysse31 (Master Cheater)
Reputation: 2 | Joined: 19 Mar 2015 | Posts: 324 | Location: Paris
Posted: Fri Jun 10, 2016 10:24 am | Post subject: Evade anti cheat detection by altering system dll
Hello, I am wondering if a valid method to evade anti-cheat system detections is to alter certain DLL APIs such as Process32First/Next etc.
I imagine this would interfere with many programs, including Cheat Engine itself, but what if I replace the native DLL whenever I am done, would that work? (i.e. assuming the anti-cheat uses a process snapshot to detect cheat-oriented programs, and assuming the DLL is correctly edited (no stack mistake / return value mistake etc.))
atom0s (Moderator)
Reputation: 205 | Joined: 25 Jan 2006 | Posts: 8585 | Location: 127.0.0.1
Posted: Fri Jun 10, 2016 1:51 pm
You could hook Process32First/Next (assuming they don't detect the hooks) and fake the return when it gets to your module. Instead of returning your module's information, skip over it and just call Process32Next again, etc.
_________________
- Retired.
ulysse31 (Master Cheater)
Reputation: 2 | Joined: 19 Mar 2015 | Posts: 324 | Location: Paris
Posted: Fri Jun 10, 2016 2:54 pm
atom0s wrote:
    You could hook Process32First/Next (assuming they don't detect the hooks) and fake the return when it gets to your module. Instead of returning your module's information, skip over it and just call Process32Next again, etc.
For now, however, I can't even attach a decent RE tool to the process; they all get detected. For this reason I have started coding my own tool, but meanwhile I was wondering: what if I alter the DLL holding Process32 on the hard drive, which is kernel32.dll?
Then the anti-cheat would load an altered kernel32.dll from the hard drive; would that do the trick? (The DLL would indeed fake the return call, but there would be no run-time hooking involved.)
atom0s (Moderator)
Reputation: 205 | Joined: 25 Jan 2006 | Posts: 8585 | Location: 127.0.0.1
Posted: Fri Jun 10, 2016 11:05 pm
ulysse3131 wrote:
    atom0s wrote:
        You could hook Process32First/Next (assuming they don't detect the hooks) and fake the return when it gets to your module. Instead of returning your module's information, skip over it and just call Process32Next again, etc.
    For now, however, I can't even attach a decent RE tool to the process; they all get detected. For this reason I have started coding my own tool, but meanwhile I was wondering: what if I alter the DLL holding Process32 on the hard drive, which is kernel32.dll?
    Then the anti-cheat would load an altered kernel32.dll from the hard drive; would that do the trick? (The DLL would indeed fake the return call, but there would be no run-time hooking involved.)
That's a bit overkill to do and would require messing with Windows a bit to ensure that it does not try to override your altered kernel32.dll file. You'd also be limited by Windows Updates if you have it turned on, since an update is bound to overwrite your edited kernel32.dll, and so on. You are better off figuring out how it is detecting you and bypassing that.
_________________
- Retired.
crashoverride93 (Advanced Cheater)
Reputation: 0 | Joined: 04 Aug 2015 | Posts: 61
Posted: Fri Jul 22, 2016 2:26 am
If you're running Windows XP you can copy that DLL into the program directory and make your modifications, and it will work without causing problems in Windows.
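A defender-side check for the two on-disk variants discussed in this thread (a kernel32.dll edited in place, or a copy planted next to the program): this is an added PowerShell example, not code from any poster. It assumes an elevated prompt and a Windows version on which Get-AuthenticodeSignature validates catalog-signed system files.

```powershell
# Added example: list processes whose loaded kernel32.dll is not the
# signed copy from the Windows system directories. This catches both a
# kernel32.dll edited in place (its hash no longer matches the catalog)
# and a copy loaded from the program's own directory (path outside System32).
$trustedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Get-SuspiciousKernel32 {
    $findings = @()
    foreach ($proc in Get-Process) {
        # Protected or already-exited processes throw here; skip them.
        try { $modules = $proc.Modules } catch { continue }
        foreach ($mod in $modules) {
            if ($mod.ModuleName -ine 'kernel32.dll') { continue }
            $dir = Split-Path -Path $mod.FileName -Parent
            $fromSystemDir = [bool]($trustedDirs | Where-Object { $_ -ieq $dir })
            # 'Valid' only if the file still matches a Microsoft catalog entry
            # (or carries an intact embedded signature); any edit breaks this.
            $sig = Get-AuthenticodeSignature -FilePath $mod.FileName
            if ($fromSystemDir -and $sig.Status -eq 'Valid') { continue }
            $findings += [pscustomobject]@{
                Process   = $proc.ProcessName
                PID       = $proc.Id
                Path      = $mod.FileName
                Signature = $sig.Status
            }
        }
    }
    # kernel32.dll is normally on the KnownDLLs list, so the loader maps it
    # from \KnownDlls rather than the application directory; the path check
    # still flags any process where that did not hold.
    return $findings
}

Get-SuspiciousKernel32 | Format-Table -AutoSize
```

This only inspects the file backing the mapped module; the in-memory hooking of Process32First/Next suggested earlier in the thread leaves the on-disk file intact and needs a comparison of the mapped code against the disk image instead.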
kantoboy69 (Advanced Cheater)
Reputation: 2 | Joined: 31 Mar 2010 | Posts: 71 | Location: Manila
Posted: Fri Aug 05, 2016 2:14 am
You could also try Windows kernel hooking, ulysse3131.
No need to modify DLLs.
Unless that anti-cheat/anti-debugger is some sort of advanced antivirus,
then it would suffice.
_________________
Cheater always prosper Hitler