[Tutorial] Hide Any Program From the Anti-Cheat

**gurud** · 01-21-2015

Introduction:

This tutorial and it's tools have the purpose to hide any program from being found by the PoE Anti-Cheat.

It uses a few methods to hide a program from view of any program looking, because of that it is detected by most Anti Virus as a potentially risky software.

I recommend that before trying any of these steps you read thought all the topic, so you can decide if you actually want to do this.

Because it can hide any program i'll use Cheat Engine 6.3 as an example.

Also the PoE Anti-Cheat, can still find out if you changed the game memory, so you will be able to use the PoeHUD, Multiscript and Bots or any other program as long as it does not change memory like a maphack would.

All the programs have a readme text inside that should be read before using it.

If you decide to follow these steps i'm not responsible if anything bad happens in your computer.

Step 1 - Disabling UAC:

CLICK HERE

Step 2 - Changing the Window Name:

Fist Download the file at the end of this post and extract it.
Go to Window Renamer and open Window Renamer.exe.
Chose the window you want to rename and change it.

Step 3 - Hiding the Process

For this there are 2 methods i'll be teaching one for x32 users and one for x64 users.

Method for users using Vista and Windows 7 x32:

This is not 100% undetected but it should be fine for the current detection of PoE.

Go to HideToolz x32 paste.
If you are a Vista user run the shutdown_fix_vista_only.reg and restart computer.
Run the program HideToolz.exe. It should appear "Driver Loaded" if not restart your computer and try again.
Once the driver is loaded find cheatengine.exe and click Hide.

Method for users using Vista and Windows 7 x64:

This method is 100% undetected no game would ever find as it hides the program in kernel ring0 level.

Go to Signature Scanner Overrider paste.
Run dseo13b.exe.
Check "Enable Test Mode" and click next.
Check "Exit" and click next and Restart your computer.
Go to Disable PathGuard paste.
**Important. This next step will create a new boot option "PatchGuard Disabled v3" which allows for loading of unsigned x64 bit drivers.
Run mk_bcdentry.cmd and follow directions on screen.
A patcher will start, you must press "Patch" then "Exit" before continuing with mk_bcdentry.cmd.
Next steps should be done every time you want to hide a program.
Restart and boot on "PatchGuard Disabled v3" option.
Go to hidecon x64 paste.
Start cmd as administrator (LINK)
Inside cmd navigate to hidecon x64 paste (see image bellow)
Confirm you are at the correct paste by typing hidecon
Type "hidecon -ld" to load the driver.
Type "hidecon -l" to display process list and save the ProcessId of the program you wanna hide.
Type "hidecon -ph ProcessId" to hide the program.
Type "hidecon -ud" to unload the driver (to leave no traces).

Credits:
Fyyre - For most of the tools.
binary modifications, etc - by Fyyre

Download:

Hide.rar | Mediafire

**Deathnugget** · 01-22-2015

Thanks for the guide. Will test it out this afternoon!

**scharush** · 01-22-2015

Thanks for that. I have windows 8 tho, does that mean I can't use this guide?

Also, I've heared the program "Spyshelter" should make any kind of hacks undetectable with the creation of rules. Is that true? If so, why not use it instead?

**tvinki** · 01-22-2015

but still need way to use zoom, fulbright, suspend particles without ban )

**doragon** · 01-22-2015

lol u found Fyyre )) it was coolest site in time when l2j c5 was developed (more then 9 years ago), nostalgia.

**magicneo** · 01-22-2015

Hey,

Im stuck at point 6.

I run Mk_bcdentry then i got this

After that i boot on PatchGuard Disabled but it fail to launch window so nothing appens then i get back to boot menu

**ocslappy** · 01-22-2015

Originally Posted by magicneo

Hey,

Im stuck at point 6.

I run Mk_bcdentry then i got this

After that i boot on PatchGuard Disabled but it fail to launch window so nothing appens then i get back to boot menu

It's probably your anti-cheat software that deletes the files ntkrnlmp.exe & osload.exe before you even restarted and thats why PatchGuard Disabled boot wont load.

**SpaceGuy119** · 01-22-2015

Gurud, how do you feel about the accusations that your pot script is causing bans?

**datz** · 01-23-2015

this seems way to complicated.

**snier** · 01-23-2015

what the point of all of this if we cant use any hack? Need only zoom and bright and if i understand correct that tools not allow us to use them

**gurud** · 01-23-2015

Originally Posted by SpaceGuy119

Gurud, how do you feel about the accusations that your pot script is causing bans?

I don't think they are banning people for using multiscript, i've only see people saying they got the warning when they run PoeHUD or the trainer.
but it should be detected right now (if GGG wants to detect it), but i'm working on making it undetected right now.

Originally Posted by snier

what the point of all of this if we cant use any hack? Need only zoom and bright and if i understand correct that tools not allow us to use them

It can make PoeHUD (without client hacks), Multiscript and any Bot's undetected.

**HvC** · 01-23-2015

Originally Posted by gurud

I don't think they are banning people for using multiscript, i've only see people saying they got the warning when they run PoeHUD or the trainer.
but it should be detected right now (if GGG wants to detect it), but i'm working on making it undetected right now.

It can make PoeHUD, Multiscript and any Bot's undetected.

It can make the exe undetected but not what they do aka if you do that to a maphack it'll still be detected because the Poe ac thread will look for the pattern and flag you if it did find something.

**~~Kapsel498~~** · 01-24-2015

I just want to know that gurud, right now your multicript is writing memory for e.g. auto quit option, so this could be detected?

**immor** · 01-25-2015

Another way to hide a process from the Task-Manager is to use hyde.dll. This 'can' be easily integrated into an AutoHotkey Script. Using this dll also got the advantage that you dont need to disable UAC or use any unsigned drivers, Sadly there is also quite a huge disadvantage,,, This does only work if you are using a x64 bit OS and the 64 bit version of AutoHotkey or if you're using a x86 bit OS and the 32 bit version of AutoHotkey. This does not work if you have a x64 bit OS but use 32 bit AHK (and/or vice versa)!

Nevertheless maybe someone may have some use for this.

Code:

/*
		hyde.dll hides a process from the Task-Manager on Windows2k/Windows7 (x86/x64 bit)!

		Your process can inject it into other processes however you like.  The example uses
		SetWindowsHookEx with a CBT hook (the dll  exports a CBTProc) to inject it into all
		running processes.

		Press Esc to exit the script.

		Note: if you do not compile the  script, AutoHotKey.exe gets hidden.  Otherwise the
		the name of the .exe gets hidden.

		Important: This does only work if you are using a x64 bit OS and the 64 bit version
		of AutoHotkey or if you're using a x86 bit OS and the 32 bit version of AutoHotkey.
		This does not work if you have a x64 bit OS but use 32 bit AHK (and/or vice versa)!
*/

#NoEnv
SetWorkingDir %A_ScriptDir%

OnExit, ExitSub

RunAsAdmin()

if ((A_Is64bitOS=1) && (A_PtrSize!=4))
	hMod := DllCall("LoadLibrary", Str, "hyde64.dll", Ptr)
else if ((A_Is32bitOS=1) && (A_PtrSize=4))
	hMod := DllCall("LoadLibrary", Str, "hyde.dll", Ptr)
Else
{
	MsgBox, Mixed Versions detected!`nOS Version and AHK Version need to be the same (x86 & AHK32 or x64 & AHK64).`n`nScript will now terminate!
	ExitApp
}

if (hMod)
{
	hHook := DllCall("SetWindowsHookEx", Int, 5, Ptr, DllCall("GetProcAddress", Ptr, hMod, AStr, "CBProc", ptr), Ptr, hMod, Ptr, 0, Ptr)
	if (!hHook)
	{
		MsgBox, SetWindowsHookEx failed!`nScript will now terminate!
		ExitApp
	}
}
else
{
	MsgBox, LoadLibrary failed!`nScript will now terminate!
	ExitApp
}

MsgBox, % "Process ('" . A_ScriptName . "') hidden!"
Return

Esc::ExitApp

RunAsAdmin()
{
	Global 0
	IfEqual, A_IsAdmin, 1, Return 0
	
	Loop, %0%
		params .= A_Space . %A_Index%
	
	DllCall("shell32\ShellExecute" (A_IsUnicode ? "":"A"),uint,0,str,"RunAs",str,(A_IsCompiled ? A_ScriptFullPath : A_AhkPath),str,(A_IsCompiled ? "": """" . A_ScriptFullPath . """" . A_Space) params,str,A_WorkingDir,int,1)
	ExitApp
}

ExitSub:
	if (hHook)
	{
		DllCall("UnhookWindowsHookEx", Ptr, hHook)
		MsgBox, % "Process unhooked!"
	}
	if (hMod)
	{
		DllCall("FreeLibrary", Ptr, hMod)
		MsgBox, % "Library unloaded"
	}
ExitApp

I have included this script aswell as both dll's into the rar file found in the attachment,