-
Member
They didn't ID several hundred thousand players by screenshots.
-
★ Elder ★
Originally Posted by
xCROv
They didn't ID several hundred thousand players by screenshots.
Did someone say they did?
-
Member
I just need the preload alert for my lab runs. Is it unsafe to use PoEHud only for this purpose?
-
Member
Originally Posted by
TehCheat
Did someone say they did?
Not in this thread. Was just replying to the one with a more in-depth discussion about screenshots and anti-cheat going on. It's pretty common for anti-cheats to have the ability, but normally it's used more for spot-checking automation than detection; I'm sure you already know that though. It was probably just signature-based scanning unless the exe that PoEHud generates is unique. You would know more about that than we would though. Wasn't directing my comment at you or meaning any insult by it. InfoSec is most of what I do so I enjoy the discussions and reading.
What is your opinion on all of this and what do you think the outcome will be? I'm curious what caused the major shift in GGG's stance and if you think that will affect the way PoEHud operates.
Last edited by xCROv; 07-16-2018 at 01:05 AM.
-
Member
So I've been running POEHud w/ Flask Manager + Autoquit with the following protections / configs in place - no warnings so far (been playing excessively the entire league), but I'm not sure how much of it is luck vs. weird environment. No GGPK mods, no autotraders/stashie/pickit/doors, no roommates or friends that could be using different settings.
- Running in Windows 10 LTSB on a KVM GPU passthrough VM (should be more-or-less the same as native, but the VFIO drivers could be confusing the anti-cheat - also used *solely* for gaming)
- Compiled POEHud "Release x64" target on a second machine using VS2017 + Dotnetfuscator (I know it doesn't change in-memory heuristics, but it'll royally mess with naming schemes and control flow within the binary, just wanted to mix it up). Changed assembly properties to mimic AV. Did this every version.
- Never visited the github page from the gaming VM to avoid DNS heuristics (browsers love to run in multiple user contexts simultaneously).
- Used ResourceHacker to change the binary properties to mimic an AV solution (original .exe name, path, internal name, version, etc.)
- Restricted PoE to a standard user, explicitly denied all of that user's rights to cports and the simulated "AV" path containing PoeHud.
- Launched PathofExile_x64 directly with --waitforpreload --nologo (shouldn't matter), and only as the restricted user.
- Used PsExec64 to launch PoEHud as NT AUTHORITY\SYSTEM from my admin account (-s -i -d -w "C:\Fake\AV\Path" C:\Fake\AV\Path\binary.exe) - again, simulating AV scanner services.
From the restricted account, all ProcessExplorer can see is an AV process that doesn't resolve to an image file (no string searches), has no path, was spawned by a non-existent parent process, and can't even determine what user started it.
That being said, this *is not* foolproof. It's entirely possible they could be doing heuristics based on how the memory interaction functions of PoeHud work with the binary (memory reads by an external thread during zone reloads/changes correlating with preload alerts or inventory sorting would jump to mind), and in that case that'd be surprisingly effective / I'll ride the banwave. Or, if they're hooking the entire desktop window handle for screenshots, pretty much the only option would be passing WDA_MONITOR to SetWindowDisplayAffinity (SetWindowDisplayAffinity function (Windows)) for the overlay hWnd, but that'd still result in black boxes. [Graphics programming isn't my strong suit]
I'm guessing the vast majority of people got warnings because the "Original EXE Name" property of PoeHUD never changes, is viewable in image properties (assuming you're running as the same user), and would be absolutely trivial to detect. That, or they were mixing with other addons/mods.
-
Post Thanks / Like - 2 Thanks
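The detection side of the checklist in the post above (an image name that does not match the OriginalFilename stored in the binary's version resource, a parent process that no longer exists, an image path the observer cannot resolve, a SYSTEM process living outside the usual system directories), written up as an added example. This is not code from the thread, from GGG or from PoEHud; the process records are constructed sample data and every path, PID and file name in them is made up. On a live Windows host the same fields would be filled from a process enumeration plus each image's VERSIONINFO resource.

```python
"""Triage indicators for a renamed or disguised helper process.

Added example, not code from the thread or from PoEHud. Each check encodes
one observation from the post above as a hunting rule over a process
snapshot. The SAMPLE snapshot below is constructed data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"
# Where a SYSTEM-level service binary is normally expected to live.
# Assumption for this check; tune it for the environment. Paths are compared
# lower-cased with forward slashes so the raw-string trailing-backslash
# problem never arises.
TRUSTED_SYSTEM_DIRS = ("c:/windows/", "c:/program files/", "c:/program files (x86)/")


@dataclass
class ProcessRecord:
    pid: int
    ppid: int                         # 0 = root of the tree (snapshot convention)
    name: str                         # image file name as shown in the process list
    image_path: Optional[str]         # None if the observer cannot resolve it
    original_filename: Optional[str]  # VERSIONINFO OriginalFilename, None if unreadable
    user: Optional[str]               # owning account, None if not determinable


def normalize(path: str) -> str:
    return path.lower().replace("\\", "/")


def check_process(rec: ProcessRecord, snapshot: Dict[int, ProcessRecord]) -> List[str]:
    """Return the names of the indicators that fire for one record."""
    findings = []
    # The on-disk name differs from the name compiled into the binary.
    if rec.original_filename and rec.original_filename.lower() != rec.name.lower():
        findings.append("renamed_image")
    # The parent is gone: it exited, or the child was started via a launcher.
    if rec.ppid != 0 and rec.ppid not in snapshot:
        findings.append("orphaned_parent")
    # The observer cannot see the image file at all.
    if rec.image_path is None:
        findings.append("unresolved_image_path")
    # A SYSTEM process from a directory no system component lives in.
    if rec.user == SYSTEM_ACCOUNT and rec.image_path is not None:
        if not normalize(rec.image_path).startswith(TRUSTED_SYSTEM_DIRS):
            findings.append("system_outside_trusted_dirs")
    return findings


def triage(records: List[ProcessRecord]) -> Dict[int, List[str]]:
    """Map pid -> indicators for every record with at least one finding."""
    snapshot = {r.pid: r for r in records}
    return {r.pid: f for r in records if (f := check_process(r, snapshot))}


def suspicious(records: List[ProcessRecord], min_indicators: int = 2) -> List[int]:
    """PIDs where several indicators coincide; one alone is weak evidence."""
    return sorted(pid for pid, f in triage(records).items() if len(f) >= min_indicators)


# Constructed sample snapshot. All values are invented for illustration.
SAMPLE = [
    ProcessRecord(600, 0, "wininit.exe", r"C:\Windows\System32\wininit.exe",
                  "wininit.exe", SYSTEM_ACCOUNT),
    ProcessRecord(700, 600, "services.exe", r"C:\Windows\System32\services.exe",
                  "services.exe", SYSTEM_ACCOUNT),
    # explorer's parent (userinit) normally exits: a benign orphan.
    ProcessRecord(2950, 2800, "explorer.exe", r"C:\Windows\explorer.exe",
                  "EXPLORER.EXE", r"DESKTOP\player"),
    ProcessRecord(3120, 2950, "PathofExile_x64.exe",
                  r"C:\Games\PathOfExile\PathofExile_x64.exe",
                  "PathofExile_x64.exe", r"DESKTOP\player"),
    # Renamed binary, started by a launcher that has exited, running as
    # SYSTEM from a made-up "AV" directory: three indicators coincide.
    ProcessRecord(4410, 9999, "binary.exe", r"C:\Fake\AV\Path\binary.exe",
                  "overlay_tool.exe", SYSTEM_ACCOUNT),
    # Visible only as a name from a restricted context: one indicator.
    ProcessRecord(5200, 2950, "helper.exe", None, None, None),
]

if __name__ == "__main__":
    for pid, found in triage(SAMPLE).items():
        print(pid, found)
    print("review:", suspicious(SAMPLE))
```

Running it flags explorer.exe for the orphaned parent alone, which is exactly why `suspicious()` asks for two or more coinciding indicators before a record is worth a look: each check on its own also matches ordinary services and launchers, so these are triage signals, not proof of anything.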
-
Member
Guys, did you notice this?
Exilebuddy Operations Ending
You can google the full announcement, but I just wanted to point out a passage which could be interesting for us.
There's no way to know 100% how they got us. However, I still strongly believe it was a new server sided system, but it's really hard to prove. I feel like I have a convincing case now as to how they could have got us, but it's pretty complicated, and needs its own post with a lot of context for people to understand the real problem.
The short version is, I think they are now looking at skill data (that includes move actions) on the server in a way that was not possible before (most likely due to limited resources) and doing some type of analysis that allows them to differentiate bots from players. However, this system is still in the early stages, but it was good enough to trigger the targeted botting cleanup we've seen the past month. In time, I think they will develop this system further and getting away with botting will be exponentially harder than it has been in the past, but that's just my opinion.
On the client side of things, I'm positive they are making subtle client changes to detect people changing the game and its data. I think we'll continue to see the fallout of these changes this upcoming week as bans start to roll out for people not heeding the latest cheating warning. Right now, I have a logical explanation for everything except 1 specific case of people who got the warning, but there's always that margin of error from what people say vs what people actually did. I'm sure I could verify some of these things myself, but there's no point other than for my personal entertainment.
Last edited by zetk; 07-16-2018 at 10:00 AM.
-
Member
Originally Posted by
zaafar
Which bar are you talking about? Maybe they are taking screenshots and sending them to their server or something... that would be a noob and weird thing to do... for proof maybe.
I'm using a second monitor and mostly while playing I press the Windows key to get the mouse on the second one, then the Windows bar is visible with Path of Exile. Sometimes I watch something on the second monitor so I see Path of Exile on the Windows bar all the time, and lately I notice that weird flick/blink once in a while even when I was AFK / waiting for trades. That wasn't the case before the last weird updates with fixes of 800+ MB each, three times in a row this league.
-
★ Elder ★
Originally Posted by
bartekai95
I'm using a second monitor and mostly while playing I press the Windows key to get the mouse on the second one, then the Windows bar is visible with Path of Exile. Sometimes I watch something on the second monitor so I see Path of Exile on the Windows bar all the time, and lately I notice that weird flick/blink once in a while even when I was AFK / waiting for trades. That wasn't the case before the last weird updates with fixes of 800+ MB each, three times in a row this league.
I noticed the same thing yesterday. Taskbar icons disappear and then it redraws all the icons within a very short period of time (a frame or two). It was doing this fairly often from what I could tell.
-
Active Member
If they are taking "screenshots" there should be a process that starts it. I've noticed other hacks that can detect this and turn the hack off until the screenshot is completed. The Division hack by CheatAutomation.com is one example.
-
Member
Would it be possible to run path of exile within a virtual environment and use PoE HUD outside that environment?
Like, using overlays on top of the virtual environment. PoE would not see any external program; even PoE taking screenshots would not show anything suspicious.
-
Member
Originally Posted by
bartekai95
I'm using a second monitor and mostly while playing I press the Windows key to get the mouse on the second one, then the Windows bar is visible with Path of Exile. Sometimes I watch something on the second monitor so I see Path of Exile on the Windows bar all the time, and lately I notice that weird flick/blink once in a while even when I was AFK / waiting for trades. That wasn't the case before the last weird updates with fixes of 800+ MB each, three times in a row this league.
That does sound like it taking screenshots. I mean surely they didn't identify players based on screenshots right? That would be a massive amount of data to analyze. Maybe with the purchase by Tencent they can do such hand analysis now?
-
Member
Originally Posted by
xCROv
That does sound like it taking screenshots. I mean surely they didn't identify players based on screenshots right? That would be a massive amount of data to analyze. Maybe with the purchase by Tencent they can do such hand analysis now?
ML image recognition is a thing these days, and since the HUD has static elements, this would be trivial to do.
Breaking out of process bounds to read other processes could itself be construed as a privacy breach. While taking screenshots gives that an extra oomph, I very much doubt they care.
Last edited by elkond; 07-16-2018 at 12:13 PM.
-
Elite User
Originally Posted by
zetk
Guys, did you notice this?
You can google the full announcement, but I just wanted to point out a passage which could be interesting for us.
This will only pertain to botting at least for now and is probably the most effective way they will ever combat botting - By using heuristic analysis and probably eventually or possibly even now machine learning to identify botting behaviors. You can play cat and mouse with an anticheat but it's a whole lot harder to play cat and mouse with a system that will hone in on bot-like behavior with a high degree of accuracy.
Originally Posted by
xCROv
That does sound like it taking screenshots. I mean surely they didn't identify players based on screenshots right? That would be a massive amount of data to analyze. Maybe with the purchase by Tencent they can do such hand analysis now?
Again it's highly unlikely they are taking screenshots in order to detect PoEHUD at least.
For starters they would need to be screenshotting your entire screen including your desktop and anything else visible, taking a screenshot of just the game client isn't going to cut it because the overlay is a separate program running over the top on a transparent window.
This would be a privacy nightmare, probably illegal, and the pitchforks would be out if they were doing this because they could potentially capture all kinds of sensitive information, and I'd bet that this is not covered by their T&Cs.
When you think of other games/anticheats taking screenshots, it's normally because they are looking for cheats that have been injected into the game process and are directly drawing through the game which would show on an in-game screenshot, so they can just capture a screenshot of the game output itself.
Originally Posted by
BasserFax
Would it be possible to run path of exile within a virtual environment and use PoE HUD outside that environment?
Like, using overlays on top the virtual environment. PoE would not see any external program, even PoE taking screenshots would not show anything suspicious.
A VM would probably not be possible, or would be incredibly difficult, but it is possible to run POE in Sandboxie and have the HUD outside interacting with it. I'm not sure this offers any more protection over running POE under a non-admin user account and POE under an admin account.
Last edited by Cush; 07-16-2018 at 11:58 AM.
-
Member
Originally Posted by
Cush
A VM would probably not be possible, or would be incredibly difficult, but it is possible to run POE in Sandboxie and have the HUD outside interacting with it. I'm not sure this offers any more protection over running POE under a non-admin user account and POE under an admin account.
Sandboxie would run the same as a VM would if configured correctly. Just need to allow only communication in and not out. Until someone actually takes the time to reverse engineer the anti-cheat we probably won't know what it's doing though. I would assume that it's going to be server-sided heuristics though.
-
Active Member
Originally Posted by
elkond
ML image recognition is a thing these days, and since the HUD has static elements, this would be trivial to do.
100% Agree.