-
Elite User
Originally Posted by
MeNoUseHax
I wish I had known about this app from the beginning. I use TurboHud for Diablo 3 and this seems to do a million times more.
A few things:
I don't think that they will ban people for using this overlay. Yes, I will test it on a second account myself.
This feels like an empty threat to me because the notification is so vague and they have made no statements with specifics as to what they will allow and not allow.
Secondly, there is a way to run the app that should make it undetectable to GGG.
Here are the instructions ([HOW TO] Protect against Warden)to do it with TurboHUD for Diablo 3.
Only people caught using detected cheats were flagged for a warning, I believe, and many people, including myself, who ONLY used the HUD and nothing else sketchy got it, which means continued use will likely result in a ban until we find out more. The last banwave years ago also included PoEHUD as well so...
I won't claim to be an expert, but I'd beware of trusting the running-as-non-admin method. I'd be interested if anyone more experienced in that kind of thing could confirm whether this should be technically safe, assuming that GGG's anticheat is fairly rudimentary (which it seems to be; I would imagine it's just scanning against a blacklist of known cheat signatures or something) and doesn't involve any kind of driver or being forced to run at a higher level, and whether there is any feasible way it could still pick this up.
I'm assuming it would still be able to see what processes have open handles, but I'm curious if the limited privileges would prevent it from being able to get enough information from this to identify a known cheat.
There are some people also claiming that they have run absolutely nothing third party that interacts with POE in any way and have still gotten the warning, so I'm curious as to how this whole thing pans out.
Last edited by Cush; 07-14-2018 at 07:14 PM.
-
Member
Just a question, what if we run steam and (or just) PoE in a sandbox environment?
Running a program in a sandbox is used to check for any potentially malicious exe files that can't be checked through antivirus/antimalware; it will run the program in an isolated environment where the real PC will never get affected by the program.
So what if we run PoE in a sandbox so it will never be able to "extend" beyond the boundaries and check for running processes?
Or does that also mean that poehud can't read any data from the game client?
-
Elite User
Originally Posted by
swangjang
Just a question, what if we run steam and (or just) PoE in a sandbox environment?
Running a program in a sandbox is used to check for any potentially malicious exe files that can't be checked through antivirus/antimalware; it will run the program in an isolated environment where the real PC will never get affected by the program.
So what if we run PoE in a sandbox so it will never be able to "extend" beyond the boundaries and check for running processes?
Or does that also mean that poehud can't read any data from the game client?
I think with applications like Sandboxie, if you set it up, it's actually possible to give sandboxed applications/files access to things outside the sandbox and vice versa.
As per a few posts ago, you can also create a standard Windows user which has limited permissions, deny it all access to the POEHuD folder just in case, then use cmd to open POE+Steam under this username's permissions. Due to how Windows permissions work, POE then cannot access any applications running as admin. As I said though, I'm not sure if it's still possible to at least get some identifying information that could be used to identify cheats based on how POEHud is being accessed/read.
I had a poke around the POE executable, as I can't see anything else that runs in the background that looks like an anticheat, and found a couple of strings in there that look related to cheat detection. I also spent a good hour monitoring API calls from POE, checking for common methods of scanning other processes, combined with checking through the executable's imports for anything that looks suspicious, but nothing came up suggesting that the application was scanning/checking any other processes in memory. Not sure if this means it currently isn't scanning or if they are using some different method, but I'm gonna have another look tomorrow.
Last edited by Cush; 07-14-2018 at 09:59 PM.
-
Originally Posted by
Cush
I had a poke around the POE executable, as I can't see anything else that runs in the background that looks like an anticheat, and found a couple of strings in there that look related to cheat detection. I also spent a good hour monitoring API calls from POE, checking for common methods of scanning other processes, combined with checking through the executable's imports for anything that looks suspicious, but nothing came up suggesting that the application was scanning/checking any other processes in memory. Not sure if this means it currently isn't scanning or if they are using some different method, but I'm gonna have another look tomorrow.
I'm not even sure that the anti-cheat is in the client at the moment. Some people were trying to get detected and were having issues. GGG may have patched in (or simply armed) the anti-cheat, sent any detections to their server (quietly), removed/disarmed the anti-cheat, then given out warnings.
We won't know until they re-enable it for the bans "in a few days" as they said.
-
Active Member
Chris has said previously that they just arm/disarm their cheat detection and collect players over time, then ban them all in a giant wave a bit down the line. I imagine they'll probably start arming the anti-cheat randomly every few days over the next couple of weeks, then hit them all with a giant ban-wave right before they roll out the end-of-season races and competitive races, which is really what all this is about.
I can almost guarantee there are races, or multiple really short-term races, coming that have way more money and prizes invested in them than usual, and as such GGG want map-hacking in particular gone for them. It's basically so they can protect the streamers and major players from getting beaten by those using cheats/hacks/map-hacks, etc.
-
Member
Right on! Thanks for taking the time to write up in detail some of the various research you have done since the recent update regarding the anti-cheat. Without individuals digging around and sharing their findings, none of what we do would ever be possible. Collectively, either working alongside or around the detection, we have a chance to safely get back at least some of what we had before. None of us want a war of cheat and anti-cheat, or grey areas. Everyone wants answers, and in this case, just asking or probing a little isn't sufficient.
Sometimes when you suck at coding or are downright lazy like me, you have to find another way to contribute in a timely manner. For now, I will be that one motivational speech guy who says thank you a lot.
Thank you all
Last edited by Quasar420; 07-15-2018 at 12:51 AM.
-
Elite User
Originally Posted by
Sychotix
I'm not even sure that the anti-cheat is in the client at the moment. Some people were trying to get detected and were having issues. GGG may have patched in (or simply armed) the anti-cheat, sent any detections to their server (quietly), removed/disarmed the anti-cheat, then given out warnings.
We won't know until they re-enable it for the bans "in a few days" as they said.
Yeah, it seems this is likely the case; it looks like the anticheat functionality is within the client itself and they are just arming it remotely and providing it with a list of signatures to scan or something.
I've been doing a lot of reading up, and honestly I believe that, since their anticheat seems to be fairly simple and there are no drivers or services or anything involved, using the Windows user method to make sure POE is running as a restricted process while running PoEHUD as an elevated process should mean that the absolute most information they can get through standard means is the file name, size and path of the process.
Would love if someone that knew more about this could prove me wrong.
-
Member
Originally Posted by
Cush
the absolute most information they can get through standard means is the file name, size and path of the process.
Honestly, I doubt it.
I'm a very cautious person, and from the very first time I used PoeHUD, the first thing I did was not just simply rename the original exe (even though I know it renames itself); literally every time I downloaded a new version of PoEHUD, I modified PoeHUD.exe to be bigger, so it had a different file size and CRC.
Hell, I even put it in the Program Files directory and masked it as Logitech drivers, with the same directory structure as my old mouse drivers had.
I know nothing about programming, and what I was doing was just simply messing with a hexadecimal editor, but I have a feeling that they can maybe check what's rendered or not. I mean, I think it could maybe be something with graphics card rendering that gives them positive info about PoeHUD, or they just check if something is reading some specific information from memory which should be hidden from the player (like when entering an area), but I could be wrong; that's just my amateur idea of what could be happening.
Sorry for my English; as you see, I'm not a native speaker at all.
Edit: I probably forgot to say, I got the warning too, so my cautiousness was useless.
Last edited by zetk; 07-15-2018 at 11:11 AM.
Reason: added some info
-
Elite User
Originally Posted by
zetk
Honestly, I doubt it.
I'm a very cautious person, and from the very first time I used PoeHUD, the first thing I did was not just simply rename the original exe (even though I know it renames itself); literally every time I downloaded a new version of PoEHUD, I modified PoeHUD.exe to be bigger, so it had a different file size and CRC.
Hell, I even put it in the Program Files directory and masked it as Logitech drivers, with the same directory structure as my old mouse drivers had.
I know nothing about programming, and what I was doing was just simply messing with a hexadecimal editor, but I have a feeling that they can maybe check what's rendered or not. I mean, I think it could maybe be something with graphics card rendering that gives them positive info about PoeHUD, or they just check if something is reading some specific information from memory which should be hidden from the player (like when entering an area), but I could be wrong; that's just my amateur idea of what could be happening.
Sorry for my English; as you see, I'm not a native speaker at all.
Edit: I probably forgot to say, I got the warning too, so my cautiousness was useless.
Short of taking screenshots of your PC without your consent and sending them, I don't believe they can 'know' what is being rendered on your screen, aside from searching through open applications for specific patterns (signature scanning), which is why your carefulness didn't pay off: it doesn't matter if the .exe is different or is in a different place, as they are looking for specific things which are going to turn up in the memory of everyone using it.
The user/sandbox method would prevent POE from being able to access the .exe or the process of poehud to scan for patterns, and even if it knows poehud has an open handle for reading memory, this isn't a malicious thing in itself, as lots of processes (such as antivirus) might open handles to a program, so no anticheat would ban for it straight up.
Assuming this is the case, what happens here is anyone's guess. I believe if you tried to use this method on, say, VAC, it would boot you from the game with an authentication error or something, but not ban you, each time it thought something was suspicious but was being refused access to look at it. The best-case scenario would be that they don't care or action this, or they are just scanning everything in memory and don't consider some things being inaccessible suspicious.
This is all just speculation, of course, and I wouldn't recommend risking your main account using this method until it's confirmed, but I'm just basing this on what I understand and know regarding anticheats in general. The fact that they use no external processes, drivers, services, etc. means that they would be limited to only what the application is capable of.
On top of the user restriction, I also tested sandboxing POE with permissions set up, and the client has zero access/visibility of PoEHUD, but the HUD still works fine.
-
Member
I just got banned, no warning, like others, so I kept using the HUD... and boom, it's over.
I noticed some weird thing before that. My game in the bar blinked/flashed every few minutes, like someone was refreshing my windows or something.
Last edited by bartekai95; 07-15-2018 at 09:11 PM.
-
Member
I did the thing where I'm running PoE from a standard guest account with denied access to poehud. How safe is this actually? Not feeling like actually enabling the hud again until I'm sure GGG can't detect it that way.
-
Originally Posted by
Killabeat
I did the thing where I'm running PoE from a standard guest account with denied access to poehud. How safe is this actually? Not feeling like actually enabling the hud again until I'm sure GGG can't detect it that way.
Unless someone RE's the anti-cheat and makes the knowledge public, we won't know if this is a safe approach until someone gets banned using this method. If you are worried about your account, do not use PoeHUD until the devs declare that it is safe enough.
-
Member
Just wait a month and you'll see if it's safe or not.
-
Originally Posted by
bartekai95
I just got banned, no warning, like others, so I kept using the HUD... and boom, it's over.
I noticed some weird thing before that. My game in the bar blinked/flashed every few minutes, like someone was refreshing my windows or something.
Which bar are you talking about? Maybe they are taking screenshots and sending them to their server or something... that would be a noob and weird thing to do... for proof, maybe.
-
★ Elder ★
Early revisions of the anti-cheat had the ability to take screenshots. I'd be shocked if they took that capability away. It's a fairly easy way to see if someone is hooking DirectX and doing some drawing (wall hacks in a shooter are a great example of this).
Originally Posted by
Sychotix
I'm not even sure that the anti-cheat is in the client at the moment. Some people were trying to get detected and were having issues. GGG may have patched in (or simply armed) the anti-cheat, sent any detections to their server (quietly), removed/disarmed the anti-cheat, then given out warnings.
We won't know until they re-enable it for the bans "in a few days" as they said.
Do you know how to decrypt strings? Because if you don't, of course it doesn't look like the anti-cheat is in there, it's hiding.