[Question] General external hack detection practices menu

  1. #1
    Jadd

    [Question] General external hack detection practices

    Greetings.

    Today I'm wondering: what are some of the common (or, even better, uncommon) methods which are used to detect external hacks? Not only by Warden, but other anti-cheats as well. For example, installing a driver to hook NtReadVirtualMemory or scanning other processes for certain strings or hashes.

    I'm specifically interested in which ways it would be possible to detect a cheat which only obtains a privileged handle to the process and then reads from memory.

    Any replies will be helpful.

  2. #2
    DarthTon
    Most obvious things that came to mind:

    1. Signature match. Can be anything susceptible to hashing - strings, code section parts, initialized static data.
    2. Debugger presence detection.
    3. Search for open handles to current process/threads.
    4. Global hook of NtRead/NtWrite VM via DLL, or single-process hook using a debugger and Debug Events.
    5. Ring0 hook of NtRead/NtWrite VM or MmCopyVirtualMemory. I don't know how this is implemented in 'official' software; IIRC there are no documented callbacks for those routines and you can't simply disable PatchGuard there.

    As protection from NtReadVirtualMemory detection, use one of these: NtWow64ReadProcessMemory64 (can be detected just like RPM itself), manual sysenter or int 2E (int 2E is preferable because it can't be traced by hooking KiFastSystemCallRet) in ring3, or write your own RPM implementation in ring0.
    Last edited by DarthTon; 09-16-2013 at 02:18 AM.

  3. #3
    ~Unknown~
    You might want to take a look on Google Scholar for some academic papers on this question. Just a simple search can be seen: Here

    A reasonable paper mentions the type of detection (behavioral) that Honorbuddy users have been suggesting happened a bit ago: Here

    While there are these methods available, I bet most here would agree that not a lot of companies employ the more "intrusive" methods for risk of false positives. However, you do see a higher proliferation in anticheat techniques since gaming is quite a popular market (Look at all the anti-cheat systems out there).

  4. #4
    Jadd
    Originally Posted by ~Unknown~ View Post
    You might want to take a look on Google Scholar for some academic papers on this question. Just a simple search can be seen: Here

    A reasonable paper mentions the type of detection (behavioral) that Honorbuddy users have been suggesting happened a bit ago: Here

    While there are these methods available, I bet most here would agree that not a lot of companies employ the more "intrusive" methods for risk of false positives. However, you do see a higher proliferation in anticheat techniques since gaming is quite a popular market (Look at all the anti-cheat systems out there).
    I'm more interested in memory-based detections rather than heuristics like this paper seems to focus on. Still an interesting read however, thanks for the link.

  5. #5
    sitnspinlock
    Originally Posted by DarthTon View Post
    I don't know how this is implemented in 'official' software; IIRC there are no documented callbacks for those routines and you can't simply disable PatchGuard there
    Windows x64 system service hooks and advanced debugging - CodeProject


    patchguard 'api' in a nutshell ;p


    edit -

    You can also use ObCallbacks in x64.

    And Jadd, your question is difficult to answer because you are going in 2 different directions with your initial question. In the first part of your question you seem to be touching upon detection, whereas the latter half seems to suggest a more prevention-based approach. You should be more descriptive so we can suit you with better answers.
    Last edited by sitnspinlock; 09-17-2013 at 10:16 PM.

  6. #6
    Jadd
    Originally Posted by everdox View Post
    Windows x64 system service hooks and advanced debugging - CodeProject


    patchguard 'api' in a nutshell ;p


    edit -

    You can also use ObCallbacks in x64.

    And Jadd, your question is difficult to answer because you are going in 2 different directions with your initial question. In the first part of your question you seem to be touching upon detection, whereas the latter half seems to suggest a more prevention-based approach. You should be more descriptive so we can suit you with better answers.
    Thanks for the read.

    I think I'm being pretty clear, but to clarify; I'm looking to see which ways (used by common anti-cheats, probably nothing exceedingly intrusive) it is possible to detect these things, such as memory reads, so I can avoid using these methods.

    I'm not so interested in prevention, rather in avoiding detection. The reason I'm asking is that I've been interested in coding some external hacks for a while, which have no conflicts with the anti-cheat. That's the whole point of being external.

  7. #7
    DarthTon
    Windows x64 system service hooks and advanced debugging - CodeProject
    Looks interesting, I should write myself a kernel debugger after all...
    you can also use ObCallbacks in x64
    But isn't ObRegisterCallbacks used only to filter access during process/thread handle creation and duplication? It does not provide enough information for heuristic detection I think.

  8. #8
    DarkLinux
    You missed the point, you can use the callback from user-mode. No need to write a kernel debugger...

  9. #9
    DarthTon
    Yeah, I got that. But that doesn't remove my desire to write a kernel debugger.
