ReadProcessMemory() detectable by Ring3?

**SailorMars** · 08-17-2018

Just a general technical question, but most likely applicable to wow.
is it possible for a ring3 AC knows some other processes are doing ReadProcessMemory() on its client process?

2 techniques I heard of: a) trap pages as used in wow/OW, b) hooking the suspicious process's ReadProcessMemory() directly (nProtect Gameguard?). Apart from these, are there any other possibilities?

**DrD** · 08-23-2018

Yes, there are many ways they could detect you.

They could hook NtReadVirtualMemory, or just enumerate all handles and the access they have to the wow process, for example.

Now just having an open handle isn't immediate grounds for a ban, but it could trigger a closer inspection by other scans to the process opening the handle.

**SailorMars** · 09-09-2018

Originally Posted by DrD

Yes, there are many ways they could detect you.

They could hook NtReadVirtualMemory, or just enumerate all handles and the access they have to the wow process, for example.

Now just having an open handle isn't immediate grounds for a ban, but it could trigger a closer inspection by other scans to the process opening the handle.

Is it possible to hook NtReadVirtualMemory() with patch guard running?

**pogob** · 09-14-2018

Originally Posted by SailorMars

Is it possible to hook NtReadVirtualMemory() with patch guard running?

Wait, is it possible for you to hook it? Or if it's possible for them to hook it? The answer to both these questions, for WoW at least, is yes (and I doubt OW is different). But WoW doesn't hook NtRVM on live at least.

**Sen66** · 09-14-2018

I guess @SailorMars meant kernelmode. In kernel you cant hook it with patchguard running. But there are opther ways to intercept syscalls such as NtXXXVirtualMemory, there is no need to hook.

**Jadd** · 09-14-2018

Just execute the syscall yourself if you're this paranoid. Keep in mind that you also need an open handle to the game for reading and Blizzard can see these from Ring3.

Blackbone/src/BlackBone/Syscalls at master . DarthTon/Blackbone . GitHub

**Seifer** · 09-26-2018

Originally Posted by Jadd

Just execute the syscall yourself if you're this paranoid. Keep in mind that you also need an open handle to the game for reading and Blizzard can see these from Ring3.

Blackbone/src/BlackBone/Syscalls at master . DarthTon/Blackbone . GitHub

Doesn't matter much - they usually do a bunch more stuff before flagging you as a "bad" program. You shouldn't get into trouble for just having a handle open to the process afaik.

Shout-Out

User Tag List

Thread: ReadProcessMemory() detectable by Ring3?

Thread Tools

Search Thread

ReadProcessMemory() detectable by Ring3?

Similar Threads

[Guide] Make your trojans detectable by fewer AVs

Any keyloggers that are not yet detected by antivirus

Detected by Pirox Fishing Bot ?

[Glider] File + Elite guide to reduce your chances of being detected by 80% !!!

Are race conversions detectable by Blizzard?

OwnedCore Forums

casino

CoreCoins

My OwnedCore

About Us

Casino