Apparently unsafe memory reading and/or input implementation menu

These ads disappear when you log in.

User Tag List

Page 2 of 2 FirstFirst 12
Results 16 to 19 of 19
  1. #16
    king48488's Avatar ★ Elder ★


    Reputation
    1355
    Join Date
    Nov 2008
    Posts
    791
    Thanks G/R
    33/410
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by Unbaar View Post
    Where did you learn that they're scanning device drivers?
    They can, they do and they will extend that in future for sure. Don't even think about being safe just because you wrote your own driver and working in kernel mode. There are several ways (with some limitations of course) to detect them. Same for working with hypervisors

    These ads disappear when you log in.

  2. #17
    Hazzbazzy's Avatar wannabe hackerlol Authenticator enabled
    Reputation
    1278
    Join Date
    Aug 2011
    Posts
    1,043
    Thanks G/R
    161/450
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Blizzard can/could tell (assuming you're using Windows 10) what type of input you're sending to the process.
    GetCurrentInputMessageSource function (winuser.h) - Win32 apps | Microsoft Docs

    PostMessage, SendMessage, SendInput (self-signed, or unsigned) all come up as injected.
    "HOLY TIME MACHINE BATMAN! it's 1973!"
    https://youtube.com/Hazzbazzy

  3. #18
    zakkord's Avatar Member
    Reputation
    2
    Join Date
    Mar 2008
    Posts
    18
    Thanks G/R
    1/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by Skavi View Post
    @zakkord I bet there are "detections", remember the latest times of hb when you could run the bot for 5 min then close it and then get a ban some weeks later.
    HB detections were all targeted.

    Blizzard has never banned anyone for simply sending inputs, and they never had "LCP detection".

  4. #19
    SailorMars's Avatar Member
    Reputation
    2
    Join Date
    Oct 2015
    Posts
    25
    Thanks G/R
    0/1
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by xalcon View Post
    As long as you dont do any special counter measures, all of your listed win32 api calls are easily detected.

    * OpenHandle: You can easily get a list of open handles to a process. While this is not an immediate give-away (a lot of services open handles to other processes), its a starting point for blizzard.
    * Read/WriteProcessMemory: Not as easy to detect, but not really hard either. Still a candidate for False-Positives since genuine apps might use this to inject their payload into running processes.
    Just wondering how an anti-cheat detect RPM in general. I know that it is possible to detect i) open handle ii) trap pages (pages not yet allocated at first but being allocated after a RPM). Are there any other methods to indicate an external process is specifically doing RPM? Assuming it is careful enough not to touch the trap pages.

Page 2 of 2 FirstFirst 12

Similar Threads

  1. Memory reading and editing?
    By Seminko in forum Hearthstone: Heroes of Warcraft
    Replies: 0
    Last Post: 03-29-2017, 10:35 AM
  2. Replies: 2
    Last Post: 04-08-2012, 12:03 AM
  3. Replies: 10
    Last Post: 02-26-2012, 05:39 PM
  4. Replies: 0
    Last Post: 02-23-2012, 04:55 PM
  5. Looking for a C# Programmer (memory reading and writing)
    By Vanguards in forum WoW Memory Editing
    Replies: 2
    Last Post: 02-05-2012, 12:31 PM
All times are GMT -5. The time now is 10:48 AM. Powered by vBulletin® Version 4.2.3
Copyright © 2020 vBulletin Solutions, Inc. All rights reserved. User Alert System provided by Advanced User Tagging (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Digital Point modules: Sphinx-based search