Apparently unsafe memory reading and/or input implementation

[doityourself]

Where did you learn that they're scanning device drivers?

They can, they do and they will extend that in future for sure. Don't even think about being safe just because you wrote your own driver and working in kernel mode. There are several ways (with some limitations of course) to detect them. Same for working with hypervisors

[Hazzbazzy]

Blizzard can/could tell (assuming you're using Windows 10) what type of input you're sending to the process.
GetCurrentInputMessageSource function (winuser.h) - Win32 apps | Microsoft Docs

PostMessage, SendMessage, SendInput (self-signed, or unsigned) all come up as injected.

[zakkord]

@zakkord I bet there are "detections", remember the latest times of hb when you could run the bot for 5 min then close it and then get a ban some weeks later.

HB detections were all targeted.

Blizzard has never banned anyone for simply sending inputs, and they never had "LCP detection".

[SailorMars]

As long as you dont do any special counter measures, all of your listed win32 api calls are easily detected.

* OpenHandle: You can easily get a list of open handles to a process. While this is not an immediate give-away (a lot of services open handles to other processes), its a starting point for blizzard.
* Read/WriteProcessMemory: Not as easy to detect, but not really hard either. Still a candidate for False-Positives since genuine apps might use this to inject their payload into running processes.

Just wondering how an anti-cheat detect RPM in general. I know that it is possible to detect i) open handle ii) trap pages (pages not yet allocated at first but being allocated after a RPM). Are there any other methods to indicate an external process is specifically doing RPM? Assuming it is careful enough not to touch the trap pages.