
What are the most effective methods to detect bot application presence/activity?

1 Assuming the user can grant the anti-cheat system any access on a Windows (XP/7) OS.

2 Not taking into account the potential amorality or illegality of the methods.

3 Neglecting user-behaviour detection (like checking the time between user actions, the smoothness of mouse movements, using CAPTCHAs to detect bots, or whatever).

Thus far I can think of:

  • Checking INJECTED flags for mouse/keyboard events.

  • Scanning processes list, detecting potentially "bad" processes.

  • Checking the integrity of the application to avoid direct injections.

  • Checking if the environment is a virtual machine (to avoid false negatives of above checks).

  • Unless you install the equivalent of a rootkit on the user's computer like some companies (e.g. Blizzard) do, there is no way you'll catch much of a cheater. And even then, it's not precisely easy or reliable. Server-side data mining is much more reliable in many cases (and less trouble, too). – Damon Dec 10 '13 at 09:38
  • I read a lot about server-side methods of detecting bots (pure statistical comparison mostly), but I know not so much about client-side checks. I think a rootkit-like solution is the one I need (that's why I mentioned #2 in my list), but I still have almost no idea what to do. – sander Dec 12 '13 at 06:19
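The "integrity of the application" item above, and the loaded-module hash store that the answer below suggests, come down to the same client-side check: hash every module in the game process and compare against known-good and known-bad sets. The following is an added example (not code from the question, the answer, or any anti-cheat product). The module paths, the byte strings standing in for module images, and the two hash stores are constructed; on Windows, `loaded_module_images()` enumerates the real modules of the current process with `EnumProcessModules`/`GetModuleFileNameExW` (psapi) through ctypes and hashes their on-disk files, and on other platforms it returns nothing.

```python
"""Integrity check of loaded modules against a store of known hashes.

Added example, not the original answer's code. The hash stores, the module
paths and the bytes standing in for module images are constructed; on
Windows, loaded_module_images() enumerates the real modules of the current
process (skipped on other platforms)."""
from __future__ import annotations

import hashlib
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    sha256: str
    status: str  # "known_good" | "known_bad" | "unknown"


def audit_modules(modules: dict[str, bytes],
                  known_good: set[str],
                  known_bad: set[str]) -> list[Finding]:
    """Hash every module image and classify it against the two stores."""
    findings = []
    for path, image in modules.items():
        digest = hashlib.sha256(image).hexdigest()
        if digest in known_bad:
            status = "known_bad"
        elif digest in known_good:
            status = "known_good"
        else:
            status = "unknown"
        findings.append(Finding(path, digest, status))
    return findings


def should_disconnect(findings: list[Finding], *, strict: bool) -> bool:
    """Known-bad always trips. 'unknown' trips only in strict mode: overlays,
    capture tools and freshly patched system DLLs all show up as unknown, so
    strict mode trades cheaters caught for false positives."""
    return any(f.status == "known_bad" or (strict and f.status == "unknown")
               for f in findings)


def loaded_module_images() -> dict[str, bytes]:
    """Windows only: path -> on-disk bytes of each module in this process.
    Hashing the file catches a swapped or planted DLL, not an image patched
    in memory after load; that needs a separate in-memory comparison."""
    if sys.platform != "win32":
        return {}
    import ctypes
    from ctypes import wintypes
    psapi = ctypes.WinDLL("psapi")
    kernel32 = ctypes.WinDLL("kernel32")
    kernel32.GetCurrentProcess.restype = wintypes.HANDLE
    psapi.EnumProcessModules.argtypes = [wintypes.HANDLE, ctypes.POINTER(wintypes.HMODULE),
                                         wintypes.DWORD, ctypes.POINTER(wintypes.DWORD)]
    psapi.GetModuleFileNameExW.argtypes = [wintypes.HANDLE, wintypes.HMODULE,
                                           wintypes.LPWSTR, wintypes.DWORD]
    proc = kernel32.GetCurrentProcess()
    handles = (wintypes.HMODULE * 2048)()
    needed = wintypes.DWORD(0)
    if not psapi.EnumProcessModules(proc, handles, ctypes.sizeof(handles), ctypes.byref(needed)):
        raise ctypes.WinError()
    count = min(needed.value // ctypes.sizeof(wintypes.HMODULE), len(handles))
    buf = ctypes.create_unicode_buffer(32768)
    images = {}
    for h in handles[:count]:
        if psapi.GetModuleFileNameExW(proc, h, buf, len(buf)):
            with open(buf.value, "rb") as f:
                images[buf.value] = f.read()
    return images


def constructed_sample() -> tuple[dict[str, bytes], set[str], set[str]]:
    """Constructed stand-ins for module images (not real binaries)."""
    game = b"MZ\x90\x00 game.exe build 1234"
    d3d9 = b"MZ\x90\x00 d3d9.dll 6.1.7601"
    overlay = b"MZ\x90\x00 overlay.dll"        # legitimate, but not in the store
    cheat = b"MZ\x90\x00 cheat.dll aimbot"
    modules = {r"C:\Games\game.exe": game,
               r"C:\Windows\System32\d3d9.dll": d3d9,
               r"C:\Program Files\Overlay\overlay.dll": overlay,
               r"C:\Users\x\AppData\Local\Temp\cheat.dll": cheat}
    known_good = {hashlib.sha256(game).hexdigest(), hashlib.sha256(d3d9).hexdigest()}
    known_bad = {hashlib.sha256(cheat).hexdigest()}
    return modules, known_good, known_bad


if __name__ == "__main__":
    mods, good, bad = constructed_sample()
    for finding in audit_modules(mods, good, bad):
        print(finding.status, finding.path)
```

The overlay DLL in the constructed sample is the false-positive case the answer warns about: it is neither known-good nor known-bad, so whether it disconnects the player depends entirely on the `strict` policy, and a known-hash store has to be refreshed every time Windows or a popular capture tool ships an update.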

1 Answer


Here's a good post on this subject: How to prevent cheating in our (multiplayer) games?

My thoughts on your list:

  • KBDLLHOOKSTRUCT injected flag - You'll get false positives for users with virtual devices. This is also easy to fake using several undocumented methods.
  • Scanning processes - Also prone to false positives and potential legal issues.
  • Detecting injection - Many legitimate applications inject themselves into other processes (e.g. DisplayFusion, Dxtory, Fraps).
  • Checking for VM - Playing a game in a virtual machine doesn't mean the player is cheating.

A few suggestions:

  • In your process, scan and compute the hashes of loaded modules (including your own) and disconnect/ban if malicious assemblies are detected. Requires a store of known hashes.
  • Check for the presence of a debugger.
  • Check for memory/hardware breakpoints.
  • Server/client-side vector checks for speed and teleport detection.
  • Server-side checks are easier to implement, maintain and as Damon commented above, are much more reliable. Anything on the client can be subverted.
  • Thank you for the article. I somehow missed it when I searched for the answer. I know that my suggested methods are not very effective, and that's why I'm asking. As mentioned before, I am aware of the fact that server-side checks can be more effective and any client-side solutions can be abused. – sander Dec 12 '13 at 06:25 and 06:32
  • "Playing a game in a virtual machine doesn't mean the player is cheating." Yes, but the other checks are not trustworthy in case of VM presence. – sander Dec 12 '13 at 11:45
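The answer's "server/client-side vector checks for speed and teleport detection" is the one item on its list that the client cannot subvert, because the server computes it from its own receive timestamps. Below is an added example of such a check (not code from the answer or from any game): a per-player validator that flags a single oversized hop (teleport), a single packet faster than the movement cap plus latency slack, and, with a sliding window, a "subtle" speed hack that keeps every packet under the slack but stays above the true cap on average. Units (distance units, milliseconds), thresholds and the sample update stream are all assumptions.

```python
"""Server-side speed/teleport detection over a player's position updates.

Added example, not code from the original answer. Units, thresholds and the
sample stream are assumptions; t_ms is the server's own receive time, since a
client-supplied clock can be faked."""
from __future__ import annotations

import math
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class PositionUpdate:
    t_ms: int       # server receive time, milliseconds
    x: float
    y: float
    z: float


@dataclass(frozen=True)
class Verdict:
    t_ms: int
    reason: str     # "bad_timestamp" | "teleport" | "speed" | "sustained_speed"
    observed: float
    limit: float


class MovementValidator:
    """Per-player state; call check() for every update in arrival order."""

    def __init__(self, max_speed: float, *, per_update_slack: float = 1.5,
                 teleport_distance: float = 20.0, window_ms: int = 1000,
                 window_slack: float = 1.05) -> None:
        self.max_speed = max_speed                  # the game's true movement cap
        self.per_update_slack = per_update_slack    # absorbs latency jitter on one packet
        self.teleport_distance = teleport_distance  # a single hop this long is never legit
        self.window_ms = window_ms
        self.window_slack = window_slack
        self.last: PositionUpdate | None = None
        self.segments: deque[tuple[int, int, float]] = deque()  # (t_prev, t, distance)

    def check(self, upd: PositionUpdate) -> Verdict | None:
        if self.last is None:
            self.last = upd
            return None
        dt_ms = upd.t_ms - self.last.t_ms
        if dt_ms <= 0:
            # Replayed or reordered packet: reject without moving the reference.
            return Verdict(upd.t_ms, "bad_timestamp", float(dt_ms), 1.0)
        dist = math.dist((self.last.x, self.last.y, self.last.z), (upd.x, upd.y, upd.z))
        self.last = upd
        if dist > self.teleport_distance:
            self.segments.clear()   # don't count the jump again in the window average
            return Verdict(upd.t_ms, "teleport", dist, self.teleport_distance)
        self.segments.append((upd.t_ms - dt_ms, upd.t_ms, dist))
        speed = dist / (dt_ms / 1000.0)
        limit = self.max_speed * self.per_update_slack
        if speed > limit:
            return Verdict(upd.t_ms, "speed", speed, limit)
        # Sliding window: drop segments that ended before the window, keeping the
        # one that straddles its start, then compare the average speed to the cap.
        window_start = upd.t_ms - self.window_ms
        while len(self.segments) > 1 and self.segments[0][1] <= window_start:
            self.segments.popleft()
        span_ms = upd.t_ms - self.segments[0][0]
        if span_ms >= self.window_ms:
            avg = sum(s[2] for s in self.segments) / (span_ms / 1000.0)
            limit = self.max_speed * self.window_slack
            if avg > limit:
                return Verdict(upd.t_ms, "sustained_speed", avg, limit)
        return None


def run_stream(updates: list[PositionUpdate], max_speed: float = 10.0) -> list[Verdict]:
    """Feed a whole stream through one validator and collect the verdicts."""
    v = MovementValidator(max_speed)
    return [r for r in (v.check(u) for u in updates) if r is not None]


def constructed_stream() -> list[PositionUpdate]:
    """Constructed sample (not captured traffic): legit walking at 9 u/s,
    one 20 u/s burst, a 50-unit jump, a 12 u/s speed hack, a replayed packet."""
    ups = [PositionUpdate(100 * i, 0.9 * i, 0.0, 0.0) for i in range(11)]
    ups.append(PositionUpdate(1100, 11.0, 0.0, 0.0))     # 2.0 units in 100 ms
    ups.append(PositionUpdate(1200, 61.0, 0.0, 0.0))     # +50 units in one hop
    ups += [PositionUpdate(1300 + 100 * k, 61.0 + 1.2 * (k + 1), 0.0, 0.0)
            for k in range(12)]                          # 1.2 units per 100 ms
    ups.append(ups[-1])                                  # same packet again
    return ups


if __name__ == "__main__":
    for verdict in run_stream(constructed_stream()):
        print(verdict)
```

With a 10 u/s cap the 12 u/s phase never trips the per-packet check (limit 15 u/s), but once a full second of it is in the window the average exceeds 10.5 u/s and every subsequent tick is flagged. What to do with a verdict (rubber-band the player, count strikes, feed the server-side statistics Damon mentions) is a game-design decision, and the window thresholds have to be tuned against real latency distributions or honest players on bad connections will be flagged.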