0

The problem: a cheat/hack program uses WinApi to load into my game. I can't find it anywhere; it hides itself very well. I tried all possible methods to detect it, but with no success. I realised it uses WinApi, so now my question is: is there any way to BLOCK hooking WinApi after my game is started?

I can attach a DLL to load functions, but I don't have the necessary knowledge to block WinApi hooking.

I saw some program that can block/detect this, but I don't know how. So can I forbid WinApi calls/hooking after loading my game? And how?

dandan78
Mr.Mecanik
  • Run your game as an elevated process, and the hooking will stop right there. Unless you granted elevated permission to the virus while installing it. – IInspectable Jan 09 '15 at 15:36
  • These hacks are programs that use the debugging features included with Windows, which include setting privileges. Although it might be possible to prevent this on your own system, it's not possible to prevent this on other systems running your game. Consider the usage of remote debugging via a second computer, often used for debugging device drivers, including code that runs at ring 0, where the remote debugging session starts during device driver load time, long before any apps are loaded. – rcgldr Jan 09 '15 at 15:36
  • In the case of multi player games that use a common server, although there's virtually nothing that can be done on the client side, the server may be able to detect certain types of cheats or hacks, and then disconnect or ban the account of the offending player, assuming there's some human verification of the hack to avoid a false accusation. If the game is "free to play", then the issue is hackers will create new or test accounts to experiment how to get around the server side checks. – rcgldr Jan 09 '15 at 15:40
  • Continuing, there have been cases where players have created their own servers, providing a mod to allow other players to use the player created server. This has been done maliciously for games that normally charge monthly fees, but it's also been done non-maliciously for "abandoned" games where the original server has been shut down, to allow players to continue playing the game as opposed to avoiding fees. – rcgldr Jan 09 '15 at 15:46

1 Answer

2

Would you like the good news or the bad news?

Bad News:

You're not going to get an answer like "Oh, just call this function". If you really want to resolve this, it's going to get very involved.

Good News:

It's possible, and you're going to learn a lot about hooking, which is super fun!

Your question does leave a little to be desired to be able to give you a direct answer:

uses WinApi to load into my game - how? CreateRemoteThread, SetWindowsHookEx, etc?

i can't find it anywhere - what is it you're looking for, a loaded dll, code in the address space, a patched address table?

I realised it uses WinApi - what's it using, how did you find out?

Without knowing exactly what it is your cheat/hack program is doing it's not possible to tell you how to protect against it. As there are many ways to skin a cat, the cheat/hack program could be doing any number of things to achieve its goal.

I would suggest this thread is a good start. People give some good methods for hooking programs, and also some good methods for preventing programs being hooked by them.

If you want to protect against this specific cheat/hack program, you will need to find out exactly what method it's using to hook your program before you can block it.

Have fun :)

Community
parrowdice
  • Thanks for answering me. Well, I analysed the cheat as well as I could. I did not find any LoadLibrary functions, and I protected the main (blocked LoadLibrary) and tested, so the method used could only be WinApi. I also blocked GetWindow and it stopped the cheat, but that is not a solution, because it created a lot of problems with other programs running on players' PCs. – Mr.Mecanik Jan 09 '15 at 17:14
  • The reason I can't find it is because it's not in the task manager; you can only see the thread that it's creating in memory using an API monitor. If you have some time, you can check out the executable, maybe you can analyse it better than me.... http://www.filedropper.com/muautoclicker – Mr.Mecanik Jan 09 '15 at 17:17
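
One of the things the answer asks about is whether code in the address space has been patched. As an added example (not from the original posts), this portable C routine classifies the first bytes of a function as a likely inline-hook redirect; the function name, the enum and the sample byte strings are constructed for illustration, and on Windows the bytes would be read from an address returned by GetProcAddress.

```c
/* Added example: spot common inline-hook redirects at the start of a function.
 * x86/x64 opcodes only; all byte strings below are constructed samples. */
#include <stddef.h>
#include <stdio.h>

typedef enum { PROLOGUE_CLEAN, HOOK_JMP_REL32, HOOK_JMP_REL8,
               HOOK_JMP_INDIRECT, HOOK_PUSH_RET, HOOK_MOV_JMP_RAX } hook_kind;

/* Classify the first n bytes at p. Length checks keep reads inside the buffer. */
hook_kind classify_prologue(const unsigned char *p, size_t n)
{
    if (n >= 5 && p[0] == 0xE9) return HOOK_JMP_REL32;            /* jmp rel32 */
    if (n >= 2 && p[0] == 0xEB) return HOOK_JMP_REL8;             /* jmp rel8 (hot-patch style) */
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return HOOK_JMP_INDIRECT; /* jmp [mem] */
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) return HOOK_PUSH_RET;     /* push imm32; ret */
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 &&
        p[10] == 0xFF && p[11] == 0xE0) return HOOK_MOV_JMP_RAX;  /* mov rax, imm64; jmp rax */
    return PROLOGUE_CLEAN;
}

/* Constructed samples: an ordinary x64 prologue and three patched ones. */
static const unsigned char sample_clean[]    = { 0x48,0x89,0x5C,0x24,0x08, 0x57, 0x48,0x83,0xEC,0x20 };
static const unsigned char sample_jmp[]      = { 0xE9,0x10,0x20,0x30,0x00, 0x57, 0x48,0x83,0xEC,0x20 };
static const unsigned char sample_push_ret[] = { 0x68,0x78,0x56,0x34,0x12, 0xC3 };
static const unsigned char sample_mov_jmp[]  = { 0x48,0xB8, 0,0,0,0,0,0,0,0, 0xFF,0xE0 };

int main(void)
{
    /* Index order matches the hook_kind enum. */
    static const char *names[] = { "clean", "jmp rel32", "jmp rel8",
                                   "jmp [mem]", "push/ret", "mov rax/jmp rax" };
    printf("clean    -> %s\n", names[classify_prologue(sample_clean, sizeof sample_clean)]);
    printf("jmp      -> %s\n", names[classify_prologue(sample_jmp, sizeof sample_jmp)]);
    printf("push/ret -> %s\n", names[classify_prologue(sample_push_ret, sizeof sample_push_ret)]);
    printf("mov/jmp  -> %s\n", names[classify_prologue(sample_mov_jmp, sizeof sample_mov_jmp)]);
    return 0;
}
```

Some system DLL exports are themselves short jump stubs, so a match is a reason to check where the jump lands (inside a known loaded module or not), not proof of a hook.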