HHad3 | 3 years ago

(Wrote anti-cheat software in the past.)

There are multiple ways to detect this. Hardware breakpoints were already mentioned, but they only work per thread, so if one is sniffing on your memory from another process or the kernel then these won't help.

The most stealthy and evil way I found was to allocate a page but never actually use it.

Windows lazily allocates physical memory for fresh memory pages when they are first used.

The detection is to periodically poll the page map from your process and check your canary pages via NtQueryVirtualMemory. If your unused page is suddenly backed by some physical memory, then something happened to read from it! Bonus points for putting such canary pages into places previously used for real game data.

This method is not foolproof: anti-virus programs can read the memory of all programs (but don't; Overwatch, e.g., does not like this and crashes randomly due to this exact protection method). A bug in the program could also read from the page accidentally (e.g. an out-of-bounds array read). But it's a /very/ good indicator that something is wrong when other cheat detection mechanisms also trigger.

Once you know how this works, it's unfortunately pretty easy to defeat: read the page map first, then avoid reading pages that have no backing physical memory, because those contain no useful data at best and are canary pages at worst.
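A minimal, runnable illustration of the canary-page check described in this comment, written as an added example and not taken from the commenter's or any anti-cheat vendor's code. It is a Linux stand-in: mincore() reports which pages of a mapping are currently backed, playing the role that NtQueryVirtualMemory (or the documented QueryWorkingSetEx wrapper) plays on Windows; the region size and the page being "read" are constructed values.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* expose mincore() and MAP_ANONYMOUS in glibc */
#endif
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#define CANARY_PAGES 4   /* constructed: size of the never-touched region */

typedef struct {
    unsigned char *base;  /* reserved region that the program never touches */
    size_t page_size;
} canary_t;

/* Reserve anonymous memory. Nothing is read or written, so the kernel has
 * not yet backed any page of the region with physical memory. */
static int canary_init(canary_t *c) {
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0) return -1;
    c->page_size = (size_t)ps;
    c->base = mmap(NULL, CANARY_PAGES * c->page_size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return c->base == MAP_FAILED ? -1 : 0;
}

/* The periodic poll: count canary pages that have become resident.
 * 0 is the expected steady state; anything above that means some reader
 * faulted the page in (a scanner, or a bug in our own process, so treat it
 * as one signal among several). Returns -1 on error. */
static int canary_poll(const canary_t *c) {
    unsigned char vec[CANARY_PAGES];
    if (mincore(c->base, CANARY_PAGES * c->page_size, vec) != 0) return -1;
    int resident = 0;
    for (int i = 0; i < CANARY_PAGES; i++) resident += vec[i] & 1;
    return resident;
}

/* Stand-in for an external reader: a single load is enough to fault the
 * page in and trip the check. */
static unsigned char canary_touch(const canary_t *c, int page) {
    volatile unsigned char *p = c->base + page * c->page_size;
    return *p;
}

static void canary_destroy(canary_t *c) {
    munmap(c->base, CANARY_PAGES * c->page_size);
}

int main(void) {
    canary_t c;
    if (canary_init(&c) != 0) return 1;
    printf("fresh canary: %d resident\n", canary_poll(&c));
    canary_touch(&c, 2);
    printf("after a read: %d resident\n", canary_poll(&c));
    canary_destroy(&c);
    return 0;
}
```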

sprite|3 years ago

Love this topic. I remember Everquest used to checksum areas of memory that were commonly modified by cheats. World of Warcraft used to (possibly still does, it has been forever since I looked at this) inject anti-cheat code at runtime.

Obfuscation and deobfuscation are also super interesting. I think overall reverse engineering and figuring out how things work is one of the most interesting things in computer science.

https://github.com/obfuscator-llvm/obfuscator/tree/llvm-4.0/...

https://blog.quarkslab.com/deobfuscation-recovering-an-ollvm...

mabbo|3 years ago

World of Warcraft did something that I've always found delightful: hidden steganographic watermarking on all screenshots.

It took like a decade before anyone noticed, but all screenshots were very very very slightly modified to hide (in plain sight) a blob of data that gave the account name, date, time, server, etc.

Just in case a screenshot ever got posted and they really needed to know who took it and when.

rcoveson|3 years ago

Kind of sad but funny to imagine like two or three nerds who got banned because they had messed with their kernel page fault readahead settings which just so happened to fault a sentinel page.

pixl97|3 years ago

Hmm, this sounds like you should always run your cheat tools with the executable name/faked exe information of an anti-virus application.

rogers18445|3 years ago

I used to work on an anti-cheat briefly, and migrated away from relying on the Windows API to do this as the parent comment suggested; instead we used cache timing "attacks".

Antivirus was a concern but easily solved by the fact that cheats access memory many times a second; antivirus does it rarely, if ever.

HHad3|3 years ago

Oldest trick in the book, good luck faking the PE signature to match the vendor's certificate ;-)

(Jokes aside, the kernel does not provide any information about which application reads a canary page. It's best to just use this as a necessary condition and take it with a good pinch of salt.)

steakscience|3 years ago

How do they filter out false positives from antiviruses reading the files?