Jump to content
Logo
Your Metin2 zone for C++, Python, Lua.

AntiCheat ClientSide Source


Grzyb

Recommended Posts

A client-sided anti-cheat developed during a freelance project to "plug-in" to a proprietary client for a private server. Includes memory integrity checks, thread execution restrictions, hook detection, memory honeypots, and more.

*Memory Integrity Check

Gathers a collection of memory pages initially within the game's module (anticheat::cheat_monitor::init) and generates a CRC32 hash based on the memory contents of each page (calc_vpt_hashes) - each validated every cycle (anticheat::cheat_monitor::check_pages).
 

*Thread Blocking

Hooks RtlUserThreadStart and checks if the designated address of execution for the thread is within the correct memory bounds. In this case, it is called "image-only execution", where only threads within the primary image (and some other excluded images such as ucrtbased.dll) are allowed to have threads run. If a thread is running outside of these bounds then it is detected as malicious inside an invalid execution space. This also prevents debuggers from attaching the process since RtlUserThreadStart is executed before DbgUiRemoteBreakIn is called which executes outside of the secure boundaries.
 

*Memory Honeypots

Memory honeypots are created within the init routine, where memory pages aren't yet accessed, but when they are (which they shouldn't be), it is detected. Prevents "cheat" scanners.
 

*Anti-Debugging

Checks the PEB directly (instead of using IsDebuggerPresent, which can be easily looked up) for the value of the BeingDebugged flag as well as the value of NtGlobalFlag. Prone to just directly modifying the BeingDebugged flag to bypass this check though. DbgUiRemoteBreakIn is blocked because debug threads can't be executed in the process (DebugActiveProcess executes a thread within the process, but our process has memory bounds checking, simplified when thread scanning is mentioned.)

TBA: Arbitrary Vectored Exception Handling Detection
 

*Protected Functions

Similar in concept to a memory integrity check, but specifically detects if Winsock routines designated as "protected" are hooked/modified, preventing user-mode packet modification and reading by software such as WPE Pro and rPE.
 

*Process Scanner

Scans each process based on the contents (process name, window name) and unique memory signature.
 

*Module Scanner

Scans the loaded modules in the process for any with blacklisted names.

Download:

This is the hidden content, please

  • Like 10

https://Grzyb.ovh/

I am not exists

Link to comment
  • 2 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Style Version: 0.1

The code was completely created from scratch and optimized.

The basic style on which it was created: Default

Created by: Grzyb.ovh

The style was to be simple to browse topics, devoid of graphics, uniform in color and definitely simple. ×

×
×
  • Create New...

Important Information

Do you like cookies? 🍪 We use cookies to provide the highest quality of service. Learn more