Geek Answers Handbook

Process memory injection detection on windows (hacking protection)

Standard hacker case. The Hack file type is entered into the running process and writes the process memory by calling WriteProcessMemory. In games, this is not what you would like, because it can allow the hacker to change part of the game and give himself an edge.

There is a possibility to force the user to run a third-party program along with the game, and I will need to know what would be the best way to prevent such an injection. I have already tried to use the EnumProcessModules function, which lists all the DLL processes without success. It seems to me that hacks are injected directly into the process memory (end of the stack?), Therefore it is not detected. At the moment, I have come to several options.

  • Create a blacklist of files, file templates, process names and memory patterns of the most famous public hacks and scan them using the program. The problem is that I will need to maintain a blacklist, as well as create a program update to store all available hacks. I also found this useful answer Detecting memory access for a process , but it is possible that some existing DLLs are already using these calls, so there may be false positives.

  • Using ReadProcessMemory to control changes in well-known memory offsets (hacks usually use the same offsets to achieve something). I will need to run a few hacks, monitor the behavior and get hacking behavior patterns when compared to a regular run.

  • Is there any way to change the memory order of a process after it starts? Perhaps just pushing the process memory down the stack can be confusing hacking. This is an example of a hack call:

    WriteProcessMemory (phandler, 0xsomeoffset, & datatowrite, ...);

Therefore, if the hack is a little smarter to find the actual beginning of the process, it will already be a great success. I wonder if there is a system call that can rewrite memory to another location or somehow insert some null data in front of the stack.

So what would be best with this? This is a really interesting and dark area of ​​programming, so I would like to hear as many interesting ideas as possible. The goal is to either prevent the hack from working, or to detect it.

Best wishes

+4
source share
1 answer

From time to time, it calculates the hash or CRC images of the application stored in memory and compares it with a known hash or CRC.

Our service http://activation-cloud.com provides the ability to verify the integrity of the application by the signature stored in the database.

0
source

More articles:


All Articles