I am working on an anticheat and I would like to hook APIs like Read/WriteProcessMemory, OpenProcess and maybe some more to check if it reads or writes some data to/from the game.

But I am not that experienced a programmer to do it on my own, so I tried to do it via EasyHook. Firstly I got the example (http://www.codeproject.com/Articles/27637/EasyHook-The-reinvention-of-Windows-API-hooking) to work. Then I tried to replace CreateFile by ReadProcessMemory, but there was a line This.Queue.Push(hProcess); how am I supposed to replace hProcess in case I am hooking ReadProcessMemory?

I couldn't find any other example of hooking an API in C# than the one hooking CreateFile posted above. Also, it doesn't need to be done with EasyHook if there is a simpler way. Thanks.

jackncoke
LukAss741
  • Good luck. The general wisdom there is that whatever you can do on the gamer's computer, the cheat program can undo. Depending on which cheating you want to prevent, it may be easier to move some of the computation into the server (if this is a client/server game). – redtuna Mar 26 '13 at 20:06
  • I am aware of it. But if it stopped like 99+% dumbs who just found a cheat on the internet then it would be a success. – LukAss741 Mar 31 '13 at 14:21

1 Answer

I didn't read all of that article but the way I understood it, the

  This.Queue.Push(<argument to the original function>)

part is for the tracing portion of his example.

If all you want to do is prevent someone from calling ReadProcessMemory then you don't need to do this and you also won't be calling the original entry point - just return FALSE to the caller.

  • Which argument: hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesRead? It also needs to be a string, so shall I just convert IntPtr to string? And I don't want to disable the function. I just need to monitor if it tries to corrupt the process - game. – LukAss741 Mar 26 '13 at 18:50
  • I meant the result that you return. If all you want to do is monitor, simply call the original function, passing through all parameters. – 500 - Internal Server Error Mar 26 '13 at 20:17
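
One way to apply the advice above, as an added example that is not part of the original thread or of the EasyHook article: a ReadProcessMemory hook that pushes one formatted string describing the call (the string the question asks about) and then calls the original function with all parameters passed through. The class layout (Main, Queue, HookRuntimeInfo.Callback) follows the linked CreateFile sample and is assumed here; the entry format and the GetProcessId lookup are this example's own choices, and the hook only sees calls made inside the process it is installed in.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using EasyHook;

// Hypothetical injected class, laid out like the article's CreateFile sample.
public class Main : IEntryPoint
{
    readonly Stack<string> Queue = new Stack<string>(); // trace entries, as in the article
    LocalHook readHook;

    // lpNumberOfBytesRead stays a raw pointer because callers may pass NULL.
    [UnmanagedFunctionPointer(CallingConvention.StdCall, SetLastError = true)]
    delegate bool DReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
        IntPtr lpBuffer, UIntPtr nSize, IntPtr lpNumberOfBytesRead);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
        IntPtr lpBuffer, UIntPtr nSize, IntPtr lpNumberOfBytesRead);

    [DllImport("kernel32.dll")]
    static extern uint GetProcessId(IntPtr hProcess); // 0 if the handle cannot be resolved

    public Main(RemoteHooking.IContext context, string channelName) { }

    public void Run(RemoteHooking.IContext context, string channelName)
    {
        readHook = LocalHook.Create(
            LocalHook.GetProcAddress("kernel32.dll", "ReadProcessMemory"),
            new DReadProcessMemory(ReadProcessMemory_Hooked), this);
        readHook.ThreadACL.SetExclusiveACL(new int[] { 0 }); // all threads except this one
        RemoteHooking.WakeUpProcess();
        while (true) System.Threading.Thread.Sleep(500); // keep the hook alive; drain Queue here
    }

    static bool ReadProcessMemory_Hooked(IntPtr hProcess, IntPtr lpBaseAddress,
        IntPtr lpBuffer, UIntPtr nSize, IntPtr lpNumberOfBytesRead)
    {
        try
        {
            Main This = (Main)HookRuntimeInfo.Callback;
            string entry = string.Format("ReadProcessMemory pid={0} addr=0x{1:X} size={2}",
                GetProcessId(hProcess), lpBaseAddress.ToInt64(), nSize.ToUInt64());
            lock (This.Queue) { This.Queue.Push(entry); }
        }
        catch { } // tracing must never break the caller
        // Monitor only: forward every argument unchanged and return the real result.
        return ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesRead);
    }
}
```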