I am writing anti cheat software for a video game. Using CreateToolhelp32Snapshot I can get a list of open processes. From there I would like to find the address of each process and read through its .exe file. While this works for most processes, protected processes deny access to methods such as OpenProcess or GetModuleFileNameEx. Assuming my application is being run as administrator, is there a work around to finding protected processes addresses?
-
For what do you need to open/work with protected processes? I don't think that any cheat runs in a protected process – RbMm Feb 27 '20 at 18:55
-
I think RbMm is correct. A [PP](https://googleprojectzero.blogspot.com/2018/10/injecting-code-into-windows-protected.html) won't be able to be cheat software. For your anti-cheat software to open and read a PP, it will need to be signed at the same signing level as the PP or below. – Eljay Feb 27 '20 at 19:00
-
No, in this case the third-party programs are PPs. This particular game has quite a few, and the idea with my program is to read through the .exes in order to accurately identify those known programs. I can get the list of processes and read through any process with minimum privilege (if I have its address). The question is how do I find a PP's address? – Loran1156 Feb 27 '20 at 19:35
-
If a program succeeds to have itself registered as a protected process, it has every privilege it needs to pummel your anti cheat software. – IInspectable Feb 27 '20 at 19:51
-
How so? The address is the only information I need for my program to be complete. Is there no way to retrieve that information from windows? – Loran1156 Feb 27 '20 at 20:09
-
For example, CheatEngine (a very common third-party program) is a PP. When I try to use methods such as GetModuleFileNameEx, the printError response is access denied. – Loran1156 Feb 27 '20 at 20:48
-
@Loran1156 Please [edit] your question to show the actual code you are having trouble with. – Remy Lebeau Feb 28 '20 at 04:00
-
I very strongly doubt that CheatEngine is a Windows protected process. If you mean https://www.cheatengine.org/ - it is not protected. Second, a process has no address; you mean the load address of the exe file. *The address is the only information I need* - your problem is that you cannot open the process. You cannot open a protected process without kernel-mode help, or without being a protected process yourself with a protection level that is not lower. And again - I doubt that you need this at all – RbMm Feb 28 '20 at 06:11
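The question and the comment thread above turn on which access rights `OpenProcess` will grant. `GetModuleFileNameEx` needs a handle opened with `PROCESS_QUERY_INFORMATION | PROCESS_VM_READ`, and a protected process denies that to any user-mode caller with a lower protection level, administrator or not. Windows does, however, grant `PROCESS_QUERY_LIMITED_INFORMATION` on a protected process, and `QueryFullProcessImageName` works through that limited handle, so the on-disk image path (the thing needed to "read through its .exe file") is still recoverable even when the memory is not. The script below is an added example written for this page, not code from the question, the answer or any project; it uses P/Invoke into kernel32 so the same Win32 calls a C++ anti-cheat would make are visible, and it assumes a 64-bit Windows host where the caller can enumerate processes (the function and variable names are my own).

```powershell
# Added example: enumerate processes, attempt the access GetModuleFileNameEx
# would need, and fall back to PROCESS_QUERY_LIMITED_INFORMATION when denied.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageName(IntPtr hProcess, uint dwFlags,
    System.Text.StringBuilder lpExeName, ref uint lpdwSize);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# Access-right constants from winnt.h / winerror.h.
$PROCESS_QUERY_INFORMATION         = 0x0400
$PROCESS_VM_READ                   = 0x0010
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_ACCESS_DENIED               = 5

function Get-ImagePathViaHandle {
    # Returns the full image path for an open process handle, or $null on failure.
    param([IntPtr]$Handle)
    $size = [uint32]32767
    $sb = New-Object System.Text.StringBuilder ([int]$size)
    if ([Win32.Native]::QueryFullProcessImageName($Handle, 0, $sb, [ref]$size)) {
        return $sb.ToString(0, [int]$size)   # $size now holds the character count
    }
    return $null
}

function Get-ProcessImageReport {
    # One record per process: which access level succeeded and the image path found.
    foreach ($p in Get-Process) {
        if ($p.Id -eq 0) { continue }   # System Idle Process has no image file
        $result = [ordered]@{ Pid = $p.Id; Name = $p.ProcessName; Access = ''; Path = $null }

        # 1. The access GetModuleFileNameEx requires (it reads the module list from memory).
        $h = [Win32.Native]::OpenProcess(($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ), $false, [uint32]$p.Id)
        if ($h -ne [IntPtr]::Zero) {
            $result.Access = 'full'
            $result.Path   = Get-ImagePathViaHandle $h
            [void][Win32.Native]::CloseHandle($h)
        } else {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            # 2. Access denied is what the question saw; protected processes still
            #    allow a limited-information handle, which is enough for the image path.
            $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$p.Id)
            if ($h -ne [IntPtr]::Zero) {
                $result.Access = if ($err -eq $ERROR_ACCESS_DENIED) { 'limited (full access denied)' }
                                 else { "limited (full open failed, error $err)" }
                $result.Path   = Get-ImagePathViaHandle $h
                [void][Win32.Native]::CloseHandle($h)
            } else {
                $result.Access = "none (error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
            }
        }
        [pscustomobject]$result
    }
}

Get-ProcessImageReport | Sort-Object Access | Format-Table -AutoSize
```

Processes reported as `limited (full access denied)` are the ones the question is about: their image path on disk can be read and hashed or compared against a known list, but their memory cannot be read from user mode, which matches the comments' point that anything beyond that requires kernel-mode help or an equal or higher protection level. Running the script as a non-elevated user will also show `limited` for other users' processes, so a denied full open is not by itself proof that a process is protected; the signing level shown by a tool such as Process Hacker is the authoritative check.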
1 Answer
Cheat Engine is not a Protected Process and neither are 99.9% of cheats. You can check the certificate for the exe in Process Hacker and you will see it only has Code Signing and no Protected Process designation.
If you cannot access a cheat's memory it's because they're protecting it with a kernel driver. You must also be running in kernel if you want to touch the process. If they have somehow created a PP then you need to be in kernel.
There are many usermode methods they can use to protect themselves as well, they can simply hook OpenProcess() in every running process including yours and return 0 when you're trying to open their process.
You would need to get a copy of the cheat and reverse engineer it to figure out how it's protecting itself, then you can start removing or bypassing these protections.
