  1. #1
    Dixxx's Avatar

    Creating Anti-Cheat for CS 1.6

    Hi. I play CS 1.6 and I wanna open a ladder league, but first I wanna make an anti-cheat, so can someone tell me how to make a program that will be able to login to the website data?
    Last edited by Hassan; 09-14-2011 at 09:15 AM.

  2. #2
    Nico's Avatar

  3. #3
    Saltine's Avatar
    For starters, scan for any processes that match a list of processes that you would like to disallow. If any of them are detected, close the client.
    Code:
    if(GetModuleHandle(...))
    //close client
    This is just a basic technique, but it will foil some hacking attempts.
    Create an array of process names:
    Code:
    #include <string>
    #define numberofblacklistedprocesses 3
    std::string blacklist[numberofblacklistedprocesses] = {"p1.exe", "p2.exe", "p3.exe"};
    Then iterate through the array with a for loop and check if each process is running
    Code:
    for(int index = 0; index<numberofblacklistedprocesses; index++)
    {
        // GetModuleHandleA takes a C string, so pass c_str()
        if(GetModuleHandleA(blacklist[index].c_str()))
        {
            //hacking program detected, do whatever
        }
    }
    Hope I helped.
    Last edited by Saltine; 09-14-2011 at 08:02 PM.

  4. #4
    Jason's Avatar
    GetModuleHandle only works internally afaik, you need to use a process32snapshot or w/e it's called to look for external processes. Another easy step is to hook your own loadlibrary function, that'll stop any injectors that use the LoadLibrary method.


  6. #5
    master131's Avatar
    Also you might want to use VirtualQueryEx on a specific process and use ReadProcessMemory on each region and see if any of the memory regions match a DLL signature. I'm not sure if injected DLLs appear on VirtualQueryEx though.

    Note that when scanning each memory region, you should ignore any that don't have MEM_COMMIT as the .State value (well, that's the allocation type that most/all injectors that I know of inject with) in the MEMORY_BASIC_INFORMATION that is output by VirtualQueryEx.
    Last edited by master131; 09-15-2011 at 12:41 AM.
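
Added example (not part of master131's post): one way to do the region walk described above in C, skipping regions whose State is not MEM_COMMIT and treating a PE header as the "DLL signature". The function names are hypothetical, the header check is an assumption about which signature is meant, and the Win32 part builds only on Windows.

```c
/* Added example, not code from the thread; function names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Assumed "DLL signature": a PE header, i.e. "MZ" at offset 0 and "PE\0\0"
   at the offset stored little-endian in e_lfanew (bytes 0x3C..0x3F). */
int looks_like_pe(const unsigned char *buf, size_t len)
{
    uint32_t e_lfanew;
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return 0;
    e_lfanew = (uint32_t)buf[0x3C] | (uint32_t)buf[0x3D] << 8 |
               (uint32_t)buf[0x3E] << 16 | (uint32_t)buf[0x3F] << 24;
    if (e_lfanew > len || len - e_lfanew < 4)  /* header must fit in buf */
        return 0;
    return memcmp(buf + e_lfanew, "PE\0\0", 4) == 0;
}

#ifdef _WIN32
/* Walk the regions of `process` and record the base of every committed,
   readable region that starts with a PE header. Returns the number found. */
size_t find_pe_regions(HANDLE process, void **bases, size_t max_bases)
{
    MEMORY_BASIC_INFORMATION mbi;
    unsigned char page[0x1000];
    unsigned char *addr = NULL;
    size_t found = 0;

    while (VirtualQueryEx(process, addr, &mbi, sizeof mbi) == sizeof mbi) {
        SIZE_T got = 0;
        /* Skip anything that is not MEM_COMMIT, as the post advises. */
        int readable = mbi.State == MEM_COMMIT &&
                       !(mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD));
        if (readable &&
            ReadProcessMemory(process, mbi.BaseAddress, page, sizeof page, &got) &&
            looks_like_pe(page, got)) {
            if (found < max_bases)
                bases[found] = mbi.BaseAddress;
            ++found;
        }
        addr = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;
    }
    return found;
}
#endif
```

Passing `GetCurrentProcess()` as `process` scans the client's own address space; any other process needs a handle opened with `PROCESS_QUERY_INFORMATION | PROCESS_VM_READ`.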

  7. #6
    Jason's Avatar
    Not sure why you'd be querying external processes' memory

    As for injected dlls showing up in VQ, that depends on the injection method. Regular methods (such as remote-executing LoadLibraryA) will show up, because you're loading the .dll properly and as such there will be entries into the various info tables.


  8. #7
    master131's Avatar
    Yeah, I wasn't definitely sure.

  9. #8
    Saltine's Avatar
    Quote Originally Posted by Jason View Post


    GetModuleHandle only works internally afaik, you need to use a process32snapshot or w/e it's called to look for external processes. Another easy step is to hook your own loadlibrary function, that'll stop any injectors that use the LoadLibrary method.
    I came across this piece of code: *Credits to MSDN*
    Code:
    #include <windows.h>
    #include <tlhelp32.h>
    #include <tchar.h>
    #include <stdio.h>   // declares the printf family that _tprintf maps to
    
    //  Forward declarations:
    BOOL GetProcessList( );
    BOOL ListProcessModules( DWORD dwPID );
    BOOL ListProcessThreads( DWORD dwOwnerPID );
    void printError( TCHAR* msg );
    
    int main( void )
    {
      GetProcessList( );
      return 0;
    }
    
    BOOL GetProcessList( )
    {
      HANDLE hProcessSnap;
      HANDLE hProcess;
      PROCESSENTRY32 pe32;
      DWORD dwPriorityClass;
    
      // Take a snapshot of all processes in the system.
      hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
      if( hProcessSnap == INVALID_HANDLE_VALUE )
      {
        printError( TEXT("CreateToolhelp32Snapshot (of processes)") );
        return( FALSE );
      }
    
      // Set the size of the structure before using it.
      pe32.dwSize = sizeof( PROCESSENTRY32 );
    
      // Retrieve information about the first process,
      // and exit if unsuccessful
      if( !Process32First( hProcessSnap, &pe32 ) )
      {
        printError( TEXT("Process32First") ); // show cause of failure
        CloseHandle( hProcessSnap );          // clean the snapshot object
        return( FALSE );
      }
    
      // Now walk the snapshot of processes, and
      // display information about each process in turn
      do
      {
        _tprintf( TEXT("\n\n=====================================================" ));
        _tprintf( TEXT("\nPROCESS NAME:  %s"), pe32.szExeFile );
        _tprintf( TEXT("\n-------------------------------------------------------" ));
    
        // Retrieve the priority class.
        dwPriorityClass = 0;
        hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID );
        if( hProcess == NULL )
          printError( TEXT("OpenProcess") );
        else
        {
          dwPriorityClass = GetPriorityClass( hProcess );
          if( !dwPriorityClass )
            printError( TEXT("GetPriorityClass") );
          CloseHandle( hProcess );
        }
    
        _tprintf( TEXT("\n  Process ID        = 0x%08X"), pe32.th32ProcessID );
        _tprintf( TEXT("\n  Thread count      = %d"),   pe32.cntThreads );
        _tprintf( TEXT("\n  Parent process ID = 0x%08X"), pe32.th32ParentProcessID );
        _tprintf( TEXT("\n  Priority base     = %d"), pe32.pcPriClassBase );
        if( dwPriorityClass )
          _tprintf( TEXT("\n  Priority class    = %d"), dwPriorityClass );
    
        // List the modules and threads associated with this process
        ListProcessModules( pe32.th32ProcessID );
        ListProcessThreads( pe32.th32ProcessID );
    
      } while( Process32Next( hProcessSnap, &pe32 ) );
    
      CloseHandle( hProcessSnap );
      return( TRUE );
    }
    
    
    BOOL ListProcessModules( DWORD dwPID )
    {
      HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
      MODULEENTRY32 me32;
    
      // Take a snapshot of all modules in the specified process.
      hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwPID );
      if( hModuleSnap == INVALID_HANDLE_VALUE )
      {
        printError( TEXT("CreateToolhelp32Snapshot (of modules)") );
        return( FALSE );
      }
    
      // Set the size of the structure before using it.
      me32.dwSize = sizeof( MODULEENTRY32 );
    
      // Retrieve information about the first module,
      // and exit if unsuccessful
      if( !Module32First( hModuleSnap, &me32 ) )
      {
        printError( TEXT("Module32First") );  // show cause of failure
        CloseHandle( hModuleSnap );           // clean the snapshot object
        return( FALSE );
      }
    
      // Now walk the module list of the process,
      // and display information about each module
      do
      {
        _tprintf( TEXT("\n\n     MODULE NAME:     %s"),   me32.szModule );
        _tprintf( TEXT("\n     Executable     = %s"),     me32.szExePath );
        _tprintf( TEXT("\n     Process ID     = 0x%08X"),         me32.th32ProcessID );
        _tprintf( TEXT("\n     Ref count (g)  = 0x%04X"),     me32.GlblcntUsage );
        _tprintf( TEXT("\n     Ref count (p)  = 0x%04X"),     me32.ProccntUsage );
        // %p prints the full pointer; casting to DWORD truncates it on 64-bit builds
        _tprintf( TEXT("\n     Base address   = 0x%p"), (void *) me32.modBaseAddr );
        _tprintf( TEXT("\n     Base size      = %d"),             me32.modBaseSize );
    
      } while( Module32Next( hModuleSnap, &me32 ) );
    
      CloseHandle( hModuleSnap );
      return( TRUE );
    }
    
    BOOL ListProcessThreads( DWORD dwOwnerPID ) 
    { 
      HANDLE hThreadSnap = INVALID_HANDLE_VALUE; 
      THREADENTRY32 te32; 
     
      // Take a snapshot of all running threads  
      hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 ); 
      if( hThreadSnap == INVALID_HANDLE_VALUE ) 
        return( FALSE ); 
     
      // Fill in the size of the structure before using it. 
      te32.dwSize = sizeof(THREADENTRY32); 
     
      // Retrieve information about the first thread,
      // and exit if unsuccessful
      if( !Thread32First( hThreadSnap, &te32 ) ) 
      {
        printError( TEXT("Thread32First") ); // show cause of failure
        CloseHandle( hThreadSnap );          // clean the snapshot object
        return( FALSE );
      }
    
      // Now walk the thread list of the system,
      // and display information about each thread
      // associated with the specified process
      do 
      { 
        if( te32.th32OwnerProcessID == dwOwnerPID )
        {
          _tprintf( TEXT("\n\n     THREAD ID      = 0x%08X"), te32.th32ThreadID ); 
          _tprintf( TEXT("\n     Base priority  = %d"), te32.tpBasePri ); 
          _tprintf( TEXT("\n     Delta priority = %d"), te32.tpDeltaPri ); 
          _tprintf( TEXT("\n"));
        }
      } while( Thread32Next(hThreadSnap, &te32 ) ); 
    
      CloseHandle( hThreadSnap );
      return( TRUE );
    }
    
    void printError( TCHAR* msg )
    {
      DWORD eNum;
      TCHAR sysMsg[256];
      TCHAR* p;
    
      eNum = GetLastError( );
      FormatMessage( FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
             NULL, eNum,
             MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
             sysMsg, 256, NULL );
    
      // Trim the end of the line and terminate it with a null
      p = sysMsg;
      while( ( *p > 31 ) || ( *p == 9 ) )
        ++p;
      do { *p-- = 0; } while( ( p >= sysMsg ) &&
                              ( ( *p == '.' ) || ( *p < 33 ) ) );
    
      // Display the message
      _tprintf( TEXT("\n  WARNING: %s failed with error %d (%s)"), msg, eNum, sysMsg );
    }
    Is this (or something like it) what you were referring to?

    @Jason
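
Added example (not part of Saltine's or Jason's posts, and not MSDN code): the blacklist check from post #3 applied to the process snapshot that Jason describes, in C. The names `is_blacklisted` and `count_blacklisted_processes` are hypothetical, `p1.exe` to `p3.exe` are the placeholders from the thread, and the Win32 part builds only on Windows.

```c
/* Added example, not code from the thread; function names are hypothetical. */
#include <ctype.h>
#include <stddef.h>
#ifdef _WIN32
#undef UNICODE            /* use the ANSI PROCESSENTRY32 / Process32First */
#include <windows.h>
#include <tlhelp32.h>
#endif
/* Placeholder names from post #3. */
static const char *const kBlacklist[] = { "p1.exe", "p2.exe", "p3.exe" };

/* Windows file names are case-insensitive, so compare that way. */
static int name_equals(const char *a, const char *b)
{
    for (; *a && *b; ++a, ++b)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Drop any directory part of `image`, then look the name up in the list. */
int is_blacklisted(const char *image)
{
    const char *base = image;
    for (; *image; ++image)
        if (*image == '\\' || *image == '/')
            base = image + 1;
    for (size_t i = 0; i < sizeof kBlacklist / sizeof kBlacklist[0]; ++i)
        if (name_equals(base, kBlacklist[i]))
            return 1;
    return 0;
}

#ifdef _WIN32
/* Number of running processes with a listed image name, or -1 on failure. */
int count_blacklisted_processes(void)
{
    PROCESSENTRY32 pe;
    int hits = 0;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE)
        return -1;
    pe.dwSize = sizeof pe;          /* must be set before Process32First */
    for (BOOL ok = Process32First(snap, &pe); ok; ok = Process32Next(snap, &pe))
        hits += is_blacklisted(pe.szExeFile);
    CloseHandle(snap);
    return hits;
}
#endif
```

`is_blacklisted` is the portable part and can be unit-tested on any platform; the client would call `count_blacklisted_processes()` and act on a non-zero result.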

  10. #9
    Void's Avatar
    There's a lot you can do. I actually posted something on anti-debugging a while ago.

    https://www.mpgh.net/forum/31-c-c-pro...debugging.html

    That's only anti-debugging, there's a lot more if you want to make a fully functional anti-cheat.
