2025-02-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains how an anti-cheat system for an FPS game is designed: how modern cheats get into the game process, and how the anti-cheat can detect them. The explanation is kept simple and goes step by step.
Common injection methods used by game cheats
Today most game cheats no longer use the classic CreateRemoteThread + LoadLibrary injection. Most anti-cheat software ships its own minifilter (file-system filter driver) and an image-load callback, and uses them to judge every module the game loads. In that filter or callback the anti-cheat typically does the following:
if (!CheckFileCertificateByR3(FilePath)) {
    // Send the file path up to ring 3; user mode checks whether the file's digital
    // signature is on the whitelist (for example a Microsoft signature). A whitelisted
    // file is allowed to load; anything else is intercepted.
    block;
}
pass;
This makes it very hard for a cheat to inject itself into the game as a DLL on disk. Most cheats therefore use a fileless ("no file landing") injection: allocate a region of memory inside the game process, write the cheat DLL into it as shellcode, manually fix up the import table, parse the PE header to locate DllMain, and finally make the game execute that address through CreateRemoteThread, an APC, or a hook. The cheat is then injected without a file ever touching disk.
The code below (copied from a Google search result) illustrates the approach:
// The following code comes from a Google search; it is the classic reflective-loader injection.
void InjectorDLLByManualMap(const char* filepath, HANDLE hProcess)
{
    LPVOID    lpBuffer;
    HANDLE    hFile;
    DWORD     dwLength;
    DWORD     dwBytesRead;
    DWORD     dwThreadId;
    DWORD     dwReflectiveLoaderOffset;   // used without a declaration in the original
    ULONG_PTR lpReflectiveLoader;
    LPVOID    lpRemoteDllBuffer;

    // Open the DLL file and read it into a local buffer
    hFile = CreateFileA(filepath, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    dwLength = GetFileSize(hFile, NULL);
    lpBuffer = HeapAlloc(GetProcessHeap(), 0, dwLength);
    ReadFile(hFile, lpBuffer, dwLength, &dwBytesRead, NULL);

    // Locate the loader stub inside the image that later fixes up the import table
    // and relocations itself (GetReflectiveLoaderOffset is a helper not shown on this page)
    dwReflectiveLoaderOffset = GetReflectiveLoaderOffset(lpBuffer);

    // Allocate a private RWX region in the game process and copy the raw file into it
    lpRemoteDllBuffer = VirtualAllocEx(hProcess, NULL, dwLength, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess, lpRemoteDllBuffer, lpBuffer, dwLength, NULL);

    // Start a remote thread at the loader stub
    lpReflectiveLoader = (ULONG_PTR)lpRemoteDllBuffer + dwReflectiveLoaderOffset;
    CreateRemoteThread(hProcess, NULL, 1024 * 1024, (LPTHREAD_START_ROUTINE)lpReflectiveLoader, NULL, 0, &dwThreadId);
}
Its characteristics: memory protection PAGE_EXECUTE_READWRITE, memory type MEM_PRIVATE, no file on disk, no module in the loader lists, no minifilter or image-load callback triggered, and the cheat module cannot be enumerated by the normal means. Concealment is very high.
Detecting memory-loaded cheats
The approach above looks invincible but is actually self-defeating, because its characteristics are just as conspicuous: memory type MEM_PRIVATE, protection PAGE_EXECUTE_READWRITE, and usually a large region size.
So there are several detection methods:
1. Brute-force search for PE headers. Most memory-loaded DLLs still carry their PE header, so a MEM_PRIVATE region that unexpectedly contains a PE header is a cheat. Most current anti-cheats implement this check.
Cheat countermeasure: erase the PE header. Not only the header; every PE characteristic can be wiped.
2. Thread-creation callbacks. Obtain the new thread's start address and check whether it lies in MEM_PRIVATE memory. If so, it is a cheat.
Cheat countermeasure: do not create threads; start the cheat from a hook instead.
3. API call backtracking. As the name suggests, a cheat always has to call some APIs, so we can trace who called each API and check whether the caller's memory is MEM_PRIVATE. There are two ways to do this. The first is to hook all key APIs and, inside the hook, use _ReturnAddress() to obtain the caller's address (in effect reading the return address at ESP/RSP). The second is to place an int3 breakpoint on the API so that calling it raises an exception, and then determine the caller inside the exception handler.
Cheat countermeasure against the first (inline hook) method: write a jump that skips the hook. For example, if your hook looks like this:
JMP your hook address
push ebp
push eax
call xxxx;
the cheat can simply call into the function starting at push ebp, never passing through your jmp, and the hook is bypassed.
Against the second method there is no special bypass, unless the cheat constructs its own call into the lower-level API beneath the hooked one. Of course, we can in turn obfuscate the address of that lower-level API (there are endless variants of this); details later.
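As an added example (not code from the original article), the following C shows the core of detection method 1 above, the brute-force PE header scan, run over a constructed memory region instead of a live process: it steps through a buffer page by page looking for an `MZ` header whose `e_lfanew` points at a `PE\0\0` signature. Scanning the same region with the signatures wiped shows why the erase-the-header countermeasure defeats this check. The region contents, the page-step assumption and the sanity bound on `e_lfanew` are assumptions of this example; in a real anti-cheat the buffer would be each MEM_PRIVATE executable region of the game process, enumerated with VirtualQueryEx and read with ReadProcessMemory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed offsets from the PE file format (IMAGE_DOS_HEADER / IMAGE_NT_HEADERS). */
#define DOS_E_MAGIC     0x5A4Du      /* "MZ" read as a little-endian uint16 */
#define DOS_E_LFANEW    0x3Cu        /* offset of the uint32 that points to the NT headers */
#define NT_SIGNATURE    0x00004550u  /* "PE\0\0" read as a little-endian uint32 */
#define PAGE_SIZE_BYTES 0x1000u

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 if a DOS header at region[off] points to a valid NT signature. */
static int pe_header_at(const uint8_t *region, size_t len, size_t off)
{
    if (off + 0x40 > len) return 0;                  /* the DOS header is 0x40 bytes */
    if (rd16(region + off) != DOS_E_MAGIC) return 0;
    uint32_t lfanew = rd32(region + off + DOS_E_LFANEW);
    /* sanity bound (assumption): e_lfanew must point past the DOS header and stay inside the region */
    if (lfanew < 0x40 || off + lfanew + 4 > len) return 0;
    return rd32(region + off + lfanew) == NT_SIGNATURE;
}

/* Brute-force scan of one region. A manually mapped image starts at the
   beginning of its allocation, so its headers land on a page boundary;
   stepping one page at a time is the assumption made here. Returns the
   offset of the first header found, or -1. */
long scan_region_for_pe(const uint8_t *region, size_t len)
{
    for (size_t off = 0; off < len; off += PAGE_SIZE_BYTES)
        if (pe_header_at(region, len, off)) return (long)off;
    return -1;
}

#define SAMPLE_LEN (3 * PAGE_SIZE_BYTES)

/* Constructed stand-in for a MEM_PRIVATE RWX region read out of the game
   process: one empty page, then a fake DLL image mapped at page 1. */
void build_sample_region(uint8_t *buf, int erase_pe_marks)
{
    memset(buf, 0, SAMPLE_LEN);
    uint8_t *hdr = buf + PAGE_SIZE_BYTES;
    hdr[0] = 'M'; hdr[1] = 'Z';
    hdr[DOS_E_LFANEW] = 0x80;             /* e_lfanew = 0x00000080 */
    hdr[0x80] = 'P'; hdr[0x81] = 'E';     /* hdr[0x82] and hdr[0x83] stay 0 */
    memset(hdr + 0x400, 0x90, 0x100);     /* some "code" after the headers */
    if (erase_pe_marks) {
        /* the cheat's countermeasure from the article: wipe the DOS and NT signatures */
        hdr[0] = hdr[1] = 0;
        hdr[0x80] = hdr[0x81] = 0;
    }
}

/* Builds the sample region with or without its header and scans it. */
long demo_scan(int erase_pe_marks)
{
    static uint8_t buf[SAMPLE_LEN];
    build_sample_region(buf, erase_pe_marks);
    return scan_region_for_pe(buf, SAMPLE_LEN);
}

int main(void)
{
    printf("intact header : offset %ld\n", demo_scan(0));   /* 4096 */
    printf("erased header : offset %ld\n", demo_scan(1));   /* -1 */
    return 0;
}
```

The second run is the point of the exercise: once the cheat zeroes the `MZ` and `PE` marks, a signature scan has nothing left to match, which is why the article moves on to thread-start and caller-address checks that do not depend on the image's own bytes.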
Implementation of call backtracking
To implement call backtracking we need the following steps:
1. Register an exception handler to catch the exceptions:
AddVectoredExceptionHandler
2. Copy the original API's code to a memory area of your own, then overwrite the original API entry with an int3 (0xCC). The code is as follows:
LPVOID pHOOKAdress;
// Megrez_GetProAdress / Megrez_SetMemoryAttr are the project's own helpers (resolve an
// export; make a range writable and executable). pszModuleName and pszProcName are the
// parameters of the enclosing hook-installation function.
pHOOKAdress = Megrez_GetProAdress(pszModuleName, pszProcName);
vecInt3HookedAdress.push_back((DWORD)pHOOKAdress);   // for detection
if (pHOOKAdress == 0) {
    return 0;
}

// Measure the function by walking forward to the first 0xCC padding byte.
// Caveat: 0xCC can also occur inside an instruction encoding, so this is a heuristic.
DWORD dProSize = 0;
LPBYTE pTemp = (LPBYTE)pHOOKAdress;
BYTE bTemp = 0;
for (dProSize = 0; ; ) {
    bTemp = *pTemp++;
    dProSize++;
    if (bTemp == 0xcc) {
        break;
    }
}
DWORD dFileSize = dProSize - 1;

// Private copy of the original code; the exception handler resumes execution here.
// Caveat: the bytes are copied verbatim, so any relative call/jmp inside the function
// points to the wrong target from the new location.
PVOID pNewAddr = VirtualAlloc(NULL, dFileSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (pNewAddr == NULL) {
    return 0;
}
Megrez_SetMemoryAttr(pHOOKAdress, dProSize);
memcpy(pNewAddr, pHOOKAdress, dProSize - 1);

// Overwrite the original entry: int3, ret, nop padding, trailing int3
memset(pHOOKAdress, 0xcc, 1);
memset((PBYTE)pHOOKAdress + 1, 0xc3, 1);
memset((PBYTE)pHOOKAdress + 2, 0x90, dProSize - 1 - 2);
memset((PBYTE)pHOOKAdress + 2 + dProSize - 1 - 2 - 1, 0xcc, 1);
//memset((PBYTE)pHOOKAdress + 2 + dProSize - 3 - 2 , 0xcc, 2);

// Remember original -> copy so the handler knows where to resume
mapAdress.insert(std::pair<DWORD, DWORD>((DWORD)pHOOKAdress, (DWORD)pNewAddr));
Megrez_SetMemoryAttr(pHOOKAdress, dProSize);
Megrez_SetMemoryAttr(pNewAddr, dFileSize);
The API's entry now begins with int3, so any call to it raises an int3 exception, which our exception handler catches.
3. Query the memory information of the caller's address. If the caller's code lives in MEM_PRIVATE memory, report it to the server. The code is as follows (remember: on 32-bit the caller's return address is at ESP, on 64-bit it is at RSP):
// lpBuffer is a PMEMORY_BASIC_INFORMATION; caller_function is the return address taken from ESP/RSP
size_t sizeQuery   = VirtualQuery((PVOID)caller_function, lpBuffer, sizeof(MEMORY_BASIC_INFORMATION));
bool query_failed  = sizeQuery == 0;   // the original returned sizeQuery itself, which is non-zero on success and so flagged every caller
bool non_commit    = lpBuffer->State != MEM_COMMIT;
bool foreign_image = lpBuffer->Type != MEM_IMAGE && lpBuffer->RegionSize > 0x2000;
// FF 23 = jmp qword ptr [rbx]; a return address pointing at this gadget means the call stack was spoofed.
// Only dereference the address once we know it is committed memory.
bool spoof         = !query_failed && !non_commit && *(PWORD)caller_function == 0x23FF;
return query_failed || non_commit || foreign_image || spoof;   // true = suspicious caller
After handling the exception we must resume execution at the saved copy of the original API so the normal call completes (set EIP to the saved memory address):
LONG CALLBACK Int3HookHandler(PEXCEPTION_POINTERS ExceptionInfo)
{
    // Only int3 exceptions raised at an API entry we patched are ours; the page shows
    // just the body of this branch, so the condition is reconstructed here
    if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_BREAKPOINT &&
        mapAdress.count((DWORD)ExceptionInfo->ExceptionRecord->ExceptionAddress))
    {
        // ... the caller check from step 3 runs here and reports MEM_PRIVATE callers ...

        // Resume at the saved copy of the original API so the call completes normally
        ExceptionInfo->ContextRecord->Eip = mapAdress[(DWORD)ExceptionInfo->ExceptionRecord->ExceptionAddress];
#ifdef DEBUG
        WCHAR _buf[256] = { 0 };
        swprintf_s(_buf, 256, L"eIP:0x%X\n", ExceptionInfo->ContextRecord->Eip);
        OutputDebugStringW(_buf);
#endif
        // EXCEPTION_CONTINUE_EXECUTION: the exception is handled and the thread continues at the new EIP
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    // Not one of ours: pass it on to the next handler
    return EXCEPTION_CONTINUE_SEARCH;
}
As you can see, this gives you the identity of the API caller and lets you make a decision.
With that, a detector for most memory-loaded cheats is ready: whoever calls the hooked API gets checked.
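To show the caller check from step 3 end to end without a Windows process, here is an added C example (not the article's code) that applies the same rules to a constructed snapshot of a process's regions standing in for VirtualQuery: query failure, uncommitted memory, a `jmp [rbx]` gadget at the return address, and a committed non-image region larger than 0x2000 bytes each produce their own verdict. The region table, the verdict enum, and the two bytes passed in place of dereferencing the return address are assumptions of this example; the MEM_* constants are the Win32 values, defined locally so the file compiles anywhere.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The MEMORY_BASIC_INFORMATION constants the article's check relies on,
   defined locally so this compiles outside Windows. */
#define MEM_COMMIT  0x00001000u
#define MEM_RESERVE 0x00002000u
#define MEM_PRIVATE 0x00020000u
#define MEM_MAPPED  0x00040000u
#define MEM_IMAGE   0x01000000u

typedef struct {
    uintptr_t   base;
    size_t      size;
    uint32_t    state;   /* MEM_COMMIT or MEM_RESERVE */
    uint32_t    type;    /* MEM_IMAGE, MEM_MAPPED or MEM_PRIVATE */
    const char *label;   /* for reporting only */
} region_t;

/* Constructed snapshot of a game process's address space; it stands in for
   VirtualQuery. Addresses and sizes are invented for the example. */
static const region_t sample_map[] = {
    { 0x00400000u, 0x00800000u, MEM_COMMIT,  MEM_IMAGE,   "game.exe (image)" },
    { 0x77000000u, 0x00200000u, MEM_COMMIT,  MEM_IMAGE,   "ntdll.dll (image)" },
    { 0x10000000u, 0x00010000u, MEM_COMMIT,  MEM_PRIVATE, "heap (private, 64 KiB)" },
    { 0x20000000u, 0x00100000u, MEM_COMMIT,  MEM_PRIVATE, "RWX private region (manual-mapped cheat)" },
    { 0x30000000u, 0x00001000u, MEM_RESERVE, MEM_PRIVATE, "reserved, not committed" },
};
#define SAMPLE_MAP_LEN (sizeof sample_map / sizeof sample_map[0])

/* Stand-in for VirtualQuery: the region containing addr, or NULL when no
   region backs the address (the query fails). */
static const region_t *query_region(uintptr_t addr)
{
    for (size_t i = 0; i < SAMPLE_MAP_LEN; i++) {
        const region_t *r = &sample_map[i];
        if (addr >= r->base && addr - r->base < r->size) return r;
    }
    return NULL;
}

typedef enum {
    CALLER_OK = 0,          /* committed code inside a loaded image */
    CALLER_QUERY_FAILED,    /* return address not backed by any region */
    CALLER_NOT_COMMITTED,   /* region exists but holds no memory */
    CALLER_SPOOFED_GADGET,  /* return address is a jmp [rbx] gadget: spoofed call stack */
    CALLER_FOREIGN_REGION   /* committed, not an image, larger than 0x2000 bytes */
} caller_verdict_t;

/* The article's step-3 rules over one return address. code_at_caller holds the
   two bytes at that address (what the article reads with *(PWORD)caller_function);
   pass NULL when they were not read. */
caller_verdict_t classify_caller(uintptr_t caller, const uint8_t *code_at_caller)
{
    const region_t *r = query_region(caller);
    if (r == NULL)              return CALLER_QUERY_FAILED;
    if (r->state != MEM_COMMIT) return CALLER_NOT_COMMITTED;
    /* FF 23 is "jmp qword ptr [rbx]"; tested before the type check because a
       spoofed return address deliberately points into a legitimate image */
    if (code_at_caller && code_at_caller[0] == 0xFF && code_at_caller[1] == 0x23)
        return CALLER_SPOOFED_GADGET;
    if (r->type != MEM_IMAGE && r->size > 0x2000) return CALLER_FOREIGN_REGION;
    return CALLER_OK;
}

static const char *verdict_name(caller_verdict_t v)
{
    switch (v) {
    case CALLER_OK:             return "ok";
    case CALLER_QUERY_FAILED:   return "query failed";
    case CALLER_NOT_COMMITTED:  return "not committed";
    case CALLER_SPOOFED_GADGET: return "spoofed gadget";
    default:                    return "foreign region";
    }
}

int main(void)
{
    static const uint8_t prologue[2] = { 0x55, 0x8B };   /* push ebp; mov ebp, esp */
    static const uint8_t gadget[2]   = { 0xFF, 0x23 };   /* jmp qword ptr [rbx] */
    printf("game.exe caller      : %s\n", verdict_name(classify_caller(0x00401234u, prologue)));
    printf("RWX private caller   : %s\n", verdict_name(classify_caller(0x20001000u, prologue)));
    printf("heap caller          : %s\n", verdict_name(classify_caller(0x10000100u, prologue)));
    printf("reserved-only caller : %s\n", verdict_name(classify_caller(0x30000010u, NULL)));
    printf("unmapped caller      : %s\n", verdict_name(classify_caller(0x50000000u, NULL)));
    printf("ntdll gadget caller  : %s\n", verdict_name(classify_caller(0x77001000u, gadget)));
    return 0;
}
```

Note that the heap caller is flagged too: the article's rule marks any committed non-image region over 0x2000 bytes, so a production check would normally combine it with the region's protection (is it executable?) before reporting, and the handler would resume at the saved copy of the API in every case so the game keeps running while the report is sent.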
© 2024 shulou.com SLNews company. All rights reserved.