How do I access a protected process's .exe address?

I am writing anti-cheat software for a video game. Using CreateToolhelp32Snapshot I can get a list of open processes. From there I would like to find the address of each process and read through its .exe file. While this works for most processes, protected processes deny access to methods such as OpenProcess or GetModuleFileNameEx. Assuming my application is being run as administrator, is there a workaround to finding protected processes' addresses?

Cheat Engine is not a Protected Process and neither are 99.9% of cheats. You can check the certificate for the exe in Process Hacker and you will see it only has Code Signing and no Protected Process designation.

If you cannot access a cheat's memory it's because they're protecting it with a kernel driver. You must also be running in kernel if you want to touch the process. If they have somehow created a PP then you need to be in kernel.

There are many usermode methods they can use to protect themselves as well; they can simply hook OpenProcess() in every running process, including yours, and return 0 when you're trying to open their process.

You would need to get a copy of the cheat and reverse engineer it to figure out how it's protecting itself, then you can start removing or bypassing these protections.
