
How to detect Cheat Engine?

I would like to ask how I can detect Cheat Engine.

This is what I found:

  • process name
  • process main window title
  • process icon file (?)
  • process EXE file hash
  • process EXE full path

Do you know any other way?

I'm not a pro in this field, but I think none of the parameters you've mentioned are reliable. Keep in mind that it's open-source software, so all of them can be changed easily (custom build) to deceive you.

I think the most common aspect of all programs like CE is DLL injection (it's a Windows term, but there are similar techniques in other OSes as well), although this is just one of the features that CE provides.

So you have to check all the loaded DLLs in your process's address space. You know what should be there, and anything else is injected into your process. You can check that via Process Explorer (there do exist related APIs that can be used to detect that automatically, i.e. without user interaction with a graphical tool, but sorry, I'm not a Windows guy). There's a nice article by Chris Hoffman about that if you want to read more.

If somebody comes up with a better answer, I'm glad to hear.

You can use CreateToolhelp32Snapshot; with this API you can get information about every process running on the system. You can use EnumWindows to get window names. You can detour-hook LoadLibraryA and LoadLibraryExA to detect whether any DLL is being injected, and use IsDebuggerPresent and CheckRemoteDebuggerPresent to block debugging of the process.
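The two answers above both come down to the same check: enumerate what is mapped into the process and compare it with what the build is known to load. The following is an added example (not code from either answer) in C. The portable part reduces each module path to a case-folded basename and reports anything not on an allowlist; the Windows-only part, compiled under `_WIN32`, feeds it the real module list of the running process via EnumProcessModules/GetModuleFileNameExA from psapi.h (the same module list the Toolhelp snapshot the answer names would give you). The module paths in `main` are constructed sample data. Two caveats a practitioner would add: the allowlist must come from the shipped build, not be hand-typed, and a module check catches injected DLLs only; a patch written directly into memory, like the auto-assembler script further down this page, loads nothing. IsDebuggerPresent and CheckRemoteDebuggerPresent both report the process's debug-port state, which a debugger that attaches by other means, or one that clears the flag, does not set.

```c
/* Added example: allowlist check of loaded modules (not from the original answers). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_MODULES 256

/* Reduce a full path to its lower-cased basename so that
 * "C:\Game\GAME.exe" and "c:\game\game.exe" compare equal;
 * Windows paths are case-insensitive. */
void module_basename(const char *path, char *out, size_t out_len)
{
    const char *base = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/') base = p + 1;
    size_t i = 0;
    for (; base[i] && i + 1 < out_len; i++)
        out[i] = (char)tolower((unsigned char)base[i]);
    out[i] = '\0';
}

/* Returns how many loaded modules are not on the allowlist; the basenames of
 * the first max_unknown of them are copied into `unknown`. */
int find_unknown_modules(const char *const *loaded, size_t n_loaded,
                         const char *const *allow, size_t n_allow,
                         char unknown[][64], size_t max_unknown)
{
    int count = 0;
    for (size_t i = 0; i < n_loaded; i++) {
        char name[64];
        module_basename(loaded[i], name, sizeof name);
        int ok = 0;
        for (size_t j = 0; j < n_allow && !ok; j++)
            ok = strcmp(name, allow[j]) == 0;
        if (!ok) {
            if ((size_t)count < max_unknown)
                snprintf(unknown[count], 64, "%s", name);
            count++;
        }
    }
    return count;
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>   /* older SDKs: link with psapi.lib */
/* Windows hook-up: full paths of every module mapped into this process. */
size_t snapshot_own_modules(char paths[][MAX_PATH], size_t max)
{
    HMODULE mods[MAX_MODULES];
    DWORD needed = 0;
    if (!EnumProcessModules(GetCurrentProcess(), mods, sizeof mods, &needed))
        return 0;
    size_t n = needed / sizeof(HMODULE);
    if (n > max) n = max;
    for (size_t i = 0; i < n; i++)
        GetModuleFileNameExA(GetCurrentProcess(), mods[i], paths[i], MAX_PATH);
    return n;
}
#endif

int main(void)
{
    /* Constructed sample: three expected modules plus one stranger. */
    const char *loaded[] = {
        "C:\\Game\\game.exe",
        "C:\\Windows\\System32\\KERNEL32.DLL",
        "C:\\Windows\\System32\\ntdll.dll",
        "C:\\Users\\me\\AppData\\Local\\Temp\\injected.dll",
    };
    const char *allow[] = { "game.exe", "kernel32.dll", "ntdll.dll" };
    char unknown[8][64];
    int n = find_unknown_modules(loaded, 4, allow, 3, unknown, 8);
    for (int i = 0; i < n; i++)
        printf("unexpected module: %s\n", unknown[i]);
    return n ? 1 : 0;
}
```

On Windows, replace the constructed `loaded` array with the output of `snapshot_own_modules` and run the check periodically, since an injector can load its DLL at any time after start-up.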

Most of what you describe is external scanning: basically just scanning for certain aspects of Cheat Engine to detect it.

If you're planning to detect it for an anti-cheat, then you're out of luck with the methods you mentioned, as all of them are easily spoofable. If you're beginning development on an anti-cheat, I recommend detecting something like code injection or hex modification.

If you're working on a project just to detect CE for, say, a function, and you're not focusing on stopping Cheat Engine, then you could write a script to detect the process name or PID. The EXE file hash and EXE full path aren't reliable, as they can easily change over your script's lifetime, and for detecting the process by its icon file you're also out of luck, as you need to know the process name or PID to get the information on the process, rip the icon to read it, and then match the image.

The window title is also really not reliable, as the CE title changes a lot when memory hacking and doing other CE-related things.

The process name is also very unreliable, as again the CE title will change when memory hacking and such.

A reliable method of detecting CE is by detecting its debugger: try to detect when CE attaches its debugger to the process, and also scan for unknown libraries that CE injects and uses.

For detecting CE I suggest you try to detect the base address of the CE debugger. You can also try to detect certain assembly patterns like this one:

alloc(newmem,2048)        // reserve 2048 bytes outside the module for the detour
label(returnhere)
label(originalcode)
label(exit)

newmem:
// NULL                   // injected code would go here; empty in this sample

originalcode:
mov [ecx+38],eax          // the two instructions overwritten at the hook site (6 bytes)
mov eax,[edx+3C]

exit:
jmp returnhere            // back into the game's own code

"process.exe"+B5B23:      // hook site: the 6 bytes become a 5-byte jmp plus one nop
jmp newmem
nop
returnhere:

This is a code injection script used by the CE debugger.

This is just a sample of what you would need to detect, but you would need a pretty optimized and fast script to scan a process's assembly bytes and addresses to find a specific array of bytes. If you are going to do this, I suggest coding it in C++ or C#. Python is not reliable in this case, as you will need to scan memory addresses, and with the current toolset of memory-hacking libraries for Python it just won't work, so I recommend C++ or C#.
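What the script above leaves behind is not a byte pattern you can search for (the jump target differs on every run), but a code site whose bytes no longer match the shipped binary and whose first instruction is a relative jmp into memory outside the module. The following added example (not code from the answer) in C checks a site against its known-good bytes and, when it finds an E9 rel32 jmp, decodes the target and reports whether it lies outside the image, which is what a CE `alloc` gives you. The site RVA and the original bytes (`mov [ecx+38],eax` = 89 41 38, `mov eax,[edx+3C]` = 8B 42 3C) are taken from the script; the 1 MiB image, the far "newmem" address and the in-image target in the second check are constructed. It assumes a little-endian host, which is the case on x86.

```c
/* Added example: detecting a CE-style "jmp newmem ; nop" patch at a known code site. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* From the auto-assembler script: "process.exe"+B5B23 holds
 *   mov [ecx+38],eax   -> 89 41 38
 *   mov eax,[edx+3C]   -> 8B 42 3C
 * The 5-byte jmp plus one nop replace exactly these 6 bytes. */
#define HOOK_SITE_RVA 0xB5B23u
static const uint8_t kOriginalSite[] = { 0x89, 0x41, 0x38, 0x8B, 0x42, 0x3C };

typedef struct {
    int patched;          /* bytes at the site differ from the known-good copy */
    int is_rel_jmp;       /* the patch starts with E9 rel32 */
    int64_t target_rva;   /* decoded jmp target, relative to the image base */
    int target_outside;   /* target lies outside the module image (a code cave) */
} hook_report;

/* Compare a code site against its known-good bytes; if it now begins with a
 * relative jmp, decode where the jmp goes. `image` is the mapped module as
 * read from the process, `site_rva` the offset of the site within it. */
hook_report check_site(const uint8_t *image, size_t image_size,
                       uint32_t site_rva, const uint8_t *expected, size_t len)
{
    hook_report r = { 0, 0, -1, 0 };
    if ((size_t)site_rva + len > image_size)   /* site not inside the image */
        return r;
    const uint8_t *p = image + site_rva;
    r.patched = memcmp(p, expected, len) != 0;
    if (r.patched && len >= 5 && p[0] == 0xE9) {
        int32_t rel;
        memcpy(&rel, p + 1, sizeof rel);          /* little-endian rel32 */
        r.is_rel_jmp = 1;
        r.target_rva = (int64_t)site_rva + 5 + rel; /* target = next IP + rel32 */
        r.target_outside = r.target_rva < 0 ||
                           (uint64_t)r.target_rva >= image_size;
    }
    return r;
}

/* What the script does at enable time: overwrite the site with jmp rel32 ; nop. */
void apply_ce_style_hook(uint8_t *image, uint32_t site_rva, int64_t newmem_rva)
{
    int32_t rel = (int32_t)(newmem_rva - ((int64_t)site_rva + 5));
    image[site_rva] = 0xE9;
    memcpy(image + site_rva + 1, &rel, sizeof rel);
    image[site_rva + 5] = 0x90;
}

/* Constructed stand-in for the game's mapped image, clean at the hook site. */
uint8_t *make_test_image(size_t size)
{
    uint8_t *image = calloc(size, 1);
    if (image)
        memcpy(image + HOOK_SITE_RVA, kOriginalSite, sizeof kOriginalSite);
    return image;
}

int main(void)
{
    const size_t image_size = 0x100000;              /* 1 MiB constructed image */
    uint8_t *image = make_test_image(image_size);
    if (!image) return 1;

    hook_report clean = check_site(image, image_size, HOOK_SITE_RVA,
                                   kOriginalSite, sizeof kOriginalSite);
    printf("clean image:  patched=%d\n", clean.patched);

    /* CE's alloc() hands out memory outside the module; a far RVA stands in for it. */
    apply_ce_style_hook(image, HOOK_SITE_RVA, 0x2000000);
    hook_report hooked = check_site(image, image_size, HOOK_SITE_RVA,
                                    kOriginalSite, sizeof kOriginalSite);
    printf("hooked image: patched=%d jmp=%d target=0x%llx outside=%d\n",
           hooked.patched, hooked.is_rel_jmp,
           (long long)hooked.target_rva, hooked.target_outside);
    free(image);
    return 0;
}
```

In a real anti-cheat the known-good bytes come from the binary on disk (or a hash of the whole code section taken at start-up), not from a hand-written table, and the check is repeated over every hot function rather than a single site, since CE lets the user pick any address.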
