[GUIDE] How to make your hack undetectable

05/18/2010 14:33 Nyamochka#1
This is an advanced guide covering only conceptual stuff for people who already know how to create trainers. It's not the stuff you should completely rely on, but something I figured out for myself by inspecting X-Trap's behavior.

At the moment, X-Trap's detection routine is pretty lame.
  • It has a blacklist of programs it doesn't like to be running.
  • It verifies a checksum of the static address space of a protected application (it either does it once or pretty rarely).

Stuff you could try to prevent your hack from being detected:
  • In order to fight the blacklisting, run your trainer with a random image name each time. Example: it runs, copies itself into a tempfile, runs the tempfile which patches the memory.
  • X-Trap doesn't like when remote processes mess with its application's address space. Make your code reside in the application's address space (injection). Do your modifications a while after the application starts, so we're sure X-Trap's done with its checks already.
  • Beat blacklisting when using LoadLibrary - make sure the file name is random and always deallocate the filename string from remote process memory.
  • Advanced: don't inject a DLL, inject the code itself by allocating memory inside the target process. I haven't done this myself (because DLL injection still works and is much easier :p), but this will be a bold option when X-Trap detection mechanism improves.

That's all for now; hope UG folks will add some nice advice to my lame assumptions :) Happy hacking!
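
Added example, not part of the original post: a defender-side sketch of why the image-name blacklist described above misses a renamed copy of a known file while a content-digest match still flags it. The file names, sample bytes and function names are constructed for illustration and are not X-Trap's implementation.

```python
import hashlib
import os
import shutil
import tempfile
import uuid


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def flagged_by_name(path, name_blacklist):
    """Name-based check: compares only the image file name."""
    return os.path.basename(path).lower() in name_blacklist


def flagged_by_digest(path, digest_blacklist):
    """Content-based check: compares the digest of the file's bytes."""
    return sha256_of(path) in digest_blacklist


def demo():
    """Create a constructed 'known tool', copy it under a random name, run both checks."""
    workdir = tempfile.mkdtemp()
    try:
        original = os.path.join(workdir, "knowntool.exe")  # constructed sample name
        with open(original, "wb") as f:
            f.write(b"MZ" + b"constructed sample bytes, not a real binary" * 8)
        names = {"knowntool.exe"}          # what a name blacklist would hold
        digests = {sha256_of(original)}    # what a digest blacklist would hold
        renamed = os.path.join(workdir, uuid.uuid4().hex + ".tmp")
        shutil.copyfile(original, renamed)  # same bytes, random file name
        return {
            "original_name": flagged_by_name(original, names),
            "renamed_name": flagged_by_name(renamed, names),
            "renamed_digest": flagged_by_digest(renamed, digests),
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```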
05/18/2010 14:34 Al Kappaccino#2
Surely helpful.
05/18/2010 14:52 HAKAN.#3
I think it helps ;)
Thank you.
05/18/2010 14:56 elmomo277#4
Good job! Thank you! (my 100th post, YEAH)
05/18/2010 15:55 Kaisame#5
Quote:
Originally Posted by elmomo277
He's not first anyway, but whatever XD
Sure, but from now on you'd better stick to the topic (me included)
05/18/2010 18:57 jinkaku#6
thx for this guide
05/19/2010 10:27 Chriss09#7
we hope alastor is reading xD
05/19/2010 10:42 Nyamochka#8
Quote:
Originally Posted by Chriss09
we hope alastor is reading xD
Alastor should be in school by now :D

After they've blacklisted me again I can't be sure about anything anymore :facepalm:

I can't find out WHAT they've blacklisted. It's neither the temporary path, nor the .tmp filename... Currently I'm trying to fool it by injecting a DLL residing in System32 - let's see if it works.
05/19/2010 10:58 iPoDDD#9
Thank you for your help ^^
05/19/2010 13:01 Maragon101#10
Quote:
Originally Posted by iPoDDD
Thank you for your help ^^
Is it just me, or am I the only one who gets the feeling that you don't even understand what's going on and try to spam everywhere you can?
05/19/2010 14:07 cmpqz321#11
thx
05/19/2010 15:34 killerwiller250#12
thank you
05/19/2010 18:52 Maragon101#13
^all this :facepalm:
You should rather click on the thx button than post "thanks" because it's spam.
05/19/2010 20:15 ©£¥ňŋ²©#14
German?
05/19/2010 20:19 Bummzuabua#15
1. thanks, it's a nice guide :)
2.

#reported doublepost