[question] file name detection
Discussion on [question] file name detection within the Flyff Private Server forum part of the Flyff category.
09/13/2016, 21:45
#1
[question] file name detection
Would it be possible to detect the entire program that is injected into the neuz and create a text file with the injected file name in it?
Any suggestions will be accepted...
Greetz..
09/13/2016, 23:35
#2
Yes it is 
I wrote my own antihack a year ago. It checks every module of the neuz. Note that this will also detect every dll loaded by Windows or by the neuz itself!
Here are some code snippets from my old antihack:
Code:
// Both BlockAPI and HookFunc are member functions of the anti-hack class (its
// declaration is not in the post); m_hProc is a handle to the process being
// protected. The snippets need <windows.h> and <winternl.h> (UNICODE_STRING).
BlockAPI(m_hProc, "NTDLL.DLL", "LdrLoadDll")
Code:
////////////////////////BlockAPI////////////////////////
// Resolves libName!apiName in our own address space and redirects it to _Hook.
// That address is only right for the target when the library is mapped at the
// same base there, which holds when the anti-hack runs inside the neuz and,
// for ntdll.dll, for every process of the same boot session.
bool BlockAPI(HANDLE hProcess, char* libName, char* apiName)
{
	HINSTANCE hLib = NULL;
	VOID *pAddr = NULL;
	hLib = LoadLibrary(libName);
	if(!hLib)
		return false;
	pAddr = (VOID*)GetProcAddress(hLib, apiName);
	if(!pAddr)
		return false;
	// hProcess is unused here: HookFunc patches through m_hProc
	if(!this->HookFunc((unsigned)pAddr, (unsigned)&_BackupedOriginal, (unsigned)&_Hook, 5))
		return false;
	// Harmless for ntdll.dll, which is never unloaded; for any other library
	// this could unmap the code that was just patched.
	FreeLibrary(hLib);
	return true;
}
Code:
////////////////////////HookFunc////////////////////////
// Displacement for a 5-byte "jmp rel32" placed at `from`: the CPU adds rel32
// to the address of the next instruction, i.e. from + 5. The post calls this
// offset() but never shows it; this is what it has to compute.
static unsigned offset(unsigned from, unsigned to)
{
	return to - (from + 5);
}

// Overwrites the first bts (= 5) bytes of sourceFunc with "jmp instead_call"
// and turns new_address into a trampoline: the 5 original bytes followed by
// "jmp sourceFunc+5". This is only correct when those 5 bytes are whole
// instructions without relative operands. The hot-patchable MSVC prologue
// "mov edi,edi / push ebp / mov ebp,esp" (8B FF 55 8B EC) is exactly that;
// for anything else a length disassembler is needed.
// WriteProcessMemory lifts the page protection on the target itself, which
// is why the code gets away without VirtualProtect. The byte-wise writes
// leave a window in which another thread can execute a half-written patch.
bool HookFunc(unsigned sourceFunc, unsigned new_address, unsigned instead_call, unsigned bts)
{
	/*
	read 5 bytes from offi; (5 => jmp + 4x address)
	write them in right order into backup;
	delete the bytes from offi; (nop)
	write jmp into offi;
	get diff between offi and replace;
	write address into sourcefunc; (complete cmd = jmp 0x00 0x00 0x00 0x00) (0x00 = address)
	write jmp into backup;
	calc diff between backup and offi;
	write address to backup;
	*/
	BYTE byte;
	DWORD rw = 0;
	HANDLE hProc = m_hProc; //OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
	unsigned temp_address[5];
	if(bts != 5)
		return false; // _BackupedOriginal has room for exactly 5 bytes + jmp
	temp_address[0] = sourceFunc; // store toHooking func start location
	temp_address[1] = new_address; // store new original backup func start location
	for(unsigned i = 0; i < bts; i++) // "cut" original func into backupfunc
	{
		if(!ReadProcessMemory(hProc, (LPCVOID) sourceFunc, &byte, sizeof(byte), &rw)) // read offi opcode & save in byte
			return false;
		if(!WriteProcessMemory(hProc, (LPVOID) new_address++, &byte, sizeof(byte), &rw)) // "backup" offi opcode
			return false;
		byte = 0x90; // nop (historically xchg eax, eax) => does nothing
		if(!WriteProcessMemory(hProc, (LPVOID) sourceFunc++, &byte, sizeof(byte), &rw)) // "delete" sourcefunc opcode
			return false;
	}
	sourceFunc = temp_address[0]; // restore start func location
	byte = 0xE9; // jmp rel32 opcode
	if(!WriteProcessMemory(hProc, (LPVOID) sourceFunc, &byte, sizeof(byte), &rw)) // write jmp into sourcefunc
		return false;
	temp_address[3] = offset(sourceFunc, instead_call); // rel32 from the jmp at sourceFunc to instead_call
	if(!WriteProcessMemory(hProc, (LPVOID) ++sourceFunc, &temp_address[3], sizeof(temp_address[3]), &rw)) // write rel32 after jmp
		return false;
	if(!WriteProcessMemory(hProc, (LPVOID) new_address++, &byte, sizeof(byte), &rw)) // write jmp into backupfunc (after the 5 saved bytes)
		return false;
	temp_address[4] = offset(temp_address[1] + bts/*the jmp in the backup*/, temp_address[0] + bts/*first untouched byte of offi*/); // rel32 back into offi
	if(!WriteProcessMemory(hProc, (LPVOID) new_address, &temp_address[4], sizeof(temp_address[4]), &rw)) // write rel32
		return false;
	return true;
}
Code:
// Real export (ReactOS declaration):
// NTSTATUS NTAPI LdrLoadDll(PWSTR SearchPath OPTIONAL, PULONG DllCharacteristics OPTIONAL, PUNICODE_STRING DllName, PVOID *BaseAddress)
// The post had the parameters as PWSTR*/PDWORD*/PUNICODE_STRING/HINSTANCE; the
// stack layout is the same on x86 (4 pointer-sized stdcall args), so the
// original names are kept below and only the types and the return type are fixed.
// NTSTATUS is a LONG where NT_SUCCESS() means "status >= 0".

// Whitelist check, not included in the post. Buffer is not guaranteed to be
// NUL-terminated, so the length (in WCHARs) is passed along.
bool checkDLL(const WCHAR* name, USHORT lengthInChars);

////////////////////////_BackupedOriginal////////////////////////
// 10 bytes of placeholder that HookFunc overwrites: the 5 original bytes of
// LdrLoadDll, then "jmp LdrLoadDll+5". __declspec(naked) so the compiler emits
// no prologue/epilogue around them and the bytes really start at the function
// address. Build with /INCREMENTAL:NO, otherwise &_BackupedOriginal (and
// &_Hook) is an ILT jump thunk and the patch lands in the thunk.
__declspec(naked) LONG __stdcall _BackupedOriginal(PWSTR szcwPath, PULONG pdwLdrErr, PUNICODE_STRING pUniModuleName, PVOID* pResultInstance)
{
	//partly backuped offi
	__asm NOP; // offi byte 1
	__asm NOP; // offi byte 2
	__asm NOP; // offi byte 3
	__asm NOP; // offi byte 4
	__asm NOP; // offi byte 5
	//call offi
	__asm NOP; // jmp
	__asm NOP; // address[0]
	__asm NOP; // address[1]
	__asm NOP; // address[2]
	__asm NOP; // address[3]
}
////////////////////////_Hook////////////////////////
// Runs in place of LdrLoadDll; same stdcall signature, so the stack matches.
LONG __stdcall _Hook(PWSTR szcwPath, PULONG pdwLdrErr, PUNICODE_STRING pUniModuleName, PVOID* pResultInstance)
{
	//if(g_zProtect->m_hProc == pResultInstance) // pResultInstance(unused..!?) => pUniModuleName check sys32 or / <= should work | get dll name + GetModuleHandle() check
	if(checkDLL(pUniModuleName->Buffer, pUniModuleName->Length / sizeof(WCHAR)))
	{
		// call and return original
		return _BackupedOriginal(szcwPath, pdwLdrErr, pUniModuleName, pResultInstance);
	}
	// Blocked. The post returned 1 here, but NT_SUCCESS(1) is true: the caller
	// would treat the load as successful with *pResultInstance never filled in.
	return (LONG)0xC0000135L; // STATUS_DLL_NOT_FOUND: a real failure status
}
pUniModuleName->Buffer from _Hook is the name of the module, i.e. the name of the injected dll. I am not sure if this still works, and I am also not sure if everything is right with the code above, because I developed it about 1.5 years ago. It may get bypassed very easily!
Capt. Jack
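The jmp-rel32 arithmetic that HookFunc and _BackupedOriginal perform on the live process, worked through on plain byte buffers as an added example (not Capt. Jack's code and nothing from the Flyff client), so it can be checked without a target process. The function, hook and trampoline addresses in selftest() are made up. It adds the check the snippets skip: the five bytes being moved must be whole, position-independent instructions, which is what the hot-patchable MSVC prologue guarantees.

```c
/* Added example (not the post's code): jmp-rel32 hook arithmetic on plain
 * buffers. Assumes 32-bit x86 and 5-byte "E9 rel32" jumps; the addresses in
 * selftest() are made up. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_LEN 5

/* rel32 for a jmp sitting at `at` that should land on `to`: the CPU adds
 * rel32 to the address of the next instruction, so subtract at + 5.
 * Wraps mod 2^32, which is exactly what a backward jump needs. */
uint32_t jmp_rel32(uint32_t at, uint32_t to)
{
    return to - (at + JMP_LEN);
}

/* Encode "jmp to" at address `at` into out[5] (little-endian rel32). */
void encode_jmp(uint8_t out[JMP_LEN], uint32_t at, uint32_t to)
{
    uint32_t rel = jmp_rel32(at, to);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Decode the target of an E9 jmp found at address `at`; false if not a jmp. */
bool decode_jmp(const uint8_t *p, uint32_t at, uint32_t *target)
{
    if (p[0] != 0xE9)
        return false;
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)p[1 + i] << (8 * i);
    *target = at + JMP_LEN + rel;
    return true;
}

/* The 5 bytes moved into the trampoline must be whole, position-independent
 * instructions. MSVC's hot-patchable prologue "mov edi,edi; push ebp;
 * mov ebp,esp" (8B FF 55 8B EC) is the case where a blind 5-byte copy is safe. */
bool is_hotpatch_prologue(const uint8_t *p)
{
    static const uint8_t hp[JMP_LEN] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
    return memcmp(p, hp, JMP_LEN) == 0;
}

/* Build both halves of the hook:
 *   patch[5]  -> written over func:           jmp hook
 *   tramp[10] -> written over the trampoline: <original 5 bytes> jmp func+5
 * Returns false if the prologue cannot be relocated by copying. */
bool build_hook(const uint8_t *func_bytes, uint32_t func, uint32_t hook,
                uint32_t tramp_addr, uint8_t patch[JMP_LEN], uint8_t tramp[2 * JMP_LEN])
{
    if (!is_hotpatch_prologue(func_bytes))
        return false;
    encode_jmp(patch, func, hook);
    memcpy(tramp, func_bytes, JMP_LEN);
    encode_jmp(tramp + JMP_LEN, tramp_addr + JMP_LEN, func + JMP_LEN);
    return true;
}

/* Round trip on made-up addresses; returns 1 when everything agrees. */
int selftest(void)
{
    const uint8_t ldr[JMP_LEN] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC}; /* constructed prologue */
    const uint32_t func = 0x77E41B90u, hook = 0x10001000u, tramp_addr = 0x10002000u;
    uint8_t patch[JMP_LEN], tramp[2 * JMP_LEN];
    uint32_t t;
    if (!build_hook(ldr, func, hook, tramp_addr, patch, tramp)) return 0;
    if (!decode_jmp(patch, func, &t) || t != hook) return 0;          /* func -> hook */
    if (memcmp(tramp, ldr, JMP_LEN) != 0) return 0;                   /* original bytes kept */
    if (!decode_jmp(tramp + JMP_LEN, tramp_addr + JMP_LEN, &t) || t != func + JMP_LEN) return 0;
    const uint8_t other[JMP_LEN] = {0xE8, 0x00, 0x00, 0x00, 0x00};    /* call rel32: not relocatable */
    if (build_hook(other, func, hook, tramp_addr, patch, tramp)) return 0;
    return 1;
}

int main(void)
{
    int ok = selftest();
    printf("%s\n", ok ? "hook arithmetic ok" : "hook arithmetic BROKEN");
    return ok ? 0 : 1;
}
```

decode_jmp also works in the other direction: read the first byte of LdrLoadDll (or any exported API) in the process and, if it is already 0xE9, someone else got there first, which is one cheap way to notice the in-place code replacement the next reply talks about.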
09/14/2016, 17:02
#3
Possible, but it doesn't help you against hacks. People who work with injections will be able to do in-place code replacements or manipulate the memory from outside the program as well.
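The other half of post #2, checking every module of the neuz, with the text file the original question asked for, as an added example that is neither the poster's code nor anything from the game. The collector is Windows-only (Toolhelp snapshot, ANSI build); the allowlist and the report are portable C with a constructed sample module list, made-up directories and a hypothetical known-file list. It also shows why the reply above is right: the check only sees what the loader lists, so a name-based allowlist is defeated by renaming a file, and anything patched in place or written from another process never appears at all.

```c
/* Added example, not the post's or the game's code. Classification and the
 * report are portable C; the collector uses Toolhelp and builds on Windows
 * only (ANSI build, UNICODE not defined). All paths and names are made up. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum mod_class { MOD_SYSTEM, MOD_KNOWN, MOD_UNKNOWN };

struct policy {
    const char *sys_dirs[2];   /* OS modules: trusted by directory */
    const char *game_dir;      /* game modules: trusted by exact file name */
    const char *const *known;
    size_t nknown;
};

/* Windows paths are case-insensitive, so every comparison here is too. */
static bool ci_prefix(const char *s, const char *prefix)
{
    for (; *prefix; ++s, ++prefix)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

static bool ci_equal(const char *a, const char *b)
{
    return strlen(a) == strlen(b) && ci_prefix(a, b);
}

static const char *file_name(const char *path)
{
    const char *p = strrchr(path, '\\');
    return p ? p + 1 : path;
}

/* Name-only allowlist: renaming inject.dll to a known name inside the game
 * directory defeats it, so a real check would compare file hashes as well. */
enum mod_class classify_module(const char *path, const struct policy *pol)
{
    for (size_t i = 0; i < 2; i++)
        if (pol->sys_dirs[i] && ci_prefix(path, pol->sys_dirs[i]))
            return MOD_SYSTEM;
    if (ci_prefix(path, pol->game_dir))
        for (size_t i = 0; i < pol->nknown; i++)
            if (ci_equal(file_name(path), pol->known[i]))
                return MOD_KNOWN;
    return MOD_UNKNOWN;
}

/* Write each unrecognised module path to `out` (NULL: count only).
 * Returns the number of unknown modules. */
size_t report_unknown(const char *const *paths, size_t n,
                      const struct policy *pol, FILE *out)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (classify_module(paths[i], pol) != MOD_UNKNOWN)
            continue;
        if (out)
            fprintf(out, "%s\n", paths[i]);
        hits++;
    }
    return hits;
}

/* Constructed sample: a hypothetical install and a snapshot of its modules. */
static const char *const SAMPLE_KNOWN[] = { "Neuz.exe", "example_game.dll" };
const struct policy SAMPLE_POLICY = {
    { "C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\" },
    "D:\\Flyff\\", SAMPLE_KNOWN, 2
};
static const char *const SAMPLE_MODULES[] = {
    "D:\\Flyff\\Neuz.exe",
    "C:\\WINDOWS\\system32\\NTDLL.DLL",
    "C:\\Windows\\SysWOW64\\kernel32.dll",
    "D:\\Flyff\\example_game.dll",
    "D:\\Flyff\\speedup.dll",                              /* dropped next to the client */
    "C:\\Users\\player\\AppData\\Local\\Temp\\inject.dll", /* typical injector drop path */
};

/* Runs the sample through the policy; returns the unknown count. */
size_t sample_report(FILE *out)
{
    size_t n = sizeof SAMPLE_MODULES / sizeof SAMPLE_MODULES[0];
    return report_unknown(SAMPLE_MODULES, n, &SAMPLE_POLICY, out);
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
/* Live collector: module paths of process `pid` (GetCurrentProcessId() when
 * the check runs inside the client). Returns how many paths were stored. */
size_t collect_modules(DWORD pid, char paths[][MAX_PATH], size_t max)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid);
    if (snap == INVALID_HANDLE_VALUE)
        return 0;
    MODULEENTRY32 me;
    me.dwSize = sizeof me;
    size_t n = 0;
    if (Module32First(snap, &me)) {
        do {
            strncpy(paths[n], me.szExePath, MAX_PATH - 1);
            paths[n][MAX_PATH - 1] = '\0';
        } while (++n < max && Module32Next(snap, &me));
    }
    CloseHandle(snap);
    return n;
}
#endif

int main(void)
{
    printf("%zu unknown module(s) in the sample\n", sample_report(stdout));
    return 0;
}
```

On Windows the same report runs against a live process: collect_modules() into a buffer, build the policy from the real install directory instead of SAMPLE_POLICY, and pass an fopen()'d "unknown_modules.txt" as `out` to get the file the question asked for. Everything the check reports comes from the loader's module list; code written over Neuz's own bytes, or memory edited through WriteProcessMemory from another process, leaves no entry there.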