[GUIDE] How to make your hack undetectable

Nyamochka · 05/18/2010, 14:33

This is an advanced guide covering only conceptual stuff for people who already know how to create trainers. It's not the stuff you should completely rely on, but something I figured out for myself by inspecting X-Trap's behavior.

At the moment, X-Trap's detection routine is pretty lame.

It has a blacklist of program's it doesn't like to be running.
It verifies a checksum of static address space of a protected application (it either does it once or pretty rarely)

Stuff you could try to prevent your hack from being detected:

In order to fight the blacklisting, run your trainer with random image name each time. Example: it runs, copies itself into a tempfile, runs the tempfile which patches the memory.
X-Trap doesn't like when remote processes mess with its application's address space. Make your code reside in application's address space (injection). Do your modifications in a while after the application starts, so we're sure X-Trap's done with its checks already.
Beat blacklisting when using LoadLibrary - make sure the file name is random and and always deallocate the filename string from remote process memory.
Advanced: don't inject a DLL, inject the code itself by allocating memory inside the target process. I haven't done this myself (because DLL injection still works and is much easier ), but this will be a bold option when X-Trap detection mechanism improves.

That's all for now; hope UG folks will add some nice advises to my lame assumptions

Happy hacking!

Al Kappaccino · 05/18/2010, 14:34

Surly helpful.

~~HAKAN.~~ · 05/18/2010, 14:52

I think it Helps

Thank you.

elmomo277 · 05/18/2010, 14:56

Good job! Thank you! (mein 100ster post YEAH)

Kaisame · 05/18/2010, 15:55

Quote:

Originally Posted by elmomo277

Er is sowieso nich erster aber auch egal XD

Is klar, aber ab jez haltet euch besser ans Thema (mir inklusive)

jinkaku · 05/18/2010, 18:57

thx for this guide

Chriss09 · 05/19/2010, 10:27

we hope alastor is reading xD

Nyamochka · 05/19/2010, 10:42

Quote:

Originally Posted by Chriss09

we hope alastor is reading xD

Alastor should be in school by now

After they've blacklisted me again I can't be sure about anything anymore

I can't find out WHAT they've blacklisted. It's neither the temporary path, nor the .tmp filename... Currently I'm trying to fool it with injecting a DLL residing in System32- let's see if it works.

~~iPoDDD~~ · 05/19/2010, 10:58

Thank You for you help ^^

Maragon101 · 05/19/2010, 13:01

Quote:

Originally Posted by iPoDDD

Thank You for you help ^^

is it just me or am i the onley one who gets the feeling that you don't even understand whats going on and try to spamm everywhere you can?

cmpqz321 · 05/19/2010, 14:07

thx

killerwiller250 · 05/19/2010, 15:34

thank you

Maragon101 · 05/19/2010, 18:52

^all this

Lieber thx button drücken als thx zu schreiben das ist spamm.

You should rather klick on the thx button than post "thanks" becouse it's spamm.

©£¥ňŋ²© · 05/19/2010, 20:15

german?

~~Bummzuabua~~ · 05/19/2010, 20:19

1. thanks its a nice guide

2.

#reportet doublepost