Anti-plug-in principle

Anti-plug-in principle
I don't think it is related to a simulated keyboard or mouse. Next I will introduce some anti-plug-ins and solutions.
Active Defense:
Obtain the plug-in memory feature process name plug-in title and plug-in window class name plug-in injects DLL name plug-in into the game hook for the game ~ Determine whether the system DLL used by the game is modified
NP Injection Protection Law
The anti-plug-in method is to insert a DLL to each of our processes and use the DLL to determine Code Whether the game is compromised ~
The solution is to install a dllhook to our plug-in so that its DLL cannot be inserted into our process for protection.
Title Protection Law
The game determines whether the title of each window is accompanied by a specified keyword eye. If yes, the game determines as a plug-in.
The solution is to customize Algorithm Random title when the plug-in is started
Injection Protection Law
The name of the process that the game judges plug-ins inject into the game ~ There is no need to modify the name to directly hide the process in the DLL.
Class Name Protection Law
Now, many games use anti-plug-ins to determine the name of the plug-in window class ~ For example, Warcraft is ~ As long as your Program When the window class name involves the specified keywords, It is plug-ins. Whether you are a plug-in or not, this is common. If you do not open plug-ins, it is also blocked.
Memory feature Protection Law
The anti-plug-in of the game gets your memory features (just like anti-virus software gets key virus code)
There are many solutions to improve your process permissions so that he cannot view your plug-in memory ~ Add to your key memory features to make the game misjudgment and so on ....
Process name
This is very common. For example, if you open an external directory named ".exe", you can just block it.
The solution is to change the system process name svchost.exe or rising rising.exe ~ (I will use rising.exe haha
System DLL compile Method
Sometimes you need to modify the system's DLL for the anti-plug-in of the game ~~ Therefore, the game will determine whether the DLL is modified ~ To implement anti-plug-ins
I have no solutions yet ~ His judgment method is many, CRC, a series
Passive defense:
When the game is running, enable apihook to intercept API information to invalidate API execution ~ An error occurs when the game memory is protected so that it cannot be debugged or debugged.
Anti-apihook
This section describes how to implement anti-apihook.
The game uses the creation of the driver interception process to add a DLL file to each process. This dll will hook a large number of key APIs in the current process. Once the API called by this process is found to be harmful and the game process will be filtered. In principle, it is similar to the process protection implemented by the global hook + apihook in the previous section.
In other words, apihook filters some special key API calls.
To implement the Anti-apihook function, we need to understand the implementation principle of apihook.
What is apihook?
Some means can be used to control the call of certain API functions by the target process.
What are the methods of apihook?
There are two methods to call common hook APIs.
One is to find the entry address of the API in the memory, modify the first eight-character section of the entry data to a compilation of jmp xxxxxxxx unconditional jump commands, when this API is called, it will jump to another specified function entry, that is, the callback handler with the same parameters and returned values as this API.
In the process input table (IAT table), locate the API address to be called and modify the address, when the program finds this API address in the input table, it obtains the modified callback program entry address.
In the preceding two methods, the second method does not need to be filtered, because the program can call an API without passing the input table. The first step is to modify the first eight-character section of the entry, because as long as the program calls this API, it must enter from its entry address.
Solution
When a process is created, read and save the eight-character data section at the entrance of the key API to be used. Then, each time you call these APIs, write back all the original eight-character data. In this way, the game fails to intercept our API entry.
But one thing to note is that our programs must run before the game. If the game has run before, it will be late. At that time, the eight-character section data you saved will have been moved by the game for a long time. Moreover, if the game stops running after you save the modified data, you can restore the API entry and call these Apis.
Game memory Protection Law
The process permission is elevated so that the plug-in cannot edit the game memory to implement the anti-plug-in.
Or if you modify the memory, an error is returned.
The solution is to use the underlying technology (I will not introduce it in detail, considering the balance of the game)