user14142511

Reputation:

How to detect Cheat Engine?

I would like to ask how I can detect Cheat Engine.

This is what I found:

Do you know any other way?

Upvotes: 2

Views: 6657

Answers (3)

PackedUP32

Reputation: 17

Most of what you say is external scanning, basically just scanning for certain aspects of Cheat Engine to detect it.

If you're planning to detect it for an anti-cheat, then you're out of luck with your mentioned methods, as all of those things are easily spoofable. If you're beginning development on an anti-cheat, I recommend detecting something like code injection or hex modifying.

If you're working on a project just to detect CE for, say, a function and you're not focusing on stopping Cheat Engine, then you could write up a script to detect the process name or PID. The EXE file hash and EXE full path aren't reliable, as they can easily change throughout your script's history, and for detecting the process by icon file you're also out of luck, as you need to know the process name or PID to get the information on the process and rip the icon to read it and then match the image.

Window title is also really not reliable, as the CE title changes a lot when memory hacking and other CE-related stuff.

Process name is also very unreliable, as again the CE title will change when memory hacking and such.

A reliable method of detecting CE is by detecting its debugger. Try to detect when CE attaches its debugger to the process, and also scan for unknown libraries that CE injects and uses.

For detecting CE I suggest you try to detect the base address of the CE debugger. You can also try to detect certain assembly movements, like here:

alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem:
// NULL

originalcode:
mov [ecx+38],eax
mov eax,[edx+3C]

exit:
jmp returnhere

"process.exe"+B5B23:
jmp newmem
nop
returnhere:

This is a code injection script used by the CE debugger.

This is just a sample of what you would need to detect, but you would need a pretty optimized and fast script to scan a process's assembly bytes and addresses to find a specific array of bytes. If you are going to do this, I suggest coding it in C++ or C#. Python is not reliable in this case, as you will need to scan memory addresses, and with the current tool set of memory hacking libraries for Python it just won't work, so I recommend C++ or C#.

Upvotes: 0
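An added example, not part of the answer above: a minimal C sketch of the byte-level check it describes, comparing live code bytes against a known-good copy and flagging a newly written `jmp rel32` whose target leaves the module, which is the shape the script's `jmp newmem` / `nop` patch takes. The buffers, the image base `0x00400000` and the module size `0x1000` are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: known-good bytes around the script's originalcode.
   A real check would take these from a trusted copy of the code section. */
static const uint8_t clean_code[] = {
    0x90, 0x90,
    0x89, 0x41, 0x38,              /* mov [ecx+38],eax */
    0x8B, 0x42, 0x3C,              /* mov eax,[edx+3C] */
    0xC3                           /* ret */
};

/* Constructed sample: the same bytes after a detour (jmp rel32 + nop). */
static const uint8_t patched_code[] = {
    0x90, 0x90,
    0xE9, 0xF9, 0xFF, 0x0F, 0x00,  /* jmp base+0x100000, outside the module */
    0x90,                          /* nop pads the sixth overwritten byte */
    0xC3
};

/* Returns the offset of the first jmp rel32 (opcode 0xE9) that appears in
   `live` but not in `clean` and lands outside [base, base + module_size),
   or -1 if there is none. Addresses are 32-bit, as in the script. */
long find_detour(const uint8_t *clean, const uint8_t *live, size_t len,
                 uint32_t base, uint32_t module_size)
{
    for (size_t i = 0; i + 5 <= len; i++) {
        if (live[i] != 0xE9 || memcmp(clean + i, live + i, 5) == 0)
            continue;                          /* not a newly written jmp */
        uint32_t rel = (uint32_t)live[i + 1] | (uint32_t)live[i + 2] << 8 |
                       (uint32_t)live[i + 3] << 16 | (uint32_t)live[i + 4] << 24;
        uint32_t target = base + (uint32_t)i + 5 + rel;  /* next insn + rel32 */
        if (target - base >= module_size)      /* wraps if target < base */
            return (long)i;
    }
    return -1;
}

int main(void)
{
    /* Hypothetical image base and size for the constructed buffers. */
    long off = find_detour(clean_code, patched_code, sizeof clean_code,
                           0x00400000u, 0x1000u);
    printf("detour at offset %ld\n", off);
    return off == 2 ? 0 : 1;
}
```

A jump that stays inside the module is not reported by this function, so any other byte difference from the trusted copy still needs its own handling.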

coderx64

Reputation: 198

You can use CreateToolhelp32Snapshot; with this API you can get info on every process running in the system. You can use EnumWindows to get the window names, and you can detour-hook LoadLibraryA and LoadLibraryExA to detect if any DLL is getting injected, and use IsDebuggerPresent and CheckRemoteDebuggerPresent to prevent process debugging.

Upvotes: 1

Parsa Mousavi

Reputation: 1212

I'm not a pro in this field, but I think none of the parameters you've mentioned are reliable. Keep in mind that it's open-source software, so all of them can be changed easily (custom build) to deceive you.

I think the most common aspect of all programs like CE is DLL injection (it's a Windows term, but there are similar techniques in other OSes as well), although this is just one of the features that CE provides.

So you have to check all the loaded DLLs in your process's address space. You know what should be there, and anything else is injected into your process. You can check that via Process Explorer. (There indeed exist related APIs that can be used to detect that automatically, i.e. without user interaction with graphical software, but sorry, I'm not a Windows guy.) There's a nice article by Chris Hoffman about that if you want to read more.

If somebody comes up with a better answer, I'm glad to hear.

Upvotes: 1
