Reputation: 81
Seeing EasyHook examples, I was able to create a hook for openProcessMemory in order to prevent some hacks from messing with some games. The problem I'm facing is that some hacks do their job so quickly that I can't make the injection in time. For example: Process A (the hack), Process B (the game), Process C (the anti-cheat).
Process A opens the process memory of the game, writes the desired data into it, and closes itself, giving process C no time to inject into A and hook openProcessMemory to catch the moment when the hack tries to open the game process. This process works fine while hacks wait for user input, since that gives the anti-cheat time to do its job.
So, here are some questions: Is there a way, through C# EasyHook, to know when game memory is going to be modified by a hack? I'm currently hooking openProcessMemory (opm), writeProcessMemory (wpm) or readProcessMemory (rpm), but with the described issue.
When some of the related methods (opm, rpm or wpm) perform some action in the target process, could this target process activate another WinAPI function based on the related methods?
Summary: I'm hooking the injector process, and it works while the anti-cheat has time to hook it. I would like to make hooks in the game process that lead me to the injector process.
Upvotes: 1
Views: 2135
Reputation: 3923
I advise against hooking processes that you do not own; this is not the proper solution to your problem.
The proper solution is to ship a driver which uses ObRegisterCallbacks to block access to your processes. You use ObRegisterCallbacks to create a callback every time a handle to your process is requested. This occurs when OpenProcess() is called; you would then strip the handle permissions (Read & Write) when handles to your game/anticheat process are requested. This is the most effective anticheat solution you can create; it will stop 99% of hackers instantly, and they will not even be able to attach Cheat Engine. While making a driver might sound complicated, this one is relatively straightforward and requires limited editing.
Here is the Microsoft example source code
Is there a way, through C# EasyHook, to know when game memory is going to be modified by a hack? I'm currently hooking openProcessMemory (opm), writeProcessMemory (wpm) or readProcessMemory (rpm), but with the described issue.
You cannot detect ReadProcessMemory or WriteProcessMemory from inside your own process.
You can hook them globally in every process (which I don't recommend), and filter by handles that target your own process, returning if they do target your process.
Alternatively, you can loop through all the open process handles on the system, find those which have Write permissions on your game process, and terminate those processes. This is often thought not to be possible from usermode, but it is; source code which shows you how to do that is available here
I'm hooking the injector process, and it works while the anti-cheat has time to hook it. I would like to make hooks in the game process that lead me to the injector process.
Take the Guided Hacking Injector's injector methods:
You can hook LoadLibrary, LdrLoadDLL, LdrpLoadDLL in your game process to stop injection, but you will have a hard time blocking manual mapping because it doesn't use the normal DLL loading APIs. You can hook VirtualAllocate() and VirtualProtect() to detect manual mapping, but that requires a lot of customization. Using syscalls directly can bypass this, though.
All usermode protections are easily bypassed, which is why I recommend the ObRegisterCallbacks driver.
Upvotes: 2
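The two mechanisms from the answer above, as an added example that is not part of the original thread or of Microsoft's sample: the access-mask decision a handle-request callback registered with ObRegisterCallbacks would make, and the usermode audit of already granted handles. It is portable C over a constructed snapshot rather than driver code; the `handle_record` struct, the function names and the PIDs are hypothetical, and real code would take these values from the callback's arguments or a system handle query.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Process access rights, values from the Windows SDK (winnt.h). */
#define PROCESS_VM_READ    0x0010u
#define PROCESS_VM_WRITE   0x0020u
#define PROCESS_ALL_ACCESS 0x1FFFFFu
#define DENIED_RIGHTS      (PROCESS_VM_READ | PROCESS_VM_WRITE)
/* Hypothetical record: a handle request, or an already granted handle. */
struct handle_record {
    uint32_t owner_pid;     /* process asking for / holding the handle */
    uint32_t target_pid;    /* process the handle refers to */
    bool     kernel_handle; /* opened from kernel mode */
    uint32_t access;        /* requested or granted access mask */
};

/* Constructed sample (made-up PIDs): game = 1000, anti-cheat = 2000. */
const struct handle_record SAMPLE[] = {
    {4242, 1000, false, PROCESS_ALL_ACCESS}, /* unknown tool, full access */
    {5555, 1000, false, PROCESS_VM_READ},    /* read-only handle */
    {2000, 1000, false, PROCESS_ALL_ACCESS}, /* the anti-cheat itself */
    {4242, 3000, false, PROCESS_ALL_ACCESS}, /* handle to another process */
};

static bool is_ours(uint32_t p, uint32_t game, uint32_t ac) { return p == game || p == ac; }

/* Driver-side decision: reduce only user-mode requests from other processes. */
uint32_t filter_access(const struct handle_record *r, uint32_t game, uint32_t ac)
{
    if (r->kernel_handle || !is_ours(r->target_pid, game, ac) ||
        is_ours(r->owner_pid, game, ac))
        return r->access;              /* leave the request untouched */
    return r->access & ~DENIED_RIGHTS; /* strip Read & Write */
}

/* Usermode audit: count foreign owners with write access to the game. */
size_t find_writers(const struct handle_record *h, size_t n, uint32_t game,
                    uint32_t ac, uint32_t *out, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (h[i].target_pid != game || is_ours(h[i].owner_pid, game, ac) ||
            !(h[i].access & PROCESS_VM_WRITE))
            continue;
        if (found < cap) out[found] = h[i].owner_pid; /* keep first cap PIDs */
        found++;
    }
    return found;
}
```

A caller that asked for `PROCESS_ALL_ACCESS` still receives a handle, but `ReadProcessMemory` and `WriteProcessMemory` on it fail because the rights were never granted.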