Source Code Cheat Engine Detector, User-Mode [Strings, Modules, Handles (Registry, Files, soon)]


isravle

Dank Tier Donator
Aug 29, 2020
11
248
0
Hello ALL,

I started to make my own UD CE, and I wrote a tool that tries to detect if some process is a Cheat Engine by the following:
1. An array of strings (Feel free to add, I know there are many more..)
2. Loaded modules.

Soon I will add:
3. Handles to specific registry keys which contain "CheatEngine" (Working hard on it, it's a little tricky to get all handles and their names using NtQueryInformationProcess, SystemHandleInformation)
4. CE conf detector
5. OutputDebugString() - some anti-cheats like the "League of Legends" anti-cheat detect Cheat Engine when CE prints some debug strings. (Just set all OutputDebugString() as a comment)


Cheat engine detector:
#include <Windows.h>
#include <iostream>
#include <cstring>   // memcmp, strlen
#include <tchar.h>
#include <psapi.h>


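// Lists modules of the target process whose path contains a known CE DLL name.
// Returns 1 if the process cannot be opened, 0 otherwise.
int DetectModules(DWORD processID)
{
    HMODULE hMods[1024];
    DWORD cbNeeded;
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION |
        PROCESS_VM_READ,
        FALSE, processID);
    if (NULL == hProcess)
        return 1;

    if (EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded))
    {
        // cbNeeded can be larger than the buffer when the target has more
        // modules than hMods holds, so clamp the count to the array size.
        DWORD count = cbNeeded / sizeof(HMODULE);
        if (count > sizeof(hMods) / sizeof(hMods[0]))
            count = sizeof(hMods) / sizeof(hMods[0]);

        for (DWORD i = 0; i < count; i++)
        {
            // wcsstr needs wide strings, so call the W variant explicitly
            // instead of relying on the project's UNICODE setting.
            WCHAR szModName[MAX_PATH];

            if (GetModuleFileNameExW(hProcess, hMods[i], szModName, MAX_PATH))
            {
                if (wcsstr(szModName, L"lua53-32.dll") ||
                    wcsstr(szModName, L"lua53-64.dll") ||
                    wcsstr(szModName, L"lfs.dll")) {
                    std::wcout << "\t" << szModName << std::endl;
                }
            }
        }
    }
    CloseHandle(hProcess);
    return 0;
}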

// Scans every committed region of the target process for the byte string
// data[0..len) and returns the number of matches found.
int SearchForString(DWORD pid, const char* data, size_t len)
{
    int results = 0;
    HANDLE process = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (!process)
        return 0;

    SYSTEM_INFO si;
    GetSystemInfo(&si);

    MEMORY_BASIC_INFORMATION info;
    char* p = 0;
    while (p < (char*)si.lpMaximumApplicationAddress)
    {
        // Stop if the query fails; otherwise p never advances and the loop never ends.
        if (VirtualQueryEx(process, p, &info, sizeof(info)) != sizeof(info))
            break;

        p = (char*)info.BaseAddress;
        // Only committed pages have contents; reads of reserved ranges always fail.
        if (info.State == MEM_COMMIT)
        {
            //std::cout << std::hex << info.BaseAddress << " | " << std::hex << info.RegionSize << std::endl;
            char* buff = new char[info.RegionSize];
            SIZE_T bytesRead = 0;
            // bytesRead >= len keeps (bytesRead - len) from wrapping around (unsigned).
            if (ReadProcessMemory(process, p, buff, info.RegionSize, &bytesRead) && bytesRead >= len)
            {
                for (size_t i = 0; i <= (bytesRead - len); ++i)
                {
                    if (memcmp(data, &buff[i], len) == 0)
                    {
                        results++;
                        std::cout << "\t" << std::hex << (void*)(p + i) << "\t" << data << std::endl;
                    }
                }
            }
            delete[] buff;   // allocated with new[], so it must not be released with free()
        }
        p += info.RegionSize;
    }
    CloseHandle(process);
    return results;
}

int main()
{
    DWORD pid;
    std::cout << "[+] Please enter PID:" << std::endl;
    std::cin >> pid;


    std::cout << "[+] Searching for strings:" << std::endl;
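    int results = 0;
    const char* strings[] = { "Cheat Engine", "Dark Byte" };
    // Derive the count from the array so adding a string cannot leave it stale.
    const size_t numOfStrings = sizeof(strings) / sizeof(strings[0]);
    for (size_t i = 0; i < numOfStrings; i++)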
    {
        std::cout << "[+] Searching for \"" << strings[i] << "\"" << std::endl;
        results = SearchForString(pid, strings[i], strlen(strings[i]));
        std::cout << "[+] Found " << std::dec << results << " references." << std::endl << std::endl;
    }

    std::cout << "[+] Searching loaded CE DLL's" << std::endl;
    DetectModules(pid);

    return 0;
}
Output of the Tool:
Code:
[+] Please enter PID:
5412
[+] Searching for strings:
[+] Searching for "Cheat Engine"
        0000000000B73F30        Cheat Engine
        0000000000B73F8A        Cheat Engine
...
        00007FF951D7F751        Cheat Engine
[+] Found 310 references.

[+] Searching for "Dark Byte"
        0000000000BA3EC6        Dark Byte
        ...
        0000000000E4AFC9        Dark Byte
        0000000006D57B09        Dark Byte
[+] Found 5 references.

[+] Searching loaded CE DLL's
        C:\Program Files\Cheat Engine 7.1\lua53-64.dll
        C:\Program Files\Cheat Engine 7.1\clibs64\lfs.dll

Hope it will help somebody,
Please feel free to contact me to help make this tool better :)
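
An added example, not part of the original post: the posted SearchForString reads each region into one buffer and compares ANSI bytes only, so it misses wide-character (UTF-16LE) copies of a marker. This portable sketch scans in fixed-size chunks instead, carries a short tail between chunks so a match split across two reads is still found exactly once, and checks both encodings. The names `encodings`, `feed`, `scan_chunked` and `sample_region` are hypothetical, and the sample buffer is constructed.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;

// The needle as ANSI bytes and as UTF-16LE (wide-character Windows strings).
std::vector<Bytes> encodings(const std::string& needle) {
    Bytes ansi(needle.begin(), needle.end()), wide;
    for (unsigned char c : needle) { wide.push_back(c); wide.push_back(0); }
    return { ansi, wide };
}

// Count matches in the carried-over tail plus one new chunk, then update the
// tail for the next call.
size_t feed(const Bytes& pat, Bytes& tail, const Bytes& chunk) {
    if (pat.empty()) return 0;
    Bytes window = tail;
    window.insert(window.end(), chunk.begin(), chunk.end());
    size_t hits = 0;
    for (auto it = window.begin();
         (it = std::search(it, window.end(), pat.begin(), pat.end())) != window.end(); ++it)
        ++hits;
    // Keep len-1 bytes: enough to complete a straddling match, too few to
    // contain a whole one, so no match is counted twice.
    size_t keep = std::min(window.size(), pat.size() - 1);
    tail.assign(window.end() - keep, window.end());
    return hits;
}

// Scan a buffer in chunk_size pieces, standing in for repeated ReadProcessMemory
// calls over address-contiguous memory. Clear the tails wherever there is a gap.
size_t scan_chunked(const Bytes& region, size_t chunk_size, const std::string& needle) {
    std::vector<Bytes> pats = encodings(needle), tails(pats.size());
    size_t hits = 0;
    for (size_t off = 0; chunk_size && off < region.size(); off += chunk_size) {
        size_t n = std::min(chunk_size, region.size() - off);
        Bytes chunk(region.begin() + off, region.begin() + off + n);
        for (size_t k = 0; k < pats.size(); ++k) hits += feed(pats[k], tails[k], chunk);
    }
    return hits;
}

// Constructed sample: filler, then one ANSI and one UTF-16LE copy of the marker.
Bytes sample_region(const std::string& marker) {
    Bytes r(7, 0xCC);
    for (const Bytes& e : encodings(marker)) { r.insert(r.end(), e.begin(), e.end()); r.push_back(0xCC); }
    return r;
}
```

With a 16-byte chunk the ANSI copy in the sample sits across the first two chunks, and the count is the same as for a single whole-buffer scan.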
 

Rake

I'm not your friend
Administrator
Jan 21, 2014
12,497
78,998
2,417
Cool little project! I've been wanting to make a UDCE generator for a long time but I'm too lazy, if I ever do, I'll use this to make mine better
 

isravle

Dank Tier Donator
Aug 29, 2020
11
248
0
> Cool little project! I've been wanting to make a UDCE generator for a long time but I'm too lazy, if I ever do, I'll use this to make mine better

Big thank you Rake!

Well, I started to write a Python script which changes Cheat Engine strings, credits etc.
It works pretty well for now!

But when I think about strings, it will be impossible, because there are too many strings in rdata, and filenames which are stored in rdata, which makes it really hard to hide..
🤔🤷‍♂️
 

naimcool

Trump Tier Donator
Dank Tier Donator
Full Member
Jan 2, 2020
12
648
0
