Tutorial How to Detect External Overlays

Jul 15, 2018
Detecting External Cheats

Something I hear people saying all the time is how external cheats are so much more difficult to detect than internal.

I respectfully disagree.

While it might be true that it's harder for an anti-cheat to check up on every process on the system, there's one thing everyone is forgetting: no one cares about processes. We don't need to do anything crazy like scan every process's address space for handles to our process, or do signature scanning or anything overkill like that: we only need a handful of API calls to detect like 90% of external cheats.

All we care about is the windows that are currently active on the desktop. For an external to do anything useful it has to layer itself over the game's window, which, you guessed it, is trivial to detect. It could be injected into explorer or using process hollowing; it doesn't matter, it has to create a window. We can start off by quickly checking every window's styles inside our EnumWindowsProc function:

#include <windows.h>

BOOL CALLBACK EnumWindowsProc(HWND hWnd, LPARAM lParam)
{
    // Extended window styles (WS_EX_*) of the window being enumerated
    LONG_PTR exStyle = GetWindowLongPtr(hWnd, GWL_EXSTYLE);

    if ((exStyle & WS_EX_TOPMOST) &&
        ((exStyle & WS_EX_TRANSPARENT) || (exStyle & WS_EX_LAYERED)))
    {
        // This window is interesting to us
    }
    return TRUE;
}

This will give us all windows that are set to TOPMOST and have either the TRANSPARENT or LAYERED attribute, something that 90% of external cheats use to draw over the top of the game window. Another thing they do is resize themselves to match the game window's size and position, which is once again completely trivial to check.

So we can check the following things:
  1. The window's x, y coordinates.
  2. The window's size in comparison to our window.
  3. Optionally: nudge test.

Nudge test:

Early on I noticed that a "feature" most externals have is the ability to snap to the window if it's moved. We can check this by adjusting our own position very slightly and checking to see if the suspicious application moves its window as well. If it updates its position relative to ours, that's a giant red flag. We don't want to degrade the user experience, so how you implement this check is important and should be done in a conservative fashion, as the user will notice the window 'shaking' if you're calling this every second.
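The style filter plus the three checks listed above (position, size, nudge), combined into one scoring function. This is an added example, not part of the original post. It is portable C over already-sampled window data: `overlay_flags`, `candidate_t`, `rect_t` and the `F_*` flags are hypothetical names, and on Windows the inputs would come from `GetWindowLongPtr(hWnd, GWL_EXSTYLE)` and `GetWindowRect`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Win32 extended-style bit values (winuser.h), redefined so this builds anywhere. */
#define EX_TOPMOST     0x00000008u
#define EX_TRANSPARENT 0x00000020u
#define EX_LAYERED     0x00080000u

typedef struct { int left, top, right, bottom; } rect_t;  /* mirrors RECT */
typedef struct { uint32_t ex_style; rect_t before, after; } candidate_t;
enum { F_STYLE = 1, F_POSITION = 2, F_SIZE = 4, F_FOLLOWED = 8 };

static int within(int a, int b, int tol) { return abs(a - b) <= tol; }

/* gb/ga: our own window rect before/after a small nudge. c->before/c->after:
 * the candidate's rect sampled at the same two moments. Returns matched flags. */
int overlay_flags(const candidate_t *c, const rect_t *gb, const rect_t *ga, int tol)
{
    int flags = F_STYLE;
    if (!(c->ex_style & EX_TOPMOST) ||
        !(c->ex_style & (EX_TRANSPARENT | EX_LAYERED)))
        return 0;  /* style filter failed; geometry alone means nothing */

    if (within(c->before.left, gb->left, tol) && within(c->before.top, gb->top, tol))
        flags |= F_POSITION;
    if (within(c->before.right - c->before.left, gb->right - gb->left, tol) &&
        within(c->before.bottom - c->before.top, gb->bottom - gb->top, tol))
        flags |= F_SIZE;

    /* Nudge test: exact delta match, so a window that stayed put never matches. */
    int dx = ga->left - gb->left, dy = ga->top - gb->top;
    if ((dx || dy) && c->after.left - c->before.left == dx &&
        c->after.top - c->before.top == dy)
        flags |= F_FOLLOWED;
    return flags;
}

int main(void)
{
    /* Constructed sample: game at (100,100), 1280x720, nudged 2 px right. */
    rect_t gb = {100, 100, 1380, 820}, ga = {102, 100, 1382, 820};
    candidate_t overlay = { EX_TOPMOST | EX_LAYERED,
                            {100, 100, 1380, 820}, {102, 100, 1382, 820} };
    printf("flags=%d\n", overlay_flags(&overlay, &gb, &ga, 4));
    return 0;
}
```

A window that only sets `F_STYLE` (a topmost layered notification, for instance) is common and benign, so treat the flags as cumulative evidence and weight `F_FOLLOWED` highest.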