Polynomial Grandmaster Cheater
Reputation: 5
Joined: 17 Feb 2008 Posts: 524 Location: Inside the Intel CET shadow stack
Posted: Sun Apr 11, 2010 12:55 pm Post subject: Making CE undetectable without recompile
I'm attempting to develop a small stub executable that launches CE in a way that makes it undetectable, without needing a recompile. Here's what it does so far:
1) Stores the standard CE executable and extracts, appending some random data on the end to fool hash checks.
2) Modifies the CE window title to something random.
3) Renames the executable file.
4) Alters some values (including the file description meta) in the CE binary from "Cheat Engine" to "CE0123456789", with a random number.
Any ideas to help make it undetectable?
_________________
It's not fun unless every exploit mitigation is enabled.
Please do not reply to my posts with LLM-generated slop; I consider it to be an insult to my time.
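Step 1 of the post, appending random bytes to the end of the executable, only defeats a hash taken over the whole file. As an added example (not code from this thread or from Cheat Engine), here is the defender's counter: hash only the mapped PE image, i.e. the headers plus every section's raw data, so that trailing overlay bytes do not change the result. The `build_sample_pe` helper constructs a minimal, non-runnable PE layout purely for the demonstration, and all function names are my own.

```python
import hashlib
import struct


def pe_image_end(data: bytes) -> int:
    """Offset where the mapped PE image ends: the largest
    PointerToRawData + SizeOfRawData over all section headers (or the end
    of the section table if no section carries raw data). Anything past
    this point is the overlay, which the loader never maps."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + opt_hdr_size      # first IMAGE_SECTION_HEADER
    end = sect_table + num_sections * 40
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    if end > len(data):
        raise ValueError("section data extends past end of file")
    return end


def image_hash(data: bytes) -> str:
    """SHA-256 over the mapped image only; appended overlay bytes do not change it."""
    return hashlib.sha256(data[:pe_image_end(data)]).hexdigest()


def whole_file_hash(data: bytes) -> str:
    """The naive whole-file hash that step 1 of the post is designed to defeat."""
    return hashlib.sha256(data).hexdigest()


def overlay_size(data: bytes) -> int:
    """Number of trailing bytes that belong to no section (a padding indicator)."""
    return len(data) - pe_image_end(data)


def build_sample_pe(payload: bytes) -> bytes:
    """Constructed minimal PE layout for the demonstration: one .text section,
    no optional header. It parses as a PE file image but is not a runnable program."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, NumberOfSections=1, SizeOfOptionalHeader=0, Characteristics=0x102
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    hdr_len = e_lfanew + 4 + len(coff) + 40
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF       # 512-byte file alignment
    raw_size = (len(payload) + 0x1FF) & ~0x1FF
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(payload), 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytes(dos) + b"PE\0\0" + coff + section
    image += b"\0" * (raw_ptr - len(image))
    image += payload + b"\0" * (raw_size - len(payload))
    return image


if __name__ == "__main__":
    clean = build_sample_pe(b"\xc3" * 16)        # constructed payload: sixteen RET opcodes
    padded = clean + b"random-tail"              # the "random data on the end" from step 1
    print("whole-file hashes differ:", whole_file_hash(clean) != whole_file_hash(padded))
    print("image hashes equal:", image_hash(clean) == image_hash(padded))
    print("overlay bytes on padded copy:", overlay_size(padded))
```

The image hash is unaffected by step 1 but not by step 4 (patching strings inside the binary), which changes section contents; a non-zero `overlay_size` on a file that normally has none is itself a useful signal, which is why checks of this kind are combined rather than relied on singly.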
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25794 Location: The netherlands
Posted: Sun Apr 11, 2010 1:02 pm Post subject:
change the position and widths of the windows and objects (resource editing)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Cheat Engine User Something epic
Reputation: 60
Joined: 22 Jun 2007 Posts: 2071
Posted: Sun Apr 11, 2010 1:09 pm Post subject:
unlink yourself from EPROCESS
Polynomial Grandmaster Cheater
Reputation: 5
Joined: 17 Feb 2008 Posts: 524 Location: Inside the Intel CET shadow stack
Posted: Sun Apr 11, 2010 2:00 pm Post subject:
Dark Byte wrote: change the position and widths of the windows and objects (resource editing)
Do you know of any good resources (pun unintended) on editing resources in a binary?
Holland wrote: unlink yourself from EPROCESS
I assume you're talking about rootkit-style behaviour in the kernel, setting FLink and BLink across objects to remove one from the list? I've written code to do this, but aren't there issues installing unsigned driver binaries in Vista and Win7? I want this to be pretty much an "out of the box" program where someone can just run it without messing about with any settings in their OS.
_________________
It's not fun unless every exploit mitigation is enabled.
Please do not reply to my posts with LLM-generated slop; I consider it to be an insult to my time.
Cheat Engine User Something epic
Reputation: 60
Joined: 22 Jun 2007 Posts: 2071
Posted: Sun Apr 11, 2010 4:09 pm Post subject:
Burningmace wrote: Holland wrote: unlink yourself from EPROCESS
I assume you're talking about rootkit-style behaviour in the kernel, setting FLink and BLink across objects to remove one from the list? I've written code to do this, but aren't there issues installing unsigned driver binaries in Vista and Win7? I want this to be pretty much an "out of the box" program where someone can just run it without messing about with any settings in their OS.
Indeed I am. You could try it, at least. When making this app, such a function would be nice to include.
Polynomial Grandmaster Cheater
Reputation: 5
Joined: 17 Feb 2008 Posts: 524 Location: Inside the Intel CET shadow stack
Posted: Sun Apr 11, 2010 4:16 pm Post subject:
I'll give it a go.
When CE attaches its debugger, is there a DLL injected into the target process? If so, I'll need to remove it from the process' loaded module list. This could get difficult.
_________________
It's not fun unless every exploit mitigation is enabled.
Please do not reply to my posts with LLM-generated slop; I consider it to be an insult to my time.
Noz3001 I'm a spammer
Reputation: 26
Joined: 29 May 2006 Posts: 6220 Location: /dev/null
Posted: Tue Apr 13, 2010 10:50 am Post subject:
Holland wrote: unlink yourself from EPROCESS
Why would you need to do this? Doesn't CE do it for itself?
giwang Newbie cheater
Reputation: 0
Joined: 14 Jun 2009 Posts: 13 Location: Port 80
Posted: Sat Apr 24, 2010 12:22 pm Post subject:
Array of bytes in the combo box string has been detected
Polynomial Grandmaster Cheater
Reputation: 5
Joined: 17 Feb 2008 Posts: 524 Location: Inside the Intel CET shadow stack
Posted: Mon Apr 26, 2010 8:23 pm Post subject:
I actually figured that certain programs might check that, so I was going to switch the spaces to underscores and stick a space or two on the end.
As regards unlinking from EPROCESS, if it's done by CE, then I'd guess it's done with Kernel Mode Stealth in the options. I'd probably need a clarification on this by Dark Byte to be sure though, since I can still see it in the task manager. Might be that CE checks the calling process.
_________________
It's not fun unless every exploit mitigation is enabled.
Please do not reply to my posts with LLM-generated slop; I consider it to be an insult to my time.