| View previous topic :: View next topic |
| Author |
Message |
Snooman
Cheater
![]() Reputation: 1
Joined: 20 Jan 2012
Posts: 42
|
 Posted: Tue Dec 04, 2018 1:33 am Post subject: Win32: Monitoring process memory usage per thread / module |
 |
|
I have a strange issue with my game. My question is not necessarily cheatengine related - maybe there are also other Windows tools for this job.
I work with a delphi dll I inject into the process, disable some anti-cheat stuff and do whatever I want. I run multiple instances of the game on one computer. All instances of the game do the same job.
Under unclear circumstances, some processes starts to allocate lots of physical memory. Normally the game runs with about 300-400mb mem but sometimes for some processes it grows up to almost maximum 2gb / 32bit space.
I suspect that a part of the anti cheat hacking log features (which I have disabled as much I could possibly find) is running mad collecting data, but fails to send - as I have blocked sending the data to internet.
Also possible is that I created some weird memory leak in my dll, but this does not seem rational as all other instances run smooth.
Is there a way or a software to see what thread, or what module inside this process is allocating so much memory?
_________________
This text has been encrypted with XOR twice for security reasons. |
|
| Back to top |
|
 |
atom0s
Moderator
 Reputation: 205
Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1
|
| Posted: Wed Dec 05, 2018 2:48 am Post subject: |
|
|
Windows doesn't have APIs for things like this because it is not up to the OS to manage the allocations and allocations are not thread-specific, they are process-specific. The most you can do is find the total memory usage of the process which you already seem to know.
You would need to hook the allocation functions that the game is using to create the blocks of memory and keep track of them yourself, pretty much like a simple memory profiler that most high-end apps do. The allocations can be done a number of ways so you may need to hook more than 1 thing depending on how the game and anti-cheat are coded.
_________________
- Retired. |
|
| Back to top |
|
|
Snooman
Cheater
![]() Reputation: 1
Joined: 20 Jan 2012
Posts: 42
|
| Posted: Wed Dec 05, 2018 8:16 pm Post subject: |
|
|
Thanks... i think i got Xigncode 99% disabled but game itself also has anti-cheat features. I think some component is running mad.
The spooky thing only appears on some bot instances and starts after the bot ran for an hour or so. Maybe game server sends a packet like 'hey, check this client please' and all collected data sets accumulate as they cant be sent...
Hard to track this sh*t down as this only happens sporadically.
I cripple logging features by just 'RET xxxx'-ting the functions. If the memory gets freed in that function ... I have a problem. Honestly I'm not that Win API expert.
_________________
This text has been encrypted with XOR twice for security reasons. |
|
| Back to top |
|
|
OldCheatEngineUser
Whateven rank
 Reputation: 20
Joined: 01 Feb 2016
Posts: 1586
|
| Posted: Wed Dec 05, 2018 9:24 pm Post subject: |
|
|
| Snooman wrote: | Maybe game server sends a packet like 'hey, check this client please' and all collected data sets accumulate as they cant be sent...
Hard to track this sh*t down as this only happens sporadically. |
analyze and patch the win-socket receiver, just find what library they are using. (ws2_32.dll or wsock32.dll)
note:
this is a hint, im no expert in networking/internet stuff.
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
| STN wrote: | | i am a sweetheart. |
|
|
| Back to top |
|
|
atom0s
Moderator
Reputation: 205
Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1
|
| Posted: Thu Dec 06, 2018 1:21 am Post subject: |
|
|
| Snooman wrote: | Thanks... i think i got Xigncode 99% disabled but game itself also has anti-cheat features. I think some component is running mad.
The spooky thing only appears on some bot instances and starts after the bot ran for an hour or so. Maybe game server sends a packet like 'hey, check this client please' and all collected data sets accumulate as they cant be sent...
Hard to track this sh*t down as this only happens sporadically.
I cripple logging features by just 'RET xxxx'-ting the functions. If the memory gets freed in that function ... I have a problem. Honestly I'm not that Win API expert. |
Xign has a lot of features that can be enabled/disabled on the fly and per-program. So it could be any number of features that it includes. Xign has more than just simple user-mode anti-cheat stuff as well, but that depends on if they are using any of the enhanced/extended features like the kernel driver.
Xign also does have packets to tell the client to scan for things or to do certain actions regarding assumed hacks/exploits. Xign also has a heartbeat packet, if used, which tells itself to validate that it is running and working as it should be.
The other thing to keep in mind is that Xign has a billion different versions that range from game to game. Some with certain things forced-on or forced-off, some with things completely removed, some with Xign protected with VMProtect, others without, etc. So that is something to keep in mind when digging into things. Xign does make a log itself, but it's generally dumped to disk immediately as its written to. They generally don't keep much in memory.
Something you can do as well to try and figure out what the memory is, monitor the memory pages that are allocated when the game is just stating/running before any issues. Then when the issues start, compare the new pages created that are considered leaks. Check what's in them to see if its game data, potential xign data, or your own hook data.
It's hard to give much input on what it could be overall though without seeing your personal hooks code and such.
_________________
- Retired. |
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
