Concept #1:
1) Walk the process's address space with VirtualQuery, recording each region's base, size, State and Protect.
2) Inject a small (one page, ~4 KB) module into the process.
3) Set up an exception handler in that module (a VEH is preferable: vectored handlers run before any frame-based SEH handler the game or a hack may have installed).
4) Using shared memory or some other low-profile channel to the external scanner, have the injected module touch the first byte of each page.
5) If no exception is generated, call VirtualQuery again to make sure the region did not change underneath you (alternatively call VirtualProtect or another API that reports the true state). If an exception was generated, make sure it was specifically an access violation; a guard-page violation or any other exception is inconclusive.
6) If the page was readable but VirtualQuery does not list it as committed (or lists it as PAGE_NOACCESS), something is hiding memory from the API, almost certainly a hook. Report it to the server over the same low-profile channel and let the server deal with the client.
7) Release the page from the working set afterwards regardless of whether an exception was generated, since touching it faulted it in. VirtualUnlock on a range that was never locked has exactly that documented effect (the call fails, but the pages are dropped from the working set); VirtualFree applies only to memory the scanner itself allocated.
8) ???
9) Profit
Shortfalls: TRON, hypervisors, ring 0 / ring 3 hooks on VirtualQuery/VirtualProtect etc., hidden GUARD/NOACCESS pages that serve as alert (tripwire) pages, a new VEH installed by the hack ahead of ours, etc.
Other thoughts: VirtualLock possibly. Touch pages in random order rather than walking them sequentially. Suspend all threads while scanning.
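What the injected module from steps 2-7 would run, as an added example that is not part of the original post. classify() holds the decision rules of steps 5 and 6 in portable C, and scan_self() drives it with the Win32 calls the post names; everything under #ifdef _WIN32 only builds on Windows. The names (classify, probe_page, scan_self, the V_* verdicts), the per-region sampling cap, and the choice of setjmp/longjmp to get out of the handler are this example's own assumptions.

```c
/*
 * Added example (not code from the original post): the probe loop of
 * concept #1 as it would run inside the injected module.  classify() is
 * portable C; the Win32 probing below it is compiled only under _WIN32.
 * All names here are this example's own.
 */
#include <stdint.h>
#include <stddef.h>

typedef enum { PS_FREE, PS_RESERVED, PS_COMMITTED } page_state_t;
typedef enum { PR_READ_OK, PR_ACCESS_VIOLATION, PR_OTHER_EXCEPTION } probe_result_t;
typedef enum {
    V_CONSISTENT,    /* the MMU agrees with what VirtualQuery reported      */
    V_HIDDEN_PAGE,   /* readable, but reported free/reserved/NOACCESS        */
    V_RETRY,         /* region state or protection moved under us            */
    V_INCONCLUSIVE   /* guard page or non-AV exception: make no claim        */
} verdict_t;

#define PROT_NOACCESS 0x01u   /* same values as Win32 PAGE_NOACCESS / PAGE_GUARD */
#define PROT_GUARD    0x100u

/* before/after: VirtualQuery state of the page before and after the touch;
 * protect: the Protect field reported before the touch; probe: what the touch did. */
verdict_t classify(page_state_t before, page_state_t after,
                   uint32_t protect, probe_result_t probe)
{
    if (before != after)
        return V_RETRY;                          /* another thread changed the region */
    if (probe == PR_OTHER_EXCEPTION || (protect & PROT_GUARD))
        return V_INCONCLUSIVE;                   /* only an access violation counts */
    if (before == PS_COMMITTED) {
        int unreadable = (protect & PROT_NOACCESS) != 0;
        if (probe == PR_READ_OK)
            return unreadable ? V_HIDDEN_PAGE : V_CONSISTENT;  /* NOACCESS that reads is a lie */
        return unreadable ? V_CONSISTENT : V_RETRY;            /* readable page faulted: protection moved */
    }
    /* reported free or reserved: nothing should be mapped there at all */
    return probe == PR_READ_OK ? V_HIDDEN_PAGE : V_CONSISTENT;
}

#ifdef _WIN32
#include <windows.h>
#include <setjmp.h>
#include <stdio.h>

static jmp_buf g_jb;
static DWORD g_probe_tid;
static ULONG_PTR g_probe_lo, g_probe_hi;
static probe_result_t g_probe_res;

/* VEH: claim only faults raised by our own thread inside the page being probed;
 * everything else is handed back to the game's own handlers. */
static LONG CALLBACK probe_veh(PEXCEPTION_POINTERS ep)
{
    const EXCEPTION_RECORD *er = ep->ExceptionRecord;
    ULONG_PTR fault = er->NumberParameters > 1 ? er->ExceptionInformation[1] : 0;
    if (GetCurrentThreadId() != g_probe_tid || fault < g_probe_lo || fault >= g_probe_hi)
        return EXCEPTION_CONTINUE_SEARCH;
    g_probe_res = er->ExceptionCode == EXCEPTION_ACCESS_VIOLATION
                ? PR_ACCESS_VIOLATION : PR_OTHER_EXCEPTION;
    longjmp(g_jb, 1);                            /* back into probe_page; nothing to clean up in between */
}

static probe_result_t probe_page(const BYTE *page, SIZE_T page_size)
{
    g_probe_tid = GetCurrentThreadId();
    g_probe_lo = (ULONG_PTR)page;
    g_probe_hi = g_probe_lo + page_size;
    g_probe_res = PR_READ_OK;
    if (setjmp(g_jb) == 0)
        (void)*(volatile const BYTE *)page;      /* the touch */
    g_probe_lo = g_probe_hi = 0;
    return g_probe_res;
}

static page_state_t state_of(const MEMORY_BASIC_INFORMATION *m)
{
    return m->State == MEM_COMMIT ? PS_COMMITTED : m->State == MEM_RESERVE ? PS_RESERVED : PS_FREE;
}

/* Walk our own address space; returns the number of V_HIDDEN_PAGE verdicts.
 * Regions with more than max_pages_per_region pages are sampled with an even stride. */
int scan_self(size_t max_pages_per_region)
{
    SYSTEM_INFO si;
    MEMORY_BASIC_INFORMATION before, after;
    int hidden = 0;
    GetSystemInfo(&si);
    PVOID veh = AddVectoredExceptionHandler(1, probe_veh);
    const BYTE *addr = (const BYTE *)si.lpMinimumApplicationAddress;
    while (addr < (const BYTE *)si.lpMaximumApplicationAddress &&
           VirtualQuery(addr, &before, sizeof before) == sizeof before) {
        const BYTE *base = (const BYTE *)before.BaseAddress, *end = base + before.RegionSize;
        size_t pages = before.RegionSize / si.dwPageSize;
        size_t stride = pages > max_pages_per_region ? pages / max_pages_per_region : 1;
        if (before.State == MEM_COMMIT && (before.Protect & PAGE_GUARD)) {
            addr = end;                          /* touching a guard page would clear the guard bit */
            continue;
        }
        for (const BYTE *p = base; p < end; p += stride * si.dwPageSize) {
            probe_result_t r = probe_page(p, si.dwPageSize);
            if (VirtualQuery(p, &after, sizeof after) != sizeof after) break;
            if (classify(state_of(&before), state_of(&after), before.Protect, r) == V_HIDDEN_PAGE) {
                hidden++;
                printf("hidden page at %p (reported state 0x%lx)\n", (const void *)p, (unsigned long)before.State);
            }
            VirtualUnlock((LPVOID)p, si.dwPageSize);  /* never locked, so this only drops it from the working set */
        }
        addr = end;
    }
    if (veh) RemoveVectoredExceptionHandler(veh);
    return hidden;
}

int main(void) { return scan_self(256) ? 1 : 0; }
#endif
```

Build it into the injected DLL (or run it stand-alone in a test process) and treat a V_HIDDEN_PAGE verdict as the signal to send to the server. Guard pages that VirtualQuery does report are skipped on purpose: touching one clears the guard bit, which is exactly the side effect a hack's own tripwire pages (Shortfalls above) are waiting for; guard pages it hides from VirtualQuery are still tripped, which the post already lists as a shortfall.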
Concept #2:
1) Walk the process's address space with VirtualQuery.
2) Select every region that is not committed (MEM_FREE or MEM_RESERVE).
3) Pick one of those regions at random and commit it, for its full size, with VirtualAlloc at that base address with at least PAGE_READWRITE. Call VirtualQuery again first to confirm it is still uncommitted before you do anything.
4) Write a pattern to the region and check from inside the game process that the write took; as a second check, read it back from the external process with NtReadVirtualMemory.
5) VirtualFree the region (MEM_DECOMMIT if it was previously reserved, so it goes back to that state; MEM_RELEASE if it was free) and repeat steps 1-5 until every non-committed region has been covered.
6) ???
7) Profit
Shortfalls: TRON, hypervisors, temporarily inflating the process's working set (and possibly stealing execution time and trashing the cache), another thread allocating the same region in the meantime, etc.
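The allocation probe of steps 2-5 as an added example, not code from the original post. alloc_verdict() and free_type_for() carry the decisions in portable C; probe_region() is the Win32 driver and builds only on Windows. An OpenProcess handle to the scanning process itself stands in for the external process, which is enough to route the read-back through the kernel's NtReadVirtualMemory path; the names, the per-region size cap and the 0xA5 pattern are this example's own assumptions.

```c
/*
 * Added example (not from the original post): the allocation probe of
 * concept #2.  alloc_verdict() and free_type_for() are portable; the Win32
 * part under _WIN32 performs the actual allocate/write/read-back/free cycle.
 * All names are this example's own.
 */
#include <stdint.h>
#include <string.h>

typedef enum { RS_FREE, RS_RESERVED, RS_COMMITTED } region_state_t;
typedef enum { AR_OK, AR_CONFLICT, AR_OTHER_FAIL } alloc_rc_t;   /* outcome of VirtualAlloc */
typedef enum { AV_CONSISTENT, AV_HIDDEN, AV_RACED, AV_SKIP } alloc_verdict_t;

#define MEMF_DECOMMIT 0x4000u   /* same values as Win32 MEM_DECOMMIT / MEM_RELEASE */
#define MEMF_RELEASE  0x8000u

/* Put the region back exactly as VirtualQuery first reported it. */
uint32_t free_type_for(region_state_t prior)
{
    return prior == RS_RESERVED ? MEMF_DECOMMIT : MEMF_RELEASE;
}

/* prior: state first reported for the region; still_same: a later VirtualQuery
 * still agreed; rc: result of committing at that base; external_ok: a read
 * through the kernel from another process returned the pattern we wrote. */
alloc_verdict_t alloc_verdict(region_state_t prior, int still_same,
                              alloc_rc_t rc, int external_ok)
{
    if (prior == RS_COMMITTED) return AV_SKIP;      /* not this scan's business */
    if (!still_same)           return AV_RACED;     /* someone allocated in between: retry later */
    if (rc == AR_OTHER_FAIL)   return AV_SKIP;      /* commit limit etc.: no claim either way */
    if (rc == AR_CONFLICT)     return AV_HIDDEN;    /* kernel says mapped, VirtualQuery said free */
    return external_ok ? AV_CONSISTENT : AV_HIDDEN; /* our bytes went into a shadow copy */
}

#ifdef _WIN32
#include <windows.h>
#include <stdio.h>

/* hOutside stands in for the external scanner's handle to the game process. */
alloc_verdict_t probe_region(HANDLE hOutside, LPVOID base, SIZE_T max_bytes)
{
    SYSTEM_INFO si;
    MEMORY_BASIC_INFORMATION m1, m2;
    GetSystemInfo(&si);
    if (VirtualQuery(base, &m1, sizeof m1) != sizeof m1 || m1.State == MEM_COMMIT)
        return AV_SKIP;
    region_state_t prior = m1.State == MEM_RESERVE ? RS_RESERVED : RS_FREE;

    /* a fresh reservation must start on an allocation-granularity boundary */
    ULONG_PTR start = (ULONG_PTR)m1.BaseAddress, end = start + m1.RegionSize;
    if (prior == RS_FREE)
        start = (start + si.dwAllocationGranularity - 1) & ~((ULONG_PTR)si.dwAllocationGranularity - 1);
    if (start >= end)
        return AV_SKIP;
    SIZE_T size = end - start;
    if (size > max_bytes) size = max_bytes;      /* don't commit gigabytes of free space at once */

    /* second look before doing anything, as step 3 says */
    if (VirtualQuery((LPVOID)start, &m2, sizeof m2) != sizeof m2 || m2.State != m1.State)
        return AV_RACED;

    DWORD type = prior == RS_RESERVED ? MEM_COMMIT : (MEM_RESERVE | MEM_COMMIT);
    LPVOID got = VirtualAlloc((LPVOID)start, size, type, PAGE_READWRITE);
    alloc_rc_t rc = got ? AR_OK
                  : GetLastError() == ERROR_INVALID_ADDRESS ? AR_CONFLICT : AR_OTHER_FAIL;

    int still_same = 1, external_ok = 0;
    if (!got) {
        /* a conflict is only evidence if the region still reads as free/reserved */
        if (VirtualQuery((LPVOID)start, &m2, sizeof m2) == sizeof m2 && m2.State != m1.State)
            still_same = 0;
    } else {
        BYTE pattern = 0xA5, seen = 0;
        SIZE_T n = 0;
        memset(got, pattern, size);                               /* local write */
        external_ok = ((volatile BYTE *)got)[size - 1] == pattern  /* local read-back */
                   && ReadProcessMemory(hOutside, (BYTE *)got + size - 1, &seen, 1, &n)
                   && n == 1 && seen == pattern;                    /* kernel-side read-back */
        VirtualFree(got, prior == RS_RESERVED ? size : 0, free_type_for(prior));
    }
    return alloc_verdict(prior, still_same, rc, external_ok);
}

int main(void)
{
    HANDLE hOutside = OpenProcess(PROCESS_VM_READ, FALSE, GetCurrentProcessId());
    SYSTEM_INFO si;
    MEMORY_BASIC_INFORMATION m;
    int hidden = 0;
    GetSystemInfo(&si);
    for (const BYTE *a = (const BYTE *)si.lpMinimumApplicationAddress;
         a < (const BYTE *)si.lpMaximumApplicationAddress && VirtualQuery(a, &m, sizeof m) == sizeof m;
         a = (const BYTE *)m.BaseAddress + m.RegionSize) {
        if (m.State != MEM_COMMIT &&
            probe_region(hOutside, m.BaseAddress, 16 * (SIZE_T)si.dwPageSize) == AV_HIDDEN) {
            hidden++;
            printf("hidden memory inside region reported at %p\n", m.BaseAddress);
        }
    }
    CloseHandle(hOutside);
    return hidden ? 1 : 0;
}
#endif
```

A failed VirtualAlloc only counts as evidence when GetLastError is ERROR_INVALID_ADDRESS (a conflicting mapping) and a second VirtualQuery still calls the region free or reserved; a commit-limit failure, or a region another thread grabbed in between, comes back as AV_SKIP or AV_RACED rather than as a hit. Reservations in free space are made on an allocation-granularity boundary because VirtualAlloc rounds a MEM_RESERVE base down to that granularity, which would otherwise spill into the neighbouring region and produce a false conflict.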
Bypassing both scans (preferably at once)?
Concept:
1) Hook VirtualAlloc, VirtualFree, VirtualQuery, VirtualProtect, ReadProcessMemory, etc. in kernel mode (i.e. their Nt* system-service counterparts).
2) Use your driver to hook the IDT (the page-fault entry is the one that matters for what follows).
3) Allocate a region of shadow pages to redirect all reads and writes to. KEEP IT ALIGNED TO THE RESERVED REGION you are hiding in: if that region is 100 pages, the shadow region must also be 100 pages, so every real page has a one-to-one shadow.
4) Desync the TLB for your page(s) (instruction fetches resolve to the real page, data accesses to the shadow), whitelist the user-mode code that needs to see the real contents, and everything else gets the shadow page.
5) ???
6) Profit
Note: I have omitted a few steps, but I think this is sufficient to stop serious contenders.
Concept #2:
1) Undo all hooks.
2) Move the hack into kernel mode, or into some other region, heavily encrypted.
3) Wait for the scan to finish.
4) Once the scan has finished, redo the hooks, reallocate and reload.
5) ???
6) Profit
Note: This method is potentially unstable/unsafe as far as execution is concerned. If you have code executing in your memory region when the scan hits you, the only hope is to send their scan into a deadlock while you finish executing, then protect your region. In other words: a race condition.