Simple (Anti-Access) Protection


I've found a file (AntiAccess.h) in Extern/include/YmirBase and I was wondering what's inside.

Its content is pretty small and simple; the following function will disable every write access to the current process.

Of course it's not all you have to do for a fully working protection, but I thought this function, in addition to another good anti-cheat, will work very well.

#include <windows.h>
#include <aclapi.h>   // SetSecurityInfo

#ifndef EL_FORCEINLINE
#define EL_FORCEINLINE __forceinline
#endif

// Replaces the DACL of the current process object: denies "Everyone" the rights
// used for injection and memory tampering, and allows the owning user only a
// small query/terminate set. The DACL is marked protected so nothing is inherited.
BOOL EL_FORCEINLINE EL_DenyProcessAccess( void )
{
	BYTE	abyBuffer[0x200];
	PACL	pACL;
	SID_IDENTIFIER_AUTHORITY stIdentifierAuthority = SECURITY_WORLD_SID_AUTHORITY;
	PSID pSid = NULL;
	BOOL bRet = FALSE;
	DWORD dwSize = 0;
	HANDLE hToken = NULL;
	HANDLE hProcess = ::GetCurrentProcess();
	PTOKEN_USER pUserInfo = NULL;

	// Well-known SID S-1-1-0 ("Everyone"), the trustee of the deny ACE
	if( ::AllocateAndInitializeSid( &stIdentifierAuthority, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pSid ) == FALSE )
		goto Cleanup;
	if( ::OpenProcessToken( hProcess, TOKEN_QUERY, &hToken ) == FALSE )
		goto Cleanup;
	// First call only reports how large the TOKEN_USER buffer has to be
	::GetTokenInformation( hToken, TokenUser, NULL, 0, &dwSize );
	if( dwSize == 0 || dwSize > 1024 )
		goto Cleanup;
	pUserInfo = (PTOKEN_USER) ::GlobalAlloc( GPTR, dwSize );
	if( pUserInfo == NULL )
		goto Cleanup;
	if( ::GetTokenInformation( hToken, TokenUser, pUserInfo, dwSize, &dwSize ) == FALSE )
		goto Cleanup;
	// Build the new DACL in the stack buffer
	pACL = (PACL) abyBuffer;
	if( ::InitializeAcl( pACL, sizeof( abyBuffer ), ACL_REVISION ) == FALSE )
		goto Cleanup;
	// Deny "Everyone" the rights an injector or memory editor needs:
	// VM read/write/operation, thread creation, handle duplication, process creation.
	// PROCESS_TERMINATE and PROCESS_SET_SESSIONID are deliberately not denied.
	if( ::AddAccessDeniedAce( pACL, ACL_REVISION, PROCESS_CREATE_PROCESS | PROCESS_DUP_HANDLE | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD, pSid ) == FALSE )
		goto Cleanup;
	// Allow the owning user SYNCHRONIZE, PROCESS_QUERY_INFORMATION, PROCESS_SET_INFORMATION,
	// PROCESS_SET_QUOTA and PROCESS_TERMINATE (deny ACEs come first, so they still win)
	if( ::AddAccessAllowedAce( pACL, ACL_REVISION, SYNCHRONIZE | PROCESS_QUERY_INFORMATION | PROCESS_SET_INFORMATION | PROCESS_SET_QUOTA | PROCESS_TERMINATE, pUserInfo->User.Sid ) == FALSE )
		goto Cleanup;
	// Apply it to the process object; PROTECTED_DACL_SECURITY_INFORMATION blocks inheritance
	if( ::SetSecurityInfo( hProcess, SE_KERNEL_OBJECT, PROTECTED_DACL_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, 0, 0, pACL, 0 ) != ERROR_SUCCESS )
		goto Cleanup;
	bRet = TRUE;
Cleanup:
	if ( pUserInfo )
		::GlobalFree( pUserInfo );   // was leaked in the original header
	if ( hToken )
		::CloseHandle( hToken );
	if ( pSid )
		::FreeSid( pSid );
	return bRet;
}

A Python injection protection is already included in the bin (crashes on injection); I'm not sure if normal DLL injection is already fixed too. The Python loader as mix didn't crash the binary, so I guess it's not (even if the loader is useless because of the reason above).

Anyone have an idea how to include the stuff from above? :D

#include <YmirBase/AntiAccess.h>

...
EL_DenyProcessAccess();

You should call the function as early as possible. It's not very effective against Cheat Engine or OllyDBG, but a few injectors won't work anymore.

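The header in the first post sets a protected DACL on the process object, and the reply above says to call it as early as possible. As an added example that is not part of this thread or of the YmirBase source, the following PowerShell script reads the DACL back from a running process and names the rights in each ACE, so you can confirm that the deny entry for Everyone and the allow entry for the owning user are really in place (and notice a NULL DACL, which means no protection at all). The `$TargetPid` parameter and the `Win32.ProcSec` P/Invoke wrapper are this example's own; READ_CONTROL is all that reading a DACL needs, and the process owner gets it implicitly even though the header's DACL grants nothing else.

```powershell
# Added example (not from the original post or the YmirBase header): dump the DACL of a
# process object to verify that EL_DenyProcessAccess() took effect.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows. $TargetPid is an assumption;
# it defaults to the current shell so the script can be tried without a second process.
param([int]$TargetPid = $PID)

Add-Type -Namespace Win32 -Name ProcSec -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetKernelObjectSecurity(IntPtr Handle, uint RequestedInformation,
    byte[] pSecurityDescriptor, uint nLength, out uint lpnLengthNeeded);
'@

$READ_CONTROL              = 0x00020000
$DACL_SECURITY_INFORMATION = 0x00000004

# Process access-right bits from winnt.h, used to name the bits in each ACE mask.
$ProcessRights = [ordered]@{
    PROCESS_TERMINATE                 = 0x0001
    PROCESS_CREATE_THREAD             = 0x0002
    PROCESS_SET_SESSIONID             = 0x0004
    PROCESS_VM_OPERATION              = 0x0008
    PROCESS_VM_READ                   = 0x0010
    PROCESS_VM_WRITE                  = 0x0020
    PROCESS_DUP_HANDLE                = 0x0040
    PROCESS_CREATE_PROCESS            = 0x0080
    PROCESS_SET_QUOTA                 = 0x0100
    PROCESS_SET_INFORMATION           = 0x0200
    PROCESS_QUERY_INFORMATION         = 0x0400
    PROCESS_SUSPEND_RESUME            = 0x0800
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    SYNCHRONIZE                       = 0x00100000
}

function Get-RightNames([int]$Mask) {
    # Translate an access mask into the named process rights it contains.
    $names = foreach ($entry in $ProcessRights.GetEnumerator()) {
        if (($Mask -band $entry.Value) -ne 0) { $entry.Key }
    }
    if ($names) { $names -join ' | ' } else { '0x{0:X8}' -f $Mask }
}

$hProcess = [Win32.ProcSec]::OpenProcess($READ_CONTROL, $false, $TargetPid)
if ($hProcess -eq [IntPtr]::Zero) {
    throw "OpenProcess($TargetPid) failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
try {
    # First call with no buffer only reports the size of the self-relative descriptor.
    $needed = [uint32]0
    [void][Win32.ProcSec]::GetKernelObjectSecurity($hProcess, $DACL_SECURITY_INFORMATION, $null, 0, [ref]$needed)
    $sdBytes = New-Object byte[] ([int]$needed)
    if (-not [Win32.ProcSec]::GetKernelObjectSecurity($hProcess, $DACL_SECURITY_INFORMATION, $sdBytes, $needed, [ref]$needed)) {
        throw "GetKernelObjectSecurity failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
}
finally {
    [void][Win32.ProcSec]::CloseHandle($hProcess)
}

# The buffer is a self-relative security descriptor; .NET parses it without further P/Invoke.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sdBytes, 0)
$protected = $sd.ControlFlags.HasFlag([System.Security.AccessControl.ControlFlags]::DiscretionaryAclProtected)
"Process $TargetPid DACL (protected from inheritance: $protected)"
if ($null -eq $sd.DiscretionaryAcl) {
    "  NULL DACL: every caller gets full access"
    return
}
foreach ($ace in $sd.DiscretionaryAcl) {
    # Prefer the account name; fall back to the raw SID if it cannot be resolved.
    $who = $ace.SecurityIdentifier.Value
    try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    "  {0,-13} {1,-30} {2}" -f $ace.AceType, $who, (Get-RightNames $ace.AccessMask)
}
```

Save it as a .ps1 and run it with `-TargetPid <pid>` of the game client from the same account that started it. On a process where the header ran you should see an AccessDenied line for Everyone listing PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_VM_OPERATION, PROCESS_CREATE_THREAD, PROCESS_DUP_HANDLE and PROCESS_CREATE_PROCESS, followed by an AccessAllowed line for your own account. Keep in mind that a process DACL is only checked for callers without SeDebugPrivilege; an elevated debugger is handed a full-access handle regardless, which matches the observation above that Cheat Engine and OllyDBG are not really stopped by this.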

Cheat Engine isn't pretty effective on hacking anyway. Some speedhacks etc. OllyDBG is more critical.

I never worked with Olly. Let's say I got a totally new encryption algorithm and packer like lzo4 instead of minlzo. Would it be possible to write an unpacker with Olly?


Why do you think that's pseudocode?

This code is found in Extern/YmirBase/AntiAccess.h!

I wasn't talking about this header file. I meant the creation of the first file extractor where no source existed^^
