Tyrar Posted May 27, 2014

I've found a file (AntiAccess.h) in Extern/include/YmirBase and I was wondering what's inside. Its content is pretty small and simple: the following function will disable every write access to the current process. Of course it's not all you have to do for a fully working protection, but I thought this function in addition to another good anti-cheat will work very well.

    #include <windows.h>
    #include <aclapi.h>

    // EL_FORCEINLINE comes from the rest of YmirBase; fall back to the MSVC keyword if it is not defined
    #ifndef EL_FORCEINLINE
    #define EL_FORCEINLINE __forceinline
    #endif

    // Replaces the DACL of the current process object so that other processes can no longer
    // open it with memory or thread access rights. A caller that holds SeDebugPrivilege is not
    // subject to this check, and the owner of the object keeps implicit WRITE_DAC.
    BOOL EL_FORCEINLINE EL_DenyProcessAccess( void )
    {
        DWORD adwBuffer[0x200 / sizeof(DWORD)];   // ACL storage; the ACL structure requires DWORD alignment
        PACL pACL = NULL;
        SID_IDENTIFIER_AUTHORITY stIdentifierAuthority = SECURITY_WORLD_SID_AUTHORITY;
        PSID pSid = NULL;
        BOOL bRet = FALSE;
        DWORD dwSize = 0;
        HANDLE hToken = NULL;
        HANDLE hProcess = ::GetCurrentProcess();
        PTOKEN_USER pUserInfo = NULL;

        // Well-known SID "Everyone" (S-1-1-0), used for the deny entry
        if( ::AllocateAndInitializeSid( &stIdentifierAuthority, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pSid ) == FALSE )
            goto Cleanup;

        // SID of the account the process runs as, used for the allow entry
        if( ::OpenProcessToken( hProcess, TOKEN_QUERY, &hToken ) == FALSE )
            goto Cleanup;

        ::GetTokenInformation( hToken, TokenUser, NULL, 0, &dwSize );   // first call only reports the required size
        if( dwSize == 0 || dwSize > 1024 )
            goto Cleanup;

        pUserInfo = (PTOKEN_USER) ::GlobalAlloc( GPTR, dwSize );
        if( pUserInfo == NULL )
            goto Cleanup;

        if( ::GetTokenInformation( hToken, TokenUser, pUserInfo, dwSize, &dwSize ) == FALSE )
            goto Cleanup;

        pACL = (PACL) adwBuffer;
        if( ::InitializeAcl( pACL, sizeof(adwBuffer), ACL_REVISION ) == FALSE )
            goto Cleanup;

        // Deny Everyone the rights an injector or memory scanner needs.
        // The deny ACE has to precede the allow ACE (canonical order) or it is not honoured.
        if( ::AddAccessDeniedAce( pACL, ACL_REVISION,
                PROCESS_CREATE_PROCESS | PROCESS_DUP_HANDLE | PROCESS_VM_WRITE | PROCESS_VM_READ |
                PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD, pSid ) == FALSE )
            goto Cleanup;

        // Allow the current user SYNCHRONIZE, PROCESS_QUERY_INFORMATION, PROCESS_SET_INFORMATION,
        // PROCESS_SET_QUOTA and PROCESS_TERMINATE, so the process can still be waited on, queried and killed
        if( ::AddAccessAllowedAce( pACL, ACL_REVISION,
                SYNCHRONIZE | PROCESS_QUERY_INFORMATION | PROCESS_SET_INFORMATION | PROCESS_SET_QUOTA | PROCESS_TERMINATE,
                pUserInfo->User.Sid ) == FALSE )
            goto Cleanup;

        // PROTECTED_DACL_SECURITY_INFORMATION also stops inherited ACEs from being merged back in
        if( ::SetSecurityInfo( hProcess, SE_KERNEL_OBJECT,
                PROTECTED_DACL_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
                NULL, NULL, pACL, NULL ) != ERROR_SUCCESS )
            goto Cleanup;

        bRet = TRUE;

    Cleanup:
        if ( pUserInfo ) ::GlobalFree( pUserInfo );   // free the token user buffer
        if ( hToken ) ::CloseHandle( hToken );
        if ( pSid ) ::FreeSid( pSid );
        return bRet;
    }
.InyaProduction (Former Staff) Posted May 27, 2014

A Python injection protection is already included in the bin (it crashes on injection). I'm not sure if normal DLL injection is already fixed too. The Python loader as mix didn't crash the binary, so I guess it's not (even if the loader is useless because of the reason above). Anyone have an idea how to include the stuff from above?
Tyrar (Author) Posted May 27, 2014

    #include <YmirBase/AntiAccess.h>
    ...
    EL_DenyProcessAccess();

You should call the function as early as possible. It's not very effective against Cheat Engine or OllyDbg, but a few injectors won't work anymore.
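To see what the DACL from the first post actually does from the outside, here is an added PowerShell probe (it is not part of this thread or of the YmirBase header) that requests each process access right one at a time and reports whether OpenProcess succeeds or fails with ERROR_ACCESS_DENIED. Run it from a normal, non-elevated session as the same user the client runs as, against the client's PID (the PID in the usage line is a placeholder). With the DACL in place you should see DENIED for PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_VM_OPERATION, PROCESS_CREATE_THREAD, PROCESS_DUP_HANDLE and PROCESS_CREATE_PROCESS, and OPENED for the five rights in the allow ACE. Two caveats the probe makes visible: WRITE_DAC still opens, because the owner of a securable object is implicitly granted READ_CONTROL and WRITE_DAC and can simply reset the DACL; and a caller that has enabled SeDebugPrivilege (as debuggers and Cheat Engine do) is not subject to the DACL at all, which is why only simple injectors are stopped.

```powershell
# Added example, not code from the thread or from YmirBase: probe which process
# access rights the caller can obtain on a target process, to verify the effect
# of EL_DenyProcessAccess() from a second process.

$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
Add-Type -MemberDefinition $signature -Name 'NativeMethods' -Namespace 'AccessProbe'

# Access masks as defined in winnt.h (standard rights plus the process-specific rights the ACL mentions)
$Rights = [ordered]@{
    'PROCESS_TERMINATE'         = 0x0001
    'PROCESS_CREATE_THREAD'     = 0x0002
    'PROCESS_VM_OPERATION'      = 0x0008
    'PROCESS_VM_READ'           = 0x0010
    'PROCESS_VM_WRITE'          = 0x0020
    'PROCESS_DUP_HANDLE'        = 0x0040
    'PROCESS_CREATE_PROCESS'    = 0x0080
    'PROCESS_SET_QUOTA'         = 0x0100
    'PROCESS_SET_INFORMATION'   = 0x0200
    'PROCESS_QUERY_INFORMATION' = 0x0400
    'SYNCHRONIZE'               = 0x00100000
    'WRITE_DAC'                 = 0x00040000   # implicitly granted to the object owner, see lead-in
}

function Test-ProcessAccess {
    param([Parameter(Mandatory)][uint32]$ProcessId)

    foreach ($name in $Rights.Keys) {
        $mask = [uint32]$Rights[$name]
        # Ask for exactly one right so each row shows one ACE decision
        $h   = [AccessProbe.NativeMethods]::OpenProcess($mask, $false, $ProcessId)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()

        if ($h -ne [IntPtr]::Zero) {
            [void][AccessProbe.NativeMethods]::CloseHandle($h)
            $result = 'OPENED'
        } elseif ($err -eq 5) {          # ERROR_ACCESS_DENIED: the DACL (or missing allow ACE) blocked it
            $result = 'DENIED'
        } else {
            $result = "FAILED (Win32 error $err)"   # e.g. 87 for an invalid PID
        }

        [pscustomobject]@{ Right = $name; Mask = ('0x{0:X8}' -f $mask); Result = $result }
    }
}

# Usage (1234 is a placeholder; use the PID of the client that called EL_DenyProcessAccess):
# Test-ProcessAccess -ProcessId 1234 | Format-Table -AutoSize
```

Run the probe once before the client calls the function and once after; every row should read OPENED in the first run, and the six denied rights should flip to DENIED in the second. If the denied rows still open, check that the probe session is not running elevated with SeDebugPrivilege enabled, or under a different user than the client.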
.InyaProduction (Former Staff) Posted May 27, 2014

Cheat Engine isn't very effective for hacking anyway. Some speedhacks etc. OllyDbg is more critical. I never worked with Olly. Let's say I got a totally new encryption algorithm and packer like lzo4 instead of minlzo. Would it be possible to write an unpacker with Olly?
Tyrar (Author) Posted May 27, 2014

Yes. The first extractor was made this way; someone copied the decryption and decompression code out of OllyDbg.
.InyaProduction (Former Staff) Posted May 27, 2014

You can't actually copy 1:1, I think. Isn't it just pseudocode?
ShuzZzle Posted May 27, 2014

> You can't actually copy 1:1, I think. Isn't it just pseudocode?

Yep, but with the pseudocode you can kind of rewrite the source code.
Tyrar (Author) Posted May 27, 2014

Why do you think that's pseudocode? This code is found in Extern/YmirBase/AntiAccess.h!
ShuzZzle Posted May 27, 2014

> Why do you think that's pseudocode? This code is found in Extern/YmirBase/AntiAccess.h!

I wasn't talking about this header file. I meant the creation of the first file extractor, where no source existed^^
Tyrar (Author) Posted May 27, 2014

There wasn't any pseudocode used. Pseudocode is, first, bad practice and, second, harder to understand than assembler.
Koray (Active Member) Posted September 25, 2014

    YmirBase/AntiAccess.h(7) : error C4430: missing type specifier - int assumed. Note: C++ does not support default-int

Line 7: '{'

How to fix?
Night Posted September 25, 2014

> YmirBase/AntiAccess.h(7) : error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
> Line 7: '{'
> How to fix?

http://msdn.microsoft.com/en-us/library/ms173696.aspx

I will test it later.