Home > Net >  Can programs detect if I am using ReadProcessMemory on it?
Can programs detect if I am using ReadProcessMemory on it?

Time:07-21

I'm writing a program to read a game's memory as it runs. I want to avoid the game noticing me however, since it might behave differently under observation. Is it possible for processes to detect the act of me inspecting it's memory from another process?

This is the method I'm using to inspect it:

// this is how I gain the target process's handle

HANDLE findHandle(const wchar * exeFilename) {
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);
    HANDLE target = NULL;
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    if (Process32First(snapshot, &entry) == TRUE) {
        while (Process32Next(snapshot, &entry) == TRUE) {
            if (wcscmp(entry.szExeFile, exeFilename) == 0) {  
                target = OpenProcess(PROCESS_ALL_ACCESS, FALSE, entry.th32ProcessID);
                break;
            }
        }
    }
    CloseHandle(snapshot);
    return target;
}

// dst = destination buffer that the other process's memory is read into
// src = source address from within the other process
// hProcess = handle of the process we are inspecting
// protectedAccess = this allows us around some obstacle, though I'm not sure what/how specifically?
// returns the amount of memory read successfully

size_t patchedRead(char* dst, char* src, uint32 size, HANDLE hProcess, bool protectedAccess) {
    SIZE_T readTotal = 0;
    if (protectedAccess) {
        DWORD oldprotect;
        if(!VirtualProtectEx(hProcess, src, size, PAGE_EXECUTE_READWRITE, &oldprotect))
            return 0;
        ReadProcessMemory(hProcess, src, dst, size, &readTotal);
        if(!VirtualProtectEx(hProcess, src, size, oldprotect, &oldprotect))
            return 0;
    } else {
        ReadProcessMemory(hProcess, src, dst, size, &readTotal);
    }
    return size_t(readTotal);
}

CodePudding user response:

It's not possible to detect a ReadProcessMemory or WriteProcessMemory but it is possible to detect the preceding OpenProcess that is needed to gain access.

CodePudding user response:

Is it possible for processes to detect the act of me inspecting it's memory from another process?

No, it is not. Well, not without injecting code into every running process (such as with AppInit_DLLs or SetWindowsHookEx()) that then hooks/detours the ReadProcessMemory() function directly.

Page link:https//www.codepudding.com/net/482812.html

Prev:Is "(unsigned)value" cast undefined behaviour?
Next:Undefined symbols for architecture x86_64 library isn't linked
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding