  1. #1
    kidovate's Avatar
    Join Date
    Aug 2010
    Gender
    male
    Posts
    24
    Reputation
    10
    Thanks
    19

    How was DayZNavigator ever detected?

    DayZNavigator injected a DLL into your web browser and dropped a file off in a temporary folder for the browser interface. It opened a memory handle (for reading memory values) to the DayZ Client and passively read memory values on an interval (polling).

    My question is - how could VAC / BattlEye detect this approach?
    • Checking the hash of the process doesn't work as it's within the chrome.exe process
    • Memory reads are passive - if they even traced back the module that had the handle on the process - would it be distinguishable from Chrome's process?
    • Did they simply do string searches within the running processes?


    I'm seeking some information on this as I believe I have an implementation that will be impossible to detect (aside from string and binary pattern scans) because it does not inject a DLL into anything (separate module), but instead adds machine code to the process itself (with a remote thread).

  2. #2
    kidovate's Avatar
    Join Date
    Aug 2010
    Gender
    male
    Posts
    24
    Reputation
    10
    Thanks
    19
    .... just realized I forgot to put this under discussion, my bad. If someone could move it, it would be excellent

  3. #3
    `Rejected's Avatar
    Join Date
    Sep 2012
    Gender
    male
    Location
    Basement :D
    Posts
    3,931
    Reputation
    629
    Thanks
    6,034
    You have got me interested and should release this way of making it undetectable :P

  4. #4
    Woodhouse's Avatar
    Join Date
    Dec 2012
    Gender
    male
    Location
    Swagtown, Yoloville
    Posts
    2,832
    Reputation
    228
    Thanks
    3,247
    My Mood
    Sick
    @kidovate, the hack pauses the Arma2OA process. BE_Dllmain is routinely called throughout the game's runtime. If this happens while the process is paused, it will lead to either a kick + report or just a report. And both of those results lead to you getting banned. If I'm not mistaken, I believe GameHack #79 is associated with server actions (kick + report) against all versions of DayZ Navigator.
    Last edited by chickeninabiskit; 01-02-2014 at 12:27 PM.

  5. #5
    kidovate's Avatar
    Join Date
    Aug 2010
    Gender
    male
    Posts
    24
    Reputation
    10
    Thanks
    19
    Interesting, I can do it without actually freezing the game, I can see why that would be helpful but not why it would be required. You could just dump the entire process memory and read it rather than freeze and iterate over all the memory...

    Anyway I've created a version of Navigator called DayZEagle that is very passive and should not be detectable. It doesn't inject a module but just a remote thread... I'm interested to see if it is detectable.

  6. #6
    Woodhouse's Avatar
    Join Date
    Dec 2012
    Gender
    male
    Location
    Swagtown, Yoloville
    Posts
    2,832
    Reputation
    228
    Thanks
    3,247
    My Mood
    Sick
    Quote Originally Posted by kidovate View Post
    I can see why that would be helpful but not why it would be required.
    I think it was to avoid the register scans. I'm sure there's a lot more to it than that though.
    Last edited by chickeninabiskit; 01-02-2014 at 12:41 PM.

  7. #7
    xLoLeRxx's Avatar
    Join Date
    Jan 2014
    Gender
    male
    Location
    City 17
    Posts
    136
    Reputation
    10
    Thanks
    181
    My Mood
    Devilish
    What is this Dayz navigator? Is it for the mod?

  8. #8
    Woodhouse's Avatar
    Join Date
    Dec 2012
    Gender
    male
    Location
    Swagtown, Yoloville
    Posts
    2,832
    Reputation
    228
    Thanks
    3,247
    My Mood
    Sick
    Quote Originally Posted by xLoLeRxx View Post
    What is this Dayz navigator? Is it for the mod?
    A very old open source ESP hack that utilized DayZDB.com's maps. Yes, it was.
    Last edited by chickeninabiskit; 01-02-2014 at 04:00 PM.

  9. #9
    Douggem's Avatar
    Join Date
    Apr 2013
    Gender
    male
    Posts
    53
    Reputation
    37
    Thanks
    93
    Guys, Battleye has a scan that scans for a signature at every byte of committed memory in every process it can open. Just because you hide your scanner in another process doesn't make it BE proof (in fact, it doesn't even help). Battleye also has two mechanisms made specifically to fight DayZ Navigator, which Chicken already mentioned (a scan that gets the thread's context and looks at positions relative to the base pointer on the stack for signatures, and the Battleye service which checks to see if BE has been suspended). The service uses RPM to write the detection into the Arma process which Battleye sends back to the server upon request. It does not automatically kick, and believe it or not some people have false positives for it all the damn time (one of my hacks logs detections and I get reports of detection 260 - a BE service detection - regularly, despite the user not using anything that suspends BE).

    You gotta understand, Battleye only cares about getting bans, they don't care about stopping cheating. So if you can stop the bans from happening, even if you don't actually avoid or bypass Battleye, you're good. And it's easy.

    EDIT: Forgot this was about the standalone. Obviously VAC is another animal entirely, and I don't know enough about it to comment. The above info is just about Battleye.
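The two detection mechanisms described in the post above (a byte-signature scan over every committed page of every process the anti-cheat can open, and a service-side check that the in-game component has not been suspended, which is also the behaviour #4 describes around BE_Dllmain) can be modelled from the defender's side. The following is an added illustration, not code from this thread or from BattlEye: it scans a list of memory regions (shaped like what VirtualQueryEx/ReadProcessMemory would hand back, but constructed here) for a wildcard signature, and models the suspension check as a heartbeat counter that an external watchdog reads. The region layout, signatures, counter samples and the heartbeat design are all assumptions for the example.

```python
"""Added example (not the thread's or BattlEye's own code) modelling two
anti-cheat detection mechanisms: a byte-signature scan over every committed
memory region, and a watchdog that notices when an in-process component
stops advancing a heartbeat (i.e. the process has been suspended).
All regions, signatures and heartbeat samples below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Same numeric values as the Windows MEMORY_BASIC_INFORMATION.State field;
# only committed regions are scanned, as the post describes.
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_FREE = 0x10000


@dataclass
class MemoryRegion:
    base: int      # start address of the region
    state: int     # MEM_COMMIT / MEM_RESERVE / MEM_FREE
    data: bytes    # what a read of the region returned (empty if unreadable)


def parse_signature(text: str) -> List[Optional[int]]:
    """'48 8B ?? 05' -> [0x48, 0x8B, None, 0x05]; None is a wildcard byte."""
    return [None if tok in ("??", "?") else int(tok, 16) for tok in text.split()]


def match_at(buf: bytes, pos: int, sig: List[Optional[int]]) -> bool:
    """True if `sig` matches `buf` starting at byte offset `pos`."""
    if pos + len(sig) > len(buf):
        return False
    return all(s is None or buf[pos + i] == s for i, s in enumerate(sig))


def scan_regions(regions: List[MemoryRegion], signature: str) -> List[int]:
    """Absolute addresses at which `signature` occurs in committed memory.
    Every byte offset of every committed region is tested; reserved and
    free regions are skipped because there is nothing mapped to read."""
    sig = parse_signature(signature)
    hits = []
    for r in regions:
        if r.state != MEM_COMMIT or not r.data:
            continue
        for pos in range(len(r.data)):
            if match_at(r.data, pos, sig):
                hits.append(r.base + pos)
    return hits


def heartbeat_stalled(samples: List[Tuple[float, int]], max_gap: float) -> bool:
    """Assumed model of the 'has the component been suspended' check: the
    in-process component increments a counter on a timer, an external
    service samples it periodically, and a counter that has not changed for
    more than `max_gap` seconds means the thread is not running.
    `samples` are (time_in_seconds, counter_value) pairs in time order."""
    last_change_t, last_val = samples[0]
    for t, v in samples[1:]:
        if v != last_val:
            last_val, last_change_t = v, t
        elif t - last_change_t > max_gap:
            return True
    return False


# Constructed sample address space: one committed region holding a
# mov-style byte pattern, one reserved region, one committed region
# holding a marker string followed by a second pattern.
SAMPLE_REGIONS = [
    MemoryRegion(0x10000, MEM_COMMIT,
                 b"\x90" * 8 + b"\x48\x8b\x05\x10\x20\x30\x40" + b"\xcc" * 5),
    MemoryRegion(0x20000, MEM_RESERVE, b""),
    MemoryRegion(0x30000, MEM_COMMIT,
                 b"NAVIGATOR\x00" + b"\x48\x8b\x3d\x00\x00\x00\x00"),
]

# Constructed heartbeat samples: counter advances once per second, then
# stays frozen from t=2 onward.
STALLED_SAMPLES = [(0.0, 1), (1.0, 2), (2.0, 3), (3.0, 3), (4.0, 3), (5.0, 3)]
HEALTHY_SAMPLES = [(0.0, 1), (1.0, 2), (2.0, 3), (3.0, 4)]


if __name__ == "__main__":
    print([hex(a) for a in scan_regions(SAMPLE_REGIONS, "48 8B ?? 10 20")])
    print(heartbeat_stalled(STALLED_SAMPLES, 2.0), heartbeat_stalled(HEALTHY_SAMPLES, 2.0))
```

The scan is deliberately exhaustive (every offset, not just module bounds), which is why the post says moving the scanner into another process does not help: the pattern is found wherever it is mapped. The watchdog side explains the false positives the post mentions as well, since any stall longer than `max_gap` (a debugger break, a heavily loaded machine) looks the same to the service as a deliberate suspension.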

  10. #10
    Ulookingat's Avatar
    Join Date
    Oct 2012
    Gender
    male
    Location
    Tasmania
    Posts
    208
    Reputation
    10
    Thanks
    12
    My Mood
    Cheeky
    Quote Originally Posted by Douggem View Post
    Guys, Battleye has a scan that scans for a signature at every byte of committed memory in every process it can open. Just because you hide your scanner in another process doesn't make it BE proof (in fact, it doesn't even help). Battleye also has two mechanisms made specifically to fight DayZ Navigator, which Chicken already mentioned (a scan that gets the thread's context and looks at positions relative to the base pointer on the stack for signatures, and the Battleye service which checks to see if BE has been suspended). The service uses RPM to write the detection into the Arma process which Battleye sends back to the server upon request. It does not automatically kick, and believe it or not some people have false positives for it all the damn time (one of my hacks logs detections and I get reports of detection 260 - a BE service detection - regularly, despite the user not using anything that suspends BE).

    You gotta understand, Battleye only cares about getting bans, they don't care about stopping cheating. So if you can stop the bans from happening, even if you don't actually avoid or bypass Battleye, you're good. And it's easy.

    EDIT: Forgot this was about the standalone. Obviously VAC is another animal entirely, and I don't know enough about it to comment. The above info is just about Battleye.
    Would it be possible to write a dll that replaces the BE dll but just reports everything is "ok" so you could pause as much as you want?

  11. #11
    Douggem's Avatar
    Join Date
    Apr 2013
    Gender
    male
    Posts
    53
    Reputation
    37
    Thanks
    93
    Yes you could write a BE emulator.
