How to Detect Threads & Bypass Anti-Cheat Detection

Video Statistics and Information

Captions
Don't you hate it when your cheat is detected? Your threads could be why. Let's explore how threads work, what malicious ones look like, and the solution to the problem. So the first thing that you need to know is, whenever a new thread is created, BaseThreadInitThunk is called. We get this address here, we set it to the original function, then we hook the function here, and then we just let our program go in a while(true) loop, and up here we have our BaseThreadInitThunk hook. So now that you know that, what we can do is, we have a few variables here. "argument" is basically what gets provided here, so whenever you call CreateThread it's this argument right here, lpParameter, and whenever you call LoadLibrary this argument would be equal to LoadLibraryA, or if you're manual mapping then this would be the address of your shellcode. So we're not going to worry about that too much, but we are going to worry about the start address of the thread.

So if we start this up here, we've got the GH Injector, inject using LoadLibrary, and as you can see BaseThreadInitThunk is called. Here's our start address, and here's our other start address. Now if you look at these two over here, this start address starts with 1540 and this one is like 7FFF, and the interesting thing about these is that this one looks like it's just some randomly allocated memory, but this one looks like it's an actual valid address. So if we take this, get our Cheat Engine loaded up here, and then we enter this address here, as you can see it's somewhere in ntdll-something-something, right? But if we take this address here, this start address, and go right here in the Ctrl+G box, as you can see this is just non-existent anymore. The shellcode has been freed up for our LoadLibrary injection.

So what we can do to detect our LoadLibrary injector here, or a suspicious thread as you might say, is very simple. All we'll do is declare a MEMORY_BASIC_INFORMATION info, then we'll call VirtualQuery(startAddress, &info, sizeof(info)). Then we'll write out a check here: if info.Type is not equal to MEM_IMAGE, this is not a valid image, then all we're going to do is print out "invalid address thread 0x%p" with the start address. So let's start that up here, got our injector, inject, oh, there we go, "invalid address sus" right here. See, that's our address. Bam, our malicious thread has just been detected.

And another way which you can detect this too is actually pretty easy. Copy this right here, the 7FF part, which is legitimate, and then all you do here is this: what we're going to do is just do uint64 start = 0x..., paste that in, and now we'll just change everything else to zero. So now what we're going to do is, if we cast the start address to a ULONG64 and it's less than start, whose value is here, we can also say this one is a weird value, by printing "invalid address weird", and we print out the start address again. Start that up, inject our DLL, make this bigger, and as you can see both of those checks worked. So what you could do in combination is add this check and this check together in an "and" statement. So that's all there really is to detecting malicious threads. You could go further in and, you know, manually check these addresses by seeing if they belong in a certain module or something like that, but that's kind of what this check is right here; but you could check if this is in the .text section or whatever, right? So that's pretty much all there is for detecting malicious threads. Now we can move on to avoiding all of this in general and staying undetected, so let's get to that.

So the first thing that you need to know is, whenever a new thread is created, BaseThreadInitThunk is called; that's why we're hooking the function, right? So if we go to GitHub and we go to a LoadLibraryA injector, for example, right, if we LoadLibraryA-inject with the GH Injector, here we go, LoadLibrary, and then we inject, right, see, we get detected, right? The reason why is because right here, I'll show you a real-world example right here, we're allocating memory, this is where our DLL path goes, right, we allocate memory in the process, we write the string to the memory, we create a thread, we call LoadLibrary, that's the start address, which is LoadLibrary, then we pass in the address of our string. So then inside the process LoadLibrary gets called, your DLL gets loaded in, right? Whenever you create this thread, that start address right here, that's what that is, that's literally the address of LoadLibrary in your program, right? So that's going to raise a lot of flags, and that's how you'll get detected, like that, right?

So the same thing applies with manual mapping. When you're manual mapping, right, and you have the start routine function here, in the Guided Hacking injector there are multiple different methods you can use: NtCreateThreadEx, hijack thread, all this other stuff. To bypass the detection vector, all you have to do is just avoid creating a thread, literally avoid calling CreateRemoteThread, NtCreateThreadEx, all that stuff. So instead what you can do is hijack a thread, which will just take an existing thread and let your shellcode run through that thread, or you can do something called the kernel callback, or you can do QueueUserAPC, FakeVEH. So now if I restart the program here, start it up again, bring it up here, go to manual map, FakeVEH, as you can see there it is. Now yes, the BaseThreadInitThunk hook gets called, but see, we have no suspicious addresses here, so that's good. And the only reason why I'm using FakeVEH is because these other ones don't work in my program, just because it's such a simple program; there's not really anything, you know, there are no other threads you can hijack, there's literally just the main thread, right? So, um, and I don't have like an actual game window on my program, and QueueUserAPC doesn't work and kernel callbacks don't work either, but if you use these options, you know, shellcode execution methods, on other games I'm pretty sure they would work.

So that's really all there is, guys, to bypassing the detection vectors: it's literally just change your shellcode execution method when you're manual mapping, or, you know, don't use LoadLibraryA at all. But that's really it. So that's going to wrap up this whole video. I hope you guys found it resourceful. If there's anything you need, like our Guided Hacking injector, you can always find it on our website, guidedhacking.com, and I'll see you next time. Peace.
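The two start-address checks described in the captions, written out as an added example; this is not code from the video or from the Guided Hacking injector. The classifier is portable so the verdicts can be tried on constructed inputs off Windows; the `#ifdef _WIN32` part is the body of a BaseThreadInitThunk hook that feeds it with real VirtualQuery results. Assumptions: the floor `0x00007FF000000000` stands in for the "7FF with everything else zeroed" value typed in the video, the kernel32!BaseThreadInitThunk signature `(DWORD, LPTHREAD_START_ROUTINE, LPVOID)`, and that installing the detour (filling `orig_thunk`, redirecting the export to `hook_thunk`) is done by whatever hooking library you already use and is not shown. It goes one step beyond the video: a thread that starts exactly at kernel32!LoadLibraryA/W passes both the MEM_IMAGE and the address-range check, because kernel32 is image-backed and mapped high, so catching the classic CreateRemoteThread + LoadLibrary injection the captions describe needs a direct comparison against those exports, added here as a third flag. The range check alone also false-positives on a game module loaded at a low base such as 0x140000000, which is why the sample runs it together with the image check rather than on its own.

```c
/* Added example, not code from the video or the Guided Hacking injector.
 * Portable classifier for the thread start-address checks in the transcript,
 * plus the Windows-only BaseThreadInitThunk hook body that feeds it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* The MEMORY_BASIC_INFORMATION fields the check reads, mirrored so the
 * classifier can run on constructed input off Windows. */
typedef struct {
    uint32_t state;  /* MEM_COMMIT / MEM_RESERVE / MEM_FREE */
    uint32_t type;   /* MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE; 0 for free memory */
} region_info;

/* winnt.h values, prefixed so they do not clash with windows.h. */
#define RI_MEM_COMMIT  0x1000u
#define RI_MEM_FREE    0x10000u
#define RI_MEM_PRIVATE 0x20000u
#define RI_MEM_IMAGE   0x1000000u

/* Assumption: x64 Windows maps ntdll/kernel32 at 0x00007FF... under ASLR, so
 * this is the "7FF, everything else zero" floor from the video. A game module
 * at a low base (e.g. 0x140000000) starts threads below it, so this is a
 * heuristic to combine with the MEM_IMAGE test, not to use alone. */
#define SYSTEM_DLL_FLOOR 0x00007FF000000000ULL

enum thread_flags {
    THREAD_OK          = 0,
    THREAD_NOT_IMAGE   = 1, /* start address not backed by a mapped image */
    THREAD_LOW_ADDRESS = 2, /* start address below the system-DLL region */
    THREAD_LOADER_API  = 4  /* start address is exactly a LoadLibrary export */
};

/* Returns a bitmask of thread_flags; 0 means nothing fired. loader_entries is
 * an optional list of kernel32!LoadLibraryA/W addresses (NULL, 0 to skip). */
int classify_thread_start(uint64_t start, const region_info *ri,
                          const uint64_t *loader_entries, size_t n_loader)
{
    int flags = THREAD_OK;
    if (ri->type != RI_MEM_IMAGE)          /* freed shellcode reports Type 0 */
        flags |= THREAD_NOT_IMAGE;
    if (start < SYSTEM_DLL_FLOOR)
        flags |= THREAD_LOW_ADDRESS;
    for (size_t i = 0; loader_entries && i < n_loader; i++)
        if (start == loader_entries[i])
            flags |= THREAD_LOADER_API;
    return flags;
}

const char *describe_flags(int flags)
{
    if (flags == THREAD_OK)                return "ok";
    if (flags & THREAD_LOADER_API)         return "sus: thread starts at LoadLibrary";
    if ((flags & THREAD_NOT_IMAGE) && (flags & THREAD_LOW_ADDRESS))
                                           return "sus: not MEM_IMAGE and low address";
    if (flags & THREAD_NOT_IMAGE)          return "sus: not MEM_IMAGE";
    return "sus: low address";
}

#ifdef _WIN32
/* kernel32!BaseThreadInitThunk(DWORD LdrReserved, LPTHREAD_START_ROUTINE start,
 * LPVOID param). Installing the detour (filling orig_thunk and redirecting the
 * export to hook_thunk) is left to your hooking library and not shown. */
typedef void (WINAPI *BaseThreadInitThunk_t)(DWORD, LPTHREAD_START_ROUTINE, LPVOID);
static BaseThreadInitThunk_t orig_thunk;
static uint64_t loader_entries[2];   /* filled on first call with LoadLibraryA/W */

static void WINAPI hook_thunk(DWORD reserved, LPTHREAD_START_ROUTINE start, LPVOID param)
{
    MEMORY_BASIC_INFORMATION mbi;
    region_info ri = { RI_MEM_FREE, 0 };
    /* VirtualQuery still succeeds for freed shellcode: State=MEM_FREE, Type=0. */
    if (VirtualQuery((LPCVOID)start, &mbi, sizeof(mbi)) == sizeof(mbi)) {
        ri.state = (uint32_t)mbi.State;
        ri.type  = (uint32_t)mbi.Type;
    }
    if (loader_entries[0] == 0) {
        HMODULE k32 = GetModuleHandleA("kernel32.dll");
        loader_entries[0] = (uint64_t)(uintptr_t)GetProcAddress(k32, "LoadLibraryA");
        loader_entries[1] = (uint64_t)(uintptr_t)GetProcAddress(k32, "LoadLibraryW");
    }
    int flags = classify_thread_start((uint64_t)(uintptr_t)start, &ri, loader_entries, 2);
    if (flags != THREAD_OK)
        printf("thread start 0x%p: %s\n", (void *)start, describe_flags(flags));
    orig_thunk(reserved, start, param);   /* let the thread run as normal */
}
#endif

int main(void)
{
    /* Constructed samples modelled on the two addresses seen in the video. */
    const region_info image = { RI_MEM_COMMIT, RI_MEM_IMAGE };
    const region_info freed = { RI_MEM_FREE, 0 };
    const uint64_t loaders[2] = { 0x00007FFB00010000ULL, 0x00007FFB00020000ULL }; /* assumed */
    const struct { uint64_t start; const region_info *ri; const char *what; } samples[] = {
        { 0x00007FFB1A2B3C4DULL, &image, "thread starting inside ntdll" },
        { 0x0000015400A30000ULL, &freed, "freed injector shellcode" },
        { 0x00007FFB00010000ULL, &image, "CreateRemoteThread with LoadLibraryA as start" },
        { 0x0000000140001000ULL, &image, "non-ASLR game module (range check false positive)" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int f = classify_thread_start(samples[i].start, samples[i].ri, loaders, 2);
        printf("0x%016llx %-50s -> %s\n", (unsigned long long)samples[i].start,
               samples[i].what, describe_flags(f));
    }
    return 0;
}
```

Built as a console program on any platform, `main` runs the classifier over the four constructed samples; compiled into a DLL on Windows with your detour installed on kernel32!BaseThreadInitThunk, `hook_thunk` prints the same verdicts for every thread the process starts, which is the setup the video demonstrates against the GH Injector.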
Info
Channel: Guided Hacking
Views: 16,636
Keywords: guidedhacking, reverse engineering, thread detection, createremotethread, detect createremotethread, gh injector, guidedhacking injector, guided hacking injector, how to detect threads, CreateRemoteThread, NtCreateThreadEx, anticheat bypass, loadlibrary detection, dll injection, detect dll injection, anticheat, anti-cheat, anti cheat bypass, createremotethread injection, how to identify threads, how to check threads, cheat engine, bypass anti cheat, cheat engine bypass
Id: KzD_nc5B_8w
Length: 7min 44sec (464 seconds)
Published: Sun Nov 12 2023