stefansundin/superf4

[Concern] Is this program susceptible to cheat detection?

NanoCats opened this issue · 2 comments

I'm just wary of anything that runs in the background and could get me in trouble/banned from video games.

It's a fair question. I'd say that the chance is extremely low. SuperF4 does listen for keypresses to detect the button combination. The program does not attempt to read the memory or alter other processes, which I think is what most cheat programs do.

When SuperF4 detects the key combination, it does the following:

  1. Attempts to give itself SeDebugPrivilege in order to kill any process (but may still be limited to kill elevated processes, if SuperF4 itself is not elevated).
    https://support.microsoft.com/en-us/help/131065/how-to-obtain-a-handle-to-any-process-with-sedebugprivilege
  2. Tries to get a handle to the process we are going to kill with:
    process = OpenProcess(PROCESS_TERMINATE, FALSE, pid)
    
    https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-openprocess
  3. Tries to kill the process with:
    TerminateProcess(process,1)
    
    https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-terminateprocess
  4. Removes SeDebugPrivilege from itself.

See the code here:

superf4/superf4.c

Lines 204 to 291 in 2a6afbe

    void Kill(HWND hwnd) {
      // To prevent overkill
      if (killing) {
        return;
      }
      // Get process id of hwnd
      DWORD pid;
      GetWindowThreadProcessId(hwnd, &pid);
      // Check if the process is blacklisted
      HANDLE process = OpenProcess(vista?PROCESS_QUERY_LIMITED_INFORMATION:PROCESS_QUERY_INFORMATION, FALSE, pid);
      wchar_t name[256];
      DWORD ret = GetProcessImageFileName(process, name, ARRAY_SIZE(name));
      CloseHandle(process);
      if (ret == 0) {
        #ifdef DEBUG
        Error(L"GetProcessImageFileName()", L"Kill()", GetLastError());
        #endif
      }
      else {
        PathStripPath(name);
        for (int i=0; i < ProcessBlacklist.length; i++) {
          if (!wcsicmp(name,ProcessBlacklist.items[i])) {
            return;
          }
        }
      }
      // Let's do this
      killing = 1;
      int SeDebugPrivilege = 0;
      // Get process token
      HANDLE hToken;
      TOKEN_PRIVILEGES tkp;
      if (OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken) == 0) {
        // Could not elevate privileges, so we try without elevated privileges.
        #ifdef DEBUG
        Error(L"OpenProcessToken()", L"Kill()", GetLastError());
        #endif
      }
      else {
        // Get LUID for SeDebugPrivilege
        LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid);
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // Enable SeDebugPrivilege
        if (AdjustTokenPrivileges(hToken,FALSE,&tkp,0,NULL,0) == 0 || GetLastError() != ERROR_SUCCESS) {
          CloseHandle(hToken);
          #ifdef DEBUG
          Error(L"AdjustTokenPrivileges()", L"Kill()", GetLastError());
          #endif
        }
        else {
          // Got it
          SeDebugPrivilege = 1;
        }
      }
      // Open the process
      process = OpenProcess(PROCESS_TERMINATE, FALSE, pid);
      if (process == NULL) {
        #ifdef DEBUG
        Error(L"OpenProcess()", L"Kill()", GetLastError());
        #endif
        return;
      }
      // Terminate process
      if (TerminateProcess(process,1) == 0) {
        #ifdef DEBUG
        Error(L"TerminateProcess()", L"Kill()", GetLastError());
        #endif
        return;
      }
      // Close handle
      CloseHandle(process);
      // Disable SeDebugPrivilege
      if (SeDebugPrivilege) {
        tkp.Privileges[0].Attributes = 0;
        AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, 0);
        CloseHandle(hToken);
      }
    }

But as always, I take no responsibility for anything. Use at your own risk.

It would be interesting to ask the same question to some game developers... how does their anti-cheat protection try to detect cheaters?

Any anti-cheat that would "catch" this would also catch any macro/hotkey program as well as Windows' built-in taskkill and Task Manager. Besides, this isn't a cheating tool, it's no different than pressing Alt+F4 or killing it with the Task Manager; any game that prevents you from exiting the game has bigger problems than players cheating. ¬_¬
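
Added example, not part of the thread and not SuperF4's code: the two OpenProcess() calls quoted in Kill() request only query and terminate rights, and this sketch decodes a desired-access mask to show how that differs from a handle that can read or write the target's memory. The constant values are the Windows SDK's; the category names, the helper functions and the sample records are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Access-right values from the Windows SDK (winnt.h), repeated here so the
   example builds on any platform. */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_QUERY_INFORMATION         0x0400u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u

/* Rights that allow reading, changing or running code in the target. */
#define MEMORY_RIGHTS (PROCESS_VM_READ | PROCESS_VM_WRITE | \
                       PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD)
#define QUERY_RIGHTS (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION)

/* Hypothetical categories, named for this example only. */
typedef enum { ACC_QUERY, ACC_TERMINATE, ACC_MEMORY, ACC_OTHER } acc_class;

/* Classify the desired-access mask given to OpenProcess(). */
acc_class classify_access(uint32_t mask) {
  if (mask & MEMORY_RIGHTS) return ACC_MEMORY;
  if (mask == 0 || (mask & ~(PROCESS_TERMINATE | QUERY_RIGHTS))) return ACC_OTHER;
  return (mask & PROCESS_TERMINATE) ? ACC_TERMINATE : ACC_QUERY;
}

typedef struct { const char *what; uint32_t mask; } open_record;
/* Constructed sample: the two opens in Kill(), then two wider masks. */
static const open_record SAMPLE[] = {
  { "Kill(): blacklist check", PROCESS_QUERY_LIMITED_INFORMATION },
  { "Kill(): terminate", PROCESS_TERMINATE },
  { "constructed: VM read/write", PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION },
  { "constructed: PROCESS_ALL_ACCESS", 0x1FFFFFu },
};

/* Count records whose mask includes any memory-access right. */
size_t count_memory_opens(const open_record *r, size_t n) {
  size_t hits = 0;
  for (size_t i = 0; i < n; i++) hits += (classify_access(r[i].mask) == ACC_MEMORY);
  return hits;
}

int main(void) {
  static const char *names[] = { "query", "terminate", "memory", "other" };
  for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
    printf("%-32s 0x%06X %s\n", SAMPLE[i].what, (unsigned)SAMPLE[i].mask,
           names[classify_access(SAMPLE[i].mask)]);
  return 0;
}
```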