Most stable way of finding executable pages in kernel?

With respect, if you even want to refer to sample code that isn’t your own from some previous project, I suspect that you still don’t understand how hard this is. As an example to cite, look at the history of the debugger SoftICE and the reasons why it was discontinued.

If you want to continue, I suggest that you do not look for a single solution that will work on all versions of Windows with all possible configurations, but limit yourself to a few that you can plausibly accomplish and then provide instructions for your installer to reject other configurations or convert the system to one of them. Apple has proved time and again that if consumer users believe something to be valuable, they will bend over backwards or tie themselves in knots to meet whatever the requirements to have it are. It will be the problem of your marketing department :wink:

we need this for our anti-cheat engine,

OMG…

There is a cheater on thread A, and an anti-cheater on thread B, with the former claiming to be giving business to the latter…

Why don’t you want simply to wait until your “opponent” calls your DriverEntry() routine (i.e. something that he is asking for assistance with on another thread)?

because most of the cheaters will load their drivers manually, and we need a way to find these manually mapped drivers

Well, in order to be in a position to load a driver manually (i.e. by means of kernel memory modifications) you’ve got to get to the kernel somehow, right? However, this part (presumably) requires a driver, which, in turn, seems to be simply eliminating the need for any extra drivers that you are so desperate to detect.

Another point to consider is that the cheater may actually do everything without ANY software-level assistance on the target machine in the first place. There are 2 potential ways of achieving this goal. First, they can examine (and modify) the target system’s memory by means of plugging a PCIE FPGA that is controlled from the remote machine via USB cable into it (check the archives for more info). The second way is running the target system inside a hypervisor, and launching the attack from the host system, rather than from the target system itself.

If your opponents take either of the above approaches they will remain totally transparent to the system-level software running on the target machine…

Anton Bassov

plugging a PCIE FPGA that is controlled from the remote machine via USB cable

Yeah… probably not anymore due to DMAR/IVRS.

Peter

Designed to protect against Thunderbolt and other external memory access. But if they have physical access to the system, then …