Use heuristics to determine systems vulnerable to cheating
Although game hackers come up with crafty methods to bypass detections as time progresses, it may still be possible to flag their system as possibly compromised by cheating based on multiple system information data points.
Scout Lite does not use heuristics, but the multiplayer version of Scout does.
We employ a range of solutions for common vulnerabilities in games
A common attack on single-player games is to modify the memory behind specific variables, resulting in drastic gameplay changes.
Lite Version: Encrypt the memory behind the variable.
Full Version: Prevent read/write access to the protected process.
When a violation is triggered, fast action may be required.
Lite Version: Unity events give the developer full control to define functions that will be invoked in the case of a violation being thrown by Scout.
Full Version: Submits violations to the Scout server for further analysis. The Scout server will then evaluate all recent violations and determine if the system is confident enough to issue a punishment.
Cheaters commonly employ methods to draw results on top of the game. The objects drawn are typically in the form of an ESP (Extra Sensory Perception) system.
Lite Version: Enumerate windows and flag for common window style combinations that typically indicate the presence of an overlay.
Full Version: Enumerate windows and flag for common window style combinations as well as monitor other applications for hijacked windows.
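The window-style check described above, as an added example (not Scout's code): it flags a visible window owned by another process that is layered, click-through and topmost and that covers most of the game window. The `window_info` struct, the sample windows and the 80% coverage threshold are assumptions; the style bit values are the ones defined in `winuser.h`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Extended window style bits, values as defined in winuser.h. */
#define WS_EX_TOPMOST     0x00000008u
#define WS_EX_TRANSPARENT 0x00000020u
#define WS_EX_LAYERED     0x00080000u
#define OVERLAY_COMBO (WS_EX_LAYERED | WS_EX_TRANSPARENT | WS_EX_TOPMOST)

/* Hypothetical snapshot of one top-level window. On Windows it would be filled from
   EnumWindows, GetWindowLongPtr(GWL_EXSTYLE), GetWindowRect and IsWindowVisible. */
typedef struct {
    uint32_t pid, ex_style;
    int left, top, right, bottom;
    bool visible;
} window_info;

/* Constructed sample data: a 1920x1080 game window and four other windows. */
static const window_info SAMPLE_GAME = {100, 0, 0, 0, 1920, 1080, true};
static const window_info SAMPLE_WINDOWS[] = {
    {100, OVERLAY_COMBO, 0, 0, 1920, 1080, true},   /* owned by the game itself */
    {200, OVERLAY_COMBO, 0, 0, 1920, 1080, true},   /* foreign full-screen click-through */
    {300, WS_EX_TOPMOST, 1700, 0, 1920, 200, true}, /* small topmost widget */
    {400, OVERLAY_COMBO, 0, 0, 1920, 1080, false},  /* hidden window */
};

/* Percentage (0..100) of the game window's area covered by w. */
int coverage_percent(const window_info *w, const window_info *g) {
    int l = w->left > g->left ? w->left : g->left, t = w->top > g->top ? w->top : g->top;
    int r = w->right < g->right ? w->right : g->right, b = w->bottom < g->bottom ? w->bottom : g->bottom;
    long long area = (long long)(g->right - g->left) * (g->bottom - g->top);
    if (r <= l || b <= t || area <= 0) return 0;
    return (int)((long long)(r - l) * (b - t) * 100 / area);
}

/* Flag a visible window of another process that carries the full style combination
   and covers at least 80% of the game window (the threshold is an assumption). */
bool is_suspect_overlay(const window_info *w, const window_info *g) {
    return w->visible && w->pid != g->pid
        && (w->ex_style & OVERLAY_COMBO) == OVERLAY_COMBO && coverage_percent(w, g) >= 80;
}

size_t count_suspect_overlays(const window_info *wins, size_t n, const window_info *g) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) hits += is_suspect_overlay(&wins[i], g);
    return hits;
}
int main(void) { printf("suspect: %zu\n", count_suspect_overlays(SAMPLE_WINDOWS, 4, &SAMPLE_GAME)); return 0; }
```

Legitimate tools can create windows with the same styles, so a hit is best treated as one flag among several data points rather than proof of cheating.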
Once we determine that an application is malicious, we employ techniques to prevent the blacklisted process and the game from running at the same time.
Lite Version: Enumerate all running processes and check the names against the blacklisted name list.
Full Version: Create code signatures for blacklisted processes, then scan for those signatures frequently. Furthermore, monitor blacklisted code-signing certificates.
Occasionally game devs will find the need to store small bits of information on the end-user's device. This is typically done using Player Preferences in Unity. Player Preferences are unencrypted by default, which leaves them vulnerable to manual modification.
Lite Version: Provides a wrapper to encrypt the preferences stored on disk.
As the game hacking scene continues to develop, so does the necessity for anti-cheats to gain elevated privileges in the system.
The full version of Scout (not Lite) employs a Windows kernel-mode driver (KMDF) that:
- Monitors system resources for malicious memory allocations
- Strips read and write access on handles to the protected game process
- Performs code-signature scans for shellcode allocations that have been previously deemed malicious by the Scout team
- Blacklists compromised system drivers and applications
- Performs integrity checks on system applications and drivers to flag malicious modifications