What are the most effective methods to detect bot application presence/activity (client-side)?

Question

What are the most effective methods to detect bot application presence/activity?

1 Considering the user can grant any access for the anti-cheat system in Windows (XP/7) OS.

2 Not taking in account potential amorality or illegality of methods.

3 Neglecting user-behaviour detections (like checking time between user actions or smoothness of mouse moves or using CAPTCHAs to detect bot or whatever).

Thus far I can think of:

• Checking INJECTED flags for mouse/keyboard events.

• Scanning processes list, detecting potentially "bad" processes.

• Checking integrity of application to avoid direct injeсtions.

• Checking if the environment is a virtual machine (to avoid false negatives of above checks).

Answer 1

Here's a good post on this subject: How to prevent cheating in our (multiplayer) games?

My thoughts on your list:

• KbDllHookStruct Injected Flag - You'll get false positives for users with virtual devices. This is also easy to fake using several undocumented methods.
• Scanning processes - Also prone to false positives and potential legal issues.
• Detecting injection - Many legitimate applications inject themselves into other processes (e.g. DisplayFusion, dxtory, fraps)
• Checking for VM - Playing a game in a virtual machine doesn't mean the player is cheating.

A few suggestions:

• In your process, scan and compute the hashes of loaded modules (including your own) and disconnect/ban if malicious assemblies are detected. Requires a store of known hashes.
• Check for the presence of a debugger.
• Check for memory/hardware breakpoints.
• Server/client-side vector checks for speed and teleport detection.
• Server-side checks are easier to implement, maintain and as Damon commented above, are much more reliable. Anything on the client can be subverted.