What are the most effective methods to detect bot application presence/activity (client-side)?


What are the most effective methods to detect bot application presence/activity?

1. Considering the user can grant any access for the anti-cheat system in Windows (XP/7) OS.

2. Not taking into account potential amorality or illegality of methods.

3. Neglecting user-behaviour detections (like checking time between user actions or smoothness of mouse moves or using CAPTCHAs to detect bot or whatever).

Thus far I can think of:

  • Checking INJECTED flags for mouse/keyboard events.

  • Scanning processes list, detecting potentially "bad" processes.

  • Checking integrity of application to avoid direct injections.

  • Checking if the environment is a virtual machine (to avoid false negatives of above checks).

Answer by hyru (best answer):

Here's a good post on this subject: How to prevent cheating in our (multiplayer) games?

My thoughts on your list:

  • KbDllHookStruct Injected Flag - You'll get false positives for users with virtual devices. This is also easy to fake using several undocumented methods.
  • Scanning processes - Also prone to false positives and potential legal issues.
  • Detecting injection - Many legitimate applications inject themselves into other processes (e.g. DisplayFusion, dxtory, fraps).
  • Checking for VM - Playing a game in a virtual machine doesn't mean the player is cheating.

A few suggestions:

  • In your process, scan and compute the hashes of loaded modules (including your own) and disconnect/ban if malicious assemblies are detected. Requires a store of known hashes.
  • Check for the presence of a debugger.
  • Check for memory/hardware breakpoints.
  • Server/client-side vector checks for speed and teleport detection.
  • Server-side checks are easier to implement and maintain and, as Damon commented above, are much more reliable. Anything on the client can be subverted.
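
The server-side speed and teleport check from the last two suggestions, sketched as an added example (not part of hyru's answer). The limits, the `Sample`/`Session` types and the function names are assumptions for illustration, and the sample stream is constructed.

```c
#include <stdio.h>

/* Limits are assumed values for illustration; tune them per game. */
#define MAX_SPEED     7.0   /* units/second a legitimate player can reach */
#define TOLERANCE     1.25  /* slack for latency jitter and rounding */
#define TELEPORT_DIST 50.0  /* one jump this large is never legitimate */

/* Position plus the time the SERVER received it; client clocks are untrusted. */
typedef struct { double x, y, z, t; } Sample;
typedef enum { MOVE_OK, MOVE_SPEED, MOVE_TELEPORT, MOVE_BAD_TIME } Verdict;
typedef struct { Sample last; int hits[4]; } Session;  /* hits indexed by Verdict */

/* Judge one update against the last position the server accepted. */
Verdict check_move(const Sample *prev, const Sample *next)
{
    double dt = next->t - prev->t;
    if (!(dt > 0.0)) return MOVE_BAD_TIME;       /* reordered, replayed or NaN */

    double dx = next->x - prev->x, dy = next->y - prev->y, dz = next->z - prev->z;
    double d2 = dx*dx + dy*dy + dz*dz;           /* squared distance, no sqrt */
    /* Negated compare also rejects NaN/inf coordinates. */
    if (!(d2 <= TELEPORT_DIST * TELEPORT_DIST)) return MOVE_TELEPORT;

    double reach = MAX_SPEED * TOLERANCE * dt;   /* farthest legal travel in dt */
    return d2 > reach * reach ? MOVE_SPEED : MOVE_OK;
}

/* Accept a legal move; otherwise keep the old position (rubber-band) and count it.
   Keeping the old timestamp too means a lagging honest client can catch up,
   while a sustained speed hack keeps exceeding the growing allowance. */
Verdict session_update(Session *s, const Sample *next)
{
    Verdict v = check_move(&s->last, next);
    if (v == MOVE_OK) s->last = *next;
    s->hits[v]++;
    return v;
}

int main(void)
{
    /* Constructed sample stream: two normal steps, a speed burst, a normal step,
       a teleport, then a packet with a stale timestamp. */
    Sample in[] = { {0.6,0,0,0.1}, {1.2,0,0,0.2}, {3.2,0,0,0.3},
                    {1.9,0,0,0.4}, {200,0,0,0.5}, {2.0,0,0,0.4} };
    Session s = { {0,0,0,0.0}, {0} };
    static const char *name[] = { "ok", "speed", "teleport", "bad-time" };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("update %zu: %s\n", i, name[session_update(&s, &in[i])]);
    return 0;
}
```

Because the verdict is computed from server-received positions and times only, it does not depend on any client-side check staying intact.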