System Service Hijacking Ban
I’ve been developing several different bypasses for fun, but one bypass that keeps getting me banned by BE is exploiting a system service. Currently, before the game is started, I am using a simple, hand-made LoadLibrary injector w/ SeDebugPrivilege to load a DLL into a system service. It then creates a remote thread and sits dormant for a few minutes while I start up the game. After 2 minutes, it steals a HANDLE to the target game and begins to RPM/WPM. The DLL itself is not packed, but all give-aways like strings are XORed. In addition, nothing is C+P since it was written from scratch. However, I seem to be getting banned from this process after a few days. Anyone see a glaring detection vector or have some pointers about what might be getting detected? I have been trying to isolate the different parts of it, but it’s time consuming due to BE’s ban delay. Another weird observation is that if I run it during the lobby and the first 5-10 min of the game, I never get banned. But if I play a few full games, the ban is nearly guaranteed. I appreciate all the help that I can get!