I will share some things I know about the Riot AC.
This could probably help people who started their platform.
I must admit this Anti-Cheat is one of the best
* Detecting Debuggers
When you attach Cheat Engine or a debugger it uses a very specific method of interacting with the target process. Then League of Legends detects this procedure before you even attach Cheat Engine by closing League of Legends.exe
* NtQueryInformationProcess
League of Legends.exe also uses this to retrieve a DWORD_PTR value that is the port number of the debugger for the process. A nonzero value indicates that the process is being run under the control of a ring 3 debugger
* When does League of Legends.exe start Anticheat?
When analyzing the procedures. After champion selection > when starting League of Legends.exe for 0% to 40% of the loading screen before starting the match. Anticheat is loading its modules (This means the AC is still starting)
^ - "It's no use injecting a code when AntiCheat modules are loading. You will be detected the same way. But it is safer to inject during this time."
* What does it detect?
> Enumerating the Modules.
> Hooking LoadLibrary.
> DllMain Pattern Scanning.
> TLS Callback to Capture Threads.
> Debugger to Capture Threads or Loaded Modules: CreateRemoteThread, NtCreateThreadEx and RtlCreateUserThread.
^ - "all functions are detected"
> Riot AntiCheat is synchronized with callbacks like "issue order", new path, createobject.
^ - "Yes practically the Evade are fucked"
> There is no point in breaking Anticheat in League of Legends.exe. Stub.dll is also implementing AC.
> Riot detects hotfix. Not safe using a safe script in older versions of League of Legends.exe
> Riot has a module that scans your hard drive. - "During startup AC looks for files that match as Trojan:Win32/Malware"
^ - "Why? I don't know either."
> The AC also looks for the path corresponding to the injected DLL in the process.
> They also have a blacklist of dlls.
> In addition to focusing on public platforms, it also focuses on injection methods.
Credits: Exint (CC)
This could probably help people who started their platform.
I must admit this Anti-Cheat is one of the best
* Detecting Debuggers
When you attach Cheat Engine or a debugger it uses a very specific method of interacting with the target process. Then League of Legends detects this procedure before you even attach Cheat Engine by closing League of Legends.exe
* NtQueryInformationProcess
League of Legends.exe also uses this to retrieve a DWORD_PTR value that is the port number of the debugger for the process. A nonzero value indicates that the process is being run under the control of a ring 3 debugger
* When does League of Legends.exe start Anticheat?
When analyzing the procedures. After champion selection > when starting League of Legends.exe for 0% to 40% of the loading screen before starting the match. Anticheat is loading its modules (This means the AC is still starting)
^ - "It's no use injecting a code when AntiCheat modules are loading. You will be detected the same way. But it is safer to inject during this time."
* What does it detect?
> Enumerating the Modules.
> Hooking LoadLibrary.
> DllMain Pattern Scanning.
> TLS Callback to Capture Threads.
> Debugger to Capture Threads or Loaded Modules: CreateRemoteThread, NtCreateThreadEx and RtlCreateUserThread.
^ - "all functions are detected"
> Riot AntiCheat is synchronized with callbacks like "issue order", new path, createobject.
^ - "Yes practically the Evade are fucked"
> There is no point in breaking Anticheat in League of Legends.exe. Stub.dll is also implementing AC.
> Riot detects hotfix. Not safe using a safe script in older versions of League of Legends.exe
> Riot has a module that scans your hard drive. - "During startup AC looks for files that match as Trojan:Win32/Malware"
^ - "Why? I don't know either."
> The AC also looks for the path corresponding to the injected DLL in the process.
> They also have a blacklist of dlls.
List:
main.dll
curl.dll
new.dll
old.dll
ensoulsharp.sandbox.dll
riotdump.dll
networkweb.dll
LeagueSharp.Core.dll
LeagueSharp.Sandbox.dll
vm3dum.dll
EloBuddy.Core.dll
EloBuddy.SandBox.dll
System.Xml.Linq.dll
System.Data.dll
System.ServiceModel.Internals.dll
System.Transactions.dll
System.Core.dll
System.dll
System.Xml.dll
System.Drawing.dll
System.IdentityModel.dll
System.Transactions.ni.dll
D3DX9_43.dll
System.ServiceModel.ni.dll
System.Data.ni.dll
System.Data.dll
System.Configuration.ni.dll
System.Core.ni.dll
main.dll
curl.dll
new.dll
old.dll
ensoulsharp.sandbox.dll
riotdump.dll
networkweb.dll
LeagueSharp.Core.dll
LeagueSharp.Sandbox.dll
vm3dum.dll
EloBuddy.Core.dll
EloBuddy.SandBox.dll
System.Xml.Linq.dll
System.Data.dll
System.ServiceModel.Internals.dll
System.Transactions.dll
System.Core.dll
System.dll
System.Xml.dll
System.Drawing.dll
System.IdentityModel.dll
System.Transactions.ni.dll
D3DX9_43.dll
System.ServiceModel.ni.dll
System.Data.ni.dll
System.Data.dll
System.Configuration.ni.dll
System.Core.ni.dll
> In addition to focusing on public platforms, it also focuses on injection methods.
Credits: Exint (CC)
