[C#]WindowsDetection Class

[Forean]

thanks for the release. <Thanked>

 

[diosz]

This is not C# it's VB or VB.NET

BTW codes updated.

i know, i never said that my code was C#, so its easy change of VB.Net to C#

 

[XZeenon]

This code is far too big for such a simple fucntion.

Here's something way simpler that I've coded and works the same.

public static Process pApplication = null;
        public static string sApplication = String.Empty;

        [DllImport("user32.dll")]
        public static extern int FindWindow(string lpClassName, string lpWindowName);
        [DllImport("user32.dll")]
        public static extern int SendMessage(int hWnd, uint Msg, int wParam, int lParam);

        public const int WM_SYSCOMMAND = 0x0112;
        public const int SC_CLOSE = 0xF060;

That goes at the top...

Now here's the code that does what yours does.

private void CloseWindow(string window)
        {
            int iHandle = FindWindow(null, window);
            if (iHandle > 0)
            {
                // close the window using API        
                SendMessage(iHandle, WM_SYSCOMMAND, SC_CLOSE, 0);
                banuser("Window:" + window);
                addlog("Attempt to hack detected..." + Environment.NewLine + "All of your accounts have been banned. To appeal your ban, visit the forums.");
                Email();
                Application.Exit();
            }
        }

That's the main code, and here is the code that calls on it.

CloseWindow("Notepad.exe");

This code is from an old anti-hack I made a long while back.

As for the "Process" detection it's self, is not that hard to simplify.

EDIT: Remove some stuff from my code for it to work. Like, the log, ban, and email.

 

[Mark]

This code is far too big for such a simple fucntion.

Here's something way simpler that I've coded and works the same.

public static Process pApplication = null;
        public static string sApplication = String.Empty;

        [DllImport("user32.dll")]
        public static extern int FindWindow(string lpClassName, string lpWindowName);
        [DllImport("user32.dll")]
        public static extern int SendMessage(int hWnd, uint Msg, int wParam, int lParam);

        public const int WM_SYSCOMMAND = 0x0112;
        public const int SC_CLOSE = 0xF060;

That goes at the top...

Now here's the code that does what yours does.

private void CloseWindow(string window)
        {
            int iHandle = FindWindow(null, window);
            if (iHandle > 0)
            {
                // close the window using API        
                SendMessage(iHandle, WM_SYSCOMMAND, SC_CLOSE, 0);
                banuser("Window:" + window);
                addlog("Attempt to hack detected..." + Environment.NewLine + "All of your accounts have been banned. To appeal your ban, visit the forums.");
                Email();
                Application.Exit();
            }
        }

That's the main code, and here is the code that calls on it.

CloseWindow("Notepad.exe");

This code is from an old anti-hack I made a long while back.

As for the "Process" detection it's self, is not that hard to simplify.

EDIT: Remove some stuff from my code for it to work. Like, the log, ban, and email.

Whilst what you have posted is similar, it's not the same. The methods for finding the blocked windows are not exactly the same, and yours also requires you to call CloseWindow for each offending window.

Since this is a basic thing to do, one would assume this postis meant for newbies to help with some basic server protection, and therefore your snippet is not so great .

I'm not trying to be rude, I'm just saying that the first post is much more usable from a newbies point of view, especially considering it contains a pre-built list, effectively letting people copy/paste to their hearts content .

Uhh anyways essay >_>

 

[XZeenon]

Whilst what you have posted is similar, it's not the same. The methods for finding the blocked windows are not exactly the same, and yours also requires you to call CloseWindow for each offending window.

Since this is a basic thing to do, one would assume this postis meant for newbies to help with some basic server protection, and therefore your snippet is not so great .

I'm not trying to be rude, I'm just saying that the first post is much more usable from a newbies point of view, especially considering it contains a pre-built list, effectively letting people copy/paste to their hearts content .

Uhh anyways essay >_>

Sigh. I gave a super simple code that people could modify.

My actual code that I'm not going to release loads a embed txt file inside the exe that has a list of all the possible keywords + combinations. They get listen into a string array then tested automatically...

Here's an example

if (WindowNames == null)
            {
                WindowNames = new List<string>();
                try
                {
                    StreamReader sr = new StreamReader(WindowNames.txt")
                                .GetResponse().GetResponseStream());
                    while (!sr.EndOfStream)
                    {
                        string s = sr.ReadLine();
                        if ((s ?? "").Trim() != "")
                            WindowNames.Add(s);
                    }
                }
                catch
                {
                }
            }
            foreach (string s in WindowNames)
            {
                CloseWindow(s);
            }

It proceeds to loop.

 

[Mark]

Sigh. I gave a super simple code that people could modify.

My actual code that I'm not going to release loads a embed txt file inside the exe that has a list of all the possible keywords + combinations. They get listen into a string array then tested automatically...

Here's an example

if (WindowNames == null)
            {
                WindowNames = new List<string>();
                try
                {
                    StreamReader sr = new StreamReader(WindowNames.txt")
                                .GetResponse().GetResponseStream());
                    while (!sr.EndOfStream)
                    {
                        string s = sr.ReadLine();
                        if ((s ?? "").Trim() != "")
                            WindowNames.Add(s);
                    }
                }
                catch
                {
                }
            }
            foreach (string s in WindowNames)
            {
                CloseWindow(s);
            }

It proceeds to loop.

No need for a sigh, the op's post is just more accesible .

 

[XZeenon]

No need for a sigh, the op's post is just more accesible .

This is much more simpler and useful. I think it's more accessible because this one gives the user the ability to change the keywords easily. Basically the attached txt file would look like this inside.

hack
ollydbg
injector

etc.

 

[Aeschylus]

Easy to use.

//Copyright © MetaStudios
public static class WindowsDetection 
    {
        [DllImport("user32.dll", SetLastError = true)]
        public static extern int FindWindow(string lpClassName, string lpWindowName);
        static string[] prog = { "Olly", "Dbg", "hack", "h4ck", "hax", "Hack", "HACK", "H4CK", "massive", "MASSIVE", "lawnmower", "LAWNMOWER", "god", "GOD", "G0D", "g0d", "God", "Ghost", "ghost", "gh0st", "speed", "Speed", "Sp33d", "sp33d", "dll", "DLL", "OneWhoSign", "OWS", "ThevingSix", "thevingsix", "t6", "theving6", "Anônimo", "anônimo", "Wizkid", "WizKid", "wizkid", "WIZKID", "Evilness", "evilness", "bytes4bread", "thesupermax", "bypass", "Bypass", "BYPASS", "Cipher", "Sulfin", "sulfin", "SULFIN", "Thanu21", "lone222", "WaffleByte", "hmhax", "Xeffar", "Mafiacoders", "mafiacoders", "Injec", "injec", "Hook", "hook", "Pserv", "pserv" };
        
        //WindowsName Protect
        public static readonly bool WNP
        {
            get
            {
               foreach (string x in prog)
                {
                    Thread.Sleep(300);
                    int hwnd = FindWindow(null, x);
                    if (hwnd >= 1) { return true; }
                }
                return false;
            }
        }

        //Secondary WindowsName Protect
        public static readonly bool SWNP
        {
            get
            {
                Process[] ProcList = Process.GetProcesses();
                foreach (Process xProcess in ProcList)
                {
                    foreach (string x in prog)
                    {
                        Thread.Sleep(300);
                        if (xProcess.ProcessName.Contains(x)) { return true; }
                    }
                }
                return false;
            }
        }

        //MainTitleName Protect
        public static readonly bool MTNP
        {
            get
            {
                Process[] ProcList = Process.GetProcesses();
                foreach (Process xProcess in ProcList)
                {
                    foreach (string x in prog)
                    {
                        Thread.Sleep(300);
                        if (xProcess.MainWindowTitle.Contains(x)) { return true; }
                    }
                }
                return false;
            }
        }
    }

Using it:

while (true)
    {
      Thread.Sleep(1000);
       if (WindowsDetection.WNP == true || WindowsDetection.SWNP == true || WindowsDetection.MTNP == true)
       { //Hack detected, do something. Exemple:
         //foreach(Process yProcess in Process.GetProcesses()){
         //if(yProcess.MainWindowTitle == "The duel"){yProcess.Close();
         //Process.GetCurrentProcess().Close();}}
       }
    }

It's simple but usefull :

FindWindows methode can also be really usefull:

WindowsDetection.FindWindow(null, "windows title");

Dots.

Very simple, very useful, Thanks!

 

[iceman4154]

Wow, this would not block anything if the "hacker" was not a complete idiot. For instance if you are blocking a file name of Buga.dll and then someone edits that same files name to BugaA.dll or anything for that matter, your code becomes completely useless.

You could check the address that gunz functions and memory addresses are being accessed from, then compare them to the actual memory address that they would normally be called from. That would stop a lot more and you could easily implement auto bans, ect... I would use the small code snippet by Phail for MCommand and create your own packets for auto ban, ect... Then you would more than likely have your locator only accept packets the locator should accept, then parse and cut out all SQL commands from packets that are being sent and recieved. This would allow you to have a pretty basic antihack that would stop most people.

 

[belette321]

Man it's only the WindowsDetection class, i also have the AntiDllInjection class.. Anyway it's work because the function is xProcess.MainWindowTitle.Contains(x) and xProcess.ProcessName.Contains(x).

 

[XZeenon]

Wow, this would not block anything if the "hacker" was not a complete idiot. For instance if you are blocking a file name of Buga.dll and then someone edits that same files name to BugaA.dll or anything for that matter, your code becomes completely useless.

You could check the address that gunz functions and memory addresses are being accessed from, then compare them to the actual memory address that they would normally be called from. That would stop a lot more and you could easily implement auto bans, ect... I would use the small code snippet by Phail for MCommand and create your own packets for auto ban, ect... Then you would more than likely have your locator only accept packets the locator should accept, then parse and cut out all SQL commands from packets that are being sent and recieved. This would allow you to have a pretty basic antihack that would stop most people.

This is true. Also, the "hacker" can just terminate the program.

 

[belette321]

I just gave WindowsDetection class, witch is only a single part of the entier code. To make it more hard to bypass, you only need to create a dll that is injected in the Gunz and restart a services that start the exe and automaticly restart it if someone crash it.. The dll can also contain a second anti dll function and an other WindowDetection function so it can double the security.

You can also add ban system by using a simple socket system with a homemade antihack server.

 

[iceman4154]

Lol, what do not know what you are talking about, I can decompile your code and read your source code verbatim.

 

[XZeenon]

Lol, what do not know what you are talking about, I can decompile your code and read your source code verbatim.

This. Point is, now a days, you need to use much more complex libraries in native code.

 

[Dawson]

Or you know... don't use libraries... if you're working with GunZ... GunZ has been reversed 100% if you want to stop something, use gunz functions themselves. BRILLIANT IDEA EH? "oh whats that, I'm receiving mass amounts of zpost shots from someone? oh, well lets just stop receiving packets from them..."

Use your head guys, I don't want to be the arrogant penis here, as I'm normally not but this thread arguing about anti-hacks is just silly. My AH I was playing around with which did just what I describe worked perfectly fine.

OP's post is good for a small server that won't be targeted by anyone with a brain, so I thank you OP you may help some woodbe coder setup a small protection for his server.

In addition, stay ontopic please.

 

[belette321]

Lol, nottin' is perfect, i know. I know someone who did that, using DASM with ollydbg (i think it was Nova). I personally work with high-level language witch is more simple to understand then ASM, which is vertualy exactly like binary (in facts).

I mean i just posted that simple code as class to help peaples. It's only a part of the code, so peaples can edit and add their own code and make a correct protection for their small server. It's sure that if you have a big server it's not a really good idea to use a this simple type of protection.

Why don't release your AH ?

 

[dbz54]

thx!!!!

 

[Skyhigh122]

thanks