Steam's anti-debugging code

I bought a few more Steam games on Friday (F.E.A.R. 3, Deus Ex, Brink, the Fallout series, Duke Nukem) and ran into the annoying crash-at-breakpoint again. This time, however, I decided to put some time into finding out why this is happening.

After a lot of googling I ran into this blog post:
http://nsylvain.blogspot.com/2007/08/threadhidefromdebugger-but-why.html

While it does not specifically mention Steam, it does explain why WinDbg (and other debuggers like OllyDbg and Cheat Engine) crash the game when a breakpoint is hit. Once a thread has the ThreadHideFromDebugger flag set, Windows no longer delivers that thread's debug events to the attached debugger, so the debugger never sees the breakpoint exception. The exception is instead handed to the game's own exception handling, which doesn't expect a breakpoint either, and the game crashes.

So I spent several hours figuring out ways to circumvent the "ThreadHideFromDebugger" flag.

At first I tried to undo the "ThreadHideFromDebugger" flag, but apparently once you've set this flag it stays on (there's no way to turn it off for a thread). I then tried to access the ETHREAD structure, which is what "NtSetInformationThread" modifies, but apparently you can't get at the ETHREAD structure from user space (at least not in any way that I could find).

So the only way to get rid of the "ThreadHideFromDebugger" flag is to not let the application set it in the first place. There are two ways to do this: stop it in user mode or in kernel mode. Kernel mode is nice, but it really isn't fun to BSOD your system a lot while developing the driver. Also, the whole 'it needs to be signed' part for x64 sucks. It is still a valid option, though, which I might look into.

Instead I decided to write a user-mode DLL which you inject into Steam. Once it's injected, you simply start the game you want to debug from within Steam and the DLL does all the work for you. It hooks three functions: CreateProcessA, CreateProcessW and NtSetInformationThread. The NtSetInformationThread hook is the one that actually stops the "ThreadHideFromDebugger" flag from being set; the CreateProcess hooks are there to get the same hooks into any game process that Steam launches, before the game's own code runs.
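
To make the two hooks concrete, here is an added example of their decision logic. It is not the author's DLL (whose source is not on this page); it is portable C that models the relevant Windows types and constants so it compiles without windows.h. The constant values (ThreadHideFromDebugger = 0x11, CREATE_SUSPENDED = 0x4, STATUS_INFO_LENGTH_MISMATCH = 0xC0000004) are the documented ones; `install_hook`, `Real_NtSetInformationThread` and the `sim_*` simulation of the real system call are names invented here so the file runs stand-alone. The one caveat a real hook must respect is shown too: the kernel rejects a ThreadHideFromDebugger call with a non-zero length, and a protector can exploit a hook that blindly returns success by passing a bad length and checking for that failure.

```c
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-ins for the Windows types and constants involved, so this
 * builds without windows.h. The numeric values are the documented ones. */
typedef long     NTSTATUS;
typedef uint32_t DWORD;
typedef uint32_t ULONG;
typedef void    *HANDLE;
typedef uint32_t THREADINFOCLASS;

#define STATUS_SUCCESS              ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define ThreadPriority              ((THREADINFOCLASS)2)
#define ThreadHideFromDebugger      ((THREADINFOCLASS)0x11)
#define CREATE_SUSPENDED            ((DWORD)0x00000004)

typedef NTSTATUS (*NtSetInformationThread_t)(HANDLE, THREADINFOCLASS, void *, ULONG);

/* Filled in by whatever detour library you use; in a real DLL this points at
 * ntdll!NtSetInformationThread. (install_hook is a hypothetical helper.) */
static NtSetInformationThread_t Real_NtSetInformationThread;
static unsigned blocked_hide_requests;

void install_hook(NtSetInformationThread_t original)
{
    Real_NtSetInformationThread = original;
    blocked_hide_requests = 0;
}

/* The detour. Every information class except ThreadHideFromDebugger is
 * forwarded untouched. For ThreadHideFromDebugger the real function is never
 * called (the flag cannot be cleared afterwards), but the kernel's argument
 * validation is reproduced: the genuine call fails with
 * STATUS_INFO_LENGTH_MISMATCH unless the length is 0, and a protector that
 * deliberately passes a bad length expects exactly that failure. */
NTSTATUS Hooked_NtSetInformationThread(HANDLE thread, THREADINFOCLASS cls,
                                       void *info, ULONG len)
{
    if (cls != ThreadHideFromDebugger)
        return Real_NtSetInformationThread(thread, cls, info, len);
    if (len != 0)
        return STATUS_INFO_LENGTH_MISMATCH;
    blocked_hide_requests++;
    return STATUS_SUCCESS;   /* the caller believes the thread is now hidden */
}

unsigned blocked_hide_request_count(void) { return blocked_hide_requests; }

/* CreateProcessA/W side: the game must be created suspended so the DLL can be
 * injected (and the hook above installed) before its first instruction runs.
 * If the caller did not ask for a suspended process, the hook has to
 * ResumeThread after injecting; *resume_after_inject reports that. */
DWORD creation_flags_for_injection(DWORD caller_flags, int *resume_after_inject)
{
    *resume_after_inject = (caller_flags & CREATE_SUSPENDED) == 0;
    return caller_flags | CREATE_SUSPENDED;
}

/* --- Simulation of the real system call, so the file runs stand-alone --- */
struct sim_thread { int hidden; int priority; };

static NTSTATUS sim_NtSetInformationThread(HANDLE h, THREADINFOCLASS cls,
                                           void *info, ULONG len)
{
    struct sim_thread *t = (struct sim_thread *)h;
    if (cls == ThreadHideFromDebugger) {
        if (len != 0) return STATUS_INFO_LENGTH_MISMATCH;
        t->hidden = 1;               /* what happens without the hook */
        return STATUS_SUCCESS;
    }
    if (cls == ThreadPriority) {
        if (len != sizeof(int)) return STATUS_INFO_LENGTH_MISMATCH;
        t->priority = *(int *)info;
        return STATUS_SUCCESS;
    }
    return STATUS_SUCCESS;
}

/* Plays a game's anti-debug call and an unrelated call through the hook;
 * returns the thread's hidden flag, which stays 0 when the hook works. */
int run_scenario(struct sim_thread *t)
{
    int prio = 2;
    install_hook(sim_NtSetInformationThread);
    Hooked_NtSetInformationThread(t, ThreadHideFromDebugger, NULL, 0);    /* blocked */
    Hooked_NtSetInformationThread(t, ThreadPriority, &prio, sizeof prio); /* forwarded */
    return t->hidden;
}

int main(void)
{
    struct sim_thread t = {0, 0};
    int hidden = run_scenario(&t);
    int resume = 0;
    DWORD flags = creation_flags_for_injection(0, &resume);
    printf("hidden=%d priority=%d blocked=%u flags=0x%x resume=%d\n",
           hidden, t.priority, blocked_hide_request_count(), flags, resume);
    return 0;
}
```

On a real target you can confirm the hook is doing its job before attaching WinDbg: on Vista and later, NtQueryInformationThread with the ThreadHideFromDebugger class reads the flag back as a BOOLEAN, and it should still be FALSE for the game's threads after the game has made its anti-debug calls.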

There's one big *read this*: do *not* start VAC games (and probably also PunkBuster games) with this DLL loaded into Steam! It will most likely get you banned. Also a small disclaimer: only use this to cheat in single-player games. Cheating in online games is wrong, mkay! ;)

You can download it here.

Posted by: Da_Teach on Sunday, August 07, 2011  •  C# Hack Cheat Engine WinDBG Anti-Debugger

  • So what does this DLL do? Does it allow you to cheat all by itself, or does it just circumvent the Steam anti-cheat protection (thereby allowing you to cheat with another tool like Cheat Engine)?
    And how do you use it? Just copy it to the Steam directory and run AntiDebuggerLoader.exe with Steam running? Or do you have to start a game first?
    Thanks for the effort in any case, I greatly appreciated your Defense Grid Trainer. :-)

    Alarion  •  07 Aug

  • Currently, when you try to use Cheat Engine's "Find out what access/writes to this address", you will crash some Steam games. If you inject the anti-anti-debug DLL into Steam before starting your game of choice, you can actually use the "Find out what access/writes to this address" function within Cheat Engine.

    For the more advanced people, it'll also allow you to use WinDbg / OllyDbg on the Steam games that used to crash when using either debugger.

    If the game has anti-cheat detection (like VAC/PunkBuster), then this DLL will get seen and you will get banned. It does not try to hide itself in any way, shape or form.

    I use this to be able to debug a game to find the more advanced cheats or to find static addresses, which was hard without being able to debug.

    Da_Teach  •  07 Aug

  • Hi, thanks for this!! I tried injecting into Steam and all, but it did not work (for Deus Ex).

    ch33ch  •  25 Aug

  • Just another question: did you test this with Deus Ex? =) Because Deus Ex really closes on "Find out what writes to this address", even injected. Any ideas? If I could help in any way, too.

    ch33ch  •  25 Aug

  • I'll look into Deus Ex tomorrow/Sunday; it could be that it uses another method, and it could also be that the injection fails for Deus Ex.

    Da_Teach  •  26 Aug

  • Thank you very much, I'd appreciate that =) If you'd like, you can email me.

    Cheers

    ch33ch  •  27 Aug

  • I'm sorry about the duplicate message. Anyway, I was looking into Deus Ex (Olly) and I found an isDebugger text reference (not IsDebuggerPresent, but only isDebugger). I checked it out and cancelled it, like NOPing the jnz, and nothing seemed to happen... but still checking it out...

    ch33ch  •  27 Aug

  • OK, I got Deus Ex to run in VMware on Win XP and I tried kernel mode and all, and "Find out what writes" makes the game close. I wonder, would DBVM in Win XP in VMware work...

    ch33ch  •  28 Aug

  • OK, DBVM is only for 64-bit... XP 32-bit in this case.

    Tried to inject your DLL on VMware XP: error on opening the .exe because of the .NET framework, I don't know why it won't install...

    ch33ch  •  28 Aug

  • I've taken a quick look at it and it seems that the game just exits the moment a debugger is attached. It's not the same as the other games, and I suspect it utilizes other anti-debugger tricks.

    I'll look into it; I'll start with disabling tricks like IsDebuggerPresent, etc. I'll let you know what the outcome is.

    Da_Teach  •  28 Aug

  • OK, I'll be checking that out also =)

    ch33ch  •  28 Aug

  • Well, I disabled most of the anti-debugger techniques (not all of them, though) and it still crashes. I'll find it, if it's the last thing I do :)

    Da_Teach  •  29 Aug

  • Nice!
    I support that and would like to help!
    Could you email me where I could search for this also? I'd appreciate it if you do.

    ch33ch  •  30 Aug

  • I tested Deus Ex Steam edition:

    VMware and Win XP kernel mode on Cheat Engine 6.1 did not work.

    I tested on Win 7 64 with Cheat Engine 6.1 VEH debugger, did not work. Then I started Ollying a bit and I found an isDebugger text reference... still NOPed those addresses and nothing, I mean, it did not work... that's it for now... I'll be testing further...

    ch33ch  •  30 Aug

  • I got 0 results till now, it still closes. I must find this, still searching... lol

    ch33ch  •  03 Sep

  • Great read. I've had this same issue with a MMORPG I was debugging some time ago.

    Manoer  •  04 Sep

  • I've seen some trainers out there, and on ce.org I saw a CE script, so the person must have broken the code... I still haven't.

    ch33ch  •  07 Sep

  • Steam update today also.. lol

    ch33ch  •  07 Sep

  • I have found a way. Just use Win XP or 7 32-bit with debugger mode on CE and use Global Routine checked on...!!!

    ch33ch  •  24 Oct

  • Thanks! I have been trying to hack Borderlands and I was unable to successfully use breakpoints. Injecting your DLL fixed the problem.

    dcx2  •  26 Nov
