Thread: Exe Suspender and Task Manager, For AntiCheatSystem Analyzing

Hi everyone
This is my new topic. I wrote this program for suspending the game. When i want to connect the game with Game Title, the game title was Null. So i was changing the title and after connecting to the game. Then, the anticheat system is developped and it was closing the game when the game title is changed. I thought, if i suspend the program, all the system and anticheat will be disabled and i could use my titlechanger. It worked !

After that, i put a timer, and when an exe is started to run, the program is immediately suspending the game. I am using Cheat Engine and searching for where the anticheat system starts to run or opens the game. I use simply "Nop" and "Jump" for disabling anticheats some. So this program is really helpful for the game hackers. Because when the exe is loading, you can debug it step by step.
Here is a screenshot from my program. I used Vb6 to write it.
rac1 pro tools.PNG
To describe my program simply;
1- It can be used as taskmanager,
2- It can be used as suspender.



You can suspend a program in two ways;
- Use the listbox to choose the exe,
- Enter the exe name manually into textbox.

Here is a simplified photo
proc tools v2.png

The suspender Module, (not source, code inside)

Code:

Option Explicit

Private Type THREADENTRY32
        dwSize As Long
        cntUsage As Long
        th32ThreadID As Long
        th32OwnerProcessID As Long
        tpBasePri As Long
        tpDeltaPri As Long
        dwFlags As Long
End Type

Private Const STANDARD_RIGHTS_REQUIRED = &HF0000
Private Const SYNCHRONIZE = &H100000
Private Const THREAD_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &H3FF

Private Const TH32CS_SNAPTHREAD = &H4

Private Declare Function SuspendThread Lib "kernel32" (ByVal hthread As Long) As Long
Private Declare Function ResumeThread Lib "kernel32" (ByVal hthread As Long) As Long
Private Declare Function OpenThread Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long

Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal dwProcessId As Long) As Long
Private Declare Function Thread32First Lib "kernel32" (ByVal hObject As Long, p As THREADENTRY32) As Boolean
Private Declare Function Thread32Next Lib "kernel32" (ByVal hObject As Long, p As THREADENTRY32) As Boolean

Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Public Sub GetThreads(pID As Long)

Form1.lstThreads.ListItems.Clear
Dim hsnapshot As Long
Dim htthread As Long
Dim pthread As Boolean
Dim pt As THREADENTRY32
Dim mList As ListItem

hsnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0)
pt.dwSize = Len(pt)
pthread = Thread32First(hsnapshot, pt)

While pthread
        htthread = OpenThread(THREAD_ALL_ACCESS, 0, pt.th32ThreadID)
        If htthread <> 0 And pt.th32OwnerProcessID = pID Then
        Set mList = Form1.lstThreads.ListItems.Add(, , htthread)
        mList.SubItems(1) = pt.th32ThreadID
        mList.SubItems(2) = pt.cntUsage
        mList.SubItems(3) = pt.dwFlags
        mList.SubItems(4) = pt.dwSize
        mList.SubItems(5) = pt.tpBasePri
        mList.SubItems(6) = pt.tpDeltaPri
        mList.SubItems(7) = "Active"
        End If
        pthread = Thread32Next(hsnapshot, pt)
Wend
CloseHandle hsnapshot
End Sub

Public Function GetKOPID() As Long
Dim pID As Long, wHandle As Long

wHandle = FindWindow(vbNullString, Form1.Text1)
If wHandle > 0 Then
        GetWindowThreadProcessId wHandle, pID
        If pID > 0 Then GetKOPID = pID
End If
End Function

Public Function SuspendMe(ThreadID As Long) As Boolean
Dim ret As Long
ret = SuspendThread(ThreadID)
'MsgBox ThreadID

If ret <> -1 Then SuspendMe = True
End Function

Public Function ResumeMe(ThreadID As Long) As Boolean
Dim ret As Long
ret = ResumeThread(ThreadID)
If ret <> -1 Then ResumeMe = True
End Function

Function EnableTPT()
If Form1.lstThreads.ListItems.Count > 0 Then
        Dim i As Integer
        Dim tptID
        
        For i = 1 To Form1.lstThreads.ListItems.Count
                tptID = Form1.lstThreads.ListItems.Item(i).Text
                Debug.Print tptID
                        If CLng(tptID) > 0 Then
                        Dim ret As Boolean
                        ret = ResumeMe(CLng(tptID))
                                If ret Then
                                'MsgBox "Thread Suspended.", vbInformation, "Succeed"
                                Else
                                 If i = 1 Then MsgBox "Thread Suspending Failed (" & tptID & ")"
                                 
                                End If
                        End If
        Next i
End If
End Function

Function DisableTPT()
If Form1.lstThreads.ListItems.Count > 0 Then
        Dim i As Integer
        Dim tptID
        
        For i = 1 To Form1.lstThreads.ListItems.Count
                tptID = Form1.lstThreads.ListItems.Item(i).Text
                Debug.Print tptID
                        If CLng(tptID) > 0 Then
                        Dim ret As Boolean
                        ret = SuspendMe(CLng(tptID))
                                If ret Then
                                'MsgBox "Thread Suspended.", vbInformation, "Succeed"
                                Else
                                 If i = 1 Then MsgBox "Thread Suspending Failed (" & tptID & ")"
                                 
                                End If
                        End If
        Next i
End If
End Function




Public Sub GetThreadsSuspended(pID As Long)

Form1.lstThreads.ListItems.Clear
Dim hsnapshot As Long
Dim htthread As Long
Dim pthread As Boolean
Dim pt As THREADENTRY32
Dim mList As ListItem

hsnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0)
pt.dwSize = Len(pt)
pthread = Thread32First(hsnapshot, pt)

While pthread
        htthread = OpenThread(THREAD_ALL_ACCESS, 0, pt.th32ThreadID)
        If htthread <> 0 And pt.th32OwnerProcessID = pID Then
        Set mList = Form1.lstThreads.ListItems.Add(, , htthread)
        mList.SubItems(1) = pt.th32ThreadID
        mList.SubItems(2) = pt.cntUsage
        mList.SubItems(3) = pt.dwFlags
        mList.SubItems(4) = pt.dwSize
        mList.SubItems(5) = pt.tpBasePri
        mList.SubItems(6) = pt.tpDeltaPri
        mList.SubItems(7) = "SUSPENDED"
        End If
        pthread = Thread32Next(hsnapshot, pt)
Wend
CloseHandle hsnapshot
End Sub

Function WindowToProcessId(ByVal hwnd As Long) As Long
    Dim lpProc As Long
    Call GetWindowThreadProcessId(hwnd, lpProc)
    WindowToProcessId = lpProc
End Function


Function ControlMeForSuspend(ko_pid As Long) As Boolean
    
    Dim mykohandle, mykopid As Long
    
    mykohandle = FindWindow(vbNullString, App.Title)
    mykopid = WindowToProcessId(mykohandle)
    'MsgBox mykohandle
    'MsgBox mykopid
   
    
    If WindowToProcessId(FindWindow(vbNullString, App.Title)) = ko_pid Then
     ControlMeForSuspend = 1
     Else
     ControlMeForSuspend = 0
     End If

End Function

suspender_ProcessTools.rar