Process Hacker and Windows discussion

 
Lance_Lake
Member
Posts: 18

Re: VAC banned by Process Hacker

23 Jun 2017, 18:56

or wait... Am I to understand option 2 means that PH is no longer an issue for running with VAC servers?
 
emakemae

VAC ban

26 Jun 2017, 09:51

Has anyone in recent time (since v2.39) gotten an actual VAC ban from using ph?
 
NVinside
New User
Posts: 1
OS: Windows 10 X64 LTSB
Location: Swiss

Re: VAC banned by Process Hacker

07 Jul 2017, 15:10

Not only VAC, also BattlEye.

 
viksoftru
Member
Posts: 529
OS: Win7 (Live! DVD), BSD

Re: VAC banned by Process Hacker

07 Jul 2017, 21:02

To check, try temporarily stopping the driver KProcessHacker2 (KProcessHacker3) -> Services tab - Ctrl-K -> KprocessHacker... -> Apps or RMsClick -> Stop and test the game again.
 
dmex
Admin
Posts: 1386
Location: Australia

Re: VAC banned by Process Hacker

08 Jul 2017, 11:20

NVinside wrote:
07 Jul 2017, 15:10
Not only VAC, also BattlEye.

Sorry about that... I accidentally merged some changes yesterday that were not compatible with BattlEye and the nightly builds were automatically blocked by BattlEye anticheat protection. I've reverted those changes and it's fixed the problem. Please update to the latest nightly build and you'll be able to use Process Hacker with BattlEye once again.

If anyone is still having issues with BattlEye after updating to the nightly release then please create a new bug report :thumbup:


RE: VAC

Valve refuses to discuss why they're blocking Process Hacker and we have not been able to identify code or reproduce evidence of Process Hacker having ever been used to cheat in any Valve games.

The simple fact that you're only kicked from Valve games instead of getting permanently banned shows that Valve also don't even consider Process Hacker a cheating tool.

Process Hacker is also compatible with BattlEye anti-cheat and all features are compatible with BattlEye protected games. Both of those features they want removed can be very easily disabled using the ObRegisterCallbacks API and if Valve was using that function they would be able to block a large number of cheaters overnight and every other anti-cheat has been using that function for this exact reason (e.g. BattlEye).

All Valve is doing by blocking Process Hacker is preventing users from being able to identify performance problems and from being able to check processes for malicious activity and what does removing features exactly achieve when those features can be easily disabled?

Here's what every other anti-cheat company has done:
1. Downloaded this code: https://github.com/Microsoft/Windows-dr ... obcallback
2. Compiled it.
3. Signed it.
4. Used it.
5. Stopped blocking Process Hacker.

Microsoft wrote that code for this exact reason and it's very easy to set up and configure... Valve already have a certificate to sign the code so this whole process would take less than an hour to configure and set up but here we are 1 year and 7 months later and Valve has done absolutely nothing to stop anyone cheating and continued to target Process Hacker instead... :?
 
Lance_Lake
Member
Posts: 18

Re: VAC banned by Process Hacker

08 Jul 2017, 12:20

As I saw the message from Valve, can't you just show the warning and then they can approve it?

It sounds like they are willing to fix the issue.
 
TETYYS
Plugin Developer
Posts: 492
OS: Win 10 x64

Re: VAC banned by Process Hacker

08 Jul 2017, 12:21

Lance_Lake wrote:
08 Jul 2017, 12:20
It sounds like they are willing to fix the issue.
for 18 months already
 
Lance_Lake
Member
Posts: 18

Re: VAC banned by Process Hacker

08 Jul 2017, 12:24

He was told 2 solutions. I understand how he doesn't want to do number one. But number two sounds reasonable. Has he put in the warning and Valve won't follow through?
 
TETYYS
Plugin Developer
Posts: 492
OS: Win 10 x64

Re: VAC banned by Process Hacker

08 Jul 2017, 12:26

Do you think Valve will bother to implement something that doesn't make money for 0.01% of players instead of just blocking them?
 
Lance_Lake
Member
Posts: 18

Re: VAC banned by Process Hacker

08 Jul 2017, 12:29

They said that they would. They don't have to implement anything. As I read it, it is up to DMX to show the warning.

Have you tried doing this and telling Valve that it has it now?
 
dmex
Admin
Posts: 1386
Location: Australia

Re: VAC banned by Process Hacker

08 Jul 2017, 14:38

Lance_Lake wrote:
08 Jul 2017, 12:20
It sounds like they are willing to fix the issue.
That email was from almost two years ago... Valve have not replied even once to at least 5 emails and 3 support tickets over the last 18 months.
Lance_Lake wrote:
08 Jul 2017, 12:20
As I saw the message from Valve, can't you just show the warning and then they can approve it?
Warning messages were the first thing we added:
https://github.com/processhacker2/plugi ... alog.c#L27

That code used to be part of Process Hacker but it was discontinued and removed 11 months ago. The terminator was a feature for terminating malware processes and rootkits using 13 or so different methods of terminating a process on Windows and one of those methods would overwrite process memory with garbage (NULLs) - which causes the process to terminate - but writing to process memory (even when it's just zeros which does nothing!) triggered a VAC account ban.

A number of users including Jason Fossen (SANS Institute) have already mentioned how useful the feature was for SANS training courses on this thread:
viewtopic.php?f=5&t=2295&p=8054#p7746

Alex Ionescu (CrowdStrike) and Jason Fossen (SANS) have included Process Hacker as part of their IT security training courses and train thousands of developers every year. Those exact same features are compatible with BattlEye and are easily disabled so why should we destroy valuable security training for developers based on a single email from an anonymous Valve email address when it's completely unnecessary?
Lance_Lake wrote:
08 Jul 2017, 12:29
They said that they would. They don't have to implement anything.
If Valve were using the ObRegisterCallbacks routine then we wouldn't need to implement anything either. The ObRegisterCallbacks routine is how anti-cheat software like BattlEye blocks Process Hacker features and there's even code on GitHub from Microsoft showing how it works.
 
Lance_Lake
Member
Posts: 18

Re: VAC banned by Process Hacker

08 Jul 2017, 14:44

Ok. I will see what I can find out. I know some people in the company and I will see if I can push this forward. It should've been handled by now.

Though I will point out that VAC is not going to do what you suggest since the delayed banning is part of what makes VAC effective (and no, I don't want to get into a debate as to if it is or not). But let me see what is going on.
 
Dredd47

Re: VAC banned by Process Hacker

20 Nov 2017, 00:37

Hello,

Do you have news from Valve?
 
labak
New User
Posts: 1
OS: Windows 10 64bit
Location: Stockholm

Re: VAC banned by Process Hacker

22 Nov 2017, 19:53

Since one of the latest Dota 2 patches, I don't get any error if PH2 is running in the background. Earlier, I had to restart the game and Steam as well after every game, but not anymore.
 
Shigbeard_

Re: VAC banned by Process Hacker

30 Dec 2017, 12:28

I can still confirm that on CS:GO using the nightly builds, I cannot play CS:GO with PH running. I've personally tried to raise a response out of the Steam community, and everyone is adamant that PH is interfering with VAC, despite all evidence to the contrary.

It's quite clear at this stage that VAC is simply operating on a mixed black/white list. It will search for writable handles to processes it is supposed to protect that aren't on a whitelist, and search for software that is on a blacklist... and if it detects either, it will trigger a deauth.

The most annoying part about all of this is the delay on Valve's part. Sometimes the deauth won't trigger for at least 30 minutes after you have started playing, even if PH was only running for a split second. Once that deauth has triggered, you won't get reauthed until you restart your computer, restart Steam, and restart the game... AND EVEN THEN you have to wait another 10 to 15 minutes for VAC to reauth, and by that time you've been given a cooldown from competitive for abandoning a match.

I know there isn't much that you can do dmux but is there a chance you could release a "VAC friendly" version, that is clearly missing those features (and just to shut Valve up, opens a pop-up on start saying "This is the VAC Safe version of Process Hacker (You could call it Process VACker), and is missing a large number of features in order to maintain compatibility with Valve Anti-Cheat" or something to that tune)? Even if it didn't receive regular updates that'd be ok.
 
Lance_Lake
Member
Posts: 18

Re: VAC banned by Process Hacker

30 Dec 2017, 16:28

Shigbeard_ wrote:
30 Dec 2017, 12:28
I know there isn't much that you can do dmux but is there a chance you could release a "VAC friendly" version, that is clearly missing those features (and just to shut Valve up, opens a pop-up on start saying "This is the VAC Safe version of Process Hacker (You could call it Process VACker), and is missing a large number of features in order to maintain compatibility with Valve Anti-Cheat" or something to that tune)? Even if it didn't receive regular updates that'd be ok.
Yes. Please. This is pretty much all we are asking for. :)
 
Lance_Lake
Member
Posts: 18

Re: VAC banned by Process Hacker

04 Jan 2018, 16:17

So I got a hold of someone from Valve.

Unfortunately, the problem is actually that PH allows trivial cheat injection, and I believe it always opens a handle for write to processes on the system, including CSGO. This makes it impossible for VAC to tell whether a user is using PH in a passive manner (as a procmon replacement), or as a way to get their cheats into CSGO. Hope this helps clarify things.

So can you make a version that doesn't do that? It seems like that's all they pretty much want.
 
TETYYS
Plugin Developer
Posts: 492
OS: Win 10 x64

Re: VAC banned by Process Hacker

04 Jan 2018, 23:15

Lance_Lake wrote:
04 Jan 2018, 16:17
So I got a hold of someone from Valve.

Unfortunately, the problem is actually that PH allows trivial cheat injection, and I believe it always opens a handle for write to processes on the system, including CSGO. This makes it impossible for VAC to tell whether a user is using PH in a passive manner (as a procmon replacement), or as a way to get their cheats into CSGO. Hope this helps clarify things.

So can you make a version that doesn't do that? It seems like that's all they pretty much want.
That's not a problem of PH, it's a problem of VAC. Why can't they just deny open handle requests?
 
Lance_Lake
Member
Posts: 18

Re: VAC banned by Process Hacker

05 Jan 2018, 02:32

Saying it's a problem of VAC and not PH is not helpful here.

If the developer of this made a version that didn't make it possible to inject code into processes, then that would be approved. I have the VAC team's word that they would approve it if that issue was taken care of.

So please release a version that will have the ability to inject code removed so we can continue to use (and support) your program.
 
dmex
Admin
Posts: 1386
Location: Australia

Re: VAC banned by Process Hacker

17 Jan 2018, 20:15

Lance_Lake wrote:
04 Jan 2018, 16:17
I believe it always opens a handle for write to processes on the system, including CSGO.
No.

Process Hacker does not create writable handles by default. If Process Hacker has created a writable handle it's because you've modified the source code, intentionally injected code or modified memory. You can see the handles Process Hacker creates by selecting the handles tab for the ProcessHacker.exe process (or even the source code on GitHub)...

https://i.imgur.com/7wOigIu.png (v2.39 stable)
https://i.imgur.com/ewSadt3.png (nightly)
Lance_Lake wrote:
05 Jan 2018, 02:32
Saying it's a problem of VAC and not PH is not helpful here.
VAC is the only anticheat that doesn't use the ObRegisterCallbacks function (which blocks injection) and instead specifically targets Process Hacker... :evil:
Lance_Lake wrote:
05 Jan 2018, 02:32
If the developer of this made a version that didn't make it possible to inject code into processes, then that would be approved.
There are better and more reliable alternatives to achieve the exact same result.

For example using the LdrRegisterDllNotification function or the DLL_THREAD_ATTACH notification (both functions detect injection by Process Hacker) or even block injection entirely using the ObRegisterCallbacks function. Microsoft created the ObRegisterCallbacks function 12 years ago to block the exact same feature Valve wants removed and every other anti-cheat client currently uses those functions for that exact reason.
Lance_Lake wrote:
05 Jan 2018, 02:32
I have the VAC team's word that they would approve it if that issue was taken care of.
Ok. I removed that feature from the nightly build and Valve are still blocking Process Hacker? :?
https://github.com/processhacker2/proce ... 4c65286fd5
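
Added example, not part of any post in this thread and not code from Process Hacker, Valve, BattlEye or Microsoft's sample: a portable C model of the access-mask narrowing that a pre-operation callback registered through ObRegisterCallbacks can apply to handle requests against a protected process. The `handle_request` struct, the function names and the PIDs are hypothetical stand-ins; in a real driver the mask is the `DesiredAccess` field of the callback's create or duplicate handle information.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Process access rights, values as defined in the Windows SDK (winnt.h). */
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define PROCESS_ALL_ACCESS                0x1FFFFFu

/* Rights a caller needs to write memory or start a thread in the target. */
#define INJECTION_RIGHTS \
    (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE)

/* Hypothetical stand-in for what a pre-operation callback is told. */
typedef struct {
    uint32_t caller_pid;     /* process asking for the handle */
    uint32_t target_pid;     /* process the handle would refer to */
    bool     kernel_handle;  /* request originates in kernel mode */
    uint32_t desired_access; /* mask the callback is allowed to narrow */
} handle_request;

/* Return the access mask to grant: the request itself is never failed,
   the injection-capable bits are simply removed for the protected PID. */
uint32_t filter_access(const handle_request *req, uint32_t protected_pid)
{
    if (req->kernel_handle || req->target_pid != protected_pid ||
        req->caller_pid == protected_pid)
        return req->desired_access;          /* not ours to restrict */
    return req->desired_access & ~INJECTION_RIGHTS;
}

/* True when a granted mask still allows memory writes or thread creation. */
bool is_writable_handle(uint32_t granted)
{
    return (granted & INJECTION_RIGHTS) != 0;
}

int main(void)
{
    /* Constructed sample: PID 4242 is the protected game, 1000 a tool. */
    handle_request full = { 1000, 4242, false, PROCESS_ALL_ACCESS };
    handle_request view = { 1000, 4242, false,
                            PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ };
    printf("full: %06X -> %06X\n", (unsigned)full.desired_access,
           (unsigned)filter_access(&full, 4242));
    printf("view: %06X -> %06X\n", (unsigned)view.desired_access,
           (unsigned)filter_access(&view, 4242));
    return 0;
}
```

A monitoring tool that only asks for query and read rights passes through unchanged, while a request for full access comes back without the write, VM-operation and thread-creation bits.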
