March 29, 2022
HEX DEREF PRO has an advanced DKOM (direct kernel object manipulation) functionality that enables you to make an undetected Cheat Engine. The Cheat Engine or any other user mode process can be hidden with a mouse click, including its elevated process handle object that enables memory scans on a protected game process. This technique bypasses every user mode anti-cheat. The solution in HEX DEREF has been tested against the following kernel level anti-cheats without resulting in a ban: EAC and BattlEye. The two are the most used mainstream anti-cheat solutions.
You can purchase the professional version of the software using this link: HEX DEREF PRO
The lab was performed on Windows 10 Pro x64 21H2 without a PatchGuard BSOD at the time of writing.
From a technical perspective, it's not that simple to make Cheat Engine undetectable. CE attaches itself to the game process using the OpenProcess() API. Upon attaching to a process, a handle object is created with the desired access rights on the process object. Even the game process itself can detect that your handle object has read and/or write (RW) access rights to the game process. You cannot use CE scripts in the game unless the handle has read access. By default, every kernel level anti-cheat strips such access rights from handles to a protected game process. Therefore, DKOM functionality is needed to make an undetectable Cheat Engine.
To back up the claim about the effectiveness of this functionality: the hidden process object was visible neither to the kernel debugger nor to Volatility 3 2.0.1 hidden process detection, as shown in the video. The following scan methods could not find the process hidden by the kernel driver's DKOM: windows.pslist.PsList, windows.psscan.PsScan, windows.pstree.PsTree
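From the defender's side, the standard answer to a process unlinked from the kernel's active process list is cross-view analysis: enumerate processes through several independent kernel structures (the ActiveProcessLinks walk, pool scanning, thread objects, handle tables) and report every PID on which the views disagree. The script below is an added illustration of that comparison and is not part of HEX DEREF PRO or of Volatility; the view names, the line format and the PIDs are constructed for the example, and the function names (`parse_views`, `cross_view`, `hidden_candidates`) are assumptions made here.

```python
"""Cross-view detection of a DKOM-hidden process (added example, constructed data).

A process removed from the EPROCESS linked list vanishes from list walkers such as
pslist, but other structures that still reference it rarely all agree. Comparing
independent enumeration views and flagging disagreements is the classic detection
approach. The input lines are a constructed 'view pid name' format, not real
Volatility output, and the view names are illustrative only.
"""
from collections import defaultdict

# Constructed sample: one line per (view, pid, image name). PID 4242 appears only
# in the two views that do not depend on the active process linked list.
SAMPLE_VIEWS = """\
pslist 4 System
pslist 688 csrss.exe
pslist 1200 explorer.exe
pslist 3312 game.exe
psscan 4 System
psscan 688 csrss.exe
psscan 1200 explorer.exe
psscan 3312 game.exe
thrdscan 4 System
thrdscan 688 csrss.exe
thrdscan 1200 explorer.exe
thrdscan 3312 game.exe
thrdscan 4242 cheatengine-x86_64.exe
handles 4 System
handles 688 csrss.exe
handles 1200 explorer.exe
handles 3312 game.exe
handles 4242 cheatengine-x86_64.exe
"""


def parse_views(text):
    """Return {view: {pid: name}} from 'view pid name' lines; blank and '#' lines are skipped."""
    views = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[1].isdigit():
            raise ValueError(f"line {lineno}: expected 'view pid name', got {raw!r}")
        view, pid, name = parts
        views[view][int(pid)] = name
    return dict(views)


def cross_view(views):
    """Return {pid: (name, seen_in, missing_from)} for every pid absent from at least one view."""
    all_pids = set()
    for table in views.values():
        all_pids |= table.keys()
    findings = {}
    for pid in sorted(all_pids):
        seen = sorted(v for v, table in views.items() if pid in table)
        missing = sorted(v for v in views if v not in seen)
        if missing:
            findings[pid] = (views[seen[0]][pid], seen, missing)
    return findings


def hidden_candidates(views, list_view="pslist"):
    """Strongest signal: pids found by some scan-based view but absent from the list walk."""
    if list_view not in views:
        raise KeyError(f"no view named {list_view!r}")
    return {
        pid: name
        for pid, (name, _seen, missing) in cross_view(views).items()
        if list_view in missing
    }


def report(text):
    """Parse, compare, and return one human-readable line per discrepancy."""
    return [
        f"pid {pid} ({name}): seen in {','.join(seen)}; missing from {','.join(missing)}"
        for pid, (name, seen, missing) in cross_view(parse_views(text)).items()
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_VIEWS):
        print(line)
```

Any disagreement between views deserves triage, but the case that matters most for this article is a PID that some scan-based view still finds while the active list walk does not; `hidden_candidates` isolates exactly that set. In practice the views should come from sources the hiding driver has not also tampered with, which is why analysts combine memory-image plugins with independent telemetry rather than relying on a single list.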
To get a fully undetected Cheat Engine, you will also need to hide its strings in memory. You can discuss the article in the official SUPPORT THREAD of the software.