KR101249764B1 - method for detecting and blocking game-hack process - Google Patents

Publication number
KR101249764B1
Authority
KR
South Korea
Prior art keywords
game
cpu
access
security
hack
Prior art date
Application number
KR1020100076787A
Other languages
Korean (ko)
Other versions
KR20120014674A (en)
Inventor
김찬호
노재훈
김인환
이재혁
김명수
윤상진
Original Assignee
주식회사 잉카인터넷
Application filed by 주식회사 잉카인터넷
Priority to KR1020100076787A
Priority to PCT/KR2011/005720 (WO2012020948A2)
Publication of KR20120014674A
Application granted
Publication of KR101249764B1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present invention relates to a method for detecting, and blocking the execution of, an access-blocked game hack process, that is, a game hack process that runs on the gamer's client system and to which access is blocked.
The method for detecting an access-blocked game hack process according to the present invention includes a first step in which a security process stores a list of access-permitted running processes; a second step in which the security process extracts information on the process to which the CPU is allocated (the CPU allocation process); and a third step in which the security process determines the CPU allocation process to be an access-blocked game hack if the CPU allocation process is not included in the list of access-permitted running processes.

Description

Method for detecting and blocking game-hack process

The present invention relates to a method for detecting a game hack process, and more particularly, to a method for detecting and blocking the execution of a game hack process that runs on the gamer's client system and to which access is blocked.

The widespread use of high-speed Internet has led to rapid growth of the online game population and the development of numerous online games. However, the concept of game security is still weak. Illegal programs on computers are called hacks or hacking programs, and hacks or hacking programs used in games are called game hacks. Game hacks are programs that manipulate the files, memory, and so on of a particular game process.

Game hacks allow gamers to win games easily by manipulating the game's memory to change certain data, such as stats and stamina, by increasing the speed or number of blows in martial arts games, or by providing macro functions. This is why gamers want to install game hacks for online games. However, the use of game hacks in online games causes problems such as a breakdown of balance among users and a heavy load on the game server. In other words, if some users play while benefiting in an abnormal way, the balance with other users is broken, and in serious cases the overall balance of the online game is broken and the game server is overloaded.

Therefore, game providers install a security program on the gamer's system along with the game. When the user runs the game program, the game process is executed and the security process is executed in succession. In addition, if the gamer stops the security process while the game is running, the game process is also stopped. That is, the security process runs together with the game process during the online game, and the running security process blocks the execution of game hacks.

Generally, a 'program' or a 'file' refers to a set of instructions written to be executed on a computer, and a 'process' refers to a program running on the computer. That is, the game program runs as a game process on the gamer's computer, the security program runs as the security process, and the security process detects and blocks the game hacks running on the computer.

The security process accesses an arbitrary process executed during the game and analyzes its characteristics to determine whether it is a game hack, and if it is determined to be a game hack, blocks the execution of the game process or game hack process.

In this way, the security process accesses a specific process and analyzes its characteristics to determine whether the process is a game hack, thereby preventing the gamer from running the game hack. Recently, however, some game hacks hide themselves from the security process by manipulating kernel APIs, or prevent the security process from obtaining a handle object for the game hack. This is called access blocking. Because the security process cannot access an access-blocked game hack, it can neither analyze the hack's characteristics nor block its execution.

That is, the game security process typically detects game hacks using the handle object. Since an access-blocked game hack prevents the security process from obtaining the hack's handle object, the game security process, which operates through the handle object of a process, can neither monitor nor block it. Likewise, if the game hack makes scanning of its process memory wholly or partially impossible, the security process cannot control or block it. A countermeasure against this is therefore required.

An object of the present invention, which is devised to solve the above-mentioned problems of the prior art, is to provide a method for detecting an access-blocked game hack and blocking its execution.

In accordance with an aspect of the present invention, there is provided a method for detecting an access-blocked game hack process, comprising: a first step in which a security process stores a list of access-permitted running processes; a second step in which the security process extracts information on the process to which the central processing unit (CPU) is allocated (the CPU allocation process); and a third step in which the security process determines the CPU allocation process to be an access-blocked game hack if the CPU allocation process is not included in the list of access-permitted running processes.

In addition, the method for blocking the execution of an access-blocked game hack process according to the present invention comprises: a first step in which the security process stores the list of access-permitted running processes; a second step in which the security process extracts information on the process to which the central processing unit (CPU) is allocated (the CPU allocation process); a third step in which the security process determines the CPU allocation process to be an access-blocked game hack if the CPU allocation process is not included in the list of access-permitted running processes; and a fourth step of preventing the CPU from being allocated to the access-blocked game hack.

As described above, according to the present invention, an access-blocked game hack can be detected, which has the advantage of preventing gamers from using game hacks in online games.

FIG. 1 is a diagram illustrating a CPU allocation environment in a Windows operating system.
FIG. 2 is an operation flowchart illustrating a method for detecting an access-blocked game hack process according to an embodiment of the present invention.

Hereinafter, a method for detecting an access-blocked game hack process and blocking its execution according to an embodiment of the present invention will be described in more detail with reference to the accompanying drawings.

FIG. 1 is a diagram illustrating a context switch implementation in a Windows operating system.

Typically, computer hardware includes a central processing unit (CPU) 110 and a memory 120, and a Windows operating system 121 is loaded into the memory 120. Under the Windows operating system 121, a plurality of processes 122a, 122b, 122c, and 122d may run at the same time. Every process 122a, 122b, 122c, and 122d must be given the CPU 110 in order to operate, and the processes are scheduled according to their priorities and occupy the CPU 110 in turn. The CPU 110 cannot be occupied by two or more processes at once; only one process occupies it at a time.

A process occupying the CPU 110 keeps the CPU until it waits for I/O work, is interrupted by the kernel, stops using the CPU, or uses up its maximum execution time (quantum).

The processes that want to use the CPU 110 place their work contents in the queue 123 corresponding to their priority and wait; when the CPU becomes available, the scheduler of the Windows operating system 121 passes the work contents of the process waiting in the highest-priority queue 123 to the CPU 110. At this time, the Windows operating system 121 requests the CPU 110 to end the work of the existing process and perform the work of the new process; this is called a context switch.

All processes running on the Windows operating system 121, namely the game process 122a, the access-permitted game hack process 122b, the access-blocked game hack process 122c, and the security process 122d, must be allocated CPU time in order to operate on the computer.

The present invention is based on this operating principle of the computer system: the security process monitors the context switches performed by the scheduler of the Windows operating system 121 and thereby detects the access-blocked game hack process.

FIG. 2 is an operation flowchart illustrating a method for detecting an access-blocked game hack process according to an embodiment of the present invention. Naturally, the security process itself must be allocated the CPU in order to execute the detection method according to the present invention. Typically, one quantum, the CPU occupancy time given to a process, is 10 milliseconds, which allows multiple processes to operate at substantially the same time.

The security process runs on the Windows operating system and stores a list of the processes to which access is permitted (hereinafter, access-permitted running processes) (S21).

The security process hooks the context switch signal that the Windows operating system outputs to the central processing unit (S22), analyzes the context switch signal, extracts information on the process to which the CPU is allocated (hereinafter, the CPU allocation process), and stores it in a list (S23).

The security process checks whether the CPU allocation process extracted in step S23 is included in the list of access-permitted running processes (S24); if it is (S25), the security process returns to step S22 and hooks the next context switch signal. If it is not included in step S25, the CPU allocation process is determined to be an access-blocked game hack (S26). In general, most normal processes running on the Windows operating system permit access. However, an access-blocked process running while the game is running is almost 100% likely to be a game hack process. Because access to it is blocked, the security process cannot analyze such a game hack process even if it is manipulating the game. Accordingly, the security process according to the present invention determines any access-blocked process that is allocated the CPU and operating to be a game hack process.

Next, the security process checks whether the access-blocked game hack determined in step S26 is included in the CPU allocation block list (S27). If the access-blocked game hack has been detected for the first time and is not included in the CPU allocation block list (S28), the security process prevents it from receiving CPU allocation and adds it to the CPU allocation block list (S29). Ways of preventing the access-blocked game hack from receiving CPU allocation include adjusting the scheduler of the Windows operating system, removing the work contents of the access-blocked game hack from the queue, and preventing the context switch from being performed for it.

If the access-blocked game hack is already included in the CPU allocation block list (S28), this corresponds to the case in which the access-blocked game hack was detected earlier and prevented from receiving CPU allocation, but has regained use of the CPU through kernel manipulation and been detected again; in this case the game process is forcibly terminated (S30).

This protects normal game players by preventing gamers from gaining an advantage in online games by using illegal access-blocked game hacks.
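The S21 to S30 flow described above, as an added example that is not part of the patent text or the assignee's code: a C simulation that replays a constructed sequence of context-switch events through the allow-list check and the CPU allocation block list. The PIDs, the trace, the function names and the fail-closed behaviour when the block list is full are assumptions of this example, and the hook into the Windows scheduler itself is not shown.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_BLOCKED 16
#define TRACE_LEN 7

typedef enum { ACT_CONTINUE, ACT_BLOCK_CPU, ACT_TERMINATE_GAME } action_t;

typedef struct {
    const unsigned *allowed;        /* S21: access-permitted running processes */
    size_t n_allowed;
    unsigned blocked[MAX_BLOCKED];  /* CPU allocation block list (S27-S29) */
    size_t n_blocked;
} monitor_t;

/* Constructed sample data: the PIDs and the order of context switches are invented. */
static const unsigned ALLOWED[] = { 4, 1000, 1200, 1300 };
static const unsigned TRACE[TRACE_LEN] = { 1000, 1300, 6666, 1200, 1000, 6666, 1000 };

static int contains(const unsigned *list, size_t n, unsigned pid) {
    for (size_t i = 0; i < n; i++)
        if (list[i] == pid) return 1;
    return 0;
}

/* One call per hooked context switch (S22-S23); pid is the process given the CPU. */
action_t on_context_switch(monitor_t *m, unsigned pid) {
    if (contains(m->allowed, m->n_allowed, pid))
        return ACT_CONTINUE;              /* S24-S25: on the list, keep hooking */
    /* S26: holds the CPU but is not access-permitted: access-blocked game hack. */
    if (contains(m->blocked, m->n_blocked, pid))
        return ACT_TERMINATE_GAME;        /* S28 -> S30: earlier block was bypassed */
    if (m->n_blocked == MAX_BLOCKED)
        return ACT_TERMINATE_GAME;        /* example's choice: fail closed when full */
    m->blocked[m->n_blocked++] = pid;     /* S29: deny CPU and remember the PID */
    return ACT_BLOCK_CPU;
}

/* Replays TRACE on a fresh monitor, optionally recording each action in out[];
 * returns the index at which the game is terminated, or -1 if it never is. */
int replay_trace(action_t *out) {
    monitor_t m = { ALLOWED, sizeof ALLOWED / sizeof ALLOWED[0], {0}, 0 };
    for (int i = 0; i < TRACE_LEN; i++) {
        action_t a = on_context_switch(&m, TRACE[i]);
        if (out) out[i] = a;
        if (a == ACT_TERMINATE_GAME) return i;
    }
    return -1;
}

/* Action taken at step i of the constructed trace. */
action_t action_at(int i) {
    action_t out[TRACE_LEN] = { ACT_CONTINUE };
    replay_trace(out);
    return out[i];
}

int main(void) {
    static const char *names[] = { "continue", "block CPU allocation", "terminate game" };
    action_t out[TRACE_LEN];
    int end = replay_trace(out);
    for (int i = 0; i <= (end < 0 ? TRACE_LEN - 1 : end); i++)
        printf("switch to pid %u -> %s\n", TRACE[i], names[out[i]]);
    return 0;
}
```

In the constructed trace, PID 6666 is denied the CPU on its first appearance and the game is terminated when it is seen on the CPU a second time, which is the S28 to S30 branch.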

110: central processing unit (CPU)
120: memory
121: Windows operating system
122a, 122b, 122c, 122d: processes
123: queue

Claims (8)

1. A method for detecting an access-blocked game hack, comprising:
a first step in which a security process stores a list of access-permitted running processes;
a second step in which the security process hooks a context switch signal and extracts, from the context switch signal, information on the process to which a CPU is allocated (the CPU allocation process); and
a third step in which the security process checks whether the CPU allocation process is included in the list of access-permitted running processes, and determines the CPU allocation process to be an access-blocked game hack if the CPU allocation process is not included in the list of access-permitted running processes.

2. (deleted)

3. A first step in which a security process stores a list of access-permitted running processes;
a second step in which the security process hooks a context switch signal and extracts, from the context switch signal, information on the process to which a CPU is allocated (the CPU allocation process);
a third step in which the security process checks whether the CPU allocation process is included in the list of access-permitted running processes, and determines the CPU allocation process to be an access-blocked game hack if the CPU allocation process is not included in the list of access-permitted running processes; and
a fourth step in which the security process prevents the CPU from being allocated to the access-blocked game hack.

4. (deleted)

5. The method of claim 3, wherein, in the fourth step, the security process adjusts a scheduler of a Windows operating system to prevent the CPU from being allocated to the access-blocked game hack.

6. The method of claim 3, wherein, in the fourth step, the security process removes the work contents of the access-blocked game hack waiting in the queue.

7. The method of claim 3, wherein, in the fourth step, the security process adjusts the context switch to skip the access-blocked game hack.

8. The method of claim 3, wherein, in the fourth step, the security process terminates the game.

Priority Applications (2)

Application Number Priority Date Filing Date Title
KR1020100076787A KR101249764B1 (en) 2010-08-10 2010-08-10 method for detecting and blocking game-hack process
PCT/KR2011/005720 WO2012020948A2 (en) 2010-08-10 2011-08-04 Method for detecting and blocking a game-hack process

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020100076787A KR101249764B1 (en) 2010-08-10 2010-08-10 method for detecting and blocking game-hack process

Publications (2)

Publication Number Publication Date
KR20120014674A KR20120014674A (en) 2012-02-20
KR101249764B1 true KR101249764B1 (en) 2013-04-03

Family

ID=45568017

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020100076787A KR101249764B1 (en) 2010-08-10 2010-08-10 method for detecting and blocking game-hack process

Country Status (2)

Country Link
KR (1) KR101249764B1 (en)
WO (1) WO2012020948A2 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100385601B1 (en) * 2000-06-29 2003-05-27 주식회사 참좋은인터넷 System and method for managing information in database
KR20090111576A (en) * 2008-04-22 2009-10-27 주식회사 안철수연구소 Method for protecting program using virtual desktop

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100483700B1 (en) * 2003-12-03 2005-04-19 주식회사 잉카인터넷 Method to cut off an illegal process access and manipulation for the security of online game client by real-time
KR100685672B1 (en) * 2004-11-29 2007-02-23 주식회사 안철수연구소 Preventing method of computer programmed automatic input
KR100681696B1 (en) * 2004-11-29 2007-02-15 주식회사 안철수연구소 Method for preventing from inventing data of memory in a computer application program
KR100645983B1 (en) * 2005-08-31 2006-11-14 (주)와이즈로직 Module for detecting an illegal process and method thereof

Also Published As

Publication number Publication date
WO2012020948A2 (en) 2012-02-16
WO2012020948A3 (en) 2012-04-19
KR20120014674A (en) 2012-02-20

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant