
An Anti-cheat Method of Game Based on Windows Kernel Events
Cite this article: Jianming FU, Zheng YANG, Chenke LUO, Jianwei HUANG. An Anti-cheat Method of Game Based on Windows Kernel Events[J]. Journal of Electronics & Information Technology, 2020, 42(9): 2117-2125. doi: 10.11999/JEIT190695
Authors: Jianming FU, Zheng YANG, Chenke LUO, Jianwei HUANG
Affiliation: Key Laboratory of Aerospace Information Security and Trusted Computing of Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
Funding: National Natural Science Foundation of China (61972297, U1636107)
Abstract: To address the many limitations of current client-side anti-cheat methods, this paper proposes an anti-cheat method for online games based on kernel events and implements it as the anti-cheat system CheatBlocker. The method monitors kernel events in Windows to watch for and intercept abnormal access between processes and abnormal module injection. At the same time, an anti-cheat dynamic-link library (DLL) injected from the kernel blocks simulated mouse and keyboard input. Experimental results show that CheatBlocker defends against cheats based on process module injection and cheats based on user input simulation, with low performance overhead. Moreover, CheatBlocker does not need to modify kernel data or code, which preserves kernel integrity and gives it better generality and compatibility than current anti-cheat systems.
Keywords: Game cheating; Anti-cheating; Module injection; Kernel event
Received: 2019-09-09
Revised: 2020-06-13