{"id":2257,"date":"2024-06-20T13:29:35","date_gmt":"2024-06-20T16:29:35","guid":{"rendered":"https:\/\/reversingthread.info\/?p=2257"},"modified":"2024-06-20T13:29:35","modified_gmt":"2024-06-20T16:29:35","slug":"battleye-analysis-part-1-window-detection","status":"publish","type":"post","link":"https:\/\/reversingthread.info\/index.php\/2024\/06\/20\/battleye-analysis-part-1-window-detection\/","title":{"rendered":"Battleye Analysis Part 1 &#8211;  Window Detection"},"content":{"rendered":"\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>This research delves into BattlEye&#8217;s detection mechanisms. Part 1 focuses on how it identifies and analyzes suspicious windows. This analysis aims to understand these methods for research purposes only, not to bypass or attack the software. The provided code was extracted and has been beautified for clarity.<\/p>\n\n\n\n<p><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">These detections were analyzed from the game DayZ on 06\/20\/2024.<\/mark><\/p>\n\n\n\n<div style=\"height:30px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Window detection overview<\/h2>\n\n\n\n<p>BattlEye employs three primary methods for detecting suspicious windows. The first scans for blacklisted window names and class names, the second analyzes window styles and attributes, such as topmost or transparent properties, and the third checks that the window enumeration was actually run. Additionally, it implements a fourth layer of protection by verifying the integrity of the functions used to perform these checks, ensuring that they have not been hooked or tampered with. 
<\/p>\n\n\n\n<div style=\"height:30px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Breakdown <\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. Report Buffer and Report Function<\/h3>\n\n\n\n<p>BattlEye employs a <strong>0x5400<\/strong>-byte report buffer to store detection data. The buffer&#8217;s first byte is always 0, the second identifies the report type, and the rest contains detection details. BattlEye uses <strong>malloc <\/strong>for dynamic allocation. A separate <strong>0x5000<\/strong>-byte buffer temporarily holds detection data before copying it to the report buffer prior to sending.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(2 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#1E1E1E\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"struct Report\n{\n    BYTE       Unknown;\n    ReportType ReportType;\n    BYTE       ReportData[21502];\n};\n\nusing BattleyeReport_t = void(BYTE* reportBuffer, uint32_t reportSize, uint32_t Unknown);\n\nBattleyeReport_t BattleyeReport = nullptr;\" 
style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #569CD6\">struct<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #4EC9B0\">Report<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    BYTE       Unknown;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    ReportType ReportType;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    BYTE       <\/span><span style=\"color: #9CDCFE\">ReportData<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">21502<\/span><span style=\"color: #D4D4D4\">];<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">};<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #C586C0\">using<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #4EC9B0\">BattleyeReport_t<\/span><span style=\"color: #D4D4D4\"> = <\/span><span style=\"color: #569CD6\">void<\/span><span style=\"color: #D4D4D4\">(BYTE* reportBuffer, <\/span><span style=\"color: #569CD6\">uint32_t<\/span><span style=\"color: #D4D4D4\"> reportSize, 
<\/span><span style=\"color: #569CD6\">uint32_t<\/span><span style=\"color: #D4D4D4\"> Unknown);<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #4EC9B0\">BattleyeReport_t<\/span><span style=\"color: #D4D4D4\"> BattleyeReport = <\/span><span style=\"color: #569CD6\">nullptr<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Report Types<\/h3>\n\n\n\n<p>While this enum is incomplete and will be expanded upon later, it contains the three primary report types relevant to window detection. It is important to note that the <strong><code>DetectedAbnormalWindow_Handle_File<\/code> <\/strong>report type also includes checks for blacklisted window names, opened handles and files, which will be discussed in further detail later in this analysis.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#1E1E1E\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"enum class ReportType : uint8_t\n{\n    
DetectedBlackListedWindow          = 0x33,\n    DetectedAbnormalWindow_Handle_File = 0x3C,\n    DetectedFailToEnumerateWindow      = 0x44\n};\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #569CD6\">enum<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">class<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #4EC9B0\">ReportType<\/span><span style=\"color: #D4D4D4\"> : <\/span><span style=\"color: #569CD6\">uint8_t<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #4FC1FF\">DetectedBlackListedWindow<\/span><span style=\"color: #D4D4D4\">          = <\/span><span style=\"color: #B5CEA8\">0x33<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #4FC1FF\">DetectedAbnormalWindow_Handle_File<\/span><span style=\"color: #D4D4D4\"> = <\/span><span style=\"color: #B5CEA8\">0x3C<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: 
#4FC1FF\">DetectedFailToEnumerateWindow<\/span><span style=\"color: #D4D4D4\">      = <\/span><span style=\"color: #B5CEA8\">0x44<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">};<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Window Iteration<\/h3>\n\n\n\n<p>BattlEye initiates the window detection process by retrieving the topmost window using the <strong><code>GetTopWindow<\/code> <\/strong>function. It then enters an infinite loop, iterating through the windows by calling <code><strong>GetWindow<\/strong><\/code> with the current <strong><code>topWindow<\/code> <\/strong>as the first argument and <strong><code>GW_HWNDNEXT<\/code> <\/strong>as the second. The loop continues until the <code>parentWindow<\/code> becomes <strong>NULL<\/strong>. The <strong><code>indexAtBufferReport<\/code> <\/strong>is incremented by <strong><code>0x1C<\/code> <\/strong>plus the size of the data added to the report buffer for each window. The detection process persists as long as <strong><code>indexAtBufferReport<\/code> <\/strong>remains smaller than <code><strong>0x4E80<\/strong><\/code>. Detection only occurs on windows that do not belong to the game process itself. 
<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(2 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#1E1E1E\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"void CheckWindows()\n{\n    DWORD processId       = 0;\n    char  windowName[220] = {};\n    HWND  parentWindow    = nullptr;\n    HWND  currentWindow;\n\n\n    HWND topWindow = GetTopWindow(nullptr);\n    bool exitLoop  = false;\n\n\n    int indexAtBufferReport = 4;\n    while (true)\n    {\n        \/\/ Get the process ID of the current window\n        GetWindowThreadProcessId(topWindow, &amp;processId);\n\n        \/\/ Check if we are not in same process.\n        if (GetCurrentProcessId() != processId)\n        {\n            \/\/ Get the window name\n            GetWindowTextA(topWindow, &amp;windowName[2], 128);\n\n            \/\/ Detect window name.\n            DetectWindowNames(topWindow, windowName);\n\n            \/\/ Detect Windows Style &amp; More Window name.\n            DetectAbnormalWindows(topWindow, parentWindow, windowName, processId);\n        }\n\n\n        if (!parentWindow 
&amp;&amp; GetCurrentProcessId() == processId &amp;&amp; (\n                currentWindow = GetWindow(topWindow, GW_CHILD)) !=\n            nullptr)\n        {\n            parentWindow = topWindow;\n            topWindow    = currentWindow;\n        }\n        else\n        {\n            while (true)\n            {\n                \/\/ Get next window\n                topWindow = GetWindow(topWindow, GW_HWNDNEXT);\n                if (topWindow)\n                {\n                    if (indexAtBufferReport &lt;= 0x4E80)\n                    {\n                        break;\n                    }\n                }\n\n                if (!parentWindow)\n                {\n                    exitLoop = true;\n                    break;\n                }\n                topWindow    = parentWindow;\n                parentWindow = nullptr;\n            }\n        }\n\n\n        \/\/ This is the minimum size increment each report. The index is calculated by also adding the data from the window which was detected.\n        indexAtBufferReport += 0x1C;\n\n        \/\/ We reached the end of the windows\n        if (exitLoop)\n            break;\n    }\n\n    std::printf(&quot;[+] Done!\\n&quot;);\n}\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" 
style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #569CD6\">void<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #DCDCAA\">CheckWindows<\/span><span style=\"color: #D4D4D4\">()<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    DWORD processId       = <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">char<\/span><span style=\"color: #D4D4D4\">  <\/span><span style=\"color: #9CDCFE\">windowName<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">220<\/span><span style=\"color: #D4D4D4\">] = {};<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    HWND  parentWindow    = <\/span><span style=\"color: #569CD6\">nullptr<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    HWND  currentWindow;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    HWND topWindow = <\/span><span style=\"color: #DCDCAA\">GetTopWindow<\/span><span style=\"color: #D4D4D4\">(<\/span><span style=\"color: #569CD6\">nullptr<\/span><span style=\"color: #D4D4D4\">);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">bool<\/span><span style=\"color: #D4D4D4\"> exitLoop  = <\/span><span style=\"color: #569CD6\">false<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">int<\/span><span style=\"color: #D4D4D4\"> indexAtBufferReport = <\/span><span style=\"color: #B5CEA8\">4<\/span><span style=\"color: 
#D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #C586C0\">while<\/span><span style=\"color: #D4D4D4\"> (<\/span><span style=\"color: #569CD6\">true<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">        \/\/ Get the process ID of the current window<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #DCDCAA\">GetWindowThreadProcessId<\/span><span style=\"color: #D4D4D4\">(topWindow, &amp;processId);<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">        \/\/ Check if we are not in same process.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (<\/span><span style=\"color: #DCDCAA\">GetCurrentProcessId<\/span><span style=\"color: #D4D4D4\">() != processId)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">            \/\/ Get the window name<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #DCDCAA\">GetWindowTextA<\/span><span style=\"color: #D4D4D4\">(topWindow, &amp;<\/span><span style=\"color: #9CDCFE\">windowName<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">2<\/span><span style=\"color: #D4D4D4\">], <\/span><span style=\"color: #B5CEA8\">128<\/span><span style=\"color: #D4D4D4\">);<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">            \/\/ Detect window name.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: 
#DCDCAA\">DetectWindowNames<\/span><span style=\"color: #D4D4D4\">(topWindow, windowName);<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">            \/\/ Detect Windows Style &amp; More Window name.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #DCDCAA\">DetectAbnormalWindows<\/span><span style=\"color: #D4D4D4\">(topWindow, parentWindow, windowName, processId);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (!parentWindow &amp;&amp; <\/span><span style=\"color: #DCDCAA\">GetCurrentProcessId<\/span><span style=\"color: #D4D4D4\">() == processId &amp;&amp; (<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                currentWindow = <\/span><span style=\"color: #DCDCAA\">GetWindow<\/span><span style=\"color: #D4D4D4\">(topWindow, GW_CHILD)) !=<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #569CD6\">nullptr<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            parentWindow = topWindow;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            topWindow    = currentWindow;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #C586C0\">else<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span 
style=\"color: #C586C0\">while<\/span><span style=\"color: #D4D4D4\"> (<\/span><span style=\"color: #569CD6\">true<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">                \/\/ Get next window<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                topWindow = <\/span><span style=\"color: #DCDCAA\">GetWindow<\/span><span style=\"color: #D4D4D4\">(topWindow, GW_HWNDNEXT);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (topWindow)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                    <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (indexAtBufferReport &lt;= <\/span><span style=\"color: #B5CEA8\">0x4E80<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                    {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                        <\/span><span style=\"color: #C586C0\">break<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                    }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (!parentWindow)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                    exitLoop = <\/span><span style=\"color: 
#569CD6\">true<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                    <\/span><span style=\"color: #C586C0\">break<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                topWindow    = parentWindow;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                parentWindow = <\/span><span style=\"color: #569CD6\">nullptr<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">        \/\/ This is the minimum size increment each report. The index is calculated by also adding the data from the window which was detected.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        indexAtBufferReport += <\/span><span style=\"color: #B5CEA8\">0x1C<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">        \/\/ We reached the end of the windows<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (exitLoop)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #C586C0\">break<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #4EC9B0\">std<\/span><span style=\"color: #D4D4D4\">::<\/span><span 
style=\"color: #DCDCAA\">printf<\/span><span style=\"color: #D4D4D4\">(<\/span><span style=\"color: #CE9178\">&quot;[+] Done!<\/span><span style=\"color: #D7BA7D\">\\n<\/span><span style=\"color: #CE9178\">&quot;<\/span><span style=\"color: #D4D4D4\">);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">}<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Detecting blacklisted window names<\/h3>\n\n\n\n<p>This is the first method. BattlEye retrieves the <strong>class name<\/strong> and <strong>window name <\/strong>of <strong>each window<\/strong> and compares them against a predefined list of <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">blacklisted names<\/mark>. If a match is found, a report is sent. It is important to note that the blacklisted window names in this case are specific to the game <strong>DayZ<\/strong>. When analyzing other games, such as <strong>Rainbow Six<\/strong> or <strong>PUBG<\/strong>, or any other <strong>BattlEye game<\/strong>, the blacklisted strings may differ based on the specific cheats discovered in those environments. 
Additionally, the <strong>class name<\/strong> detection here is used to identify a name that is later utilized in another aspect of BattlEye&#8217;s detection mechanism, which is not directly related to the window itself.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(2 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#1E1E1E\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"#define REPORT_BUFFER_LENGHT 0x5400\n\nvoid DetectWindowNames(HWND hwndWindow, char* windowName)\n{\n    int  reportSize = 13; \/\/ The initial reportSize is 13.\n    int  nameLength = strlen(windowName);\n    bool foundDetectedFlag; \/\/ This flag is used in futher shellcode.\n    bool foundBlackListedWindow;\n\n    \/\/ Infinite loop\n    for (int j = 0; ; ++j)\n    {\n        \/\/ Check if there atleast 5 characters in the window name\n        if (j &gt;= nameLength - 5)\n        {\n            \/\/ GetClassNameA\n            if (GetClassNameA(hwndWindow, windowName, 64) &amp;&amp; !strcmp(windowName, &quot;TaskMana&quot;))\n            {\n                foundDetectedFlag = true;\n      
      }\n        }\n        else\n        {\n            \/\/ Detected the following blacklisted window names\n            if (!strcmp(&amp;windowName[j + 2], &quot;Chod's&quot;) ||\n                !strcmp(&amp;windowName[j + 2], &quot;Satan5&quot;) ||\n                !strcmp(&amp;windowName[j + 2], &quot;kernelch&quot;))\n            {\n                foundBlackListedWindow = true;\n                break;\n            }\n        }\n    }\n\n    if (foundBlackListedWindow)\n    {\n        Report report     = {};\n        report.Unknown    = 0;\n        report.ReportType = ReportType::DetectedBlackListedWindow;\n\n        \/\/ Check \n        if (reportSize + nameLength + 3 &lt;= REPORT_BUFFER_LENGHT)\n        {\n            *reinterpret_cast&lt;uint16_t*&gt;(&amp;report.Unknown + reportSize) = nameLength + 1; \/\/ Write to offset 13\n            for (int i                            = 0; i &lt; nameLength + 1; ++i)\n                report.ReportData[i + reportSize] = windowName[i]; \/\/ Start at offset 15\n\n\n            reportSize += nameLength + 3;\n            BattleyeReport(&amp;report, reportSize, 0);\n        }\n    }\n}\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span 
style=\"color: #C586C0\">#define<\/span><span style=\"color: #569CD6\"> REPORT_BUFFER_LENGHT 0x5400<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #569CD6\">void<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #DCDCAA\">DetectWindowNames<\/span><span style=\"color: #D4D4D4\">(<\/span><span style=\"color: #4EC9B0\">HWND<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #9CDCFE\">hwndWindow<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #569CD6\">char*<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #9CDCFE\">windowName<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">int<\/span><span style=\"color: #D4D4D4\">  reportSize = <\/span><span style=\"color: #B5CEA8\">13<\/span><span style=\"color: #D4D4D4\">;<\/span><span style=\"color: #6A9955\"> \/\/ The initial reportSize is 13.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">int<\/span><span style=\"color: #D4D4D4\">  nameLength = <\/span><span style=\"color: #DCDCAA\">strlen<\/span><span style=\"color: #D4D4D4\">(windowName);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">bool<\/span><span style=\"color: #D4D4D4\"> foundDetectedFlag;<\/span><span style=\"color: #6A9955\"> \/\/ This flag is used in futher shellcode.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">bool<\/span><span style=\"color: #D4D4D4\"> foundBlackListedWindow;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">    \/\/ Infinite loop<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span 
style=\"color: #C586C0\">for<\/span><span style=\"color: #D4D4D4\"> (<\/span><span style=\"color: #569CD6\">int<\/span><span style=\"color: #D4D4D4\"> j = <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">; ; ++j)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">        \/\/ Check if there atleast 5 characters in the window name<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (j &gt;= nameLength - <\/span><span style=\"color: #B5CEA8\">5<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">            \/\/ GetClassNameA<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (<\/span><span style=\"color: #DCDCAA\">GetClassNameA<\/span><span style=\"color: #D4D4D4\">(hwndWindow, windowName, <\/span><span style=\"color: #B5CEA8\">64<\/span><span style=\"color: #D4D4D4\">) &amp;&amp; !<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(windowName, <\/span><span style=\"color: #CE9178\">&quot;TaskMana&quot;<\/span><span style=\"color: #D4D4D4\">))<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                foundDetectedFlag = <\/span><span style=\"color: #569CD6\">true<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span 
style=\"color: #C586C0\">else<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">            \/\/ Detected the following blacklisted window names<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (!<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(&amp;<\/span><span style=\"color: #9CDCFE\">windowName<\/span><span style=\"color: #D4D4D4\">[j + <\/span><span style=\"color: #B5CEA8\">2<\/span><span style=\"color: #D4D4D4\">], <\/span><span style=\"color: #CE9178\">&quot;Chod&#39;s&quot;<\/span><span style=\"color: #D4D4D4\">) ||<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                !<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(&amp;<\/span><span style=\"color: #9CDCFE\">windowName<\/span><span style=\"color: #D4D4D4\">[j + <\/span><span style=\"color: #B5CEA8\">2<\/span><span style=\"color: #D4D4D4\">], <\/span><span style=\"color: #CE9178\">&quot;Satan5&quot;<\/span><span style=\"color: #D4D4D4\">) ||<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                !<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(&amp;<\/span><span style=\"color: #9CDCFE\">windowName<\/span><span style=\"color: #D4D4D4\">[j + <\/span><span style=\"color: #B5CEA8\">2<\/span><span style=\"color: #D4D4D4\">], <\/span><span style=\"color: #CE9178\">&quot;kernelch&quot;<\/span><span style=\"color: #D4D4D4\">))<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                foundBlackListedWindow = <\/span><span style=\"color: #569CD6\">true<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span 
class=\"line\"><span style=\"color: #D4D4D4\">                <\/span><span style=\"color: #C586C0\">break<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (foundBlackListedWindow)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        Report report     = {};<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #9CDCFE\">report<\/span><span style=\"color: #D4D4D4\">.<\/span><span style=\"color: #9CDCFE\">Unknown<\/span><span style=\"color: #D4D4D4\">    = <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #9CDCFE\">report<\/span><span style=\"color: #D4D4D4\">.<\/span><span style=\"color: #9CDCFE\">ReportType<\/span><span style=\"color: #D4D4D4\"> = <\/span><span style=\"color: #4EC9B0\">ReportType<\/span><span style=\"color: #D4D4D4\">::DetectedBlackListedWindow;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">        \/\/ Check <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (reportSize + nameLength + <\/span><span style=\"color: #B5CEA8\">3<\/span><span style=\"color: #D4D4D4\"> &lt;= REPORT_BUFFER_LENGHT)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        {<\/span><\/span>\n<span 
class=\"line\"><span style=\"color: #D4D4D4\">            *<\/span><span style=\"color: #569CD6\">reinterpret_cast<\/span><span style=\"color: #D4D4D4\">&lt;<\/span><span style=\"color: #569CD6\">uint16_t<\/span><span style=\"color: #D4D4D4\">*&gt;(&amp;<\/span><span style=\"color: #9CDCFE\">report<\/span><span style=\"color: #D4D4D4\">.<\/span><span style=\"color: #9CDCFE\">Unknown<\/span><span style=\"color: #D4D4D4\"> + reportSize) = nameLength + <\/span><span style=\"color: #B5CEA8\">1<\/span><span style=\"color: #D4D4D4\">;<\/span><span style=\"color: #6A9955\"> \/\/ Write to offset 13<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #C586C0\">for<\/span><span style=\"color: #D4D4D4\"> (<\/span><span style=\"color: #569CD6\">int<\/span><span style=\"color: #D4D4D4\"> i                            = <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">; i &lt; nameLength + <\/span><span style=\"color: #B5CEA8\">1<\/span><span style=\"color: #D4D4D4\">; ++i)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                <\/span><span style=\"color: #9CDCFE\">report<\/span><span style=\"color: #D4D4D4\">.<\/span><span style=\"color: #9CDCFE\">ReportData<\/span><span style=\"color: #D4D4D4\">[i + reportSize] = <\/span><span style=\"color: #9CDCFE\">windowName<\/span><span style=\"color: #D4D4D4\">[i];<\/span><span style=\"color: #6A9955\"> \/\/ Start at offset 15<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            reportSize += nameLength + <\/span><span style=\"color: #B5CEA8\">3<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #DCDCAA\">BattleyeReport<\/span><span style=\"color: #D4D4D4\">(&amp;report, reportSize, <\/span><span style=\"color: #B5CEA8\">0<\/span><span 
style=\"color: #D4D4D4\">);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">}<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. Detection of abnormal windows<\/h3>\n\n\n\n<p>The detection of abnormal windows primarily relies on analyzing <strong>window attributes<\/strong>. BattlEye retrieves both <strong>GWL_STYLE<\/strong> and <strong>GWL_EXSTYLE<\/strong> using <strong>GetWindowLongA<\/strong>, and then performs a series of attribute checks. If any of these checks is triggered, a report is sent to the server.<\/p>\n\n\n\n<p>It&#8217;s worth noting that while the checks in the pseudocode are represented as hexadecimal values for brevity, they correspond to standard Windows API definitions such as <strong>WS_EX_TOPMOST<\/strong> and <strong>WS_EX_TRANSPARENT<\/strong>.<\/p>\n\n\n\n<p>Interestingly, this detection mechanism also incorporates checks for specific window names. However, these are reported using the <strong>DetectedAbnormalWindow_Handle_File<\/strong> report type rather than the previously discussed blacklisted window detection.<\/p>\n\n\n\n<p>Upon matching any of the specified flags, BattlEye compiles a report containing the window&#8217;s attributes and sends it to its servers for further analysis. 
This comprehensive approach enables BattlEye to detect a wide range of potential cheat software, even those attempting to disguise themselves through careful window property manipulation.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(3 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#1E1E1E\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"void DetectAbnormalWindows(HWND hwndWindow, HWND parentWindow, char* windowName, int windowPid)\n{\n    int     startIndex            = 4;\n    int     startIndex2           = 0;\n    wchar_t windowNameUnicode[64] = {};\n    char    windowNameASCII[230]  = {};\n    bool    notepadWindowFound    = false; \/\/ This is a check for the future\n    RECT    windowRect            = {};\n    int     reportSize            = 0;\n\n    \/\/ Get the window style flags\n    int styleFlags   = GetWindowLongA(hwndWindow, GWL_STYLE);\n    int exStyleFlags = GetWindowLongA(hwndWindow, GWL_EXSTYLE);\n\n    \/\/ Get the window rect\n    GetWindowRect(hwndWindow, &amp;windowRect);\n\n    \/\/ Check if windows is hidden and the window name is 
&quot;MSPaintA&quot;\n    if (!(styleFlags &amp; WS_VISIBLE) &amp;&amp; !strcmp(windowName, &quot;MSPaintA&quot;))\n    {\n        HANDLE targetProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, windowPid);\n        if (targetProcess)\n        {\n            CloseHandle(targetProcess);\n            return;\n        }\n\n        if (GetLastError() != ERROR_INVALID_PARAMETER)\n            return;\n    }\n\n    int        nameLength             = GetWindowTextW(hwndWindow, windowNameUnicode, 64);\n    const auto resultBytesWrittenName = WideCharToMultiByte(\n                                                            CP_UTF8,\n                                                            0,\n                                                            windowNameUnicode,\n                                                            nameLength,\n                                                            windowNameASCII + startIndex + 1,\n                                                            255,\n                                                            nullptr,\n                                                            nullptr);\n\n    *(BYTE*)(windowNameASCII + startIndex) = resultBytesWrittenName;\n    startIndex2                            = startIndex + resultBytesWrittenName + 1;\n\n    nameLength                         = GetClassNameW(hwndWindow, windowNameUnicode, 64);\n    const auto resultBytesWrittenClass = WideCharToMultiByte(\n                                                             CP_UTF8,\n                                                             0,\n                                                             windowNameUnicode,\n                                                             nameLength,\n                                                             windowNameASCII + startIndex2 + 1,\n                                                             255,\n                                                             
nullptr,\n                                                             nullptr);\n\n    *(BYTE*)(windowNameASCII + startIndex2) = resultBytesWrittenClass;\n\n    if (windowNameASCII[startIndex2] == 7 &amp;&amp; strcmp(&amp;windowNameASCII[1], &quot;Notepad&quot;))\n    {\n        notepadWindowFound = true;\n    }\n\n    \/\/ No idea yet...\n    auto v56 = startIndex2 + *(BYTE*)(windowNameASCII + startIndex2) + 1;\n\n    HANDLE  procHandle            = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, windowPid);\n    wchar_t lpExeNameW[128]       = {0};\n    DWORD   lpExeNameSize         = 128;\n    bool    foundProcessImagePath = false;\n    if (procHandle)\n    {\n        if (QueryFullProcessImageNameW(procHandle, 0, lpExeNameW, &amp;lpExeNameSize))\n        {\n            lpExeNameSize = WideCharToMultiByte(\n                                                CP_UTF8,\n                                                0,\n                                                lpExeNameW,\n                                                lpExeNameSize,\n                                                windowNameASCII + v56 + 1,\n                                                255,\n                                                nullptr,\n                                                nullptr);\n\n            if (lpExeNameSize)\n            {\n                foundProcessImagePath = true;\n            }\n        }\n\n        CloseHandle(procHandle);\n    }\n\n    uint32_t blackListedWindowCount = 0;\n    for (HWND m = GetWindow(hwndWindow, GW_CHILD); m; m = GetWindow(m, GW_HWNDNEXT))\n    {\n        char tmpWindowName[32] = {};\n        if (!GetWindowTextA(m, tmpWindowName, 32))\n            continue;\n\n\n        if (!strcmp(tmpWindowName, &quot;recoil&quot;)\n            || !strcmp(tmpWindowName, &quot;Recoil&quot;)\n            || !strcmp(tmpWindowName, &quot;No-Recoil&quot;)\n            || !strcmp(tmpWindowName, &quot;No-recoil&quot;)\n            || 
!strcmp(tmpWindowName, &quot;Triggerb&quot;)\n            || !strcmp(tmpWindowName, &quot;triggerb&quot;)\n            || !strcmp(tmpWindowName, &quot;RapidFir&quot;)\n            || !strcmp(tmpWindowName, &quot;Rapidfir&quot;)\n            || !strcmp(tmpWindowName, &quot;Rapid Fir&quot;)\n            || !strcmp(tmpWindowName, &quot;Rapid fir&quot;)\n            || !strcmp(tmpWindowName, &quot;Rapid fir&quot;)\n            || !strcmp(tmpWindowName, &quot;Chance (%&quot;)\n            || !strcmp(tmpWindowName, &quot;(%):&quot;)\n            || !strcmp(tmpWindowName, &quot;drakonia&quot;))\n\n        {\n            blackListedWindowCount++;\n        }\n    }\n\n    DWORD fileAttribute[10]{};\n    GetFileAttributesExW(lpExeNameW, GetFileExInfoStandard, &amp;fileAttribute);\n\n    auto sendReport = [](uint8_t imagePathLength, DWORD imageSize, uint32_t styleFlags, uint32_t exStyleFlags,\n                         RECT    rect,\n                         int     reportSize)\n    {\n        Report report     = {};\n        report.Unknown    = 0;\n        report.ReportType = ReportType::DetectedAbnormalWindow_Handle_File;\n\n        struct\n        {\n            BYTE     ReportType           = 0x3C;\n            BYTE     Unknown              = 0;\n            uint8_t  ImagePathLength      = 0;\n            DWORD    ImageSize            = 0;\n            CHAR     lpExeName[128]       = {};\n            char     WindowName[64]      = {};\n            char     WindowClassName[64] = {};\n            uint32_t styleFlags           = 0;\n            uint32_t exStyleFlags         = 0;\n            RECT     windowRect           = {};\n        } reportInfo;\n\n        reportInfo.ImagePathLength = imagePathLength;\n        reportInfo.ImageSize       = imageSize;\n        reportInfo.styleFlags      = styleFlags;\n        reportInfo.exStyleFlags    = exStyleFlags;\n        reportInfo.windowRect      = rect;\n        \/\/ etc\n\n\n        BattleyeReport(&amp;report, reportSize, 0);\n     
   \n    };\n\n\n    if (blackListedWindowCount)\n    {\n         sendReport(static_cast&lt;uint8_t&gt;(lpExeNameSize), fileAttribute[8], styleFlags, exStyleFlags, windowRect,\n                   reportSize);\n        return;\n    }\n\n\n    if (parentWindow &amp;&amp; exStyleFlags &amp; WS_EX_LAYERED || styleFlags &amp; WS_VISIBLE)\n    {\n        sendReport(0, 0, styleFlags, exStyleFlags, windowRect, reportSize);\n        return;\n    }\n\n    \/\/ Check if the window is layered and topmost\n    if (exStyleFlags &amp; WS_EX_LAYERED &amp;&amp; exStyleFlags &amp; WS_EX_TOPMOST)\n    {\n         sendReport(static_cast&lt;uint8_t&gt;(lpExeNameSize), fileAttribute[8], styleFlags, exStyleFlags, windowRect,\n                   reportSize);\n        return;\n    }\n\n    if ((exStyleFlags | styleFlags) == 0x14CF0100)\n    {\n         sendReport(static_cast&lt;uint8_t&gt;(lpExeNameSize), fileAttribute[8], styleFlags, exStyleFlags, windowRect,\n                   reportSize);\n        return;\n    }\n\n    int combinationWindowFlags = exStyleFlags &amp; styleFlags;\n\n    constexpr uint32_t blacklistedFlagsCombination[] = {\n        0x34CF0100, 0x14EF0310, 0x34EF0310, 0x14EF0110, 0x34EF0110, 0x17090020, 0x17090000, 0x16090020,\n        0x94080020, 0x94080080, 0x9C080080, 0x160A0080, 0x16CA0008, 0xD60A0080,\n        0xD6080101, 0x160D0020, 0x940800A0, 0x16CF0101, 0x36CF0101, 0x160D0000, 0x94080000, 0x16C20100,\n        0x16C80100, 0x16080080, 0x160C0000, 0x1E0900A0, 0x9C880020, 0x9C0800A0, 0x9C080024, 0x9C080020, 0x150908A0,\n        0x16020008, 0x9C080000, 0xD40800A0, 0x94000010, 0xB4000010, 0x94880020, 0x1E0D0028, 0x140800A0, 0x14080020,\n        0x14080080, 0x9C880220, 0x960B00A0, 0x140908A0, 0x160A0000, 0x960814B0, 0x9D080000, 0x16CA0108, 0x36CA0108,\n        0x160800A0, 0x9C1F0137, 0x160A0020, 0x9C1F01B7, 0x94080220, 0x960A00A0, 0x9CA80020, 0x960A0080, 0x9C0900A0,\n        0x96080020, 0x960800A0, 0x9C1800A0, 0x9C4800A0, 0xD6080020, 0x9E1800A0, 0x1C0800A0, 0x94880000, 
0x9D080020,\n        0xDC0A0020, 0x1C0900A0, 0x961900A0, 0x964B00A0, 0x9E1840A0, 0x1C480020, 0x9E0C00A0, 0x16CE0101, 0x36CE0101,\n        0x960904A0, 0x14EC0110, 0x9C0C00A0, 0x948802A0, 0x9C080220, 0x9C0A6060, 0x14CF0108, 0x34CF0108, 0x15080020,\n        0x14CA0101, 0x34CA0101, 0x16020000, 0x94000088, 0x96000000, 0x94030400, 0x96030400, 0x9C09004C, 0x94CD01CD\n\n    };\n\n    \/\/ Check if the combination of flags is blacklisted\n    if (std::ranges::find(blacklistedFlagsCombination,\n                          combinationWindowFlags) !=\n        std::end(blacklistedFlagsCombination))\n    {\n        sendReport(static_cast&lt;uint8_t&gt;(lpExeNameSize), fileAttribute[8], styleFlags, exStyleFlags, windowRect,\n                   reportSize);\n        return;\n    }\n\n    \/\/ Check if the window is layered and the window name is &quot;MainWind&quot; or the window is iconic\n    if ((combinationWindowFlags == 0x16CF0100 || combinationWindowFlags == 0x36CF0100) &amp;&amp; (\n            !strcmp(&amp;windowName[2], &quot;MainWind&quot;) || (exStyleFlags &amp; WS_EX_LAYERED) != 0))\n    {\n        sendReport(static_cast&lt;uint8_t&gt;(lpExeNameSize), fileAttribute[8], styleFlags, exStyleFlags, windowRect,\n                   reportSize);\n        return;\n    }\n\n    if (combinationWindowFlags == 0x17CF0100 &amp;&amp; !strlen(windowName)\n        || (combinationWindowFlags &amp; 0xFFFFF) == 0xBA7A0\n        || (combinationWindowFlags &amp; 0xFFFFF) == 0x80323\n        || (combinationWindowFlags &amp; 0xFFFFF) == 0x90A25\n        || (combinationWindowFlags &amp; 0xFFFFF) == 0x90A65\n        || (combinationWindowFlags &amp; 0xFFFFF) == 0xE0181\n        || (combinationWindowFlags &amp; 0xFFFFF) == 0xE0080\n        || exStyleFlags == 0x5800A0\n        || exStyleFlags == 0xC00A0\n        || (exStyleFlags &amp; 0x80024) == 0x80024\n        || (combinationWindowFlags &amp; 0x9C090020) == 0x9C090020\n        || (combinationWindowFlags &amp; 0xD00800A0) == 0xD00800A0\n        
|| combinationWindowFlags == 0x94000000 &amp;&amp; !strlen(windowName)\n        || (exStyleFlags &amp; 0x80000) != 0\n        &amp;&amp; (strcmp(windowNameASCII + v56 + 1, &quot;IME&quot;) == 0\n            || strcmp(windowNameASCII + v56 + 1, &quot;MSCT&quot;) == 0\n            || strcmp(windowNameASCII + 2, &quot;BattlEye&quot;) == 0\n            || strcmp(windowNameASCII + v56 + 1, &quot;WorkrW&quot;) == 0 &amp;&amp; (combinationWindowFlags &amp; 0xF) != 0\n        )\n    )\n    {\n        sendReport(static_cast&lt;uint8_t&gt;(lpExeNameSize), fileAttribute[8], styleFlags, exStyleFlags, windowRect,\n                   reportSize);\n    }\n}\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #569CD6\">void<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #DCDCAA\">DetectAbnormalWindows<\/span><span style=\"color: #D4D4D4\">(<\/span><span style=\"color: #4EC9B0\">HWND<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #9CDCFE\">hwndWindow<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #4EC9B0\">HWND<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #9CDCFE\">parentWindow<\/span><span style=\"color: 
#D4D4D4\">, <\/span><span style=\"color: #569CD6\">char*<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #9CDCFE\">windowName<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #569CD6\">int<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #9CDCFE\">windowPid<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">int<\/span><span style=\"color: #D4D4D4\">     startIndex            = <\/span><span style=\"color: #B5CEA8\">4<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">int<\/span><span style=\"color: #D4D4D4\">     startIndex2           = <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">wchar_t<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #9CDCFE\">windowNameUnicode<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">64<\/span><span style=\"color: #D4D4D4\">] = {};<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">char<\/span><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #9CDCFE\">windowNameASCII<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">230<\/span><span style=\"color: #D4D4D4\">]  = {};<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">bool<\/span><span style=\"color: #D4D4D4\">    notepadWindowFound    = <\/span><span style=\"color: #569CD6\">false<\/span><span style=\"color: #D4D4D4\">;<\/span><span style=\"color: #6A9955\"> \/\/ This is a check for the 
future<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    RECT    windowRect            = {};<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">int<\/span><span style=\"color: #D4D4D4\">     reportSize            = <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">    \/\/ Get the window style flags<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">int<\/span><span style=\"color: #D4D4D4\"> styleFlags   = <\/span><span style=\"color: #DCDCAA\">GetWindowLongA<\/span><span style=\"color: #D4D4D4\">(hwndWindow, GWL_STYLE);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">int<\/span><span style=\"color: #D4D4D4\"> exStyleFlags = <\/span><span style=\"color: #DCDCAA\">GetWindowLongA<\/span><span style=\"color: #D4D4D4\">(hwndWindow, GWL_EXSTYLE);<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">    \/\/ Get the window rect<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #DCDCAA\">GetWindowRect<\/span><span style=\"color: #D4D4D4\">(hwndWindow, &amp;windowRect);<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">    \/\/ Check if windows is hidden and the window name is &quot;MSPaintA&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (!(styleFlags &amp; WS_VISIBLE) &amp;&amp; !<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(windowName, <\/span><span style=\"color: #CE9178\">&quot;MSPaintA&quot;<\/span><span style=\"color: 
#D4D4D4\">))<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        HANDLE targetProcess = <\/span><span style=\"color: #DCDCAA\">OpenProcess<\/span><span style=\"color: #D4D4D4\">(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, windowPid);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (targetProcess)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #DCDCAA\">CloseHandle<\/span><span style=\"color: #D4D4D4\">(targetProcess);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #C586C0\">return<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (<\/span><span style=\"color: #DCDCAA\">GetLastError<\/span><span style=\"color: #D4D4D4\">() != ERROR_INVALID_PARAMETER)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #C586C0\">return<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">int<\/span><span style=\"color: #D4D4D4\">        nameLength             = <\/span><span style=\"color: #DCDCAA\">GetWindowTextW<\/span><span style=\"color: #D4D4D4\">(hwndWindow, windowNameUnicode, <\/span><span style=\"color: #B5CEA8\">64<\/span><span style=\"color: 
#D4D4D4\">);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">const<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">auto<\/span><span style=\"color: #D4D4D4\"> resultBytesWrittenName = <\/span><span style=\"color: #DCDCAA\">WideCharToMultiByte<\/span><span style=\"color: #D4D4D4\">(<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                            CP_UTF8,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                            <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                            windowNameUnicode,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                            nameLength,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                            windowNameASCII + startIndex + <\/span><span style=\"color: #B5CEA8\">1<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                            <\/span><span style=\"color: #B5CEA8\">255<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                            <\/span><span style=\"color: #569CD6\">nullptr<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                            <\/span><span style=\"color: #569CD6\">nullptr<\/span><span style=\"color: #D4D4D4\">);<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: 
#D4D4D4\">    *(BYTE*)(windowNameASCII + startIndex) = resultBytesWrittenName;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    startIndex2                            = startIndex + resultBytesWrittenName + <\/span><span style=\"color: #B5CEA8\">1<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    nameLength                         = <\/span><span style=\"color: #DCDCAA\">GetClassNameW<\/span><span style=\"color: #D4D4D4\">(hwndWindow, windowNameUnicode, <\/span><span style=\"color: #B5CEA8\">64<\/span><span style=\"color: #D4D4D4\">);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">const<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">auto<\/span><span style=\"color: #D4D4D4\"> resultBytesWrittenClass = <\/span><span style=\"color: #DCDCAA\">WideCharToMultiByte<\/span><span style=\"color: #D4D4D4\">(<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                             CP_UTF8,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                             <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                             windowNameUnicode,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                             nameLength,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                             windowNameASCII + startIndex2 + <\/span><span style=\"color: #B5CEA8\">1<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                       
                                      <\/span><span style=\"color: #B5CEA8\">255<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                             <\/span><span style=\"color: #569CD6\">nullptr<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                             <\/span><span style=\"color: #569CD6\">nullptr<\/span><span style=\"color: #D4D4D4\">);<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    *(BYTE*)(windowNameASCII + startIndex2) = resultBytesWrittenClass;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (<\/span><span style=\"color: #9CDCFE\">windowNameASCII<\/span><span style=\"color: #D4D4D4\">[startIndex2] == <\/span><span style=\"color: #B5CEA8\">7<\/span><span style=\"color: #D4D4D4\"> &amp;&amp; <\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(&amp;<\/span><span style=\"color: #9CDCFE\">windowNameASCII<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">1<\/span><span style=\"color: #D4D4D4\">], <\/span><span style=\"color: #CE9178\">&quot;Notepad&quot;<\/span><span style=\"color: #D4D4D4\">))<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        notepadWindowFound = <\/span><span style=\"color: #569CD6\">true<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">    \/\/ No idea yet...<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#D4D4D4\">    <\/span><span style=\"color: #569CD6\">auto<\/span><span style=\"color: #D4D4D4\"> v56 = startIndex2 + *(BYTE*)(windowNameASCII + startIndex2) + <\/span><span style=\"color: #B5CEA8\">1<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    HANDLE  procHandle            = <\/span><span style=\"color: #DCDCAA\">OpenProcess<\/span><span style=\"color: #D4D4D4\">(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, windowPid);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">wchar_t<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #9CDCFE\">lpExeNameW<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">128<\/span><span style=\"color: #D4D4D4\">]       = {<\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">};<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    DWORD   lpExeNameSize         = <\/span><span style=\"color: #B5CEA8\">128<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">bool<\/span><span style=\"color: #D4D4D4\">    foundProcessImagePath = <\/span><span style=\"color: #569CD6\">false<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (procHandle)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (<\/span><span style=\"color: #DCDCAA\">QueryFullProcessImageNameW<\/span><span style=\"color: #D4D4D4\">(procHandle, <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">, 
lpExeNameW, &amp;lpExeNameSize))<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            lpExeNameSize = <\/span><span style=\"color: #DCDCAA\">WideCharToMultiByte<\/span><span style=\"color: #D4D4D4\">(<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                CP_UTF8,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                lpExeNameW,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                lpExeNameSize,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                windowNameASCII + v56 + <\/span><span style=\"color: #B5CEA8\">1<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                <\/span><span style=\"color: #B5CEA8\">255<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                <\/span><span style=\"color: #569CD6\">nullptr<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                                                <\/span><span style=\"color: #569CD6\">nullptr<\/span><span style=\"color: #D4D4D4\">);<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (lpExeNameSize)<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#D4D4D4\">            {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                foundProcessImagePath = <\/span><span style=\"color: #569CD6\">true<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #DCDCAA\">CloseHandle<\/span><span style=\"color: #D4D4D4\">(procHandle);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">uint32_t<\/span><span style=\"color: #D4D4D4\"> blackListedWindowCount = <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #C586C0\">for<\/span><span style=\"color: #D4D4D4\"> (HWND m = <\/span><span style=\"color: #DCDCAA\">GetWindow<\/span><span style=\"color: #D4D4D4\">(hwndWindow, GW_CHILD); m; m = <\/span><span style=\"color: #DCDCAA\">GetWindow<\/span><span style=\"color: #D4D4D4\">(m, GW_HWNDNEXT))<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #569CD6\">char<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #9CDCFE\">tmpWindowName<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">32<\/span><span style=\"color: #D4D4D4\">] = {};<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (!<\/span><span style=\"color: #DCDCAA\">GetWindowTextA<\/span><span 
style=\"color: #D4D4D4\">(m, tmpWindowName, <\/span><span style=\"color: #B5CEA8\">32<\/span><span style=\"color: #D4D4D4\">))<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #C586C0\">continue<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (!<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(tmpWindowName, <\/span><span style=\"color: #CE9178\">&quot;recoil&quot;<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            || !<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(tmpWindowName, <\/span><span style=\"color: #CE9178\">&quot;Recoil&quot;<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            || !<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(tmpWindowName, <\/span><span style=\"color: #CE9178\">&quot;No-Recoil&quot;<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            || !<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(tmpWindowName, <\/span><span style=\"color: #CE9178\">&quot;No-recoil&quot;<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            || !<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(tmpWindowName, <\/span><span style=\"color: #CE9178\">&quot;Triggerb&quot;<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            || !<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span 
style=\"color: #D4D4D4\">(tmpWindowName, <\/span><span style=\"color: #CE9178\">&quot;triggerb&quot;<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            || !<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(tmpWindowName, <\/span><span style=\"color: #CE9178\">&quot;RapidFir&quot;<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            || !<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(tmpWindowName, <\/span><span style=\"color: #CE9178\">&quot;Rapidfir&quot;<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            || !<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(tmpWindowName, <\/span><span style=\"color: #CE9178\">&quot;Rapid Fir&quot;<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            || !<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(tmpWindowName, <\/span><span style=\"color: #CE9178\">&quot;Rapid fir&quot;<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            || !<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(tmpWindowName, <\/span><span style=\"color: #CE9178\">&quot;Rapid fir&quot;<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            || !<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(tmpWindowName, <\/span><span style=\"color: #CE9178\">&quot;Chance (%&quot;<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            || !<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span 
style=\"color: #D4D4D4\">(tmpWindowName, <\/span><span style=\"color: #CE9178\">&quot;(%):&quot;<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            || !<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(tmpWindowName, <\/span><span style=\"color: #CE9178\">&quot;drakonia&quot;<\/span><span style=\"color: #D4D4D4\">))<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            blackListedWindowCount++;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    DWORD <\/span><span style=\"color: #9CDCFE\">fileAttribute<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">10<\/span><span style=\"color: #D4D4D4\">]{};<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #DCDCAA\">GetFileAttributesExW<\/span><span style=\"color: #D4D4D4\">(lpExeNameW, GetFileExInfoStandard, &amp;fileAttribute);<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">auto<\/span><span style=\"color: #D4D4D4\"> sendReport = [](<\/span><span style=\"color: #569CD6\">uint8_t<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #9CDCFE\">imagePathLength<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #4EC9B0\">DWORD<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #9CDCFE\">imageSize<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #569CD6\">uint32_t<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: 
#9CDCFE\">styleFlags<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #569CD6\">uint32_t<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #9CDCFE\">exStyleFlags<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                         <\/span><span style=\"color: #4EC9B0\">RECT<\/span><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #9CDCFE\">rect<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                         <\/span><span style=\"color: #569CD6\">int<\/span><span style=\"color: #D4D4D4\">     <\/span><span style=\"color: #9CDCFE\">reportSize<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        Report report     = {};<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #9CDCFE\">report<\/span><span style=\"color: #D4D4D4\">.<\/span><span style=\"color: #9CDCFE\">Unknown<\/span><span style=\"color: #D4D4D4\">    = <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #9CDCFE\">report<\/span><span style=\"color: #D4D4D4\">.<\/span><span style=\"color: #9CDCFE\">ReportType<\/span><span style=\"color: #D4D4D4\"> = <\/span><span style=\"color: #4EC9B0\">ReportType<\/span><span style=\"color: #D4D4D4\">::DetectedAbnormalWindow_Handle_File;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #569CD6\">struct<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            BYTE     ReportType    
       = <\/span><span style=\"color: #B5CEA8\">0x3C<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            BYTE     Unknown              = <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #569CD6\">uint8_t<\/span><span style=\"color: #D4D4D4\">  ImagePathLength      = <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            DWORD    ImageSize            = <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            CHAR     <\/span><span style=\"color: #9CDCFE\">lpExeName<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">128<\/span><span style=\"color: #D4D4D4\">]       = {};<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #569CD6\">char<\/span><span style=\"color: #D4D4D4\">     <\/span><span style=\"color: #9CDCFE\">WindowName<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">64<\/span><span style=\"color: #D4D4D4\">]      = {};<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #569CD6\">char<\/span><span style=\"color: #D4D4D4\">     <\/span><span style=\"color: #9CDCFE\">WindowClassName<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">64<\/span><span style=\"color: #D4D4D4\">] = {};<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #569CD6\">uint32_t<\/span><span style=\"color: #D4D4D4\"> styleFlags           = <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: 
#D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #569CD6\">uint32_t<\/span><span style=\"color: #D4D4D4\"> exStyleFlags         = <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            RECT     windowRect           = {};<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        } reportInfo;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #9CDCFE\">reportInfo<\/span><span style=\"color: #D4D4D4\">.<\/span><span style=\"color: #9CDCFE\">ImagePathLength<\/span><span style=\"color: #D4D4D4\"> = imagePathLength;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #9CDCFE\">reportInfo<\/span><span style=\"color: #D4D4D4\">.<\/span><span style=\"color: #9CDCFE\">ImageSize<\/span><span style=\"color: #D4D4D4\">       = imageSize;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #9CDCFE\">reportInfo<\/span><span style=\"color: #D4D4D4\">.<\/span><span style=\"color: #9CDCFE\">styleFlags<\/span><span style=\"color: #D4D4D4\">      = styleFlags;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #9CDCFE\">reportInfo<\/span><span style=\"color: #D4D4D4\">.<\/span><span style=\"color: #9CDCFE\">exStyleFlags<\/span><span style=\"color: #D4D4D4\">    = exStyleFlags;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #9CDCFE\">reportInfo<\/span><span style=\"color: #D4D4D4\">.<\/span><span style=\"color: #9CDCFE\">windowRect<\/span><span style=\"color: #D4D4D4\">      = rect;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">        \/\/ 
etc<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #DCDCAA\">BattleyeReport<\/span><span style=\"color: #D4D4D4\">(&amp;report, reportSize, <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    };<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (blackListedWindowCount)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">         <\/span><span style=\"color: #DCDCAA\">sendReport<\/span><span style=\"color: #D4D4D4\">(<\/span><span style=\"color: #569CD6\">static_cast<\/span><span style=\"color: #D4D4D4\">&lt;<\/span><span style=\"color: #569CD6\">uint8_t<\/span><span style=\"color: #D4D4D4\">&gt;(lpExeNameSize), <\/span><span style=\"color: #9CDCFE\">fileAttribute<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">8<\/span><span style=\"color: #D4D4D4\">], styleFlags, exStyleFlags, windowRect,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                   reportSize);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #C586C0\">return<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (parentWindow &amp;&amp; exStyleFlags &amp; 
WS_EX_LAYERED || styleFlags &amp; WS_VISIBLE)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #DCDCAA\">sendReport<\/span><span style=\"color: #D4D4D4\">(<\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">, styleFlags, exStyleFlags, windowRect, reportSize);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #C586C0\">return<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">    \/\/ Check if the window is layered and topmost<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (exStyleFlags &amp; WS_EX_LAYERED &amp;&amp; exStyleFlags &amp; WS_EX_TOPMOST)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">         <\/span><span style=\"color: #DCDCAA\">sendReport<\/span><span style=\"color: #D4D4D4\">(<\/span><span style=\"color: #569CD6\">static_cast<\/span><span style=\"color: #D4D4D4\">&lt;<\/span><span style=\"color: #569CD6\">uint8_t<\/span><span style=\"color: #D4D4D4\">&gt;(lpExeNameSize), <\/span><span style=\"color: #9CDCFE\">fileAttribute<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">8<\/span><span style=\"color: #D4D4D4\">], styleFlags, exStyleFlags, windowRect,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                   reportSize);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: 
#C586C0\">return<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> ((exStyleFlags | styleFlags) == <\/span><span style=\"color: #B5CEA8\">0x14CF0100<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">         <\/span><span style=\"color: #DCDCAA\">sendReport<\/span><span style=\"color: #D4D4D4\">(<\/span><span style=\"color: #569CD6\">static_cast<\/span><span style=\"color: #D4D4D4\">&lt;<\/span><span style=\"color: #569CD6\">uint8_t<\/span><span style=\"color: #D4D4D4\">&gt;(lpExeNameSize), <\/span><span style=\"color: #9CDCFE\">fileAttribute<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">8<\/span><span style=\"color: #D4D4D4\">], styleFlags, exStyleFlags, windowRect,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                   reportSize);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #C586C0\">return<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">int<\/span><span style=\"color: #D4D4D4\"> combinationWindowFlags = exStyleFlags &amp; styleFlags;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">constexpr<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">uint32_t<\/span><span style=\"color: #D4D4D4\"> blacklistedFlagsCombination[] = 
{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #B5CEA8\">0x34CF0100<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x14EF0310<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x34EF0310<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x14EF0110<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x34EF0110<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x17090020<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x17090000<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x16090020<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #B5CEA8\">0x94080020<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x94080080<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9C080080<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x160A0080<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x16CA0008<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0xD60A0080<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #B5CEA8\">0xD6080101<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x160D0020<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x940800A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x16CF0101<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x36CF0101<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: 
#B5CEA8\">0x160D0000<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x94080000<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x16C20100<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #B5CEA8\">0x16C80100<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x16080080<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x160C0000<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x1E0900A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9C880020<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9C0800A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9C080024<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9C080020<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x150908A0<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #B5CEA8\">0x16020008<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9C080000<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0xD40800A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x94000010<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0xB4000010<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x94880020<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x1E0D0028<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x140800A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x14080020<\/span><span 
style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #B5CEA8\">0x14080080<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9C880220<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x960B00A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x140908A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x160A0000<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x960814B0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9D080000<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x16CA0108<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x36CA0108<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #B5CEA8\">0x160800A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9C1F0137<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x160A0020<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9C1F01B7<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x94080220<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x960A00A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9CA80020<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x960A0080<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9C0900A0<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #B5CEA8\">0x96080020<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: 
#B5CEA8\">0x960800A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9C1800A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9C4800A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0xD6080020<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9E1800A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x1C0800A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x94880000<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9D080020<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #B5CEA8\">0xDC0A0020<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x1C0900A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x961900A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x964B00A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9E1840A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x1C480020<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9E0C00A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x16CE0101<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x36CE0101<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #B5CEA8\">0x960904A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x14EC0110<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9C0C00A0<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x948802A0<\/span><span 
style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9C080220<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9C0A6060<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x14CF0108<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x34CF0108<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x15080020<\/span><span style=\"color: #D4D4D4\">,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #B5CEA8\">0x14CA0101<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x34CA0101<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x16020000<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x94000088<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x96000000<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x94030400<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x96030400<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x9C09004C<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #B5CEA8\">0x94CD01CD<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    };<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">    \/\/ Check if the combination of flags is blacklisted<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (<\/span><span style=\"color: #4EC9B0\">std<\/span><span style=\"color: #D4D4D4\">::<\/span><span style=\"color: #4EC9B0\">ranges<\/span><span style=\"color: #D4D4D4\">::<\/span><span style=\"color: #DCDCAA\">find<\/span><span style=\"color: 
#D4D4D4\">(blacklistedFlagsCombination,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                          combinationWindowFlags) !=<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #4EC9B0\">std<\/span><span style=\"color: #D4D4D4\">::<\/span><span style=\"color: #DCDCAA\">end<\/span><span style=\"color: #D4D4D4\">(blacklistedFlagsCombination))<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #DCDCAA\">sendReport<\/span><span style=\"color: #D4D4D4\">(<\/span><span style=\"color: #569CD6\">static_cast<\/span><span style=\"color: #D4D4D4\">&lt;<\/span><span style=\"color: #569CD6\">uint8_t<\/span><span style=\"color: #D4D4D4\">&gt;(lpExeNameSize), <\/span><span style=\"color: #9CDCFE\">fileAttribute<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">8<\/span><span style=\"color: #D4D4D4\">], styleFlags, exStyleFlags, windowRect,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                   reportSize);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #C586C0\">return<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">    \/\/ Check if the window is layered and the window name is &quot;MainWind&quot; or the window is iconic<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> ((combinationWindowFlags == <\/span><span style=\"color: #B5CEA8\">0x16CF0100<\/span><span style=\"color: #D4D4D4\"> || combinationWindowFlags == <\/span><span style=\"color: #B5CEA8\">0x36CF0100<\/span><span 
style=\"color: #D4D4D4\">) &amp;&amp; (<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            !<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(&amp;<\/span><span style=\"color: #9CDCFE\">windowName<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">2<\/span><span style=\"color: #D4D4D4\">], <\/span><span style=\"color: #CE9178\">&quot;MainWind&quot;<\/span><span style=\"color: #D4D4D4\">) || (exStyleFlags &amp; WS_EX_LAYERED) != <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">))<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #DCDCAA\">sendReport<\/span><span style=\"color: #D4D4D4\">(<\/span><span style=\"color: #569CD6\">static_cast<\/span><span style=\"color: #D4D4D4\">&lt;<\/span><span style=\"color: #569CD6\">uint8_t<\/span><span style=\"color: #D4D4D4\">&gt;(lpExeNameSize), <\/span><span style=\"color: #9CDCFE\">fileAttribute<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">8<\/span><span style=\"color: #D4D4D4\">], styleFlags, exStyleFlags, windowRect,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                   reportSize);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #C586C0\">return<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (combinationWindowFlags == <\/span><span style=\"color: #B5CEA8\">0x17CF0100<\/span><span style=\"color: #D4D4D4\"> &amp;&amp; !<\/span><span style=\"color: #DCDCAA\">strlen<\/span><span style=\"color: 
#D4D4D4\">(windowName)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        || (combinationWindowFlags &amp; <\/span><span style=\"color: #B5CEA8\">0xFFFFF<\/span><span style=\"color: #D4D4D4\">) == <\/span><span style=\"color: #B5CEA8\">0xBA7A0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        || (combinationWindowFlags &amp; <\/span><span style=\"color: #B5CEA8\">0xFFFFF<\/span><span style=\"color: #D4D4D4\">) == <\/span><span style=\"color: #B5CEA8\">0x80323<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        || (combinationWindowFlags &amp; <\/span><span style=\"color: #B5CEA8\">0xFFFFF<\/span><span style=\"color: #D4D4D4\">) == <\/span><span style=\"color: #B5CEA8\">0x90A25<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        || (combinationWindowFlags &amp; <\/span><span style=\"color: #B5CEA8\">0xFFFFF<\/span><span style=\"color: #D4D4D4\">) == <\/span><span style=\"color: #B5CEA8\">0x90A65<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        || (combinationWindowFlags &amp; <\/span><span style=\"color: #B5CEA8\">0xFFFFF<\/span><span style=\"color: #D4D4D4\">) == <\/span><span style=\"color: #B5CEA8\">0xE0181<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        || (combinationWindowFlags &amp; <\/span><span style=\"color: #B5CEA8\">0xFFFFF<\/span><span style=\"color: #D4D4D4\">) == <\/span><span style=\"color: #B5CEA8\">0xE0080<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        || exStyleFlags == <\/span><span style=\"color: #B5CEA8\">0x5800A0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        || exStyleFlags == <\/span><span style=\"color: #B5CEA8\">0xC00A0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        || (exStyleFlags &amp; <\/span><span style=\"color: #B5CEA8\">0x80024<\/span><span style=\"color: #D4D4D4\">) == <\/span><span 
style=\"color: #B5CEA8\">0x80024<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        || (combinationWindowFlags &amp; <\/span><span style=\"color: #B5CEA8\">0x9C090020<\/span><span style=\"color: #D4D4D4\">) == <\/span><span style=\"color: #B5CEA8\">0x9C090020<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        || (combinationWindowFlags &amp; <\/span><span style=\"color: #B5CEA8\">0xD00800A0<\/span><span style=\"color: #D4D4D4\">) == <\/span><span style=\"color: #B5CEA8\">0xD00800A0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        || combinationWindowFlags == <\/span><span style=\"color: #B5CEA8\">0x94000000<\/span><span style=\"color: #D4D4D4\"> &amp;&amp; !<\/span><span style=\"color: #DCDCAA\">strlen<\/span><span style=\"color: #D4D4D4\">(windowName)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        || (exStyleFlags &amp; <\/span><span style=\"color: #B5CEA8\">0x80000<\/span><span style=\"color: #D4D4D4\">) != <\/span><span style=\"color: #B5CEA8\">0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        &amp;&amp; (<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(windowNameASCII + v56 + <\/span><span style=\"color: #B5CEA8\">1<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #CE9178\">&quot;IME&quot;<\/span><span style=\"color: #D4D4D4\">) == <\/span><span style=\"color: #B5CEA8\">0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            || <\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(windowNameASCII + v56 + <\/span><span style=\"color: #B5CEA8\">1<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #CE9178\">&quot;MSCT&quot;<\/span><span style=\"color: #D4D4D4\">) == <\/span><span style=\"color: #B5CEA8\">0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            || 
<\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(windowNameASCII + <\/span><span style=\"color: #B5CEA8\">2<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #CE9178\">&quot;BattlEye&quot;<\/span><span style=\"color: #D4D4D4\">) == <\/span><span style=\"color: #B5CEA8\">0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            || <\/span><span style=\"color: #DCDCAA\">strcmp<\/span><span style=\"color: #D4D4D4\">(windowNameASCII + v56 + <\/span><span style=\"color: #B5CEA8\">1<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #CE9178\">&quot;WorkrW&quot;<\/span><span style=\"color: #D4D4D4\">) == <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\"> &amp;&amp; (combinationWindowFlags &amp; <\/span><span style=\"color: #B5CEA8\">0xF<\/span><span style=\"color: #D4D4D4\">) != <\/span><span style=\"color: #B5CEA8\">0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        )<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    )<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #DCDCAA\">sendReport<\/span><span style=\"color: #D4D4D4\">(<\/span><span style=\"color: #569CD6\">static_cast<\/span><span style=\"color: #D4D4D4\">&lt;<\/span><span style=\"color: #569CD6\">uint8_t<\/span><span style=\"color: #D4D4D4\">&gt;(lpExeNameSize), <\/span><span style=\"color: #9CDCFE\">fileAttribute<\/span><span style=\"color: #D4D4D4\">[<\/span><span style=\"color: #B5CEA8\">8<\/span><span style=\"color: #D4D4D4\">], styleFlags, exStyleFlags, windowRect,<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                   reportSize);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    }<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#D4D4D4\">}<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. Failed to enumerate windows<\/h3>\n\n\n\n<p>The window enumeration routine keeps a counter that increments each time it runs. Any attempt to circumvent its execution leaves the counter at zero, which triggers a <strong>DetectedFailToEnumerateWindow<\/strong> report.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#1E1E1E\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"  Report report     = {};\n  report.Unknown    = 0;\n  report.ReportType = ReportType::DetectedAbnormalWindow_Handle_File;\n  \n  BattleyeReport(&amp;report, reportSize, 0);\n\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 
2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #D4D4D4\">  Report report     = {};<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">  <\/span><span style=\"color: #9CDCFE\">report<\/span><span style=\"color: #D4D4D4\">.<\/span><span style=\"color: #9CDCFE\">Unknown<\/span><span style=\"color: #D4D4D4\">    = <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">  <\/span><span style=\"color: #9CDCFE\">report<\/span><span style=\"color: #D4D4D4\">.<\/span><span style=\"color: #9CDCFE\">ReportType<\/span><span style=\"color: #D4D4D4\"> = <\/span><span style=\"color: #4EC9B0\">ReportType<\/span><span style=\"color: #D4D4D4\">::DetectedAbnormalWindow_Handle_File;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">  <\/span><span style=\"color: #DCDCAA\">BattleyeReport<\/span><span style=\"color: #D4D4D4\">(&amp;report, reportSize, <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">);<\/span><\/span>\n<span class=\"line\"><\/span><\/code><\/pre><\/div>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6. Integrity checks<\/h3>\n\n\n\n<p>The integrity check first looks for simple hooks on <strong>GetWindowLongA<\/strong> by examining its prologue for immediate moves or early returns. 
Failing that, it repeatedly resolves <strong>CALL<\/strong> and <strong>JMP<\/strong> instructions at the start of <strong>GetTopWindow<\/strong>, <strong>GetWindow<\/strong>, and <strong>GetWindowLongA<\/strong>, following each one to its destination. If targetFunctionAddr is valid at the end, a hook was found and it is reported to the server with <strong>DetectedAbnormalWindow_Handle_File<\/strong>.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(2 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#1E1E1E\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"void PerformIntegrityChecks()\n{\n    \/\/ Get addresses of relevant functions from user32.dll\n    uintptr_t getWindowLongAAddr = (uintptr_t)GetProcAddress(GetModuleHandleA(&quot;user32.dll&quot;), &quot;GetWindowLongA&quot;);\n    uintptr_t getWindowAddr      = (uintptr_t)GetProcAddress(GetModuleHandleA(&quot;user32.dll&quot;), &quot;GetWindow&quot;);\n    uintptr_t getTopWindowAddr   = (uintptr_t)GetProcAddress(GetModuleHandleA(&quot;user32.dll&quot;), &quot;GetTopWindow&quot;);\n\n    uintptr_t targetFunctionAddr = NULL;\n\n    \/\/ Checks GetWindowLongA \n   
 if (*(uint8_t*)getWindowLongAAddr == 0xB8 ||\n        *(uint16_t*)getWindowLongAAddr == 0xb848 ||\n        *(uint8_t*)getWindowLongAAddr == 0xC3) \/\/ RET\n    {\n        targetFunctionAddr = getWindowLongAAddr;\n    }\n    else\n    {\n        \/\/ If GetWindowLongA seems unmodified, check other functions\n        uintptr_t currentFunctionAddr = NULL;\n\n        for (int functionIndex = 0; functionIndex &lt; 3; ++functionIndex)\n        {\n            \/\/ Select function to check based on the loop index\n            if (functionIndex == 0)\n                currentFunctionAddr = getTopWindowAddr;\n            else if (functionIndex == 1)\n                currentFunctionAddr = getWindowAddr;\n            else\n                currentFunctionAddr = getWindowLongAAddr;\n\n            \/\/ Follow jump instructions to find the actual function address\n            for (uintptr_t instructionPtr = currentFunctionAddr; ; targetFunctionAddr = instructionPtr)\n            {\n                \/\/ Follow JMP (0xE9) or CALL (0xE8) instructions\n                while (*(uint8_t*)instructionPtr == 0xE9 || *(uint8_t*)instructionPtr == 0xE8)\n                {\n                    instructionPtr += *(int32_t*)(instructionPtr + 1) + 5;\n                    targetFunctionAddr = instructionPtr;\n                }\n\n                \/\/ Check for JMP [RIP+disp32] instruction (0x25FF)\n                if (*(uint16_t*)instructionPtr != 0x25FF)\n                    break;\n\n                \/\/ Follow the jump\n                instructionPtr = *(uintptr_t*)(instructionPtr + *(int32_t*)(instructionPtr + 2) + 6);\n            }\n        }\n    }\n\n    \/\/ If targetFunctionAddr is valid, then it found a hook and it is reported to the server.\n}\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" 
stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #569CD6\">void<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #DCDCAA\">PerformIntegrityChecks<\/span><span style=\"color: #D4D4D4\">()<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">    \/\/ Get addresses of relevant functions from user32.dll<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">uintptr_t<\/span><span style=\"color: #D4D4D4\"> getWindowLongAAddr = (<\/span><span style=\"color: #569CD6\">uintptr_t<\/span><span style=\"color: #D4D4D4\">)<\/span><span style=\"color: #DCDCAA\">GetProcAddress<\/span><span style=\"color: #D4D4D4\">(<\/span><span style=\"color: #DCDCAA\">GetModuleHandleA<\/span><span style=\"color: #D4D4D4\">(<\/span><span style=\"color: #CE9178\">&quot;user32.dll&quot;<\/span><span style=\"color: #D4D4D4\">), <\/span><span style=\"color: #CE9178\">&quot;GetWindowLongA&quot;<\/span><span style=\"color: #D4D4D4\">);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">uintptr_t<\/span><span style=\"color: #D4D4D4\"> getWindowAddr      = (<\/span><span style=\"color: #569CD6\">uintptr_t<\/span><span style=\"color: #D4D4D4\">)<\/span><span style=\"color: #DCDCAA\">GetProcAddress<\/span><span style=\"color: 
#D4D4D4\">(<\/span><span style=\"color: #DCDCAA\">GetModuleHandleA<\/span><span style=\"color: #D4D4D4\">(<\/span><span style=\"color: #CE9178\">&quot;user32.dll&quot;<\/span><span style=\"color: #D4D4D4\">), <\/span><span style=\"color: #CE9178\">&quot;GetWindow&quot;<\/span><span style=\"color: #D4D4D4\">);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">uintptr_t<\/span><span style=\"color: #D4D4D4\"> getTopWindowAddr   = (<\/span><span style=\"color: #569CD6\">uintptr_t<\/span><span style=\"color: #D4D4D4\">)<\/span><span style=\"color: #DCDCAA\">GetProcAddress<\/span><span style=\"color: #D4D4D4\">(<\/span><span style=\"color: #DCDCAA\">GetModuleHandleA<\/span><span style=\"color: #D4D4D4\">(<\/span><span style=\"color: #CE9178\">&quot;user32.dll&quot;<\/span><span style=\"color: #D4D4D4\">), <\/span><span style=\"color: #CE9178\">&quot;GetTopWindow&quot;<\/span><span style=\"color: #D4D4D4\">);<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">uintptr_t<\/span><span style=\"color: #D4D4D4\"> targetFunctionAddr = <\/span><span style=\"color: #569CD6\">NULL<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">    \/\/ Checks GetWindowLongA <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (*(<\/span><span style=\"color: #569CD6\">uint8_t<\/span><span style=\"color: #D4D4D4\">*)getWindowLongAAddr == <\/span><span style=\"color: #B5CEA8\">0xB8<\/span><span style=\"color: #D4D4D4\"> ||<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        *(<\/span><span style=\"color: #569CD6\">uint16_t<\/span><span style=\"color: #D4D4D4\">*)getWindowLongAAddr == <\/span><span style=\"color: 
#B5CEA8\">0xb848<\/span><span style=\"color: #D4D4D4\"> ||<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        *(<\/span><span style=\"color: #569CD6\">uint8_t<\/span><span style=\"color: #D4D4D4\">*)getWindowLongAAddr == <\/span><span style=\"color: #B5CEA8\">0xC3<\/span><span style=\"color: #D4D4D4\">)<\/span><span style=\"color: #6A9955\"> \/\/ RET<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        targetFunctionAddr = getWindowLongAAddr;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #C586C0\">else<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">        \/\/ If GetWindowLongA seems unmodified, check other functions<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #569CD6\">uintptr_t<\/span><span style=\"color: #D4D4D4\"> currentFunctionAddr = <\/span><span style=\"color: #569CD6\">NULL<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        <\/span><span style=\"color: #C586C0\">for<\/span><span style=\"color: #D4D4D4\"> (<\/span><span style=\"color: #569CD6\">int<\/span><span style=\"color: #D4D4D4\"> functionIndex = <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">; functionIndex &lt; <\/span><span style=\"color: #B5CEA8\">3<\/span><span style=\"color: #D4D4D4\">; ++functionIndex)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">            \/\/ Select function to check based on the loop index<\/span><\/span>\n<span class=\"line\"><span 
style=\"color: #D4D4D4\">            <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (functionIndex == <\/span><span style=\"color: #B5CEA8\">0<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                currentFunctionAddr = getTopWindowAddr;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #C586C0\">else<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (functionIndex == <\/span><span style=\"color: #B5CEA8\">1<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                currentFunctionAddr = getWindowAddr;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #C586C0\">else<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                currentFunctionAddr = getWindowLongAAddr;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">            \/\/ Follow jump instructions to find the actual function address<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            <\/span><span style=\"color: #C586C0\">for<\/span><span style=\"color: #D4D4D4\"> (<\/span><span style=\"color: #569CD6\">uintptr_t<\/span><span style=\"color: #D4D4D4\"> instructionPtr = currentFunctionAddr; ; targetFunctionAddr = instructionPtr)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">                \/\/ Follow JMP (0xE9) or CALL (0xE8) instructions<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                <\/span><span style=\"color: #C586C0\">while<\/span><span style=\"color: #D4D4D4\"> (*(<\/span><span style=\"color: 
#569CD6\">uint8_t<\/span><span style=\"color: #D4D4D4\">*)instructionPtr == <\/span><span style=\"color: #B5CEA8\">0xE9<\/span><span style=\"color: #D4D4D4\"> || *(<\/span><span style=\"color: #569CD6\">uint8_t<\/span><span style=\"color: #D4D4D4\">*)instructionPtr == <\/span><span style=\"color: #B5CEA8\">0xE8<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                    instructionPtr += *(<\/span><span style=\"color: #569CD6\">int32_t<\/span><span style=\"color: #D4D4D4\">*)(instructionPtr + <\/span><span style=\"color: #B5CEA8\">1<\/span><span style=\"color: #D4D4D4\">) + <\/span><span style=\"color: #B5CEA8\">5<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                    targetFunctionAddr = instructionPtr;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">                \/\/ Check for JMP [RIP+disp32] instruction (0x25FF)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                <\/span><span style=\"color: #C586C0\">if<\/span><span style=\"color: #D4D4D4\"> (*(<\/span><span style=\"color: #569CD6\">uint16_t<\/span><span style=\"color: #D4D4D4\">*)instructionPtr != <\/span><span style=\"color: #B5CEA8\">0x25FF<\/span><span style=\"color: #D4D4D4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                    <\/span><span style=\"color: #C586C0\">break<\/span><span style=\"color: #D4D4D4\">;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">                \/\/ Follow the jump<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                instructionPtr = *(<\/span><span 
style=\"color: #569CD6\">uintptr_t<\/span><span style=\"color: #D4D4D4\">*)(instructionPtr + *(<\/span><span style=\"color: #569CD6\">int32_t<\/span><span style=\"color: #D4D4D4\">*)(instructionPtr + <\/span><span style=\"color: #B5CEA8\">2<\/span><span style=\"color: #D4D4D4\">) + <\/span><span style=\"color: #B5CEA8\">6<\/span><span style=\"color: #D4D4D4\">);<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6A9955\">    \/\/ If targetFunctionAddr is valid, then it found a hook and it is reported to the server.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">}<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>This analysis of window detection mechanisms is just the first part of a broader investigation into BattlEye&#8217;s anti-cheat system. While we&#8217;ve uncovered sophisticated techniques for identifying suspicious windows, BattlEye&#8217;s protection extends far beyond this. Future posts will delve into other aspects of its strategy, providing a more comprehensive understanding of its approach to maintaining game integrity. 
So stay tuned for future posts.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">References<\/h2>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/winuser\/nf-winuser-gettopwindow\">https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/winuser\/nf-winuser-gettopwindow<\/a><br><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/winuser\/nf-winuser-getwindow\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/winuser\/nf-winuser-getwindow<\/a><br><a href=\"https:\/\/learn.microsoft.com\/pt-br\/windows\/win32\/api\/winuser\/nf-winuser-getwindowlonga\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/learn.microsoft.com\/pt-br\/windows\/win32\/api\/winuser\/nf-winuser-getwindowlonga<br><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction This research delves into Battleye&#8217;s detection mechanisms, this part 1 is focused on identifying and analyzing suspicious windows. 
This analysis aims to understand these methods for research purposes only,&hellip;<\/p>\n","protected":false},"author":1,"featured_media":2293,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2257","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/reversingthread.info\/index.php\/wp-json\/wp\/v2\/posts\/2257","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/reversingthread.info\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/reversingthread.info\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/reversingthread.info\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/reversingthread.info\/index.php\/wp-json\/wp\/v2\/comments?post=2257"}],"version-history":[{"count":127,"href":"https:\/\/reversingthread.info\/index.php\/wp-json\/wp\/v2\/posts\/2257\/revisions"}],"predecessor-version":[{"id":2386,"href":"https:\/\/reversingthread.info\/index.php\/wp-json\/wp\/v2\/posts\/2257\/revisions\/2386"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/reversingthread.info\/index.php\/wp-json\/wp\/v2\/media\/2293"}],"wp:attachment":[{"href":"https:\/\/reversingthread.info\/index.php\/wp-json\/wp\/v2\/media?parent=2257"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/reversingthread.info\/index.php\/wp-json\/wp\/v2\/categories?post=2257"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/reversingthread.info\/index.php\/wp-json\/wp\/v2\/tags?post=2257"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}