How to get notified when a new handle to my process is opened with OpenProcess from a foreign process?


I'm researching game anti-cheat solutions so I can get a better grasp of how such security works. An approach used by many cheats is to use OpenProcess to open a process handle so they can use ReadProcessMemory to directly read data:

    var procHandle = Kernel32.OpenProcess(
        ProcessAccessRights.MemoryRead,
        false, process.Id
    );

(snippet from a C# game cheat)

This can be used to, for example, retrieve the positions of various entities in the game world, without needing to inject any kind of DLL; cheats that use this approach are called "external" cheats (as opposed to "internal" cheats that inject a DLL into the process).

In my anti-cheat engine, I want to detect such operations. I haven't been able to find any WinAPI methods that would call any kind of callback when a new kernel process handle is opened. If such a method doesn't exist, I'm willing to use polling and enumeration (go through every single process handle to see if it's referring to my game process, and if it has the PROCESS_VM_READ access right). However, I couldn't find a function to get all such handles either.

I'm pretty sure anti-cheat engines like Valve Anti-Cheat or BattlEye use this kind of detection; so, I think this would be possible from user-mode, since VAC does not install any kind of kernel driver, to my knowledge. If that is also not possible, a notification when ReadProcessMemory is called would also work, but I doubt that's possible.

Any reference to a WinAPI method in the documentation that can accomplish such a task would be appreciated, or a snippet (in any language that can use WinAPI, I don't really mind :) ) that would demonstrate such behavior.
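The polling check the question describes, as an added example that is not part of the original post: it filters a handle-table snapshot for handles that other processes hold to the game's own process object with PROCESS_VM_READ. It assumes the snapshot uses the x64 record layout of SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX (the records NtQuerySystemInformation returns for SystemExtendedHandleInformation on Windows); `handle_entry`, `find_foreign_readers` and the sample rows are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define PROCESS_VM_READ 0x0010u /* winnt.h value; PROCESS_ALL_ACCESS contains it */

/* Assumed x64 layout of one SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX record. */
typedef struct {
    uint64_t object;          /* kernel address of the referenced object */
    uint64_t owner_pid;       /* process whose handle table holds the entry */
    uint64_t handle_value;
    uint32_t granted_access;
    uint16_t backtrace_index;
    uint16_t type_index;      /* object type: Process, File, ... */
    uint32_t attributes, reserved;
} handle_entry;

/* Constructed snapshot (made-up addresses and type indexes): PID 4242 is the
 * game and 0x1c4 is a handle the game opened to itself. */
static const handle_entry sample[] = {
    {0xffffa00000001080u, 4242, 0x1c4, 0x1fffff, 0, 7, 0, 0},  /* self */
    {0xffffa00000001080u, 1300, 0x2a0, 0x000010, 0, 7, 0, 0},  /* VM_READ */
    {0xffffa00000001080u,  880, 0x5f8, 0x001000, 0, 7, 0, 0},  /* query only */
    {0xffffa00000002040u, 1300, 0x2a4, 0x000010, 0, 7, 0, 0},  /* other process */
    {0xffffa00000003000u, 1300, 0x2a8, 0x12019f, 0, 37, 0, 0}, /* a file */
    {0xffffa00000001080u, 2710, 0x098, 0x1fffff, 0, 7, 0, 0},  /* all access */
};

/* Counts foreign handles to our process that grant PROCESS_VM_READ and stores
 * up to cap owner PIDs. Returns -1 if self_handle is missing from the snapshot
 * or its object address is hidden (zero), since matching would be unsafe. */
long find_foreign_readers(const handle_entry *t, size_t n, uint64_t self_pid,
                          uint64_t self_handle, uint64_t *pids, size_t cap)
{
    const handle_entry *ref = NULL;
    for (size_t i = 0; i < n && !ref; i++)
        if (t[i].owner_pid == self_pid && t[i].handle_value == self_handle)
            ref = &t[i];
    if (!ref || ref->object == 0) return -1;
    long hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].owner_pid == self_pid) continue;          /* our own handles */
        if (t[i].type_index != ref->type_index) continue;  /* not a process */
        if (t[i].object != ref->object) continue;          /* another process */
        if (!(t[i].granted_access & PROCESS_VM_READ)) continue;
        if ((size_t)hits < cap) pids[hits] = t[i].owner_pid;
        hits++;
    }
    return hits;
}
```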
