How to minimize chance of being banned

Today I would like to discuss another aspect of botting/cheating which is avoiding getting banned. Nowadays, with various pretty sophisticated anti-cheat systems in place, it may take a lot of finesse to avoid being hit by the mighty ban hammer. There is very little confirmed information about how most of them work, but there are some general rules to follow to lower the chances of being detected by them. Hopefully, after reading this you will understand why a 100% undetectable bot/cheat is like a unicorn. I will try to keep it short and not delve too much into technical details.

Inhuman precision

While the simplest botting methods, those based purely on image analysis, are considered the safest because there is no direct connection between them and the "cheated" game, they can still be detected by analyzing player behavior.

The easiest one is detecting clicks that land on the very same pixel every time (especially when clicking UI elements). The easiest solution to this problem is randomly offsetting the click position within safe parameters.

A similar issue arises when clicking on enemies. For example, in my Diablo bot I convert a monster's position in the world to 2D coordinates on screen (screen space) and then click a few pixels above it. That could be easily detected as well if I keep the same vertical offset from the monster's pivot every time I click. Again, adding a small random offset should fix that.

Another way to distinguish a human from a bot is by analyzing mouse cursor movement. Most input simulation solutions move the mouse cursor in a straight line at constant speed, or even instantly. That is super easy to detect. Fortunately, it is also super easy to fix by applying small deviations to both movement direction and speed when faking mouse moves.

It is highly unlikely that a game is using this kind of tracking, but you still need to consider implementing some of these solutions if you suspect that might be the case.

Sending fake inputs

Real mouse/keyboard inputs can be distinguished from fake ones inside a global hook that anyone can register to be called when an input is generated. That used to be the case in Dead by Daylight. There are multiple solutions to try to get around this issue. One we have already discussed, which is registering your own hook and not calling any remaining hooks so they cannot detect your fake inputs. That solution may also easily be detected, since the game will be receiving inputs while its hook is not being called. It shouldn't result in being banned, but the game could handle it somehow by showing some information and not allowing you to continue playing. The proper solution would be using/implementing your own driver responsible for sending fake inputs. Since this time they are sent by an alleged device, they won't be flagged as fake.

Extreme endurance

The next thing to keep in mind is to make the bot behave credibly. For example, playing 24h straight is not really common behavior for humans. Try to implement some random 3-20 minute breaks every now and then (to act like someone is grabbing something to drink, eating, smoking or using the washroom) and long breaks like 6-9 hours every day. This is, of course, relevant mostly for unattended bots that can be left to run for long periods of time.

Both short-term and long-term solutions could benefit from random changes in clicking pace, since it's really difficult for a human to keep a constant interval between key presses or mouse clicks. Throwing a random delay into the sleeps between sending fake inputs is always a good idea.
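Seen from the anti-cheat side, the three tells described above (same-pixel clicks, a constant click interval, and straight constant-speed cursor paths) are cheap to check over an input log. The following is an added example, not code from this post or from any anti-cheat product; the event tuples are constructed sample data and the thresholds are assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample input logs (not real captures): each event is (t_ms, x, y).
# The "bot" data shows the tells described in the post; the "human" data shows natural jitter.
BOT_CLICKS = [(i * 500, 640, 360) for i in range(20)]
HUMAN_CLICKS = [(0, 641, 358), (530, 647, 362), (1010, 638, 359), (1620, 644, 364),
                (2090, 640, 357), (2710, 646, 361), (3150, 639, 363), (3800, 643, 358)]
BOT_PATH = [(i * 10, 100 + i * 20, 200 + i * 5) for i in range(10)]
HUMAN_PATH = [(0, 100, 200), (12, 118, 204), (27, 141, 211), (39, 160, 214), (52, 182, 222)]

def repeated_pixel_ratio(clicks):
    """Fraction of clicks that hit the single most common exact pixel."""
    counts = Counter((x, y) for _, x, y in clicks)
    return max(counts.values()) / len(clicks)

def interval_cv(clicks):
    """Coefficient of variation of inter-click gaps; 0.0 means a perfectly regular pace."""
    ts = [t for t, _, _ in clicks]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return float("inf")  # too few clicks to judge a pace
    return pstdev(gaps) / mean(gaps)

def path_is_mechanical(path, tol=1e-6):
    """True if every sample lies on the start-end line and the cursor moves at one speed."""
    if len(path) < 3:
        return False
    (t0, x0, y0), (t1, x1, y1) = path[0], path[-1]
    dx, dy, dt = x1 - x0, y1 - y0, t1 - t0
    if dt == 0:
        return False
    for t, x, y in path[1:-1]:
        f = (t - t0) / dt  # where a constant-speed cursor on a straight line would be at time t
        if abs(x - (x0 + f * dx)) > tol or abs(y - (y0 + f * dy)) > tol:
            return False
    return True

def flag_suspicious(clicks, path, pixel_thr=0.5, cv_thr=0.05):
    """Return the list of behavioural tells found; an empty list means nothing stood out."""
    reasons = []
    if repeated_pixel_ratio(clicks) > pixel_thr:
        reasons.append("same-pixel clicks")
    if interval_cv(clicks) < cv_thr:
        reasons.append("constant click interval")
    if path_is_mechanical(path):
        reasons.append("straight constant-speed cursor path")
    return reasons
```

The constructed bot log trips all three checks while the jittered human log trips none, which is exactly why the randomization the post recommends matters.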

Running known bots

Even the best human-behaving bot can still be detected when devs are aware of its existence. When a certain program gains enough popularity it may show up on the "radar". In that case, it's highly probable that its signature (a unique byte sequence of its executable code in memory) will be added to a list of known cheating programs. I won't get into too much detail, but it basically works the same way anti-virus software identifies and detects malicious software. The best way to avoid that is not distributing your bot/cheat publicly (that's why private solutions are so expensive). Another way out would be modifying the executable (the file, or dynamically in memory) so it works the same but its signature is different every time. This technique is commonly used by popular paid-bot providers.

Interacting with game process

Nowadays, many anti-cheat systems won't allow any interaction between an external application (unless whitelisted) and the game (that is the case with Easy Anti Cheat, for example). Opening a process handle is the very first step in any memory-based botting. Assuming that it is not blocked, it can still be detected (Blizzard's Warden was updated some time ago to allow that; however, I'm not familiar with the details). Having a process handle allows us to do all sorts of things, like hooking functions, reading/writing memory, or injecting code in general. Usually doing any of these (perhaps with the exception of reading memory) is highly risky and should be performed by people who know what they are doing.

Overlaying

Even if you followed all the above steps and took the safest route, it is still possible to be detected if you draw some. Some anti-cheat systems can take screenshots while a game is being played, for admins/devs to analyze. That is usually the case when you were reported by another player or by an automated system for suspicious behavior.

Overall, it's best to do a little research on the features of the anti-cheat system in the game you are writing your bot for. You could also google bans reported by other players and plan your anti-anti-cheat features accordingly.