donnaskiez/ac
open source anti cheat (lol) which I made for fun.
- Attached thread detection
- Process module .text section integrity checks
- NMI stackwalking via isr iretq
- APC, DPC stackwalking
- Return address exception hooking detection
- Chained .data pointer detection (iffy)
- Handle stripping via obj callbacks
- Process handle table enumeration
- System module device object verification
- System module .text integrity checks
- Removal of threads cid table entry detection
- Driver dispatch routine validation
- Extraction of various hardware identifiers
- EPT hook detection
- Various image integrity checks both of driver + module
- Hypervisor detection
- HalDispatch and HalPrivateDispatch routine validation
- Dynamic import resolving & encryption
- Malicious PCI device detection via configuration space scanning
- Win32kBase_DxgInterface routine validation
- todo!
There's a long list of features I still want to implement; the question is whether I can be bothered implementing them. I would say I'd accept pull requests for new features, but I would expect high quality code and thorough testing with verifier (both inside a VM and bare metal).

- I have recorded an example of the program running with CS2. Note that VAC was obviously disabled. If you decide to test with a Steam game, do not forget to launch in insecure mode.
- Shown are the kernel `VERBOSE` level logs in DebugView along with the usermode application console and some additional performance benchmarking things.
- [You can find the video here](https://youtu.be/b3mH7w8pOxs)
- See the issues page
- Feel free to open a new issue if you find any bugs
- Win10 22H2
- Win11 22H2
Requires Visual Studio and the WDK for compilation.

Before we continue, ensure you enable test signing mode as this driver is not signed.

- Open a command prompt as Administrator
- Enter the following commands:

```
bcdedit -set TESTSIGNING on
bcdedit /debug on
```

- Restart Windows
- Clone the project, i.e.

```
git clone git@github.com:donnaskiez/ac.git
```

- Open the project in Visual Studio
- Select `Release - No Server - Win10` or `Release - No Server - Win11` depending on the version of Windows you will be running the driver on.
- Build the project in Visual Studio. If you experience any build issues, check that the driver project's settings are the following:
  - `Inf2Cat -> General -> Use Local Time` to `Yes`
  - `C/C++ -> Treat Warnings As Errors` to `No`
  - `C/C++ -> Spectre Mitigation` to `Disabled`
- Move the `driver.sys` file located in `ac\x64\Release - No Server\` into the `Windows\System32\Drivers` directory. You can rename the driver if you would like.
- Use the OSR Loader and select `driver.sys` (or whatever you named it) that you moved to the Windows drivers folder. DO NOT REGISTER THE SERVICE YET.
- Under `Service Start` select `System`. This is VERY important!
- Click `Register Service`. Do NOT click `Start Service`!
- Restart Windows.
- Once restarted, open the program you would like to protect. This could be anything, i.e. cs2, notepad etc.
- If you do use a game to test, ensure the game's anti-cheat is turned off before testing
- Open your DLL injector of choice (I simply use Process Hacker)
- Inject the DLL found in `ac\x64\Release - No Server\` named `user.dll` into the target program
Logs will be printed to both the terminal output and the kernel debugger. See below for configuring kernel debugger output.
Note: The server is not needed for the program to function properly.
The kernel driver is set up to log at 4 distinct levels:

```c
#define LOG_ERROR_LEVEL
#define LOG_WARNING_LEVEL
#define LOG_INFO_LEVEL
#define LOG_VERBOSE_LEVEL
```

As the names suggest, `ERROR_LEVEL` is for errors, `WARNING_LEVEL` is for warnings, `INFO_LEVEL` is for general information regarding what requests the driver is processing and `VERBOSE_LEVEL` contains very detailed information for each request.
If you are unfamiliar with the kernel debugging mask, you probably need to set one up. If you already have a debugging mask set up, you can skip to setting the mask below.

- Open the Registry Editor
- Copy and paste `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager` into the bar at the top and press enter
- On the left hand side, right click `Session Manager` and select `New -> Key`
- Name the key `Debug Print Filter`
- On the left hand side you should now see `Debug Print Filter`; right click it and select `New -> DWORD (32 bit) Value`
- Name the value `DEFAULT`
- Within the `Debug Print Filter` registry key, double click the value named `DEFAULT`
- Determine the level(s) of logging you would like to see. For most people interested I would set either `INFO_LEVEL` or `VERBOSE_LEVEL`. Remember that if you set `INFO_LEVEL`, you will see all `INFO_LEVEL`, `WARNING_LEVEL` and `ERROR_LEVEL` logs, i.e. you see all logs above and including your set level.

```
ERROR_LEVEL   = 0x3
WARNING_LEVEL = 0x7
INFO_LEVEL    = 0xf
VERBOSE_LEVEL = 0x1f
```

- Enter the value for the given logging level (seen above)
- Click `Ok` and restart Windows.
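The same Debug Print Filter setup as a script, added here as an example and not part of the repository: run from an elevated PowerShell prompt, it writes the `DEFAULT` mask for the chosen level, reads it back to catch a mistyped path or value, and decodes any mask into the levels from the table above that it lets through. The `HKLM:` form of the key path and the two function names are my own choice.

```powershell
# Added example (not from donnaskiez/ac): same registry key as the manual steps above,
# written in PowerShell drive form. Requires an elevated prompt and a reboot to take effect.
$FilterKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter'

# Cumulative masks from the README table: each level's mask includes every lower level's bits,
# which is why selecting INFO_LEVEL also shows WARNING_LEVEL and ERROR_LEVEL output.
$LogLevels = [ordered]@{
    ERROR_LEVEL   = 0x3
    WARNING_LEVEL = 0x7
    INFO_LEVEL    = 0xf
    VERBOSE_LEVEL = 0x1f
}

function Set-DriverDebugLevel {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ERROR_LEVEL', 'WARNING_LEVEL', 'INFO_LEVEL', 'VERBOSE_LEVEL')]
        [string]$Level
    )
    $expected = [uint32]$LogLevels[$Level]
    # Create the "Debug Print Filter" key under Session Manager if it is missing.
    if (-not (Test-Path $FilterKey)) {
        New-Item -Path $FilterKey -Force | Out-Null
    }
    # DEFAULT is a REG_DWORD; -Force overwrites a value that already exists.
    New-ItemProperty -Path $FilterKey -Name 'DEFAULT' -PropertyType DWord -Value $expected -Force | Out-Null
    # Read it back before rebooting so a wrong path or value is caught now, not after the restart.
    $applied = [uint32](Get-ItemProperty -Path $FilterKey -Name 'DEFAULT').DEFAULT
    if ($applied -ne $expected) {
        throw ("DEFAULT is 0x{0:x} but expected 0x{1:x}" -f $applied, $expected)
    }
    Write-Host ("Debug Print Filter DEFAULT = 0x{0:x} ({1}); restart Windows to apply." -f $applied, $Level)
}

function Get-EnabledDriverLogLevels {
    # Lists which of the four README levels a mask lets through; defaults to the current DEFAULT value.
    param(
        [uint32]$Mask = (Get-ItemProperty -Path $FilterKey -Name 'DEFAULT' -ErrorAction Stop).DEFAULT
    )
    $LogLevels.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -eq $_.Value } |
        ForEach-Object { $_.Key }
}

Set-DriverDebugLevel -Level INFO_LEVEL
# With 0xf applied this lists ERROR_LEVEL, WARNING_LEVEL and INFO_LEVEL, but not VERBOSE_LEVEL.
Get-EnabledDriverLogLevels
```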
If you choose to use `INFO_LEVEL` or `VERBOSE_LEVEL` there may be many logs from the kernel, so we want to filter them out.

With WinDbg connected to the target:

- Pause the target using the `Break` button
- Use the command:

```
.ofilter donna-ac*
```

- Click `Edit -> Filter/Highlight`
- Set the `Include` string to `donna-ac*`
We have decided to put this project under AGPL-3.0! https://choosealicense.com/licenses/agpl-3.0/

Feel free to DM me on Discord or UC @donnaskiez