/ac

kernel mode anti cheat

Primary LanguageC

ac

features

  • Attached thread detection
  • Process module .text section integrity checks
  • NMI and APC stackwalks (to allow excellent system coverage)
  • Handle stripping via obj callbacks
  • Process handle table enumeration
  • System module verification
  • Unlinked process detection via PTE walking and checking against a robust process structure signature
  • Hidden thread detection via KPRCB
  • Dispatch routine validation
  • Extraction of hardware identifiers via SMBIOS parsing and PhysicalDriveN querying
  • EPT hook detection (currently detects hyperdbg and DdiMon)
  • Driver integrity checks both locally and over server
  • Test signing detection
  • Hypervisor detection via instruction emulation testing and timing checks

some things to note:

  • open source anticheat (oxymoron)
  • currently only tested on 10 19045 and since offsets are currently hardcoded u may experience technical difficulties. This will be fixed in the future when i either finish the debuglib or just use a pdb parser or maybe another method ;)
  • as a passion project i am really only implementing methods which i find enjoyable to either research or build which is why you see a lack of hooks and other such. Maybe in the future c:
  • There is still a plethora of work to do with regards to anti tamper, such as packet encryption, string encryption, binary virtualization etc.
  • There is also still much work to be done with regards to the prevention toolset, I would like to implement some form of cr3 protection in the near future.

how 2 use

  1. use the osr loader to load the driver at "system" load.
  2. inject dll into program you want to protect, i used notepad for testing
  3. logs will be printed to dbgview and the usermode dll via stdout

driver must be named "driver.sys" (sorry.. will be fixed soon (i am lazy))