# ac
Open source anti-cheat (lol) which I made for fun.
# features
- Attached thread detection
- Process module .text section integrity checks
- NMI stackwalking via ISR iretq
- APC, DPC stackwalking
- Return address exception hooking detection
- Chained .data pointer detection (iffy)
- Handle stripping via object callbacks
- Process handle table enumeration
- System module device object verification
- System module .text integrity checks
- Detection of thread CID table entry removal
- Driver dispatch routine validation
- Extraction of various hardware identifiers
- EPT hook detection
- Various image integrity checks of both driver and module
- Hypervisor detection
- HalDispatch and HalPrivateDispatch routine validation
- Dynamic import resolving & encryption
- Malicious PCI device detection via configuration space scanning
- Win32kBase_DxgInterface routine validation
# architecture
- todo!
# planned features
There's a long list of features I still want to implement; the question is whether I can be bothered implementing them. I would say I'd accept pull requests for new features, but I would expect high quality code and thorough testing with Driver Verifier (both inside a VM and on bare metal).
# example
- I have recorded an example of the program running with CS2. Note that VAC was obviously disabled. *If you decide to test with a Steam game, do not forget to launch it in insecure mode.*
- Shown are the kernel `VERBOSE` level logs in DebugView along with the usermode application console and some additional performance benchmarking.
- [You can find the video here](https://youtu.be/b3mH7w8pOxs)
# known issues
- [See the issues page](https://github.com/donnaskiez/ac/issues)
- Feel free to open a new issue if you find any bugs
# windows versions tested:
- Win10 22H2
- Win11 22H2
# how to build
Requires [Visual Studio](https://visualstudio.microsoft.com/downloads/) and the [WDK](https://learn.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk) for compilation.
## test signing mode
Before we continue, ensure you enable test signing mode as this driver is not signed.
1. Open a command prompt as Administrator
2. Enter the following commands:
```cmd
bcdedit -set TESTSIGNING on
bcdedit /debug on
```
3. Restart Windows
## building and running the project
1. Clone the project, e.g. `git clone git@github.com:donnaskiez/ac.git`
2. Open the project in Visual Studio
3. Select `Release - No Server - Win10` or `Release - No Server - Win11` depending on the version of Windows you will be running the driver on.
4. Build the project in Visual Studio. If you experience any build issues, check that the driver project's settings are as follows:
- `Inf2Cat -> General -> Use Local Time` to `Yes`
- `C/C++ -> Treat Warnings As Errors` to `No`
- `C/C++ -> Spectre Mitigation` to `Disabled`
5. Move the `driver.sys` file located in `ac\x64\Release - No Server\` into the `Windows\System32\Drivers` directory
- You can rename the driver if you would like
6. Use the [OSR Loader](https://www.osronline.com/article.cfm%5Earticle=157.htm) and select `driver.sys` (or whatever you named it) that you moved to the Windows drivers folder. *DO NOT REGISTER THE SERVICE YET*.
7. Under `Service Start` select `System`. This is VERY important!
8. Click `Register Service`. *Do NOT click* `Start Service`!
9. Restart Windows.
10. Once restarted, open the program you would like to protect. This could be anything, e.g. cs2, notepad etc.
- If you do use a game to test, ensure the game's anti-cheat is turned off before testing
11. Open your DLL injector of choice (I simply use [Process Hacker](https://processhacker.sourceforge.io/))
12. Inject the DLL found in `ac\x64\Release - No Server\` named `user.dll` into the target program
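Steps 5 to 9 above can also be done from an elevated PowerShell prompt in the cloned repository root. The following is an added example and not part of the project's own instructions: it uses `sc.exe` in place of the OSR Loader GUI to register the driver with `System` start and without starting it, and it checks that test signing is on first. The service name `driver` and the function name `Install-AcDriverService` are my own choices.

```powershell
# Added example (not from the project): deploy driver.sys and register it as a
# System-start kernel service. Run as Administrator from the repository root.
# The service is only registered, never started; restart Windows afterwards.

$ServiceName = 'driver'   # assumed service name; change it if you renamed driver.sys
$BuildOutput = Join-Path (Get-Location) 'x64\Release - No Server\driver.sys'
$DriverPath  = Join-Path $env:SystemRoot "System32\drivers\$ServiceName.sys"

function Install-AcDriverService {
    # Test signing must be enabled or the unsigned driver will be refused at boot.
    $bcd = & bcdedit /enum '{current}'
    if (-not ($bcd -match 'testsigning\s+Yes')) {
        throw 'Test signing mode is not enabled; see "test signing mode" above and restart first.'
    }

    if (-not (Test-Path -Path $BuildOutput)) {
        throw "Build output not found: $BuildOutput (build the Release - No Server configuration first)"
    }

    # Step 5: copy the driver into the Windows drivers directory.
    Copy-Item -Path $BuildOutput -Destination $DriverPath -Force

    # Steps 6-8: equivalent of OSR Loader with Service Start = System and Register Service.
    # sc.exe requires the space after each "key=" token; PowerShell passes them as separate args.
    sc.exe create $ServiceName type= kernel start= system binPath= $DriverPath
    if ($LASTEXITCODE -ne 0) {
        # 1073 means the service already exists; delete it with "sc.exe delete" and rerun.
        throw "sc.exe create failed with exit code $LASTEXITCODE"
    }

    # Show the registered configuration so START_TYPE = SYSTEM_START can be confirmed.
    sc.exe qc $ServiceName
    Write-Host "Registered '$ServiceName'. Do NOT start it manually; restart Windows (step 9)."
}

# Usage: Install-AcDriverService
```

`sc.exe create` refuses to overwrite an existing service, so a second run on the same machine fails with exit code 1073 until the old registration is deleted.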
Logs will be printed to both the terminal output and the kernel debugger. See below for configuring kernel debugger output.
Note: The server is not needed for the program to function properly.
# how to configure kernel debugging output
The kernel driver is set up to log at 4 distinct levels:
```C
// Logging levels, from least to most verbose
#define LOG_ERROR_LEVEL
#define LOG_WARNING_LEVEL
#define LOG_INFO_LEVEL
#define LOG_VERBOSE_LEVEL
```
As the names suggest, `ERROR_LEVEL` is for errors and `WARNING_LEVEL` is for warnings. `INFO_LEVEL` is for general information regarding what requests the driver is processing, and `VERBOSE_LEVEL` contains very detailed information for each request.
## creating the registry key
If you are unfamiliar with the kernel debugging mask, you probably need to set one up. If you already have a debugging mask set up, you can skip to `setting the mask` below.
1. Open the Registry Editor
2. Copy and paste `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager` into the bar at the top and press enter
3. On the left hand side, right click `Session Manager` and select `New -> Key`
4. Name the key `Debug Print Filter`
5. On the left hand side you should now see `Debug Print Filter`; right click it and select `New -> DWORD (32 bit) Value`
6. Name the value `DEFAULT`
## setting the mask
1. Within the `Debug Print Filter` registry key, double click the value named `DEFAULT`
2. Determine the level(s) of logging you would like to see. For most people interested I would set either `INFO_LEVEL` or `VERBOSE_LEVEL`. Remember that if you set `INFO_LEVEL`, you will see all `INFO_LEVEL`, `WARNING_LEVEL` and `ERROR_LEVEL` logs, i.e. you see all logs at and above your set level.
```
ERROR_LEVEL = 0x3
WARNING_LEVEL = 0x7
INFO_LEVEL = 0xf
VERBOSE_LEVEL = 0x1f
```
3. Enter the value for the given logging level (seen above)
4. Click `Ok` and restart Windows.
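Both registry procedures above (creating the key and setting the mask) can be scripted from an elevated PowerShell prompt. This is an added example, not part of the project's README; the level-to-mask mapping is taken from the values listed above, and the function name `Set-AcDebugPrintMask` is my own.

```powershell
# Added example (not from the project): create the Debug Print Filter key and
# write the DEFAULT mask for the chosen log level. Run as Administrator; a
# restart is still required for the kernel to pick up the new mask.

# Level-to-mask mapping from the README. Each mask includes the bits of the
# lower levels, so INFO_LEVEL (0xf) also shows WARNING and ERROR output.
$AcLogMasks = @{
    ERROR_LEVEL   = 0x3
    WARNING_LEVEL = 0x7
    INFO_LEVEL    = 0xf
    VERBOSE_LEVEL = 0x1f
}

$DebugPrintFilterPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter'

function Set-AcDebugPrintMask {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ERROR_LEVEL', 'WARNING_LEVEL', 'INFO_LEVEL', 'VERBOSE_LEVEL')]
        [string]$Level
    )

    $mask = $AcLogMasks[$Level]

    # "creating the registry key": create Debug Print Filter if it does not exist yet.
    if (-not (Test-Path -Path $DebugPrintFilterPath)) {
        if ($PSCmdlet.ShouldProcess($DebugPrintFilterPath, 'Create key')) {
            New-Item -Path $DebugPrintFilterPath -Force | Out-Null
        }
    }

    # "setting the mask": DEFAULT is a REG_DWORD; -Force overwrites an existing value.
    if ($PSCmdlet.ShouldProcess("$DebugPrintFilterPath\DEFAULT", ('Set to 0x{0:x}' -f $mask))) {
        New-ItemProperty -Path $DebugPrintFilterPath -Name 'DEFAULT' `
            -PropertyType DWord -Value $mask -Force | Out-Null
    }

    # Read the value back so the caller can confirm what was actually written.
    $current = (Get-ItemProperty -Path $DebugPrintFilterPath -Name 'DEFAULT').DEFAULT
    [PSCustomObject]@{
        Level          = $Level
        Mask           = ('0x{0:x}' -f $current)
        RebootRequired = $true
    }
}

# Usage: Set-AcDebugPrintMask -Level INFO_LEVEL
# Preview without writing: Set-AcDebugPrintMask -Level VERBOSE_LEVEL -WhatIf
```

Because `DEFAULT` applies to every component that prints through the kernel debug filter, a high mask produces output from more than this driver; the filtering section below narrows it to the `donna-ac*` prefix.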
## filtering debug output
If you choose to use `INFO_LEVEL` or `VERBOSE_LEVEL` there may be many logs from the kernel, so we want to filter them.
### windbg
With WinDbg connected to the target:
1. Pause the target using the `Break` button
2. Use the command: `.ofilter donna-ac*`
### debugview
1. Click `Edit -> Filter/Highlight`
2. Set the `Include` string to `donna-ac*`
# license
We have decided to put this project under **AGPL-3.0**!
https://choosealicense.com/licenses/agpl-3.0/
# contact
Feel free to DM me on Discord or UC: @donnaskiez