mirror-ac/README.md
# ac
open source anti cheat (lol) which I made for fun.
# features
- Attached thread detection
- Process module .text section integrity checks
- NMI and APC stackwalking
- IPI stackwalking which is a relatively unknown method compared to NMIs and APCs
- Handle stripping via obj callbacks
- Process handle table enumeration
- System module verification
- System module .text integrity checks (see known issues)
- Unlinked process detection
- Hidden thread detection via KPRCB
- Hidden thread detection via PspCid table
- Dispatch routine validation
- Extraction of hardware identifiers
- EPT hook detection (currently detects hyperdbg and DdiMon)
- Driver integrity checks both locally and over server
- Test signing detection
- Hypervisor detection
# planned features
- Heartbeat
- ntoskrnl integrity checks, or at least a small subset of the kernel encompassing critical functions
- spoofed stack identifier
- process module inline hook detection (this would include checking whether the hook is valid, as many legitimate programs such as Discord, the NVIDIA overlay etc. hook user mode modules)
- cr3 protection
- string, packet and other encryption
- tpm ek extraction
- tpm spoofer detection
- pcileech firmware detection
- testing program to test the features
# example
- I have recorded an example of the program running with CS2. Note that VAC was obviously disabled. *If you decide to test with a Steam game, do not forget to launch it in insecure mode.*
- Shown are the kernel `VERBOSE` level logs in DebugView along with the usermode application console.
- You can find the video here
# known issues
- [See the issues page](https://github.com/donnaskiez/ac/issues)
- Feel free to open a new issue if you find any bugs
# windows versions tested:
- Win10 22H2
- Win11 22H2
# how to build
Requires [Visual Studio](https://visualstudio.microsoft.com/downloads/) and the [WDK](https://learn.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk) for compilation.
add test signing thing here
1. Open the project in visual studio
2. Select `Release - No Server`
3. Build the project in Visual Studio. If you experience any build issues, check that the driver project's settings are the following:
- `Inf2Cat -> General -> Use Local Time` to `Yes`
- `C/C++ -> Treat Warnings As Errors` to `No`
- `C/C++ -> Spectre Mitigation` to `Disabled`
4. Move the `driver.sys` file located in `ac\x64\Release` into the `Windows\System32\Drivers` directory
- You can rename the driver if you would like
5. Use the [OSR Loader](https://www.osronline.com/article.cfm%5Earticle=157.htm) and select `driver.sys` (or whatever you named it) that you moved to the Windows drivers folder. DO NOT REGISTER THE SERVICE YET.
6. Under `Service Start` select `System`. This is VERY important!
7. Click `Register Service`. *Do NOT click* `Start Service`!
8. Restart Windows.
9. Once restarted, open the program you would like to protect. This could be anything, e.g. a game, Notepad etc.
10. Open your dll injector program of choice as administrator (I simply use [Process Hacker](https://processhacker.sourceforge.io/))
11. Inject the dll found in `ac\x64\Release` named `user.dll` into the target program
Logs will be printed to both the terminal output and the kernel debugger. See below for configuring kernel debugger output.
Note: The server is not needed for the program to function properly.
# how to configure kernel debugging output
The kernel driver is set up to log at 4 distinct levels:
```C
#define LOG_ERROR_LEVEL
#define LOG_WARNING_LEVEL
#define LOG_INFO_LEVEL
#define LOG_VERBOSE_LEVEL
```
As the names suggest, `ERROR_LEVEL` is for errors, `WARNING_LEVEL` is for warnings. `INFO_LEVEL` is for general information regarding what requests the driver is processing and `VERBOSE_LEVEL` contains very detailed information for each request.
## creating the registry key
If you are unfamiliar with the kernel debugging mask, you probably need to set one up. If you already have a debugging mask set up, you can skip to `setting the mask` below.
1. Open the Registry Editor
2. Copy and paste `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager` into the address bar at the top and press Enter
3. On the left hand side, right click `Session Manager` and select `New -> Key`
4. Name the key `Debug Print Filter`
5. On the left hand side you should now see `Debug Print Filter`, right click and select `New -> DWORD (32 bit) Value`
6. Name the key `DEFAULT`
## setting the mask
1. Within the `Debug Print Filter` registry, double click the key named `DEFAULT`
2. Determine the level(s) of logging you would like to see. For most people interested I would set either `INFO_LEVEL` or `VERBOSE_LEVEL`. Remember that if you set `INFO_LEVEL`, you will see all `INFO_LEVEL`, `WARNING_LEVEL` and `ERROR_LEVEL` logs, i.e. you see all logs at and above your set level.
```
ERROR_LEVEL = 0x3
WARNING_LEVEL = 0x7
INFO_LEVEL = 0xf
VERBOSE_LEVEL = 0x1f
```
3. Enter the value for the given logging level (seen above)
4. Click `Ok` and restart Windows.
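The registry steps above (creating the `Debug Print Filter` key and setting the `DEFAULT` mask) as an added PowerShell script; this is example code written for this README, not part of the ac project. It assumes an elevated prompt and uses the mask values listed above.

```powershell
# Added example (not ac project code): create the Debug Print Filter key and
# set its DEFAULT mask for one of the four log levels described above.
# Run from an elevated PowerShell prompt; a reboot is still required afterwards.
param(
    [ValidateSet('ERROR', 'WARNING', 'INFO', 'VERBOSE')]
    [string]$Level = 'INFO'
)

# Mask values from the README: each level includes every level above it.
$masks = @{
    ERROR   = 0x3
    WARNING = 0x7
    INFO    = 0xf
    VERBOSE = 0x1f
}

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter'

# Steps 3-4 of "creating the registry key": create the key if it is missing.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Steps 5-6 and "setting the mask": create or overwrite the DEFAULT DWORD value.
New-ItemProperty -Path $keyPath -Name 'DEFAULT' -PropertyType DWord `
    -Value $masks[$Level] -Force | Out-Null

# Read the value back so the change is visible before rebooting.
$current = (Get-ItemProperty -Path $keyPath -Name 'DEFAULT').DEFAULT
'Debug Print Filter DEFAULT = 0x{0:x} ({1}_LEVEL)' -f $current, $Level
```

Run it as `.\set-debug-mask.ps1 -Level VERBOSE` (script name assumed) and then restart Windows, as in step 4.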
## filtering debug output
If you choose to use `INFO_LEVEL` or `VERBOSE_LEVEL`, there may be many unrelated logs from the kernel, so we want to filter the output down to the driver's own messages.
### windbg
With WinDbg connected to the target:
1. Pause the target using the `Break` button
2. Use the command: `.ofilter donna-ac*`
### debugview
1. Click `Edit -> Filter/Highlight`
2. Set the `Include` string to `donna-ac*`
# contact
feel free to dm me on discord or uc @donnaskiez