5 KiB
ac
open source anti cheat (lol) which I made for fun.
features
- Attached thread detection
- Process module .text section integrity checks
- NMI and APC stackwalking
- IPI stackwalking which is a relatively unknown method compared to NMIs and APCs
- Handle stripping via obj callbacks
- Process handle table enumeration
- System module verification
- System module .text integrity checks (see known issues)
- Unlinked process detection
- Hidden thread detection via KPRCB
- Hidden thread detection via PspCid table
- Dispatch routine validation
- Extraction of hardware identifiers
- EPT hook detection (currently detects hyperdbg and DdiMon)
- Driver integrity checks both locally and over server
- Test signing detection
- Hypervisor detection
planned features
- Heartbeat
- ntoskrnl integrity checks, or atleast a small subset of the kernel encompasing critical functions
- spoofed stack identifier
- process module inline hook detection (this would include checking whether the hook is valid, as many legimate programs hook user mode modules such as discord, nvidia overlay etc.)
- cr3 protection
- string, packet and other encryption
- tpm ek extraction
- tpm spoofer detection
- pcileech firmware detection
- testing program to test the features
known issues
- See the issues page
- Feel free to open a new issue if you find any bugs
windows versions tested:
- Win10 22H2
- Win11 22H2
how to build
Requires Visual Studio and the WDK for compilation.
- Build the project in visual studio, if you experience any build issues - check the drivers project settings are the following:
Inf2Cat -> General -> Use Local Time
toYes
C/C++ -> Treat Warnings As Errors
toNo
C/C++ -> Spectre Mitigation
toDisabled
- Move the
driver.sys
file located inac\x64\Release
into theWindows\System32\Drivers
directory - Use the OSR Loader and select
driver.sys
that you moved to the Windows drivers folder. DO NOT REGISTER THE SERVICE YET.- driver must be named "driver.sys" (sorry.. will be fixed soon (i am lazy))
- Under
Service Start
selectSystem
. This is VERY important! - Click
Register Service
. Do NOT clickStart Service
! - Restart Windows.
- Once restarted, open the program you would like to protect as Administrator.
- Yes I understand this is not realistic
- Open your dll injector program of choice as administrator (I simply use Process Hacker)
- Inject the dll found in
ac\x64\Release
nameduser.dll
into the target program
Logs will be printed to both the terminal output and the kernel debugger. See below for configuring kernel debugger output.
Note: The server is not needed for the program to function properly.
how to configure kernel debugging output
The kernel driver is setup to log at 4 distinct levels:
#define DPFLTR_ERROR_LEVEL
#define DPFLTR_WARNING_LEVEL
#define DPFLTR_INFO_LEVEL
#define DPFLTR_VERBOSE_LEVEL
As the names suggest, ERROR_LEVEL
is for errors, WARNING_LEVEL
is for warnings. INFO_LEVEL
is for general information regarding what requests the driver is processing and VERBOSE_LEVEL
contains very detailed information for each request.
creating the registry key
If you are unfamiliar with the kernel debugging mask, you probably need to set one up. If you already have a debugging mask setup, you can skip to setting the mask
below.
- Open the Registry Editor
- Copy and pase
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
into the bar at the top and press enter - On the left hand side, right click
Session Manager
and selectNew -> Key
- Name the key
Debug Print Filter
- On the left hand side you should now see
Debug Print Filter
, right click and selectNew -> DWORD (32 bit) Value
- Name the key
DEFAULT
setting the mask
- Within the
Debug Print Filter
registry, double click the key namedDEFAULT
- Determine the level(s) of logging you would like to see. For most people interested I would set either
INFO_LEVEL
orVERBOSE_LEVEL
. Remember that if you setINFO_LEVEL
, you will see allINFO_LEVEL
,WARNING_LEVEL
andERROR_LEVEL
logs. Ie you see all logs above and including your set level.
ERROR_LEVEL = 0x3
WARNING_LEVEL = 0x7
INFO_LEVEL = 0xf
VERBOSE_LEVEL = 0x1f
- Enter the value for the given logging level (seen above)
- Click
Ok
and restart Windows.
filtering debug output
If you choose to use INFO_LEVEL
or VERBOSE_LEVEL
there may be many logs from the kernel so we want to filter them out.
windbg
With WinDbg connected to the target:
- Pause the target using the
Break
button - Use the command:
.ofilter donna-ac*
debugview
- Click
Edit -> Filter/Highlight
- Set the
Include
string todonna-ac*
contact
feel free to dm me on discord or uc @donnaskiez