noury/mirror-ac
1
0
Fork 0
mirror of https://github.com/donnaskiez/ac.git synced 2024-11-21 22:24:08 +01:00
Code Issues Projects Releases Packages Wiki Activity
kernel mode anti cheat
216 commits 1 branch 0 tags 3.3 MiB
C 91.6%
C++ 8.2%
Assembly 0.2%
Find a file
lhodges1 f82364e5c8 fix readme
2023-12-25 12:31:13 +11:00
driver logging + readme + other 2023-12-24 05:52:55 +11:00
server c: 2023-10-04 03:03:55 +11:00
service some stuffffffff 2023-09-24 21:13:20 +10:00
testcli fix bug 2023-11-18 21:40:22 +11:00
testdrv update tutorial readme 2023-11-01 20:48:14 +11:00
user fix bug 2023-11-18 21:40:22 +11:00
.clang-format some formatting. Smiley face 2023-12-13 15:06:27 +11:00
.gitattributes Add .gitattributes, .gitignore, and README.md. 2023-08-15 22:02:15 +10:00
.gitignore Add .gitattributes, .gitignore, and README.md. 2023-08-15 22:02:15 +10:00
ac.sln DIE 2023-11-01 03:22:04 +11:00
dblayout.drawio e 2023-09-08 03:49:36 +10:00
README.md fix readme 2023-12-25 12:31:13 +11:00

README.md

ac

open source anti cheat (lol) which I made for fun.

features

  • Attached thread detection
  • Process module .text section integrity checks
  • NMI and APC stackwalking
  • IPI stackwalking which is a relatively unknown method compared to NMIs and APCs
  • Handle stripping via obj callbacks
  • Process handle table enumeration
  • System module verification
  • System module .text integrity checks (see known issues)
  • Unlinked process detection
  • Hidden thread detection via KPRCB
  • Hidden thread detection via PspCid table
  • Dispatch routine validation
  • Extraction of hardware identifiers
  • EPT hook detection (currently detects hyperdbg and DdiMon)
  • Driver integrity checks both locally and over server
  • Test signing detection
  • Hypervisor detection

planned features

  • Heartbeat
  • ntoskrnl integrity checks, or atleast a small subset of the kernel encompasing critical functions
  • spoofed stack identifier
  • process module inline hook detection (this would include checking whether the hook is valid, as many legimate programs hook user mode modules such as discord, nvidia overlay etc.)
  • cr3 protection
  • string, packet and other encryption
  • tpm ek extraction
  • tpm spoofer detection
  • pcileech firmware detection
  • testing program to test the features

known issues

windows versions tested:

  • Win10 22H2
  • Win11 22H2

how to build

Requires Visual Studio and the WDK for compilation.

  1. Build the project in visual studio, if you experience any build issues - check the drivers project settings are the following:
    • Inf2Cat -> General -> Use Local Time to Yes
    • C/C++ -> Treat Warnings As Errors to No
    • C/C++ -> Spectre Mitigation to Disabled
  2. Move the driver.sys file located in ac\x64\Release into the Windows\System32\Drivers directory
  3. Use the OSR Loader and select driver.sys that you moved to the Windows drivers folder. DO NOT REGISTER THE SERVICE YET.
    • driver must be named "driver.sys" (sorry.. will be fixed soon (i am lazy))
  4. Under Service Start select System. This is VERY important!
  5. Click Register Service. Do NOT click Start Service!
  6. Restart Windows.
  7. Once restarted, open the program you would like to protect as Administrator.
    • Yes I understand this is not realistic
  8. Open your dll injector program of choice as administrator (I simply use Process Hacker)
  9. Inject the dll found in ac\x64\Release named user.dll into the target program

Logs will be printed to both the terminal output and the kernel debugger. See below for configuring kernel debugger output.

Note: The server is not needed for the program to function properly.

how to configure kernel debugging output

The kernel driver is setup to log at 4 distinct levels:

#define DPFLTR_ERROR_LEVEL  
#define DPFLTR_WARNING_LEVEL
#define DPFLTR_INFO_LEVEL   
#define DPFLTR_VERBOSE_LEVEL

As the names suggest, ERROR_LEVEL is for errors, WARNING_LEVEL is for warnings. INFO_LEVEL is for general information regarding what requests the driver is processing and VERBOSE_LEVEL contains very detailed information for each request.

creating the registry key

If you are unfamiliar with the kernel debugging mask, you probably need to set one up. If you already have a debugging mask setup, you can skip to setting the mask below.

  1. Open the Registry Editor
  2. Copy and pase Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager into the bar at the top and press enter
  3. On the left hand side, right click Session Manager and select New -> Key
  4. Name the key Debug Print Filter
  5. On the left hand side you should now see Debug Print Filter, right click and select New -> DWORD (32 bit) Value
  6. Name the key DEFAULT

setting the mask

  1. Within the Debug Print Filter registry, double click the key named DEFAULT
  2. Determine the level(s) of logging you would like to see. For most people interested I would set either INFO_LEVEL or VERBOSE_LEVEL. Remember that if you set INFO_LEVEL, you will see all INFO_LEVEL, WARNING_LEVEL and ERROR_LEVEL logs. Ie you see all logs above and including your set level.
ERROR_LEVEL    = 0x2
WARNING_LEVEL  = 0x8
INFO_LEVEL     = 0xf
VERBOSE_LEVEL  = 0x1f
  1. Enter the value for the given logging level (seen above)
  2. Click Ok and restart Windows.

filtering debug output

If you choose to use INFO_LEVEL or VERBOSE_LEVEL there may be many logs from the kernel so we want to filter them out.

windbg

With WinDbg connected to the target:

  1. Pause the target using the Break button
  2. Use the command: .ofilter donna-ac*

debugview

  1. Click Edit -> Filter/Highlight
  2. Set the Include string to donna-ac*

contact

feel free to dm me on discord or uc @donnaskiez