Unveiling The Underground World Of: Anti-Cheats

This document summarizes techniques used by cheat developers to bypass anti-cheat systems and discusses methods used by anti-cheats to detect cheats. It describes how cheat developers hijack handles, hook functions, and even write their own drivers to read and write game memory directly from the kernel level. It also outlines tools in open source projects that can be used to test anti-cheat systems by implementing these bypass techniques.


Unveiling the underground world of ANTI-CHEATS
Joel Noguera
Security Consultant at Immunity Inc
@niemand_sec
What are we going to talk about?

[·] Cheats
[·] Anti-Cheats
[·] Analyzing Anti-Cheats
[·] Conclusions & Results
FIRST RULE OF THE GAMING CLUB, YOU DON'T CHEAT
(or get caught doing it)
GIF of the kid who gets caught with WORD.exe in the middle of the tournament
Anti-Cheats
Let’s see some numbers...

336.500.000 Monthly Active Users

EAC: 275.000.000
XC3: 500.000
BE:  30.000.000
VAC: 31.000.000

Anti-Cheat Components

Kernel Driver
[·] Handle stripping/Access Control
[·] Analysis of privileged processes (lsass and csrss)
[·] Register kernel callbacks
[·] Block blacklisted/unsigned drivers
[·] Rejection of Kernel/User mode debugging
[·] Monitoring of kernel function calls

DLL inside Games
[·] Control of access flags to different sections
[·] Identification of hooks
[·] Thread Hijacking
[·] DLL Injection
[·] Function signatures
[·] VEH/SEH modification
[·] Game resources modification
[·] Detection of virtual environment

External Ring 3 Process
[·] Process/File Controls
[·] Control of game client and DLL hashes
[·] Blacklisted programs detection
[·] Multi-client detection
[·] Manage logic from Driver
[·] Program integrity controls

Cheats
Internal (DLL) vs External (Process)

External
Pros:
[·] Quick for small patches
[·] Easy to master
[·] Can be closed in certain cases
Cons:
[·] Slow
[·] Easy to detect
[·] Limited potential
[·] Requires a Handle (usually)

Internal
Pros:
[·] Great performance
[·] Direct access to memory
[·] Hard to detect if you are good enough
Cons:
[·] Hard to master
[·] Easier to detect if you mess it up
Wallhack/ESP, Aimbots
Pro players getting caught? Why not
Parallel Market
Are they fighting back?
Apex claims:

[·] More than 770k players banned
[·] Over 300K account creations blocked
[·] Over 4k cheat seller accounts (spammers) banned in 20 days

https://unknowncheats.me/
Analyzing Anti-Cheats
Methodology
Goal:

[·] Read/Write/Alloc Memory (Internal & External)

[·] Run Code inside Game’s Process

[·] Be as stealthy as possible


Hijacking Techniques
ACs usually control/block/reject new HANDLEs to the game process:

[·] Driver that protects game and AC processes

Some processes need to be whitelisted: lsass, csrss, AC

Hijacking techniques come to our rescue:

[·] Handle Hijacking
[·] Stealth Handle Hijacking
[·] Hooking
Hijacking Techniques - NamedPipe

“\Device\NamedPipe\270F59B0075AA3D3”

Disadvantages
Hijacking Techniques - FileMapping
Imagine a world where our shared memory does not leave an open HANDLE and we can cover our tracks better.

“File mapping object does not close until all references to it are released”

We can call CloseHandle without calling UnmapViewOfFile.

We can make it even better by delaying the execution.

Manual spinlocks to avoid mutex/semaphore HANDLEs.

Disadvantages
Hijacking Techniques - Bypass Hooks
EAC also hooks functions on lsass.exe:

Why?

- Validate/Control/Track each action done against the game

Disadvantages
Hooking
Hooking Graphic Engines:

[·] IAT hooking
[·] JMPs on function prologues

What about 3rd party libraries?

[·] Steam Overlay
[·] Open Broadcaster Software

Steam Overlay
Redirects execution to gameoverlayrenderer64.dll:$8A480

Open Broadcaster Software
Redirects to graphics-hook64.7FFEB97AE4D0
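The overlay hooks above work by rewriting the first bytes of the engine's functions, which is also what gives the anti-cheat component "Identification of hooks" something to look for. The C program below is an added example, not code from the slides or from the niemand-sec projects: it compares a function's live prologue against a clean copy and classifies the most common control-flow patches (jmp rel32, jmp [rip+disp32], mov rax/jmp rax, push/ret), recovering the diversion target where the encoding allows. The byte strings and the function address are constructed test inputs; the two target values reuse the addresses quoted on the slides only so the output is recognisable.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Verdicts for the first bytes of a function. */
typedef enum {
    PROLOGUE_CLEAN = 0,   /* live bytes match the clean (on-disk) copy */
    HOOK_REL_JMP,         /* E9 rel32            : jmp to a trampoline */
    HOOK_ABS_JMP_MEM,     /* FF 25 disp32        : jmp qword ptr [rip+disp32] */
    HOOK_MOV_RAX_JMP,     /* 48 B8 imm64 ; FF E0 : mov rax, imm64 ; jmp rax */
    HOOK_PUSH_RET,        /* 68 imm32 ; C3       : push imm32 ; ret */
    HOOK_UNKNOWN_PATCH    /* differs from the clean copy, pattern not recognised */
} hook_kind;

static int32_t read_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

static uint64_t read_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Classify the prologue of the function at virtual address func_va.
 * live   : the n bytes currently in memory
 * clean  : the n reference bytes (the same function read from the module
 *          file on disk and relocated)
 * target : on a recognised hook, the address control flow is diverted to
 *          (0 for the [rip+disp32] form, which needs a further memory read) */
hook_kind classify_prologue(uint64_t func_va, const uint8_t *live,
                            const uint8_t *clean, size_t n, uint64_t *target)
{
    *target = 0;
    if (memcmp(live, clean, n) == 0)
        return PROLOGUE_CLEAN;

    if (n >= 5 && live[0] == 0xE9) {
        /* rel32 is relative to the end of the 5-byte instruction */
        *target = func_va + 5 + (uint64_t)(int64_t)read_le32(live + 1);
        return HOOK_REL_JMP;
    }
    if (n >= 6 && live[0] == 0xFF && live[1] == 0x25)
        return HOOK_ABS_JMP_MEM;
    if (n >= 12 && live[0] == 0x48 && live[1] == 0xB8 &&
        live[10] == 0xFF && live[11] == 0xE0) {
        *target = read_le64(live + 2);
        return HOOK_MOV_RAX_JMP;
    }
    if (n >= 6 && live[0] == 0x68 && live[5] == 0xC3) {
        /* push imm32 sign-extends the immediate to 64 bits */
        *target = (uint64_t)(int64_t)read_le32(live + 1);
        return HOOK_PUSH_RET;
    }
    return HOOK_UNKNOWN_PATCH;
}

#define PROLOGUE_LEN 12
/* Constructed test inputs (not captured from a real game). */
static const uint8_t sample_clean[PROLOGUE_LEN] = {        /* typical x64 prologue */
    0x48,0x89,0x5C,0x24,0x08, 0x48,0x89,0x6C,0x24,0x10, 0x57, 0x48 };
static const uint8_t sample_rel_jmp[PROLOGUE_LEN] = {      /* jmp +0xFFB */
    0xE9,0xFB,0x0F,0x00,0x00, 0x48,0x89,0x6C,0x24,0x10, 0x57, 0x48 };
static const uint8_t sample_abs_jmp_mem[PROLOGUE_LEN] = {  /* jmp [rip+0] */
    0xFF,0x25,0x00,0x00,0x00,0x00, 0x89,0x6C,0x24,0x10, 0x57, 0x48 };
static const uint8_t sample_mov_rax_jmp[PROLOGUE_LEN] = {  /* mov rax, 0x7FFEB97AE4D0 ; jmp rax */
    0x48,0xB8, 0xD0,0xE4,0x7A,0xB9,0xFE,0x7F,0x00,0x00, 0xFF,0xE0 };
static const uint8_t sample_push_ret[PROLOGUE_LEN] = {     /* push 0x8A480 ; ret */
    0x68,0x80,0xA4,0x08,0x00, 0xC3, 0x89,0x6C,0x24,0x10, 0x57, 0x48 };

int main(void)
{
    struct { const char *name; const uint8_t *live; } cases[] = {
        { "untouched",   sample_clean },
        { "jmp rel32",   sample_rel_jmp },
        { "jmp [rip+d]", sample_abs_jmp_mem },
        { "mov rax;jmp", sample_mov_rax_jmp },
        { "push;ret",    sample_push_ret },
    };
    const uint64_t func_va = 0x00007FF600001000ULL;  /* constructed function address */
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t target;
        hook_kind k = classify_prologue(func_va, cases[i].live, sample_clean,
                                        PROLOGUE_LEN, &target);
        printf("%-12s -> verdict %d, target 0x%llX\n", cases[i].name, (int)k,
               (unsigned long long)target);
    }
    return 0;
}
```

In a real deployment the clean copy comes from the module file on disk (relocated to the load address), the scan runs over the engine's import table and a list of known entry points, and any non-clean verdict is reported to the server rather than silently repaired, since repairing it would crash the legitimate overlays the slides mention.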
Hooking - Code Caves and NamedPipes?
Refresher - Bypass Hooks
Disadvantages
Moving to kernel... Drivers
Drivers
Cheat developers also write their own drivers to fight inside the kernel.
Loading a Driver:

[·] Test Mode
[·] Sign your own Driver ($$$$$$$$)
[·] Abuse of another driver

GIGABYTE Driver

[·] CVE-2018-19320 (ring0 memcpy with VA)
[·] CVE-2018-19321 (read/write arbitrary physical memory)

EAC downgrading the HANDLE
Driver - DKOM
1) Search for EPROCESS Struct in kernel
   typedef struct {
       CHAR ImageFileName[15];
       DWORD PriorityClass;
   } EPROCESS_PATTERN;  /* struct name assumed; the slide shows only the two fields */
2) Obtain the ObjectTable (HANDLE_TABLE)
3) Use ExpLookupHandleTableEntry(HandleTable, Handle)
4) Retrieve HANDLE
5) Modify GrantedAccess
6) Overwrite kernel memory
7) Profit
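Step 5 above, rewriting GrantedAccess in the handle table, is the mirror image of what the anti-cheat driver did when it stripped the handle in the first place ("EAC downgrading the HANDLE", and the handle-control slide under Hijacking Techniques). The C program below is an added example, not code from the slides or from the niemand-sec framework: it models the pre-operation decision a protection driver applies when a handle to the game is opened (whitelist lsass, csrss and the anti-cheat, strip the memory and thread rights from everyone else), then reuses the same policy to audit an existing handle table so a handle whose rights were raised behind the callback's back stands out. The PROCESS_* constants are the documented Windows access-right values; the process names, the "anticheat.exe" placeholder and the handle table snapshot are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>
#include <stdbool.h>

/* Documented Windows process access rights. */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_DUP_HANDLE                0x0040u
#define PROCESS_SET_INFORMATION           0x0200u
#define PROCESS_QUERY_INFORMATION         0x0400u
#define PROCESS_SUSPEND_RESUME            0x0800u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define SYNCHRONIZE                       0x00100000u
#define PROCESS_ALL_ACCESS                0x001FFFFFu

/* Rights that let a foreign process read, write, or run code in the game. */
#define PROTECTED_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD |  \
    PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE |        \
    PROCESS_DUP_HANDLE | PROCESS_SET_INFORMATION | PROCESS_SUSPEND_RESUME)

/* Processes that keep full access (lsass and csrss from the slides; the
 * anti-cheat's own image name is a placeholder). */
static const char *const k_whitelist[] = { "lsass.exe", "csrss.exe", "anticheat.exe" };

/* Image names are compared case-insensitively, as Windows does. */
static bool name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

static bool is_whitelisted(const char *image)
{
    for (size_t i = 0; i < sizeof k_whitelist / sizeof k_whitelist[0]; i++)
        if (name_eq(image, k_whitelist[i]))
            return true;
    return false;
}

/* Pre-operation decision: the access mask the driver lets through when
 * `requester` opens a handle to the protected game process. */
uint32_t filter_desired_access(const char *requester, uint32_t desired)
{
    if (is_whitelisted(requester))
        return desired;
    return desired & ~PROTECTED_RIGHTS;
}

/* Post-hoc audit of one handle table entry: true when the handle carries
 * rights the callback would not have granted, i.e. GrantedAccess was
 * raised after the fact (or the handle predates the driver). */
bool handle_is_elevated(const char *owner, uint32_t granted)
{
    return filter_desired_access(owner, granted) != granted;
}

typedef struct {
    const char *owner_image;   /* process holding the handle */
    uint32_t    granted_access;
} handle_entry;

/* Constructed snapshot of handles open to the game process. */
static const handle_entry sample_table[] = {
    { "csrss.exe",   PROCESS_ALL_ACCESS },                                  /* whitelisted */
    { "taskmgr.exe", PROCESS_QUERY_LIMITED_INFORMATION | SYNCHRONIZE },     /* already stripped */
    { "cheat.exe",   PROCESS_VM_READ | PROCESS_VM_WRITE |
                     PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION },    /* raised via DKOM */
};
#define SAMPLE_TABLE_LEN (sizeof sample_table / sizeof sample_table[0])

/* Walk a handle table snapshot, report and count entries above policy. */
size_t audit_handle_table(const handle_entry *table, size_t n)
{
    size_t elevated = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t allowed = filter_desired_access(table[i].owner_image,
                                                 table[i].granted_access);
        if (allowed != table[i].granted_access) {
            printf("elevated handle: %s holds 0x%06X, policy allows 0x%06X\n",
                   table[i].owner_image, table[i].granted_access, allowed);
            elevated++;
        }
    }
    return elevated;
}

int main(void)
{
    size_t n = audit_handle_table(sample_table, SAMPLE_TABLE_LEN);
    printf("%zu elevated handle(s) found\n", n);
    return 0;
}
```

The two functions share one policy on purpose: the audit only finds what the callback would have refused, so there is no second rule set to drift out of sync, and a mismatch between the two views of the same handle is itself the detection signal the DKOM technique has to defeat.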
Refresher - Bypass Hooks
Disadvantages
One Last Attempt
Driver - Just do it from kernel!
1) Leak handle pointers using NtQuerySystemInformation with SystemExtendedHandleInformation (0x40) as SYSTEM_INFORMATION_CLASS
2) Locate valid KPROCESS pointer: _KPROCESS.Header == 0x00B60003
3) Traverse linked list -> _EPROCESS.ActiveProcessLinks
4) Obtain DirectoryBaseTable -> _EPROCESS.PEB.DirectoryBaseTable
5) Obtain target Base Address -> _EPROCESS.SectionBaseAddress
6) Dereference Ring3 virtual addresses
7) Directly modify/read memory
DEMO
What about the tools?
Black Hat Sound Bytes

[·] Fight at kernel level vs Trivial Bypasses
[·] Blacklisting all drivers is impossible
[·] Compatibility with Windows and 3rd party applications is a problem


Open Source Projects
ReClass Plugin - Driver Reader
niemand-sec/ReClass.NET-DriverReader

AntiCheat-Testing-Framework
niemand-sec/AntiCheat-Testing-Framework

[·] CheatHelper & DriverHelper
[·] DriverDisabler & Synapse Driver exploit (Razer)
[·] HandleHijackingDLL and HandleHijackingMaster
[·] NamePipes and FileMapping
[·] WinApi Hooking Bypass & Lua Hooking
[·] Handle Elevation and External Driver
THANK YOU!

@niemand_sec
niemand-sec/AntiCheat-Testing-Framework
niemand-sec/ReClass.NET-DriverReader
