open source anti cheat (lol) which I made for fun.
- Attached thread detection
- Process module .text section integrity checks
- NMI stackwalking via isr iretq
- APC, DPC stackwalking
- Return address exception hooking detection
- Chained .data pointer detection (iffy)
- Handle stripping via obj callbacks
- Process handle table enumeration
- System module device object verification
- System module .text integrity checks
- Removal of threads cid table entry detection
- Driver dispatch routine validation
- Extraction of various hardware identifiers
- EPT hook detection
- Various image integrity checks both of driver + module
- Hypervisor detection
- HalDispatch and HalPrivateDispatch routine validation
- Dynamic import resolving & encryption
- Malicious PCI device detection via configuration space scanning
- Win32kBase_DxgInterface routine validation
- todo!
Theres a long list of features I still want to implement, the question is whether I can be bothored implementing them. I would say I'd accept pull requests for new features but I would expect high quality code and thorough testing with verifier (both inside a vm and bare metal).
- I have recorded an example of the program running with CS2. Note that vac was obviously disabled. If you decide to test with a steam game do not forget to launch in insecure mode
- Shown are the kernel
VERBOSE
level logs in DebugView along with the usermode application console and some additional performance benchmarking things. - (You can find the video here)[https://youtu.be/b3mH7w8pOxs]
- See the issues page
- Feel free to open a new issue if you find any bugs
- Win10 22H2
- Win11 22H2
Requires Visual Studio and the WDK for compilation.
Before we continue, ensure you enable test signing mode as this driver is not signed.
- Open a command prompt as Administrator
- Enter the following commands:
bcdedit -set TESTSIGNING on
bcdedit /debug on
- Restart Windows
- Clone the project i.e
git clone git@github.com:donnaskiez/ac.git
- Open the project in visual studio
- Select
Release - No Server - Win10
orRelease - No Server - Win11
depending on the version of Windows you will be running the driver on. - Build the project in visual studio, if you experience any build issues - check the drivers project settings are the following:
Inf2Cat -> General -> Use Local Time
toYes
C/C++ -> Treat Warnings As Errors
toNo
C/C++ -> Spectre Mitigation
toDisabled
- Move the
driver.sys
file located inac\x64\Release - No Server\
into theWindows\System32\Drivers
directory- You can rename the driver if you would like
- Use the OSR Loader and select
driver.sys
(or whatever you named it) that you moved to the Windows drivers folder. DO NOT REGISTER THE SERVICE YET. - Under
Service Start
selectSystem
. This is VERY important! - Click
Register Service
. Do NOT clickStart Service
! - Restart Windows.
- Once restarted, open the program you would like to protect. This could be anything i.e cs2, notepad etc.
- if you do use a game to test, ensure the games anti-cheat is turned off before testing
- Open your dll injector of choice (I simply use Process Hacker)
- Inject the dll found in
ac\x64\Release - No Server\
nameduser.dll
into the target program
Logs will be printed to both the terminal output and the kernel debugger. See below for configuring kernel debugger output.
Note: The server is not needed for the program to function properly.
The kernel driver is setup to log at 4 distinct levels:
#define LOG_ERROR_LEVEL
#define LOG_WARNING_LEVEL
#define LOG_INFO_LEVEL
#define LOG_VERBOSE_LEVEL
As the names suggest, ERROR_LEVEL
is for errors, WARNING_LEVEL
is for warnings. INFO_LEVEL
is for general information regarding what requests the driver is processing and VERBOSE_LEVEL
contains very detailed information for each request.
If you are unfamiliar with the kernel debugging mask, you probably need to set one up. If you already have a debugging mask setup, you can skip to setting the mask
below.
- Open the Registry Editor
- Copy and pase
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
into the bar at the top and press enter - On the left hand side, right click
Session Manager
and selectNew -> Key
- Name the key
Debug Print Filter
- On the left hand side you should now see
Debug Print Filter
, right click and selectNew -> DWORD (32 bit) Value
- Name the key
DEFAULT
- Within the
Debug Print Filter
registry, double click the key namedDEFAULT
- Determine the level(s) of logging you would like to see. For most people interested I would set either
INFO_LEVEL
orVERBOSE_LEVEL
. Remember that if you setINFO_LEVEL
, you will see allINFO_LEVEL
,WARNING_LEVEL
andERROR_LEVEL
logs. Ie you see all logs above and including your set level.
ERROR_LEVEL = 0x3
WARNING_LEVEL = 0x7
INFO_LEVEL = 0xf
VERBOSE_LEVEL = 0x1f
- Enter the value for the given logging level (seen above)
- Click
Ok
and restart Windows.
If you choose to use INFO_LEVEL
or VERBOSE_LEVEL
there may be many logs from the kernel so we want to filter them out.
With WinDbg connected to the target:
- Pause the target using the
Break
button - Use the command:
.ofilter donna-ac*
- Click
Edit -> Filter/Highlight
- Set the
Include
string todonna-ac*
We have decided to put this Project under AGPL-3.0! https://choosealicense.com/licenses/agpl-3.0/
feel free to dm me on discord or uc @donnaskiez