Anti-Cheat R&D
Developed a kernel-mode anti-cheat with cheat detection measures similar to those found in the most popular anti-cheats on the market (BattlEye, Easy Anti-Cheat). Although it never made it to market, it taught me extremely valuable lessons about the Windows OS, cyber security and reverse engineering.
Protections included:
• Scanning for vulnerable drivers, both currently loaded and previously unloaded.
• Signature-scanning the full memory of the system for malicious code signatures/strings.
• Detecting rogue system threads executing unsigned kernel shellcode using multiple methods, including brute-forcing the PspCidTable entries, monitoring the KPRCBs, and using NMIs and IPIs, then stack-walking the thread's call stack and validating the current instruction pointer (IP).
• Stripping read/write access from handles opened in user mode to a protected process.
• Detecting DKOM attempts on opaque kernel structures such as the PspCidTable, EPROCESS->ActiveProcessLinks and ETHREAD->ThreadListHead that are intended to hide a process or thread.
• Detecting process-specific kernel patches/rogue allocations achieved by modifying a process's upper 256 PML4E values, redirecting the MmPfnDatabase entries and then nulling the original entries in the kernel DTB.
• Detecting blatant .text patches in a protected process by comparing the bytes loaded in memory against the valid, signed binary on disk.
• Using multiple hooking techniques to take control of context swaps (hooking ntoskrnl's SwapContext without triggering PatchGuard) in order to protect a specific virtual address range from being accessed by non-whitelisted threads.
• Setting up user-mode traps on protected variables to detect outside modifications.
• Setting up a kernel-mode rendering and input system without calling Win32 GDI functions.
• Continually evolving an exploit that bypassed all of these protections, to simulate the never-ending cat-and-mouse game between cheaters and anti-cheats.
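The DKOM detection bullet above relies on a cross-view check: a process that has been unlinked from EPROCESS->ActiveProcessLinks still owns a PspCidTable entry, so comparing the two views exposes it. The following is an added example, not code from the anti-cheat described on this page. It is portable C with constructed data: the handle-table view is a plain array of PIDs and the list view is a small doubly linked list standing in for ActiveProcessLinks, so the detection logic can be run and tested anywhere. The structure and function names (proc_t, walk_process_list, find_hidden_pids, demo_hidden_pid) and the sample PIDs are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for an EPROCESS list entry; flink/blink model
 * ActiveProcessLinks.Flink/Blink. In the real detector these are read from
 * kernel memory; here they are ordinary heap-free structs. */
typedef struct proc {
    uint32_t     pid;
    struct proc *flink;
    struct proc *blink;
} proc_t;

/* Walk the circular list anchored at `head`, writing each pid to `out`.
 * Also verifies the doubly-linked invariant (p->flink->blink == p and
 * p->blink->flink == p), which a sloppy unlink breaks. Returns the number
 * of pids written, or -1 if the list is corrupt or longer than `max`. */
int walk_process_list(const proc_t *head, uint32_t *out, int max)
{
    int n = 0;
    for (const proc_t *p = head->flink; p != head; p = p->flink) {
        if (n >= max) return -1;
        if (p->flink->blink != p || p->blink->flink != p) return -1;
        out[n++] = p->pid;
    }
    return n;
}

static int contains(const uint32_t *a, int n, uint32_t v)
{
    for (int i = 0; i < n; i++)
        if (a[i] == v) return 1;
    return 0;
}

/* Cross-view diff: pids present in the handle-table view (PspCidTable-style)
 * but absent from the list view are candidates for an unlinked, hidden
 * process. Returns how many were found; up to `max_hidden` are written to
 * `hidden`. */
int find_hidden_pids(const uint32_t *table_view, int ntable,
                     const uint32_t *list_view, int nlist,
                     uint32_t *hidden, int max_hidden)
{
    int found = 0;
    for (int i = 0; i < ntable; i++) {
        if (!contains(list_view, nlist, table_view[i])) {
            if (found < max_hidden) hidden[found] = table_view[i];
            found++;
        }
    }
    return found;
}

/* Constructed scenario: four pids in the table view. When `hide` is nonzero
 * the node for pid 4444 is unlinked from the list view only, modelling the
 * discrepancy the detector is looking for. Returns the pid flagged by the
 * cross-view check, or 0 if the two views agree. */
uint32_t demo_hidden_pid(int hide)
{
    proc_t head, a, b, c, d;
    proc_t *nodes[] = { &a, &b, &c, &d };
    uint32_t table_view[] = { 4, 1234, 4444, 9876 };   /* constructed pids */

    /* Link head <-> a <-> b <-> c <-> d <-> head. */
    head.pid = 0;
    proc_t *prev = &head;
    for (int i = 0; i < 4; i++) {
        nodes[i]->pid = table_view[i];
        prev->flink = nodes[i];
        nodes[i]->blink = prev;
        prev = nodes[i];
    }
    prev->flink = &head;
    head.blink = prev;

    if (hide) {
        /* Neighbours now point past c; the table view still lists 4444. */
        c.blink->flink = c.flink;
        c.flink->blink = c.blink;
    }

    uint32_t list_view[8];
    int nlist = walk_process_list(&head, list_view, 8);
    if (nlist < 0) return 0;   /* corrupt list: report separately in practice */

    uint32_t hidden[8];
    int n = find_hidden_pids(table_view, 4, list_view, nlist, hidden, 8);
    return n == 1 ? hidden[0] : 0;
}

int main(void)
{
    uint32_t pid = demo_hidden_pid(1);
    if (pid) printf("pid %u is in the handle-table view but not the list view\n", pid);
    else     printf("views agree\n");
    return 0;
}
```

A production check would additionally treat a failed link-invariant (walk_process_list returning -1) as its own finding, since it indicates the list was tampered with even if no pid is missing; the example keeps that path as a simple early return to stay focused on the cross-view comparison.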