Guide How to Bypass Kernel Anticheat & Develop Drivers


Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,383
78,998
2,414
Game Name
N/A
Anticheat
N/A
How long you been coding/hacking?
4 Years holler
Coding Language
C++
All popular games are utilizing kernel anticheat, in this cat and mouse game, the hackers must now enter kernel mode as well. Kernel Anticheat is very effective in preventing usermode cheats. This guide will provide you everything you need to know to start learning how to bypass kernel anticheat. If you have not finished the Guided Hacking Bible, do not waste your time on kernel anticheat, you're not ready.

The information provided in this guide will cover:
  • Kernel Mode vs Usermode
  • How to learn kernel driver development
  • A video tutorial series covering kernel mode cheats
  • How to exploit vulnerable drivers
  • Common vulnerable drivers & tools
  • An overview of the common functionality of kernel anticheats
  • Detection of kernel cheats
Anticheats Utilizing Kernel Modules
BattleEye, Xigncode, Easy Anti Cheat, Vanguard

What is a kernel mode driver & Kernel Mode vs User Mode

A processor in a Windows computer has two different modes: kernel mode and user mode. The processor switches between the two modes depending on what type of code is running. Normal .exe programs run in user mode & core operating system components run in kernel mode. The Usermode & Kernelmode construct is built into the CPU. The low level core functionality of the operating system is done in kernel mode, which is a privileged part of memory that is not accessible from user mode and executes with privileged status on the CPU. Drivers are not just limited to Hardware Drivers, you can make a .sys driver to do anything you want in kernel mode, including bypass anticheat and perform cheat functionality.

A user mode process resides in its own private virtual address space and does not normally interact with other processes' memory. Each application runs in isolation: if a regular program crashes, the crash is limited to that one application. Other applications and the operating system are not affected by the crash.

All code that runs in kernel mode shares a single virtual address space. This means that a kernel-mode driver is not isolated from other drivers and the operating system itself. If a kernel-mode driver accidentally writes to the wrong virtual address, data that belongs to the operating system or another driver could be compromised. If a kernel-mode driver crashes, the entire operating system crashes.

Many of the privileged things you need to do in game hacking rely on the kernel performing those tasks for you. When you call WriteProcessMemory() for example, that function is exported by NTDLL.DLL and the request to write to the memory of another process is passed on to the kernel through NTDLL. Your application isn't actually doing it, the kernel is; your program is just making the request. View the image below to understand how kernel mode and usermode are separated.

[image: 1597801853730.png]


User mode processes don't have access to kernel mode processes and memory. That is how the CPU and Operating System are designed.

How does this apply to bypassing Anticheat?

If you are dealing with a strong usermode anticheat, you can write a kernel mode driver to bypass it. Because you are in the kernel and the anticheat is not, you can modify the anticheat to stop its detection or you can hide your usermode module from it entirely. A user mode anticheat has no idea what you're doing in kernel.

If the anticheat has a kernel driver then you must also be in kernel mode, because nothing you do in usermode is going to be able to bypass or hide from a kernel anticheat. Generally speaking, kernel mode drivers are not necessary to hack 99% of games. In fact, kernel mode drivers are very easy to detect by anticheat if not done correctly.

Coding a kernel driver is much more complicated than a user mode application, which is why the functionality that provides the "bypass" is done in the kernel while, in most cases, the actual cheat logic is done in a usermode module. In this situation, you load your driver, enable your "bypass" functionality and then inject your DLL. Alternatively you can write your entire hack to run in kernel mode, which is more difficult.

But Rake, I don't want to learn, I just want to paste some crap and bypass anticheat!

Ok before we go too far I will give you a simple 6 step process that is the easiest way to paste your way into kernel:
  1. Video Tutorial - How to Make a Windows Kernel Mode Driver Tutorial
  2. Video Tutorial - Kernel 2 - Usermode Communication - IOCTL Tutorial
  3. Video Tutorial - How to Write Memory from Kernel - MmCopyVirtualMemory Tutorial
  4. Experiment with this source code Source Code - CSGO Kernel Driver Multihack
  5. Use kdmapper which uses a vulnerable Intel driver to manually map your kernel driver (make sure anticheat is not loaded yet)
  6. Start the game and use your usermode application to write to the game memory
With those 5 steps, you can start writing to the memory of games with anticheat. But EAC and other strong kernel anticheats can detect this easily, so keep reading to learn more.

Kernel Driver Development
To get started with driver development start with these resources:

Driver Signing & Test Signing

Windows security would certainly be lacking if you could just load any kernel driver you wanted. This is why Windows requires your kernel mode driver to be signed with a security certificate in order for the OS to load it, but don't worry, you don't need to pay $200 for a certificate. You need to enable Test Signing if you want to load a driver you're actively developing.

In the past you could disable Driver Signing by running these commands as admin and rebooting:
Code:
bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit.exe -set TESTSIGNING ON
On Windows 8 and 10 you may need to do this by accessing the Advanced Boot Options menu by pressing F8 during boot. Windows 10 has disabled the F8 hotkey, to re-enable it:
Code:
bcdedit /set {default} bootmenupolicy legacy
Then reboot, and press F8 before Windows loads and you will see a menu in which you can Disable Driver Signing. Alternatively on Windows 10 you can hold SHIFT when you click Restart, and this menu will appear. But it only works for that one reboot, you need to do it every time because Windows 10 resets it back to default value.

Kernel Anticheats Prevent games from loading when Test Signing is enabled

The kernel anticheat developers got wise to this, and now they prevent you from playing the game if Test Signing is enabled. So you're forced to enable Driver Signing.

Then how do you load your driver? Keep reading my young padawan.

Exploiting Kernel Drivers

Kernel drivers are very common, not just for hardware: many different types of software utilize them. Driver security is very poor and there are many vulnerable drivers. The drivers expose functions to their usermode applications; to make development easy and cheap, they often expose too much or provide functionality that is too dangerous.

Any driver that takes data from usermode and does something with it in kernel is potentially vulnerable. Many have buffer overflows which can be leveraged, or even worse an arbitrary kernel write vulnerability. These vulnerabilities can be exploited from usermode to execute your code, ideally providing a simple method to load your own driver.

But you can't just load your driver, you need to manually map it because it is not digitally signed. These vulnerable kernel drivers must have valid security certificates. By utilizing a valid & certified driver, you can manually map your unsigned driver without issue. Microsoft or the Certificate Authorities can decide to reject these certificates at any time, making them no longer work, but that is extremely rare.

For learning purposes learn to use KDMapper first, and then learn how to use KDU.

KDMapper
KDMapper is used by hundreds of pay cheat providers and for good reason, it's super paste friendly.
  • Utilizes an embedded vulnerable Intel driver
  • Manually Maps your driver
  • Provides a simple command line interface
  • You just pass it 1 argument and your driver is loaded
KDMapper comes embedded with the vulnerable iqvw64e.sys Intel Ethernet diagnostics driver. The driver is embedded as a byte array in intel_driver_resource.hpp

The driver was signed in 2013. The vulnerability was officially published in 2015 as CVE-2015-2291 with a severity score of 7.8. Amazingly its certificate has not been revoked yet.

iqvw64e.sys
Code:
sha256            :     B2B2A748EA3754C90C83E1930336CF76C5DF9CBB1E3EEC175164BB01A54A4701
date            :     empty
language        :     English-United States
code-page        :     Unicode UTF-16    :      little endian
CompanyName        :     Intel Corporation
FileDescription    :     Intel(R) Network Adapter Diagnostic Driver
FileVersion        :     1.03.0.7 built by WinDDK
InternalName    :     iQVW64.SYS
LegalCopyright    :     Copyright (C) 2002-2013 Intel Corporation All Rights Reserved.
OriginalFilename:     iQVW64.SYS
ProductName        :     Intel(R) iQVW64.SYS
ProductVersion    :     1.03.0.7
iqvw64e.sys Main Intel Signature
[image: 1597805754509.png]

But wait it's not valid after 2015! Wrong! Windows still loads it.

Counter Signer Symantec Time Signature
[image: 1597805670487.png]


What happens in December 2020? Nothing! Microsoft will continue to load it as long as it is not revoked!

The vulnerability exists due to insufficient input buffer validation when the driver processes IOCTL codes 0x80862013, 0x8086200B, 0x8086200F, 0x80862007 using METHOD_NEITHER and due to insecure permissions allowing everyone read and write access to privileged use only functionality.

KdMapper utilizes IOCTL code 0x80862007 for arbitrary kernel execute
[image: 1597808025899.png]


KDMapper is very easy to detect by anticheat - The driver is well documented, everyone knows what it is. But it's a good start to get you exposed to kernel hacking. Read more @ Download - KDMapper - Manually Map Kernel Drivers CVE-2015-229

List of vulnerable drivers
There are probably thousands of vulnerable drivers, here are some we know about. Learn more about this list @ Discuss - New vulnerable kernel drivers
  • iqvw64e.sys
  • gpcidrv64.sys
  • AsUpIO64.sys
  • AsrDrv10.sys
  • AsrDrv101.sys
  • AsrDrv102.sys
  • AsrDrv103.sys
  • BSMEMx64.sys
  • BSMIXP64.sys
  • BSMIx64.sys
  • BS_Flash64.sys
  • BS_HWMIO64_W10.sys
  • BS_HWMIo64.sys
  • BS_I2c64.sys
  • GLCKIO2.sys
  • GVCIDrv64.sys
  • HwOs2Ec10x64.sys
  • HwOs2Ec7x64.sys
  • MsIo64.sys
  • NBIOLib_X64.sys
  • NCHGBIOS2x64.SYS
  • NTIOLib_X64.sys
  • PhlashNT.sys
  • Phymemx64.sys
  • UCOREW64.SYS
  • WinFlash64.sys
  • WinRing0x64.sys
  • amifldrv64.sys
  • atillk64.sys
  • dbk64.sys
  • mtcBSv64.sys
  • nvflash.sys
  • nvflsh64.sys
  • phymem64.sys
  • rtkio64.sys
  • rtkiow10x64.sys
  • rtkiow8x64.sys
  • segwindrvx64.sys
  • superbmc.sys
  • semav6msr.sys
  • piddrv64.sys
  • RTCore64
  • Gdrv
  • ATSZIO64
  • MICSYS
  • GLCKIO2
  • EneIo
  • WinRing0x64
  • EneTechIo

Vulnerable Driver Resources

Everything from hfiref0x is amazing

WOW LOOK AT ME, I BYPASSED KERNEL ANTICHEAT!


You literally did nothing except paste. Stop saying "I have a bypass", you have the same bypass that another 100,000 people are using and all you did was download kdmapper. You're not special, so just shut up please, we're not impressed. Saying "I have a bypass" when you're using kdmapper is like saying "I have Cheat Engine".

General Functionality of Kernel Anticheats
  • All the normal usermode detections
  • Blocking / stripping of process handles
  • Detection of test signing
  • Detection of usermode hooks
  • Detection of injected modules
  • Detection of manually mapped modules
  • Detection of kernel drivers
  • Detection of traces of manually mapped drivers
  • Detection of virtual machines and emulation

Manually Mapped Driver Detection
You must bypass these things, clear PiDDBCacheTable & MmUnloadedDrivers, and stop the enumeration of your own system pools & threads.
  • PiDDBCacheTable & MmUnloadedDrivers
  • system pool detection
  • system thread detection
Source Code - How to Clear PiDDBCache Table / PiDDBLock


PatchGuard
PatchGuard detects patches in the kernel, so you can't just patch the anticheat's kernel driver.

What Next?
So you can manually map your driver, and you can read and write memory, what do you do next?

Well you didn't really bypass the anticheat. All you did was load a cheat they didn't detect yet, and now it's very likely they have seen your modules. If the same modules are detected on multiple machines, you may find yourself in the next ban wave. Just making a driver and mapping it doesn't bypass anything. Kernel anticheats are incredibly invasive and they can detect everything that's happening on your system. If you're doing something that looks malicious, they can easily detect it and ban you.

Kernel anticheats are typically used in combination with a usermode module, which is manually mapped into the game and obfuscated. Your next step is to dump both the kernel module and the usermode module and reverse engineer them. Then you will have a very good idea of how they operate, and what else you need to do to completely bypass the anticheat.

Remember, you can't patch the kernel anticheat, so you need to go around it.

Next you want to patch all the usermode detections so you can attach a debugger, especially Cheat Engine & Reclass so you can start reversing the game.

From kernel you can patch or hook all the detection mechanisms in the anticheat's usermode module, and you can use your own kernel module to protect & hide your own usermode module. Essentially you want to block the anticheat from accessing any of your module's address range. Once you've taken care of all of that, you can inject your usermode module without any trouble.

Detection of Kernel Cheats
It's super easy for them to detect vulnerable drivers, the anticheat devs have the same list of vulnerable drivers that we have and they are actively scanning for the most popular ones. If they find your module they will upload it to their server, analyze it and build detection for it.

EAC for example has some very good detection methods, regardless of which anticheat you're trying to bypass you should read our EAC thread to learn more.

A manually mapped driver cannot be detected using the normal methods, but mapping your driver does leave traces behind. Make sure you clear PiDDBCacheTable and anything else your driver leaves behind.

Guided Hacking Kernel Videos
  1. Video Tutorial - How to Make a Windows Kernel Mode Driver Tutorial
  2. Video Tutorial - Kernel 2 - Usermode Communication - IOCTL Tutorial
  3. Video Tutorial - How to Write Memory from Kernel - MmCopyVirtualMemory Tutorial
GH Resources
External Resources
 
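The four IOCTL codes quoted in the CVE-2015-2291 description in the post above can be checked against the Windows CTL_CODE layout. This decoder is an added example written for this thread (not Rake's and not KDMapper's code): it splits a code into its DeviceType/Access/Function/Method fields and notes what the I/O manager does and does not validate for each, which is how an analyst triages a driver's IOCTL surface before deciding whether to trust it.

```python
# CTL_CODE field layout (from the Windows DDK macro):
#   bits 31..16 DeviceType, bits 15..14 RequiredAccess, bits 13..2 Function, bits 1..0 Method
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# The codes named in the CVE-2015-2291 text quoted in the post above.
IQVW64E_IOCTLS = [0x80862013, 0x8086200B, 0x8086200F, 0x80862007]


def ctl_code(device_type, function, method, access):
    """Python form of CTL_CODE(DeviceType, Function, Method, Access)."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a 32-bit IOCTL code into its CTL_CODE fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


def assess_ioctl(code):
    """Return (fields, notes): what the I/O manager checks for this code and what is
    left entirely to the driver. The notes are the review checklist for the handler."""
    f = decode_ioctl(code)
    notes = []
    if f["method"] == 3:
        # METHOD_NEITHER: no system buffer, no MDL. The driver receives the caller's raw
        # pointers and lengths and must probe and copy them itself (under __try/__except).
        notes.append("METHOD_NEITHER: kernel performs no buffer validation; "
                     "handler must ProbeForRead/ProbeForWrite and check lengths")
    if f["access"] == 0:
        # FILE_ANY_ACCESS: the I/O manager does not require read or write rights on the
        # handle, so only the device object's security descriptor limits who can send it.
        notes.append("FILE_ANY_ACCESS: any handle to the device may issue this code")
    if f["device_type"] >= 0x8000:
        notes.append("vendor-defined DeviceType 0x%04X" % f["device_type"])
    return f, notes


def unvalidated_codes(codes):
    """Codes that combine METHOD_NEITHER with FILE_ANY_ACCESS: the pairing where the
    driver's own checks are all that stands between any caller and kernel memory."""
    return [c for c in codes
            if decode_ioctl(c)["method"] == 3 and decode_ioctl(c)["access"] == 0]


if __name__ == "__main__":
    for code in IQVW64E_IOCTLS:
        f, notes = assess_ioctl(code)
        print("0x%08X function=0x%03X %s %s" % (
            code, f["function"], METHOD_NAMES[f["method"]], ACCESS_NAMES[f["access"]]))
        for n in notes:
            print("    -", n)
```

All four codes decode to METHOD_NEITHER with FILE_ANY_ACCESS, which is consistent with the CVE text: the driver alone was responsible for validating the buffers, and did not.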

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
2,305
37,938
270
Test signing via bcdedit still works just dandy.

On the same note, while it's trivial to detect test signing being enabled in many ways, since you're the kernel, you can attempt to hook their own detections/spoof them and then things work just fine (that's how I used to load my driver vs EAC some years ago).

PatchGuard
===========

In the times of old, everyone and their dead dog would patch the windows kernel, place hooks on whatever APIs they wanted, and this caused lots of system instability when users would download something that decided to put its dick everywhere.

In comes PatchGuard, Microsoft's way of saying "stop fucking with our OS". So certain modifications will (eventually) cause a BSOD. This includes, but is not limited to: modification of some MSRs (Model Specific Registers), hooks on certain functions (such as NT APIs), modification of PatchGuard itself, modification of critical linked lists (such as the EPROCESS list, so you can't hide entire processes from UM enumeration).

Of course, there are ways to disable it, but in every new edition of Windows it gets more and more aids. Simple Google searches can get you started if that's what you're into.

Development
===========

I'm always a big advocate for "try shit and brick stuff"; use a VM when coding your drivers so you don't brick your actual PC and can just restore from a snapshot or whatever. It also enables actual debugging of your driver rather than crawling crash dumps.

My main disclaimer for anyone wishing to write a driver: if you ask about an issue that I can find an answer to in a single Google search then I will ignore you until you show the ability to properly attempt steps of debugging and research.

Example of a good way to ask a question: "Hey, I'm trying to stop ObRegisterCallbacks in an anticheat and I've noticed that you can try to collide with their altitude. How would one find a specific driver's altitude?"

or

"Hey, I want to stop a driver from loading. I've read that you can do this via LoadImageNotifyRoutines and I've got mine set up, but I don't understand where to go from there."

not

"Hey can you show me how to make a manual mapper in kernel"
"Hi how do I read memory from kernel"
 
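Both the guide and mambda's post turn on bcdedit settings that the anticheats then look for; here is the same check from the administrator's side. This is an added example written for this thread, not mambda's or Rake's code: it parses the text `bcdedit /enum {current}` prints and reports every setting that weakens driver signature enforcement. The sample output is constructed; `testsigning`, `nointegritychecks` and `loadoptions` are documented bcdedit element names.

```python
import re
import subprocess
import sys

# Settings that weaken kernel code-integrity enforcement. "testsigning" and the
# DDISABLE_INTEGRITY_CHECKS load option are the two used earlier in this thread;
# "nointegritychecks" is the other documented switch. "bootmenupolicy Legacy" only
# re-enables the F8 menu and is therefore not flagged on its own.
WEAK_SETTINGS = {
    "testsigning": lambda v: v.lower() == "yes",
    "nointegritychecks": lambda v: v.lower() == "yes",
    "loadoptions": lambda v: "DDISABLE_INTEGRITY_CHECKS" in v.upper(),
}

# Constructed sample of what 'bcdedit /enum {current}' prints on a machine where
# all three of the above have been turned on.
SAMPLE_OUTPUT = """\
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\WINDOWS\\system32\\winload.efi
description             Windows 10
locale                  en-US
loadoptions             DDISABLE_INTEGRITY_CHECKS
testsigning             Yes
nointegritychecks       Yes
bootmenupolicy          Legacy
"""

# bcdedit pads element names to a column, so "name<2+ spaces>value" is an element
# line while a title such as "Windows Boot Loader" (single spaces) is not.
ELEMENT_RE = re.compile(r"^(\S+)\s{2,}(.*)$")


def parse_bcdedit(text):
    """Parse bcdedit output into a list of {element: value} dicts, one per boot entry."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"}:
            continue                       # blank line or the title underline
        m = ELEMENT_RE.match(line)
        if m is None:
            continue                       # entry title line
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "identifier":            # first element of every entry
            current = {"identifier": value}
            entries.append(current)
        elif current is not None:
            current[key] = value
    return entries


def find_weak_settings(entries):
    """Return [(identifier, element, value)] for every weakening setting found."""
    findings = []
    for entry in entries:
        for key, is_weak in WEAK_SETTINGS.items():
            if key in entry and is_weak(entry[key]):
                findings.append((entry["identifier"], key, entry[key]))
    return findings


def audit_live_system():
    """Run bcdedit on a Windows host (elevated shell required) and audit its output."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("bcdedit is only available on Windows")
    proc = subprocess.run(["bcdedit", "/enum", "{current}"],
                          capture_output=True, text=True, check=True)
    return find_weak_settings(parse_bcdedit(proc.stdout))


if __name__ == "__main__":
    for ident, key, value in find_weak_settings(parse_bcdedit(SAMPLE_OUTPUT)):
        print("%s: %s = %s  (driver signature enforcement weakened)" % (ident, key, value))
```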

Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,383
78,998
2,414
Crosspost from @iPower who put together a cool list of info:

To get started with reversing kernel mode anticheat you MUST know about:

-How Anti-Cheats work in general (prior experience with other anti-cheats);
-Packing and Obfuscation techniques;
-How code virtualization works and how to reverse virtualized code (most of anti-cheats virtualize critical parts);
-Kernel Debugging;
-Anti-Debugging (including Kernel Anti-Debugging);
-How Operating Systems work;
-Windows Kernel Basics;
-How Kernel-Mode drivers work and be able to write one;

If you don't know about any of these topics you're gonna have a hard time reversing EAC/BE.

*******Might be forgetting smth but I'm tired rn********

Gonna be dropping links to some of these topics

Packing, Obfuscation and Code Virtualization:
https://www.blackhat.com/presentations/bh-usa-07/Yason/Whitepaper/bh-usa-07-yason-WP.pdf
Unpacking, Reversing, Patching
Unpacking Dynamically Allocated Code »
Homepage of Peter Ferrie
OALabs
https://pdfs.semanticscholar.org/e50a/3cbd2061acc747faef6282b71dc1b450f97f.pdf
https://www2.cs.arizona.edu/~debray/Publications/ccs-unvirtualize.pdf
http://static.usenix.org/event/woot09/tech/full_papers/rolles.pdf
Obfuscation (software) - Wikipedia
https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/Code-obfuscation.pdf
Breaking Obfuscated Programs with Symbolic Execution
Reverse Engineering simple VM crackme

Anti-Cheats stuff:
How to Get Started with AntiCheat Bypass - Guided Hacking
Kernel Mode Drivers Info for Anticheat Bypass - Guided Hacking
How To Bypass VAC Valve Anti Cheat Info - Guided Hacking
How to bypass XignCode Anticheat? - Guided Hacking
MTA: SA's kernel mode anticheat is a joke (information) - Guided Hacking -> Example of reversing a Kernel-Mode Anti-Cheat

Operating Systems, Windows Kernel, Kernel Debugging and Driver Development:
Operating System Basics - Guided Hacking
Kernel (operating system) - Wikipedia
Windows Internals Book - Windows Sysinternals
Sample chapters: Windows Internals, Sixth Edition, Part 1
Architecture of Windows NT - Wikipedia
One Windows Kernel - Microsoft Tech Community - 267142
Basics of Windows Kernel Debugging - Assistanz
Setting Up Kernel-Mode Debugging of a Virtual Machine Manually using a Virtual COM Port - Windows drivers
https://www.codeproject.com/Articles/9504//Articles/9504/Driver-Development-Part-1-Introduction-to-Drivers
Getting started with Windows drivers - Windows drivers
OSR Whitepaper: Getting Started Writing Windows Drivers

Hope this helps you
 

ELExTrO

Newbie
Full Member
Dec 4, 2012
26
444
0
Seems like everyone has forgotten about the driver with the most vulnerabilities across Windows, which is UEFI. It can easily be exploited, and it's hard to detect your shit since it loads before the OS does. In my humble opinion there is no need to develop hard shit to get rid of kernel anticheats; just make your own dropper, exploit UEFI and that's all.
 

Lukor

ded
Meme Tier VIP
Fleep Tier Donator
Dec 13, 2013
500
6,253
25
While efi comes to mind, programming for efi is different and can be quite quirky (stupid) at points...
Also to interact with your efi you have to either go driver or use some strange flag triggering.
And don't forget bricking your board if you fuck up in efi ;D (better get a programmer and dump the fw beforehand)
 

dretax

CIL Expert
Dank Tier VIP
Fleep Tier Donator
Mar 28, 2020
111
8,673
0
Example of a good way to ask a question: "Hey, I'm trying to stop ObRegisterCallbacks in an anticheat and I've noticed that you can try to collide with their altitude. How would one find a specific driver's altitude?"
This. ^
This is indeed a good question. I have been looking at exploiting driver's hooks, but the first driver I wanted to test on is missing from here.
https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes
I'm looking for FairPlayKD.sys's altitude. I suppose not without reversal, so iPower's partially reversed file could contain the answer. (Unless it was changed since then)
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
2,305
37,938
270
This. ^
This is indeed a good question. I have been looking at exploiting driver's hooks, but the first driver I wanted to test on is missing from here.
https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes
I'm looking for FairPlayKD.sys's altitude. I suppose not without reversal, so iPower's partially reversed file could contain the answer. (Unless it was changed since then)
idk anything about fairplay, if their site is this: http://fairplay.ac/ , seems really old so probably from a time before MS logged these on msdn, only became a thing in 2016 I believe
but you can indeed find them in the driver as well
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,383
78,998
2,414
If you're using kdmapper, consider upgrading to hfiref0x/KDU

Also question for you guys, the intel driver kdmapper uses, not revoked and not expired:
[image: 1596325548362.png]


the CVE for this vuln was from 2015 NVD - CVE-2015-2291

Are they not revoking it because it would break too many computers? I guess so

Are BE and EAC not detecting kdmapper? why? I guess if you load first, they would have a hard time detecting you
 

iPower

Piece of shit
Escobar Tier VIP
Fleep Tier Donator
Jun 29, 2017
598
21,108
67
If you're using kdmapper, consider upgrading to hfiref0x/KDU

Also question for you guys, the intel driver kdmapper uses, not revoked and not expired:
[image: 1596325548362.png]

the CVE for this vuln was from 2015 NVD - CVE-2015-2291

Are they not revoking it because it would break too many computers? I guess so

Are BE and EAC not detecting kdmapper? why? I guess if you load first, they would have a hard time detecting you
They do detect it if you don't clear the traces properly (like the usual unloaded drivers shit).
 

dretax

CIL Expert
Dank Tier VIP
Fleep Tier Donator
Mar 28, 2020
111
8,673
0
If you're using kdmapper, consider upgrading to hfiref0x/KDU

Also question for you guys, the intel driver kdmapper uses, not revoked and not expired:
[image: 1596325548362.png]

the CVE for this vuln was from 2015 NVD - CVE-2015-2291

Are they not revoking it because it would break too many computers? I guess so

Are BE and EAC not detecting kdmapper? why? I guess if you load first, they would have a hard time detecting you
They detect the vulnerable driver itself. Probably Microsoft didn't give too many fucks about revoking it.
If you clear PiDDBCacheTable and MmUnloadedDrivers you are basically good to go. That's what I do for fairplay too rn.
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,383
78,998
2,414
I spent the last 6 hours learning stuff to re-write this guide, it's 1000x better than it was before, someone pass me a beer. Combined with our new EAC guide, it's got just about everything you need to know.

As you guys know, I've never even made a kernel driver so if you can provide any information or corrections please do and I will add them to the guide.

Also check out @_xeroxz website for lots of good information xerox
 

Kix

Wannabe 1337
Meme Tier VIP
Trump Tier Donator
Full Member
Jan 18, 2018
281
4,848
16
I spent the last 6 hours learning stuff to re-write this guide, it's 1000x better than it was before, someone pass me a beer. Combined with our new EAC guide, it's got just about everything you need to know.

As you guys know, I've never even made a kernel driver so if you can provide any information or corrections please do and I will add them to the guide.

Also check out @_xeroxz website for lots of good information xerox
🍺

System threads are also a detection vector for manually mapped drivers
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,383
78,998
2,414
Yeah I'm trying to reconcile the EAC thread with this one, without having too much crossover, iPower just gave me a bunch more information including your sneaky sneaky tip so I gotta work on that tomorrow, thanks
 

dretax

CIL Expert
Dank Tier VIP
Fleep Tier Donator
Mar 28, 2020
111
8,673
0
Quick note to consider "fix" or re-clarify: again, it is not kdmapper that is detectable, it is the vulnerable driver that was loaded in that flags a detection.
 

XdarionX

Dying Light Hacker
Dank Tier VIP
Dank Tier Donator
Mar 30, 2018
878
24,608
116
Quick note to consider "fix" or re-clarify: again, it is not kdmapper that is detectable, it is the vulnerable driver that was loaded in that flags a detection.
Also, creating a device that has an IOCTL outside any valid kernel module, or creating a system thread with an outside start address (e.g. in a manually mapped driver), will get reported and the surrounding memory region dumped and sent to their servers for analysis.
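dretax and XdarionX make the point that what gets flagged is the known-vulnerable driver itself, and that is also the cheapest check a defender has. This scanner is an added example written for this thread (not code from any of the posts): it hashes every .sys file under a directory, reports a SHA-256 match against the hash posted above for iqvw64e.sys as high confidence, and reports a bare file-name match against a few names from the list in the first post as low confidence, since renaming the file defeats that check. The sample files it builds are constructed; a real deployment would feed it Microsoft's vulnerable driver blocklist or the LOLDrivers dataset instead of this hand-typed sample.

```python
import hashlib
import os
import tempfile

# Hand-typed sample blocklist: the SHA-256 posted in the first post for iqvw64e.sys
# (CVE-2015-2291) and a few file names from the same post's list.
KNOWN_VULN_HASHES = {
    "b2b2a748ea3754c90c83e1930336cf76c5df9cbb1e3eec175164bb01a54a4701":
        "iqvw64e.sys (Intel Network Adapter Diagnostic Driver, CVE-2015-2291)",
}
KNOWN_VULN_NAMES = {"iqvw64e.sys", "gpcidrv64.sys", "asupio64.sys",
                    "winring0x64.sys", "dbk64.sys", "nvflash.sys"}


def sha256_of_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large drivers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_drivers(directory, vuln_hashes=KNOWN_VULN_HASHES, vuln_names=KNOWN_VULN_NAMES):
    """Walk 'directory' and return [(path, reason, confidence)] for every .sys file
    whose hash is blocklisted ("high") or whose name alone is blocklisted ("low")."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.lower().endswith(".sys"):
                continue
            path = os.path.join(root, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue            # unreadable file: skip it, do not abort the scan
            if digest in vuln_hashes:
                findings.append((path, "hash match: " + vuln_hashes[digest], "high"))
            elif name.lower() in vuln_names:
                findings.append((path, "name match only: " + name, "low"))
    return findings


def make_sample_dir():
    """Build a constructed test directory: one file whose hash the caller adds to the
    blocklist, one that only carries a blocklisted name, and one benign file.
    Returns (directory, sha256 of the first file)."""
    d = tempfile.mkdtemp(prefix="drvscan_")
    samples = {"renamed_vuln.sys": b"constructed bytes standing in for a blocklisted driver",
               "iqvw64e.sys": b"constructed bytes that merely reuse the vulnerable name",
               "benign.sys": b"constructed bytes of an ordinary driver"}
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d, sha256_of_file(os.path.join(d, "renamed_vuln.sys"))


if __name__ == "__main__":
    directory, digest = make_sample_dir()
    blocklist = dict(KNOWN_VULN_HASHES, **{digest: "constructed sample entry"})
    for path, reason, confidence in scan_drivers(directory, vuln_hashes=blocklist):
        print("[%s] %s: %s" % (confidence, path, reason))
```

Point it at a real drivers directory (for example the System32\drivers folder) with the full blocklist to get findings that mean something; the name-only hits are leads to verify by hash, not verdicts.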
 