Guide Kernel Mode Drivers Info for Anticheat Bypass


Rake

Cesspool Admin
Administrator
Jan 21, 2014
Game Name: N/A
Anticheat: N/A
How long you been coding/hacking? 4 Years holler
Coding Language: C++
Guided Hacking Kernel Mode Driver Overview
(read entire thread, lots of good info)

What is a kernel mode driver & Kernel Mode vs Usermode

Regular .exe files you run execute in UserMode. The core functionality of the operating system and Input/Output is done in kernel mode, which is a privileged part of memory that is not accessible from usermode and executes with privileged status on the CPU. The Usermode/Kernelmode construct is built into the CPU. Drivers are not just limited to Hardware Drivers, you can make a .sys driver to do anything you want in kernel mode.

Usermode processes don't have access to kernel mode processes and memory. That is how the CPU and Operating System are designed. If an anticheat is in usermode and has very good protections, you can write a kernel mode driver to either bypass those protections in user mode by patching the anticheat or by hiding your usermode cheat from it. Because coding for the kernel is more complicated and difficult, it's easiest just to use your kernel mode module to bypass the anticheat or hide your usermode cheat, and then do your regular cheating logic in your usermode module. Alternatively you can write your entire hack to run in kernel mode, which is more difficult.

Driver Signing

The problem currently is that with the latest versions of Windows your kernel mode driver needs to be signed with a security certificate in order for the OS to load it. In the past you could disable Driver Signing by running these commands as admin and rebooting:

bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit.exe -set TESTSIGNING ON


On Windows 8 and 10 I believe you need to enable the ability to press F8 during boot to get to the Advanced Boot Options menu:
bcdedit /set {default} bootmenupolicy legacy
Then reboot, and press F8 before Windows loads and you will see a menu in which you can Disable Driver Signing. Alternatively on Windows 10 you can hold SHIFT when you click Restart, and this menu will appear. But it only works for that one reboot, you need to do it every time because Windows 10 resets it back to default value.

The problem is that kernel mode anticheats and even usermode ones can detect that Driver Signing is disabled and stop the game from running, because they know you're trying to use a kernel mode hack. So you're forced to enable Driver Signing.

At this point you must buy a Security Certificate, which can be at least $200.

Exploiting Kernel Drivers

Alternatively you find a vulnerable kernel mode driver that has a vulnerability, which you can exploit from usermode. The purpose of the exploit is to get the vulnerable driver to either execute your code, or more simply, load your kernel mode driver. These vulnerable kernel drivers must have valid security certificates. Microsoft or the Certificate Authorities can decide to reject these certificates at any time, making them no longer work.

Over the years a few vulnerable drivers have been found, the Capcom driver is the easiest to exploit because there is a public Proof of Concept:
EvanMcBroom/EoPs
Escaping SMEP Hell: Exploiting Capcom Driver In a Safe Manner
can1357/safe_capcom
notscimmy/libcapcom
Bypassing Anti-Cheats - Part 1 - Exploiting Razer Synapse Driver - Niemand - Cyber Security

I believe SpeedFan also had a vulnerable driver and recently read that the Xigncode driver itself is vulnerable. Any system driver that takes input from usermode could potentially have a vulnerability. Finding one would require expertise in binary exploitation and understanding of the Windows kernel.

Privilege escalation using vulnerable drivers:
Weaponizing vulnerable driver for privilege escalation— Gigabyte Edition!

But generally speaking, kernel mode drivers are not necessary to hack 99% of games. In fact kernel mode drivers are very easy to detect by anticheat. It's almost always easier to do it in usermode. The only real exception to that is if the anticheat's kernel mode driver is very basic and only uses something like ObRegisterCallbacks or whatever to strip OpenProcess() process handles of their permissions. In that case you write a simple driver that just disables that, so you can call OpenProcess() and inject your usermode module into the game.

I have also heard that sometimes hijacking a handle from an elevated SYSTEM process is all you need to hack some of the well protected usermode processes. Here are some readings regarding Protected Processes Light which is somewhat related and very interesting.
Mattiwatti/PPLKiller
The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1 « Alex Ionescu’s Blog

PatchGuard
Can anyone elaborate on how it plays into all this?

Kernel Mode Development

Now if you're gonna write a driver you need to be very familiar with how to code one, here are some resources:
Getting started with Windows drivers
Download the Windows Driver Kit (WDK)
Windows Driver Development - Windows Hardware Dev Center
Write a universal Hello World driver (KMDF)
Driver Development Part 1: Introduction to Drivers - CodeProject

I recommend taking a University level class on Operating Systems, you can find lots of these classes on Youtube, such as this one: UMass-Operating-System - YouTube

A bunch of NTDLL undocumented functions and structs you might need for lower level stuff are available at: NTAPI Undocumented Functions

Many parts of the Windows Operating System are not documented at length at MSDN, the supplement is this book Windows Internals Book - Windows Sysinternals


Anticheats with Kernel Modules:
BattleEye, Xigncode, EasyAntiCheat, Valorant Vanguard

Guided Hacking Kernel Videos

Other Resources
Tutorial - MTA: SA's kernel mode anticheat is a joke (information)
hacksysteam/HackSysExtremeVulnerableDriver
Zer0Mem0ry/ntoskrnl
FuzzySecurity/Capcom-Rootkit
tandasat/ExploitCapcom
SamLarenN/CapcomDKOM
BlueSkeye/CapcomDriver
zerosum0x0/ShellcodeDriver
Easy Anti-Cheat (EAC) Unpacked Modules + Dumps

I'm not an expert on this topic, can everyone please submit corrections and additional information and resources so we can make this a proper guide?
 
Last edited:

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
Test signing via bcdedit still works just dandy

On the same note, while it's trivial to detect test signing being enabled in many ways, since you're the kernel, you can attempt to hook their own detections/spoof them and then things work just fine (that's how I used to load my driver vs EAC some years ago).


PatchGuard
===========

In the times of old, everyone and their dead dog would patch the windows kernel, place hooks on whatever APIs they wanted, and this caused lots of system instability when users would download something that decided to put its dick everywhere.

In comes PatchGuard, Microsoft's way of saying "stop fucking with our OS". So certain modifications will cause (eventually) a BSOD. This includes, but is not limited to: modification of some MSRs (Model Specific Registers), hooks on certain functions (such as NTAPIs), modification of PatchGuard itself, modification of critical linked lists (such as the EPROCESS list, so you can't hide entire processes from UM enumeration).

Of course, there are ways to disable it, but in every new edition of Windows it gets more and more aids. Simple Google searches can get you started if that's what you're into.

Development
===========

I'm always a big advocate for "try shit and brick stuff"; use a VM when coding your drivers so you don't brick your actual PC and can just restore from a snapshot or whatever. It also enables actual debugging of your driver rather than crawling crash dumps.

Anticheats
===========
idk, I don't keep up



may edit this to add more if I think of shit

My main disclaimer for anyone wishing to write a driver: if you ask about an issue that I can find an answer to in a single Google search, then I will ignore you until you show the ability to properly attempt steps of debugging and research.

Example of a good way to ask a question: "Hey, I'm trying to stop ObRegisterCallbacks in an anticheat and I've noticed that you can try to collide with their altitude. How would one find a specific driver's altitude?"

or

"Hey, I want to stop a driver from loading. I've read that you can do this via LoadImageNotifyRoutines and I've got mine set up. But I don't understand where to go from there."

not

"Hey can you show me how to make a manual mapper in kernel"
"Hi, how do I read memory from kernel"
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
Crosspost from @iPower who put together a cool list of info:

To get started with reversing kernel mode anticheat you MUST know about:

- How Anti-Cheats work in general (prior experience with other anti-cheats);
- Packing and Obfuscation techniques;
- How code virtualization works and how to reverse virtualized code (most anti-cheats virtualize critical parts);
- Kernel Debugging;
- Anti-Debugging (including Kernel Anti-Debugging);
- How Operating Systems work;
- Windows Kernel Basics;
- How Kernel-Mode drivers work, and be able to write one;

If you don't know about any of these topics you're gonna have a hard time reversing EAC/BE.

*******Might be forgetting smth but I'm tired rn********

Gonna be dropping links to some of these topics

Packing, Obfuscation and Code Virtualization:
https://www.blackhat.com/presentations/bh-usa-07/Yason/Whitepaper/bh-usa-07-yason-WP.pdf
Unpacking, Reversing, Patching
Unpacking Dynamically Allocated Code »
Homepage of Peter Ferrie
OALabs
https://pdfs.semanticscholar.org/e50a/3cbd2061acc747faef6282b71dc1b450f97f.pdf
https://www2.cs.arizona.edu/~debray/Publications/ccs-unvirtualize.pdf
http://static.usenix.org/event/woot09/tech/full_papers/rolles.pdf
Obfuscation (software) - Wikipedia
https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/Code-obfuscation.pdf
Breaking Obfuscated Programs with Symbolic Execution
Reverse Engineering simple VM crackme

Anti-Cheats stuff:
How to Get Started with AntiCheat Bypass - Guided Hacking
Kernel Mode Drivers Info for Anticheat Bypass - Guided Hacking
How To Bypass VAC Valve Anti Cheat Info - Guided Hacking
How to bypass XignCode Anticheat? - Guided Hacking
MTA: SA's kernel mode anticheat is a joke (information) - Guided Hacking -> Example of reversing a Kernel-Mode Anti-Cheat

Operating Systems, Windows Kernel, Kernel Debugging and Driver Development:
Operating System Basics - Guided Hacking
Kernel (operating system) - Wikipedia
Windows Internals Book - Windows Sysinternals
Sample chapters: Windows Internals, Sixth Edition, Part 1
Architecture of Windows NT - Wikipedia
One Windows Kernel - Microsoft Tech Community - 267142
Basics of Windows Kernel Debugging - Assistanz
Setting Up Kernel-Mode Debugging of a Virtual Machine Manually using a Virtual COM Port - Windows drivers
https://www.codeproject.com/Articles/9504/Driver-Development-Part-1-Introduction-to-Drivers
Getting started with Windows drivers - Windows drivers
OSR Whitepaper: Getting Started Writing Windows Drivers

Hope this helps you
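Rake's Driver Signing section, mambda's remark that test signing is trivial to detect, and the kernel debugging item in the list above all come down to boot-time settings that an anticheat or a system audit reads before it decides anything. The following is an added example, not code from the thread, from Guided Hacking, or from any anticheat: it parses the text that `bcdedit /enum {current}` prints and flags the settings discussed in the thread (`testsigning`, `nointegritychecks`, the legacy `loadoptions DDISABLE_INTEGRITY_CHECKS`, plus `debug`). The two sample dumps are constructed to look like bcdedit output and were not captured from a real machine; the struct and function names are my own.

```cpp
// Added example (not from the thread): audit a bcdedit dump for settings that
// weaken kernel code integrity. Builds without any Windows headers so the
// parsing logic can be tested anywhere; only the input text comes from Windows.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>

struct CodeIntegrityFindings {
    bool testSigning = false;           // "testsigning Yes": test-signed drivers load
    bool noIntegrityChecks = false;     // "nointegritychecks Yes": enforcement off
    bool disableViaLoadOptions = false; // legacy "loadoptions DDISABLE_INTEGRITY_CHECKS"
    bool kernelDebug = false;           // "debug Yes": kernel debugger enabled at boot
};

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// bcdedit prints one "key<spaces>value" pair per line; headings and the dashed
// separator never match a key we care about, so they fall through harmlessly.
CodeIntegrityFindings auditBcdOutput(const std::string& dump) {
    CodeIntegrityFindings f;
    std::istringstream in(dump);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream fields(line);
        std::string key, value;
        if (!(fields >> key)) continue;   // blank line
        std::getline(fields, value);      // rest of the line, possibly empty
        value.erase(0, value.find_first_not_of(" \t"));
        while (!value.empty() && std::isspace(static_cast<unsigned char>(value.back())))
            value.pop_back();             // drop trailing "\r" or spaces
        key = toLower(key);
        value = toLower(value);

        if (key == "testsigning" && value == "yes")            f.testSigning = true;
        else if (key == "nointegritychecks" && value == "yes") f.noIntegrityChecks = true;
        else if (key == "loadoptions" &&
                 value.find("ddisable_integrity_checks") != std::string::npos)
            f.disableViaLoadOptions = true;
        else if (key == "debug" && value == "yes")             f.kernelDebug = true;
    }
    return f;
}

// Any one of the three signing-related flags means unsigned or test-signed
// drivers can be loaded; this is the condition an anticheat refuses to run under.
bool codeIntegrityWeakened(const CodeIntegrityFindings& f) {
    return f.testSigning || f.noIntegrityChecks || f.disableViaLoadOptions;
}

// Constructed sample dumps (not captured from a real machine). kSampleWeakened
// is what you would expect after running both bcdedit commands from the thread.
const std::string kSampleWeakened =
    "Windows Boot Loader\n"
    "-------------------\n"
    "identifier              {current}\n"
    "device                  partition=C:\n"
    "path                    \\Windows\\system32\\winload.efi\n"
    "description             Windows 10\n"
    "loadoptions             DDISABLE_INTEGRITY_CHECKS\n"
    "testsigning             Yes\n"
    "nointegritychecks       Yes\n"
    "bootmenupolicy          Legacy\n"
    "debug                   Yes\n";

const std::string kSampleClean =
    "Windows Boot Loader\n"
    "-------------------\n"
    "identifier              {current}\n"
    "path                    \\Windows\\system32\\winload.efi\n"
    "description             Windows 10\n"
    "bootmenupolicy          Standard\n";

static void report(const char* name, const std::string& dump) {
    CodeIntegrityFindings f = auditBcdOutput(dump);
    std::cout << name << ": testsigning=" << f.testSigning
              << " nointegritychecks=" << f.noIntegrityChecks
              << " loadoptions=" << f.disableViaLoadOptions
              << " debug=" << f.kernelDebug
              << " -> " << (codeIntegrityWeakened(f) ? "WEAKENED" : "ok") << '\n';
}

int main() {
    report("weakened", kSampleWeakened);
    report("clean", kSampleClean);
    return 0;
}
```

On a live system, run `bcdedit /enum {current}` from an elevated prompt and hand its output to `auditBcdOutput`. Two caveats worth knowing: the BCD store is only read at boot, so changing these values does nothing to the running kernel until the next reboot (which is also why the thread's F8 method holds for one boot only), and products that care about this state do not shell out to bcdedit; the same information is available in-process through NtQuerySystemInformation with the SystemCodeIntegrityInformation class, which is the kind of check mambda means when he says test signing is trivial to detect.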
 

ELExTrO

Newbie
Full Member
Dec 4, 2012
Seems like everyone has forgotten about the driver with the most vulnerabilities across Windows, which is UEFI. It can easily be exploited, and it's hard to detect your shit since it loads before the OS does. In my humble opinion there is no need to develop hard shit to get rid of kernel anticheats; just make your own dropper, exploit UEFI and that's all.
 

Lukor

ded
Meme Tier VIP
Fleep Tier Donator
Dec 13, 2013
While efi comes to mind, programming for efi is different and can be quite quirky (stupid) at points...
Also to interact with your efi you have to either go driver or use some strange flag triggering.
And don't forget bricking your board if you fuck up in efi ;D (better get a programmer and dump the fw beforehand)
 

dretax

CIL Expert
Meme Tier VIP
Fleep Tier Donator
Mar 28, 2020
Example of a good way to ask a question: "Hey, I'm trying to stop ObRegisterCallbacks in an anticheat and I've noticed that you can try to collide with their altitude. How would one find a specific driver's altitude?"
This. ^
This is indeed a good question. I have been looking at exploiting driver's hooks, but the first driver I wanted to test on is missing from here.
https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes
I'm looking for FairPlayKD.sys's altitude. I suppose not without reversal, so iPower's partially reversed file could contain the answer. (Unless it was changed since then)
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
This. ^
This is indeed a good question. I have been looking at exploiting driver's hooks, but the first driver I wanted to test on is missing from here.
https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes
I'm looking for FairPlayKD.sys's altitude. I suppose not without reversal, so iPower's partially reversed file could contain the answer. (Unless it was changed since then)
idk anything about FairPlay; if their site is this: http://fairplay.ac/ , it seems really old, so probably from a time before MS logged these on MSDN, which only became a thing in 2016 I believe
but you can indeed find them in the driver as well
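The callback behind Rake's OpenProcess() paragraph in the first post and behind the altitude questions above is ObRegisterCallbacks. As an added example, not code from the thread, from Rake's post, or from any anticheat, here is the protective half of it reduced to what compiles without the WDK: the pre-operation callback's decision about which rights a handle to the protected process keeps. In a real driver this logic sits inside the `PreOperation` routine registered through `OB_CALLBACK_REGISTRATION` for `PsProcessType`, and the result is written back into `Parameters->CreateHandleInformation.DesiredAccess` (or `DuplicateHandleInformation.DesiredAccess`); the `PreOpInfo` and `ProtectionPolicy` types, the function names and the PIDs here are my own constructions.

```cpp
// Added example (not from the thread or any anticheat): a user-mode model of the
// decision an ObRegisterCallbacks pre-operation callback makes to protect a
// process. The real callback runs in the kernel; this keeps only the
// access-mask logic so it can be built and tested without the WDK.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

using AccessMask = std::uint32_t;

// Process access rights, values as in the Windows SDK. Guarded so the same file
// also builds where <windows.h> already defines them.
#ifndef PROCESS_TERMINATE
#define PROCESS_TERMINATE                 0x0001
#define PROCESS_CREATE_THREAD             0x0002
#define PROCESS_VM_OPERATION              0x0008
#define PROCESS_VM_READ                   0x0010
#define PROCESS_VM_WRITE                  0x0020
#define PROCESS_DUP_HANDLE                0x0040
#define PROCESS_SET_INFORMATION           0x0200
#define PROCESS_QUERY_INFORMATION         0x0400
#define PROCESS_SUSPEND_RESUME            0x0800
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
#define PROCESS_ALL_ACCESS                0x1FFFFF   // Vista and later
#endif

// Mirrors OB_OPERATION_HANDLE_CREATE / OB_OPERATION_HANDLE_DUPLICATE.
enum class HandleOp { Create, Duplicate };

// The subset of OB_PRE_OPERATION_INFORMATION the decision needs. In the driver,
// requesterPid is PsGetCurrentProcessId() and targetPid comes from info->Object.
struct PreOpInfo {
    HandleOp op;
    std::uint32_t requesterPid;
    std::uint32_t targetPid;
    AccessMask desiredAccess;   // CreateHandleInformation/DuplicateHandleInformation.DesiredAccess
};

struct ProtectionPolicy {
    std::uint32_t protectedPid;              // the game
    std::vector<std::uint32_t> trustedPids;  // e.g. the anticheat's own service
};

// Rights that let a foreign process read, write or inject into the target.
constexpr AccessMask kStrippedRights =
    PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION |
    PROCESS_CREATE_THREAD | PROCESS_DUP_HANDLE | PROCESS_SET_INFORMATION |
    PROCESS_SUSPEND_RESUME | PROCESS_TERMINATE;

// Returns the access the handle will actually carry. Query rights are left
// alone so tools like Task Manager keep working against the protected process.
AccessMask filterHandleAccess(const PreOpInfo& info, const ProtectionPolicy& policy) {
    if (info.targetPid != policy.protectedPid) return info.desiredAccess;    // not ours
    if (info.requesterPid == policy.protectedPid) return info.desiredAccess; // self
    if (std::find(policy.trustedPids.begin(), policy.trustedPids.end(),
                  info.requesterPid) != policy.trustedPids.end())
        return info.desiredAccess;                                           // allow-listed
    return info.desiredAccess & ~kStrippedRights;  // same treatment for Create and Duplicate
}

// What a caller can still do with the handle it got back.
bool canReadOrWriteMemory(AccessMask granted) {
    return (granted & (PROCESS_VM_READ | PROCESS_VM_WRITE)) != 0;
}

int main() {
    ProtectionPolicy policy{1000, {800}};   // constructed PIDs: game=1000, AC service=800
    PreOpInfo foreign{HandleOp::Create, 4242, 1000, PROCESS_ALL_ACCESS};
    PreOpInfo trusted{HandleOp::Duplicate, 800, 1000, PROCESS_ALL_ACCESS};

    AccessMask got = filterHandleAccess(foreign, policy);
    std::printf("foreign asked 0x%06X got 0x%06X memory=%d\n",
                static_cast<unsigned>(foreign.desiredAccess), static_cast<unsigned>(got),
                static_cast<int>(canReadOrWriteMemory(got)));
    got = filterHandleAccess(trusted, policy);
    std::printf("trusted asked 0x%06X got 0x%06X memory=%d\n",
                static_cast<unsigned>(trusted.desiredAccess), static_cast<unsigned>(got),
                static_cast<int>(canReadOrWriteMemory(got)));
    return 0;
}
```

The `Altitude` string in `OB_CALLBACK_REGISTRATION` is the value the altitude questions refer to: it fixes where this callback sits in the chain of registered callbacks, and it is the one piece of the registration that the MSDN allocated-altitudes list dretax linked covers. Two points matter on the defending side: a driver that calls ObRegisterCallbacks must be linked with `/INTEGRITYCHECK`, which ties this protection back to the signing discussion at the top of the thread, and the driver should check the NTSTATUS that ObRegisterCallbacks returns rather than assume the callback is installed.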
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
If you're using kdmapper, consider upgrading to hfiref0x/KDU

Also question for you guys, the intel driver kdmapper uses, not revoked and not expired:
[attached screenshot]


the CVE for this vuln was from 2015 NVD - CVE-2015-2291

Are they not revoking it because it would break too many computers? I guess so

Are BE and EAC not detecting kdmapper? why? I guess if you load first, they would have a hard time detecting you
 
Last edited:

iPower

Piece of shit
Moderator
Escobar Tier VIP
Fleep Tier Donator
Jun 29, 2017
If you're using kdmapper, consider upgrading to hfiref0x/KDU

Also question for you guys, the intel driver kdmapper uses, not revoked and not expired:
[attached screenshot]

the CVE for this vuln was from 2015 NVD - CVE-2015-2291

Are they not revoking it because it would break too many computers? I guess so

Are BE and EAC not detecting kdmapper? why? I guess if you load first, they would have a hard time detecting you
They do detect it if you don't clear the traces properly (like the usual unloaded drivers shit).
 

dretax

CIL Expert
Meme Tier VIP
Fleep Tier Donator
Mar 28, 2020
If you're using kdmapper, consider upgrading to hfiref0x/KDU

Also question for you guys, the intel driver kdmapper uses, not revoked and not expired:
[attached screenshot]

the CVE for this vuln was from 2015 NVD - CVE-2015-2291

Are they not revoking it because it would break too many computers? I guess so

Are BE and EAC not detecting kdmapper? why? I guess if you load first, they would have a hard time detecting you
They detect the vulnerable driver itself. Probably Microsoft didn't give too many fucks about revoking it.
If you clear PiDDBCacheTable and MmUnloadedDrivers you are basically good to go. That's what I do for FairPlay too rn.
 