Daax, iPower, ajkhoury, drew, Apr 13, 2020

As our first article addressing the various methods of detecting the presence of VMMs, whether commercial or custom, we wanted to be thorough and associate it with our research on popular anti-cheat vendors. To kick off the article, it's important for those outside of the game hacking arena to understand the use of hypervisors for cheating, and the importance of anti-cheats staying on top of cheat providers using them.

This post will cover a few standard detection methods that can be used on both Intel and AMD, offering for each an explanation, a mitigation, and a general rating of efficacy. We'll then get into a side-channel attack that can be employed, is platform agnostic, and is highly efficient. After that we'll look at some OS-specific methods that abuse mishandling of descriptor table information in WoW64, and ways to block custom methods of syscall hooking like the technique documented on the Reverse Engineering blog. The more interesting part covers the actual methods used by BattlEye and EasyAntiCheat. We will cover improvements that could be made, and the general efficacy of their methods. This is by no means a jab at the anti-cheats, as keeping up with the technology and the latest ways to abuse it is difficult. They perform their job pretty well, and like any software have holes. This is intended to help those interested in understanding how both sides operate, and the various ways attackers/defenders can defeat/employ virtualization detections. We'll conclude the article with some dumps of miscellaneous data from NtDeviceIoControlFile/IofCallDriver calls in the two anti-cheats. This isn't related to hypervisors, but we figured that while we were investigating, why not?

The advent of hypervisors (VMM) brought with it a lot of hype in the security research community.