
Detected! #16

Open
BufferOverlord opened this issue Jan 5, 2025 · 9 comments

Comments

@BufferOverlord

No description provided.

@BufferOverlord
Author

detected!

@3a1
Owner

3a1 commented Jan 5, 2025

hi, it's not made to be undetected.

@BufferOverlord
Author

I know bro!

Zebra

@doutor123

@BufferOverlord . Detected by...? Microsoft Defender?

@BufferOverlord
Author

LOOK at my GitHub. I have begun uploading an easy bootkit.

@BufferOverlord
Author

hi, it's not made to be undetected.

I know. Here is a list of things you forgot to do:

  1. A mechanism to remove your image from memory.
  2. Boot order. People probably use the GRUB menu, because it allows you to sign your own code with shim. Try to remove your cheat from the boot order list.
  3. Everything seems OK, but one thing that's not OK is the runtime function hook. You need to inject your code into the system in a legal process or driver, instead of patching a system component... hook a legit driver or create an extra system thread in that driver.
  4. Make sure the image is removed from memory...
  5. YOUR BIGGEST MISTAKE!!!!: Every legit signed driver gets detected, because the way they access memory is logged by the operating system, and these anti-cheats scan that list for forbidden code...

@3a1
Owner

3a1 commented Jan 22, 2025

hi, it's not made to be undetected.

I know. Here is a list of things you forgot to do:

  1. A mechanism to remove your image from memory.
  2. Boot order. People probably use the GRUB menu, because it allows you to sign your own code with shim. Try to remove your cheat from the boot order list.
  3. Everything seems OK, but one thing that's not OK is the runtime function hook. You need to inject your code into the system in a legal process or driver, instead of patching a system component... hook a legit driver or create an extra system thread in that driver.
  4. Make sure the image is removed from memory...
  5. YOUR BIGGEST MISTAKE!!!!: Every legit signed driver gets detected, because the way they access memory is logged by the operating system, and these anti-cheats scan that list for forbidden code...

Yeah, those are good points for those who want to improve the bootkit for anticheat bypass or anything else, ty.
I think you repeated 1 and 4.
What did u mean in 5? Can u explain more?

I have a good ability to remember people's writing styles; weren't u that guy that I'm texting with on Telegram about the faceit cheat? :)

@BufferOverlord
Author

yes, I'm Jonas from Telegram...

Every time a driver allocates memory or uses the system API to do so, the anti-cheat is monitoring all process memory access; they see you allocating illegal memory. So instead, use direct assembly: a CR3 change and atomic operations in real time, to prevent them from reading the last stack data from your process in memory. When a context switch happens, the OS saves the current registers of a program to memory and begins executing other threads. That's how a process works. So by doing this, you should be safe.

@3a1
Owner

3a1 commented Jan 23, 2025

yes, I'm Jonas from Telegram...

Every time a driver allocates memory or uses the system API to do so, the anti-cheat is monitoring all process memory access; they see you allocating illegal memory. So instead, use direct assembly: a CR3 change and atomic operations in real time, to prevent them from reading the last stack data from your process in memory. When a context switch happens, the OS saves the current registers of a program to memory and begins executing other threads. That's how a process works. So by doing this, you should be safe.

Yeah, now I better understand what u mean, ty.
Overall I think for now there is no real need to aim for full stealth or something like that.
There are many antiviruses that scan other processes' memory, drivers, etc.
I mean, my point is to try to make the cheat look like a LEGIT process/driver, not STEALTH.

For example, this month I made a driver cheat for faceit that works with all 3 stages enabled (SB, TPM, HVCI).
It doesn't use any really advanced methods; it was only using one zero-day exploit for r/w and one public exploit for memory translation, but that's not the point. I mean the point is that my cheat works not because it is something very stealthy (it's not), but because it looks like legit software.

One example I can give is thread spoofing/hiding. If u use a driver and try to unlink a thread to make it stealthy, like people were doing some years ago, your driver will be insta-flagged as suspicious. That's because no legit driver unlinks its thread; like, why would some driver need to do that? (Only in rare cases can an antivirus driver have the ability to do this type of thing.) And now in 2025 it's really more undetected if u don't do anything with your thread, because u can't fully hide it without disabling KPP.
So my philosophy is to make cheats that look like legit software, and not aim to make them fully stealthy from anticheats, because to me that looks like an infinite game.
