- Attached thread detection
- Process module .text section integrity checks
- NMI and APC stackwalks (to allow excellent system coverage)
- Handle stripping via obj callbacks
- Process handle table enumeration
- System module verification
- Unlinked process detection via PTE walking and checking against a robust process structure signature
- Hidden thread detection via KPRCB
- Dispatch routine validation
- Extraction of hardware identifiers via SMBIOS parsing and PhysicalDriveN querying
- EPT hook detection (currently detects hyperdbg and DdiMon)
- Driver integrity checks both locally and over server
- Test signing detection
- Hypervisor detection via instruction emulation testing and timing checks
- open source anticheat (oxymoron)
- currently only tested on 10 19045 and since offsets are currently hardcoded u may experience technical difficulties. This will be fixed in the future when i either finish the debuglib or just use a pdb parser or maybe another method ;)
- as a passion project i am really only implementing methods which i find enjoyable to either research or build which is why you see a lack of hooks and other such. Maybe in the future c:
- There is still a plethora of work to do with regards to anti tamper, such as packet encryption, string encryption, binary virtualization etc.
- There is also still much work to be done with regards to the prevention toolset, I would like to implement some form of cr3 protection in the near future.
- use the osr loader to load the driver at "system" load.
- inject dll into program you want to protect, i used notepad for testing
- logs will be printed to dbgview and the usermode dll via stdout
driver must be named "driver.sys" (sorry.. will be fixed soon (i am lazy))