Vazzupov / KACE

Emulate Drivers in RING3 with self context mapping or unicorn

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

This got leaked to EAC, they added specific check for KACE, won't update this publicly anymore, use it as a learning tool. No custom detection for it on VGK/BE yet.

Kernel Anti-Cheat Emulator SOON(tm)

Current state of the emulator won't properly load most drivers because most important functions aren't implemented.

What KACE achieved so far:

  • Detect a new sneaky way of EAC detecting unloaded driver (Using WDF)
  • VGKs bruteforcing self-entry/ref of CR3's VA

What's done:

  • Mapping of driver in usermode and start a thread on it
  • Resolving of IAT/EAT
  • API to monitor Write/Read to any structures
  • SEH handling
  • Some Anti-debug/emulation check by VGK pass now
  • VCPU for privileged instructions
  • Modulable memory mapping

Next steps:

  • Kernel memory allocation (being done by DarkC)

Emulation detection :

  • Checking if RIP is in kernel range, can be fixed by modifying pte and exposing kernel memory, will require a vuln driver. If someone wants to implement this feature, PR welcome
  • EPROCESS/ETHREAD/KPCR/PRCB structure are implemented, which creates the illusion that the usermode thread is a kernel thread for the emulated driver. Those structures are not entirely filled and can probably be improved, PR welcome
  • Wrong behavior of some API, for instance RtlRandomEx has different behavior in kernel and usermode, this can be checked to check for emulation behavior, I fixed it but if you know of any difference between ntoskrnl/ntdll that can be used to check for emulation, PR!
  • Checking if current code is in ring3/ring0, can probably sigscan for such pattern.
  • PTE checking, can be emulated the second there's any access to cr3, we get notified anyway.

About

Emulate Drivers in RING3 with self context mapping or unicorn


Languages

Language:C 78.0%Language:C++ 21.6%Language:Assembly 0.4%