Making Your Cheat Undetected From ALL Current and Future Anti-Cheats - Old Royal Hack Forum


Making Your Cheat Undetected From ALL Current and Future Anti-Cheats

Concept:

1. To remain fully undetected from all current and future anti-cheats, we must remain external to the game. We are going a step further and becoming external to the computer itself, instead getting memory access through buses that provide Direct Memory Access (DMA) to the physical memory layout. Buses that provide that are FireWire, ExpressCard, Thunderbolt, PCI/PCI-E... so we will need a hardware device with an FPGA attached to do some processing work for us.
2. Those buses allow direct access to the entire physical memory. To make our lives easier we will need to be able to translate physical memory addresses to virtual memory addresses. We will need to find the CR3 register to do this. CR3 is on each processor, and points to the page directory, which points to page tables, which reference physical memory addresses. We can walk through each table and find a signature for our game, let's say hl2.exe. You have two choices now.
3a. Once we are at this point, we could do a couple of things. If you wanted a totally external solution, we could just read the structures from the game, do processing on the FPGA, and output them through a DVI passthrough to overlay the game on-screen. We could output them to a secondary monitor or device. Aimbot could be achieved by doing USB HID emulation of a mouse to position the cursor above an enemy and fire, or as a triggerbot, etc.
3b. Alternatively we have the ability for arbitrary code execution on both x86 and x86_64 processors. On x86_64, we also have the problem of PatchGuard, so direct SSDT and IDT patches are out of the question, so we would want to patch something that's not checked by PatchGuard (see "A Catalog of Windows Local Kernel-mode Backdoor Techniques" by skape and Skywing). This is not exactly the fully external solution described above, and you will want to exercise caution, as modifying the physical memory is probably not advisable due to anti-cheats detecting your code or memory modifications.

Shortfalls: Hypervisor (this would be extremely limiting to the user), RAM encryption

References:
Aumaitre, D., & Devine, C. (2010, July). Subverting Windows 7 x64 Kernel with DMA Attacks. Presentation delivered at HITB2010 Amsterdam. Retrieved from http://esec-lab.sogeti.com/dotclear/...dmaattacks.pdf
Hoglund, G., & Butler, J. (2006). Rootkits: Subverting the Windows Kernel. Upper Saddle River, NJ: Addison-Wesley.
Skywing & skape (2007). A Catalog of Windows Local Kernel-mode Backdoor Techniques. Uninformed, 8. Retrieved from http://uninformed.org/?v=8&a=2&t=pdf

#2
Re: Making Your Cheat Undetected From ALL Current and Future Anti-Cheats

Who would do that... I mean WHO would do that... maybe that thingy with mouse... but just that... :P
Originally posted by God:
Fuck this shit. I need a new planet...
This is our moment.
We have never been stronger.
People are frightened yes, but
If we show them the way
They will rise behind us.



#3
Re: Making Your Cheat Undetected From ALL Current and Future Anti-Cheats

Originally posted by eragon sk View Post
Who would do that... I mean WHO would do that... maybe that thingy with mouse... but just that... :P
Anybody who wants to cheat without concern.



#4
Re: Making Your Cheat Undetected From ALL Current and Future Anti-Cheats

Nice thread, maybe I will try this in a few years :P



#5
Re: Making Your Cheat Undetected From ALL Current and Future Anti-Cheats

Originally posted by redbulli View Post
Nice thread, maybe I will try this in a few years :P
No you won't.

On a related note, if you have an Ethernet card you could probably overwrite the firmware. Although I think most probably I would go for a router-based hack rather than an Ethernet-based hack.



#6
Re: Making Your Cheat Undetected From ALL Current and Future Anti-Cheats

Originally posted by redbulli View Post
Nice thread, maybe I will try this in a few years :P
No you won't.

Although I think most probably I would go for a router-based hack rather than an Ethernet-based hack. Losing DMA is not a big worry if you have full documentation of the packet scheme anyway.



#7
Re: Making Your Cheat Undetected From ALL Current and Future Anti-Cheats

dubbel post
ok bai



#8
Re: Making Your Cheat Undetected From ALL Current and Future Anti-Cheats

Originally posted by lolimsoasd View Post
dubbel post
Actually they only have the same beginnings :)
Move on



#9
Re: Making Your Cheat Undetected From ALL Current and Future Anti-Cheats

Originally posted by lolimsoasd View Post
dubbel post
dubya post

IN DIS MURIKA



#10
Re: Making Your Cheat Undetected From ALL Current and Future Anti-Cheats

Originally posted by lolimsoasd View Post
dubbel post
Double penetr.... posts have happened pretty frequently here lately, it's some weirdass lag-spike that causes them, probably Seth DDOS.
lolmaoman: Germans are born with a lifetime x22 login engraved into their birth certificates. True story.
I DONT HAVE TEAMVIEWER AND IM NOT GOING TO GIVE ANY 24/7 ONLINE SUPPORT VIA STEAM, XFIRE OR OTHER IM PROGRAMS SO DONT BOTHER ASKING. THANKS.
