Slide transcript: Joel Noguera, Security Consultant at Immunity Inc · 2019. 12. 11.
Unveiling the underground world of ANTI-CHEATS
Joel Noguera
Security Consultant at Immunity Inc
@niemand_sec
What are we going to talk about?
[·] Anti-Cheats
[·] Cheats
[·] Analyzing Anti-Cheats
[·] Conclusions & Results
FIRST RULE OF THE GAMING CLUB, YOU DON'T CHEAT (or get caught doing it)
GIF of the guy who catches him with WORD.exe in the middle of the tournament
Anti-Cheats
Let’s see some numbers... Monthly Active Users
EAC: 275.000.000
XC3: 500.000
BE: 30.000.000
VAC: 31.000.000
336.500.000 in total
Anti-Cheat Components
Kernel Driver
[·] Handle stripping/Access Control
[·] Register kernel callbacks
[·] Rejection of Kernel/User mode debugging
[·] Analysis of privileged processes (lsass and csrss)
[·] Block blacklisted/unsigned drivers
[·] Monitoring of kernel function calls
DLL inside Games
[·] Control of access flags to different sections
[·] Identification of hooks
[·] Thread Hijacking
[·] DLL Injection
[·] Function signatures
[·] VEH/SEH modification
[·] Game resources modification
[·] Detection of virtual environment
External Ring 3 Process
[·] Process/File Controls
[·] Blacklisted programs detection
[·] Manage logic from Driver
[·] Control of game client and DLL hashes
[·] Multi-client detection
[·] Program integrity controls
Cheats
Internal (DLL) vs External (Process)
External - Pros:
[·] Quick for small patches
[·] Easy to master
[·] Can be closed in certain cases
External - Cons:
[·] Slow
[·] Easy to detect
[·] Limited potential
[·] Requires a Handle (usually)
Internal - Pros:
[·] Great performance
[·] Direct access to memory
[·] Hard to detect if you are good enough
Internal - Cons:
[·] Hard to master
[·] Easier to detect if you mess it up
Aimbots / Wallhack/ESP
Pro players getting caught? Why not
Parallel Market
Are they fighting back?
Apex claims:
[·] More than 770k players banned
[·] Over 300K account creations blocked
[·] Over 4k cheat seller accounts (spammers) banned in 20 days
https://unknowncheats.me/
Analyzing Anti-Cheats
Methodology
Goal:
[·] Read/Write/Alloc Memory (Internal & External)
[·] Run Code inside Game’s Process
[·] Be as stealthy as possible
Hijacking Techniques
ACs usually control, block or reject new HANDLEs to the game process:
[·] A driver protects the game and AC processes
Some processes need to be whitelisted: lsass, csrss, the AC itself
Hijacking techniques come to our rescue:
[·] Handle Hijacking
[·] Stealth Handle Hijacking
[·] Hooking
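The handle stripping and whitelisting described on the slides above (and under "Kernel Driver" in the components section) can be modelled in user-mode C. The following is an added example written for this transcript, not code from the talk or from the AntiCheat-Testing-Framework: `downgrade_access` reproduces the decision an ObRegisterCallbacks pre-operation callback makes for handles to the game (the access-right constants are the Windows SDK values), and `count_dangerous_handles` audits a handle-table snapshot of the kind the SystemExtendedHandleInformation class reports, so that a read/write handle held by a process outside the whitelist stands out. The image name `anticheat.exe`, the PIDs and the snapshot rows are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Process access rights; values match the Windows SDK (winnt.h). */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_DUP_HANDLE                0x0040u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define PROCESS_ALL_ACCESS                0x001FFFFFu   /* Windows Vista and later */

/* Rights that let the holder read, write, or run code in the game. */
#define DANGEROUS_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | \
                          PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE)

/* Processes the talk says must keep their access (lsass, csrss, the AC itself).
 * "anticheat.exe" is a placeholder name, not a real product's image name. */
static const char *const kWhitelist[] = { "lsass.exe", "csrss.exe", "anticheat.exe" };

bool is_whitelisted(const char *image)
{
    for (size_t i = 0; i < sizeof kWhitelist / sizeof kWhitelist[0]; i++)
        if (strcmp(image, kWhitelist[i]) == 0) return true;
    return false;
}

/* Models the decision an ObRegisterCallbacks pre-operation callback makes:
 * for handles to the protected game, strip the dangerous rights unless the
 * requester is whitelisted. Returns the access mask that is actually granted. */
uint32_t downgrade_access(uint32_t desired, const char *requester_image, bool target_is_game)
{
    if (!target_is_game || is_whitelisted(requester_image))
        return desired;
    return desired & ~DANGEROUS_RIGHTS;
}

/* One row of a handle-table snapshot, the kind NtQuerySystemInformation's
 * SystemExtendedHandleInformation class reports (owner, target, granted access). */
typedef struct {
    uint32_t    owner_pid;
    const char *owner_image;
    uint32_t    target_pid;
    uint32_t    granted_access;
} HandleRecord;

/* Count handles to game_pid that still carry dangerous rights. With
 * only_unexpected set, count just those held by non-whitelisted owners: a
 * non-zero result means a handle got past the driver (opened before it loaded,
 * inherited, or duplicated) and deserves a closer look. */
size_t count_dangerous_handles(const HandleRecord *recs, size_t n, uint32_t game_pid, bool only_unexpected)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (recs[i].target_pid != game_pid) continue;
        if ((recs[i].granted_access & DANGEROUS_RIGHTS) == 0) continue;
        if (only_unexpected && is_whitelisted(recs[i].owner_image)) continue;
        hits++;
    }
    return hits;
}

/* Constructed snapshot for demonstration; nothing here was captured from a live system. */
#define GAME_PID 4242u
static const HandleRecord kSnapshot[] = {
    {  700, "lsass.exe",    GAME_PID, PROCESS_ALL_ACCESS },                  /* whitelisted, expected  */
    { 1500, "cheat.exe",    GAME_PID, PROCESS_VM_READ | PROCESS_VM_WRITE },  /* should not exist       */
    { 2000, "explorer.exe", GAME_PID, PROCESS_QUERY_LIMITED_INFORMATION },   /* harmless rights        */
    {  700, "lsass.exe",    9999,     PROCESS_ALL_ACCESS },                  /* other target, ignored  */
};

size_t sample_dangerous(void)  { return count_dangerous_handles(kSnapshot, 4, GAME_PID, false); }
size_t sample_unexpected(void) { return count_dangerous_handles(kSnapshot, 4, GAME_PID, true); }

int main(void)
{
    printf("cheat.exe asks for ALL_ACCESS, gets 0x%08X\n", downgrade_access(PROCESS_ALL_ACCESS, "cheat.exe", true));
    printf("lsass.exe asks for ALL_ACCESS, gets 0x%08X\n", downgrade_access(PROCESS_ALL_ACCESS, "lsass.exe", true));
    printf("dangerous handles to game: %zu, of which unexpected: %zu\n", sample_dangerous(), sample_unexpected());
    return 0;
}
```

The whitelist is exactly the gap the rest of the talk works in: a handle that lsass or csrss legitimately holds keeps its rights, so the audit cannot flag it by owner alone, and a driver that only filters new opens has to periodically re-examine the existing table as well.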
Hijacking Techniques - NamedPipe
“\Device\NamedPiped\270F59B0075AA3D3”
Hijacking Techniques - NamedPipe: Disadvantages
Hijacking Techniques - FileMapping
Imagine a world where our shared memory does not leave an open HANDLE and we can cover our tracks better.
Hijacking Techniques - FileMapping
“File mapping object does not close until all references to it are released”
We can call CloseHandle without calling UnmapViewOfFile.
Hijacking Techniques - FileMapping
We can make it even better by delaying the execution
Manual spinlocks to avoid mutex/semaphore HANDLEs
Hijacking Techniques - FileMapping: Disadvantages
Hijacking Techniques - Bypass Hooks
EAC also hooks functions in lsass.exe:
Why?
- Validate/Control/Track each action done against the game
Hijacking Techniques - Bypass Hooks: Disadvantages
Hooking
Hooking Graphic Engines:
[·] IAT hooking
[·] JMPs on function prologues
What about 3rd party libraries?
[·] Steam Overlay
[·] Open Broadcaster Software
Steam Overlay: redirects execution to gameoverlayrenderer64.dll:$8A480
Open Broadcaster Software: redirects to graphics-hook64.7FFEB97AE4D0
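Because both the Steam overlay and OBS legitimately place a JMP on the graphics-engine prologues, an anti-cheat cannot treat every redirect as a cheat; it has to resolve where the jump goes and ask whether the destination belongs to a module it knows. The following added example (mine, not code from the talk or its tooling) decodes the three common x64 redirect forms, `jmp rel32`, `jmp [rip+disp32]` and `mov rax, imm64; jmp rax`, and flags a redirect that leaves the owning module; the same range check applies to an IAT slot. The byte sequences and module ranges are constructed; the `0x7FFEB97AE4D0` destination reuses the graphics-hook64 address shown on the slide.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { HOOK_NONE, HOOK_JMP_REL32, HOOK_JMP_RIP_INDIRECT, HOOK_MOV_RAX_JMP } HookKind;

typedef struct {
    HookKind kind;
    uint64_t target;   /* jump destination, or the pointer slot for the indirect form */
} HookInfo;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p)
{
    return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32);
}

/* Inspect the first bytes of an x64 function located at virtual address va. */
HookInfo detect_inline_hook(const uint8_t *code, size_t len, uint64_t va)
{
    HookInfo info = { HOOK_NONE, 0 };
    if (len >= 5 && code[0] == 0xE9) {                            /* jmp rel32 */
        info.kind = HOOK_JMP_REL32;
        info.target = va + 5 + (int32_t)rd32(code + 1);
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {  /* jmp [rip+disp32] */
        info.kind = HOOK_JMP_RIP_INDIRECT;
        info.target = va + 6 + (int32_t)rd32(code + 2);           /* address of the pointer slot */
    } else if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
               code[10] == 0xFF && code[11] == 0xE0) {            /* mov rax, imm64; jmp rax */
        info.kind = HOOK_MOV_RAX_JMP;
        info.target = rd64(code + 2);
    }
    return info;
}

static bool in_range(uint64_t addr, uint64_t base, uint64_t size)
{
    return addr >= base && addr - base < size;
}

/* A redirect is suspicious when it leaves the module that owns the function;
 * a JMP whose destination stays inside the module is ordinary compiler output. */
bool is_foreign_redirect(HookInfo info, uint64_t module_base, uint64_t module_size)
{
    return info.kind != HOOK_NONE && !in_range(info.target, module_base, module_size);
}

/* Same check for an IAT slot: the stored pointer should land in the exporting module. */
bool iat_entry_is_foreign(uint64_t entry, uint64_t export_base, uint64_t export_size)
{
    return !in_range(entry, export_base, export_size);
}

/* Constructed samples; the module range and prologue bytes were not captured from a real game. */
#define GAME_BASE 0x00007FF700000000ULL
#define GAME_SIZE 0x0000000001000000ULL
static const uint8_t kJmpRel32[]      = { 0xE9, 0x10, 0x00, 0x00, 0x00 };       /* jmp +0x10, stays in module */
static const uint8_t kMovRaxJmp[]     = { 0x48, 0xB8, 0xD0, 0xE4, 0x7A, 0xB9,   /* mov rax, 0x7FFEB97AE4D0 */
                                          0xFE, 0x7F, 0x00, 0x00, 0xFF, 0xE0 }; /* jmp rax                  */
static const uint8_t kCleanPrologue[] = { 0x48, 0x89, 0x5C, 0x24, 0x08,         /* mov [rsp+8], rbx         */
                                          0x48, 0x89, 0x74, 0x24, 0x10 };       /* mov [rsp+0x10], rsi      */

HookInfo sample_jmp_rel32(void)   { return detect_inline_hook(kJmpRel32, sizeof kJmpRel32, GAME_BASE + 0x1000); }
HookInfo sample_mov_rax_jmp(void) { return detect_inline_hook(kMovRaxJmp, sizeof kMovRaxJmp, GAME_BASE + 0x2000); }
HookInfo sample_clean(void)       { return detect_inline_hook(kCleanPrologue, sizeof kCleanPrologue, GAME_BASE + 0x3000); }

int main(void)
{
    HookInfo a = sample_jmp_rel32(), b = sample_mov_rax_jmp(), c = sample_clean();
    printf("jmp rel32   -> 0x%llX foreign=%d\n", (unsigned long long)a.target, is_foreign_redirect(a, GAME_BASE, GAME_SIZE));
    printf("mov rax;jmp -> 0x%llX foreign=%d\n", (unsigned long long)b.target, is_foreign_redirect(b, GAME_BASE, GAME_SIZE));
    printf("clean prologue kind=%d\n", c.kind);
    return 0;
}
```

In a real scan the destination would then be matched against the loaded-module list, which is how an AC tells gameoverlayrenderer64.dll or graphics-hook64.dll apart from an unknown module, and why the talk's code-cave variant, which keeps the destination inside a legitimate module, is harder to separate from the overlays.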
Hooking - Code Caves and NamedPipes?
Refresher - Bypass Hooks: Disadvantages
Moving to kernel... Drivers
Drivers
Cheat developers also develop their own to fight inside the kernel.
Loading a Driver:
[·] Test Mode
[·] Sign your own Driver ($$$$$$$$)
[·] Abuse of another driver
GIGABYTE Driver
[·] CVE-2018-19320 (ring0 memcpy with VA)
[·] CVE-2018-19321 (read/write arbitrary physical memory)
EAC downgrading the HANDLE
Driver - DKOM
1) Search for EPROCESS Struct in kernel
   typedef struct { CHAR ImageFileName[15]; DWORD PriorityClass; }
2) Obtain the ObjectTable (HANDLE_TABLE)
3) Use ExpLookupHandleTableEntry(HandleTable, Handle)
4) Retrieve HANDLE
5) Modify GrantedAccess
6) Overwrite kernel memory
7) Profit
Refresher - Bypass Hooks: Disadvantages
One Last Attempt
Driver - Just do it from kernel!
1) Leak handle pointers using NtQuerySystemInformation with SystemExtendedHandleInformation (0x40) as SYSTEM_INFORMATION_CLASS
2) Locate valid KPROCESS pointer
   _KPROCESS.Header == 0x00B60003
3) Traverse linked list -> _EPROCESS.ActiveProcessLinks
4) Obtain DirectoryBaseTable -> _EPROCESS.PEB.DirectoryBaseTable
5) Obtain target Base Address -> _EPROCESS.SectionBaseAddress
6) Dereference Ring3 virtual addresses
7) Directly modify/read memory
DEMO
What about the tools?
Black Hat Sound Bytes
[·] Fight at kernel level vs Trivial Bypasses
[·] Blacklisting all drivers is impossible
[·] Compatibility with Windows and 3rd-party applications is a problem
Open Source Projects
ReClass Plugin - Driver Reader: niemand-sec/ReClass.NET-DriverReader
AntiCheat-Testing-Framework: niemand-sec/AntiCheat-Testing-Framework
[·] CheatHelper & DriverHelper
[·] DriverDisabler & Synapse Driver exploit (Razer)
[·] HandleHijackingDLL and HandleHijackingMaster
[·] NamePipes and FileMapping
[·] WinApi Hooking Bypass & Lua Hooking
[·] Handle Elevation and External Driver
THANK YOU!
@niemand_sec