sondernextdoor / Poseidon

Stealthy UM <-> KM communication system without creating any system threads, permanent hooks, driver objects, section objects or device objects.
354 stars, 68 forks

Violations #7

Closed elchoky closed 3 years ago

elchoky commented 3 years ago

For test purposes I tested on a simple game with EAC. It should work, but I'll include that it is a super low game. With EAC. Including a simple BaseAddress read from the process, and everything running correctly, EAC ends it the same. Is it detected, or does it need another type of security to work on EAC?

sondernextdoor commented 3 years ago

Just tested on EAC (Fortnite), it works fine. As stated in the readme, it needs to be set up before the anticheat. This includes mapping the driver, starting the client, and calling Client::Connect() all before the anticheat is running.

The security violation EAC is giving is due to the detection of the temporary hook in the kernel. This gets unhooked when you call Client::Connect(), which is why it's imperative that you do that before the anticheat is running.

In addition, the driver isn't meant to be fully UD in its current state, only the communication method is. There's still a big pool of allocated memory in the kernel that will likely result in a flag if it's not freed.

elchoky commented 3 years ago

Yeah, my error, thanks for the reply. For some reason before testing and after I build my detected process in the driver, to find when the process is running I move my connection fk stp* that I am.

elchoky commented 3 years ago

In any case it looks like it works perfectly, just moving that and tested. You talk about another part of the kernel. Is there any help point where I should start looking?

sondernextdoor commented 3 years ago

Glad everything's working well! :D

this thread has a bunch of info + some code about clearing the big pool table: https://www.unknowncheats.me/forum/anti-cheat-bypass/428976-removing-mapped-driver-systembigpoolinformation.html

It's probably not enough to get banned, but it's definitely suspicious enough to warrant further investigation by EAC.

elchoky commented 3 years ago

Idk, but I think I haven't done anything wrong yet. But it looks like the response from the driver affects some functions for me. Where normally without the driver it works correctly, while reading it looks like it takes some ms, which makes my loops uncontrolled.

zhqu1148980644 commented 2 years ago

> Just tested on EAC (Fortnite), it works fine. As stated in the readme, it needs to be set up before the anticheat. This includes mapping the driver, starting the client, and calling Client::Connect() all before the anticheat is running.
>
> The security violation EAC is giving is due to the detection of the temporary hook in the kernel. This gets unhooked when you call Client::Connect(), which is why it's imperative that you do that before the anticheat is running.
>
> In addition, the driver isn't meant to be fully UD in its current state, only the communication method is. There's still a big pool of allocated memory in the kernel that will likely result in a flag if it's not freed.

How do I map the driver? Any documents?