ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

Detections by Anticheats #152

Closed mmollet closed 4 years ago

mmollet commented 4 years ago

Hi, I know that your product mainly wasn't meant to be used for this special scenario.

I'm just wondering how anticheats could detect this. I'm trying to give as much information as possible to understand why I still got hit by a ban for having the Screamer in my PC yesterday at 9pm in an EFT banwave. Yes, I'm a bad boy.

My system is: Asus Maximus Extreme Z490, Intel Core i9 10900K, Palit GamingPro OC 3090, Asus Essence STI 2, 2 x 2TB Corsair MP600 (RAID 0) and a Screamer M.2 R02 (non-USB-C version).

I need to add the information that I was NEVER banned on that system before, or on that IP address.

On the software side, it's Windows 1909, fully patched. Windows Defender is on. No modifications. Installed 4 games on it: PUBG (not banned), EFT (banned), Crysis Remastered (not banned), Among Us (not banned).

For the Screamer, I've used lspci to read my Elgato 4K MK2 streaming card and made a perfect clone of it in Vivado. I used the right Vendor and Device ID. I used the right Config Space. I used the right DSN. I used the right category and type of card. I used the right number of BARs. I have not installed any drivers on the DMA PC nor any tools; everything was done from the attacking PC.

So, what could have been the detection? I'm not the only one who got hit, a lot of others got hit too, and I'm not only asking @ufrisk, I'm asking everyone who knows more when it comes to FPGAs and PCILeech. Are there any other precautions that need to be taken when, for example, the connection is established from the attacking PC to the DMA PC? Are there any traces left in memory? I often heard the term "master aborts". Are there any other detection flaws, vectors, points, whatever you want to call them, by which an anticheat in kernel mode could access the Xilinx chip to see what it really does? Maybe using some kind of initialization commands to the PCI bus, or what else could be the issue, and more importantly, how to solve this...
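Added example, not from this thread and not pcileech code: the post above describes cloning a card's config space from an `lspci` dump and matching its IDs, DSN and BAR count. The script below parses two `lspci -xxxx` style dumps, decodes the read-only identity fields of the 64-byte type-0 header (vendor/device ID, class code, subsystem IDs, BAR layout) and lists the bytes that differ, skipping fields that firmware or the OS rewrite at runtime so that only design mismatches remain. Both dumps are constructed for illustration; the IDs, BAR contents and device names in them are made up and do not describe any real card. It decodes only the standard header: capability lists, extended config space and the device's behaviour on the bus at runtime (what the post calls master aborts) are outside what comparing two static dumps can show.

```python
import re
from typing import Dict, List, Tuple

# Constructed lspci -xxxx style dumps for two hypothetical devices (not real hardware);
# only the 64-byte type-0 header is shown. Vendor/device IDs and BAR contents are made up.
DUMP_ORIGINAL = """\
01:00.0 Multimedia video controller: Example Vendor Example Capture Card
00: 34 12 78 56 06 04 10 00 01 00 00 04 10 00 00 00
10: 04 00 00 f0 00 00 00 00 0c 00 00 e0 00 00 00 00
20: 00 00 00 00 00 00 00 00 00 00 00 00 34 12 78 56
30: 00 00 00 00 40 00 00 00 00 00 00 00 0b 01 00 00
"""

# Same vendor/device ID and BAR layout, but the subsystem vendor ID was left at 0
# and the firmware assigned a different interrupt line.
DUMP_CLONE = """\
02:00.0 Multimedia video controller: Example Vendor Example Capture Card
00: 34 12 78 56 06 04 10 00 01 00 00 04 10 00 00 00
10: 04 00 00 f0 00 00 00 00 0c 00 00 e0 00 00 00 00
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 56
30: 00 00 00 00 40 00 00 00 00 00 00 00 0a 01 00 00
"""

# "<offset>: <up to 16 hex bytes>" as printed by lspci -xxx / -xxxx
HEX_LINE = re.compile(r"^([0-9a-f]{2,3}): ((?:[0-9a-f]{2}\s?){1,16})$", re.I)

# Standard type-0 header layout: (offset, length, name)
TYPE0_FIELDS = [
    (0x00, 2, "vendor_id"), (0x02, 2, "device_id"), (0x04, 2, "command"),
    (0x06, 2, "status"), (0x08, 1, "revision_id"), (0x09, 3, "class_code"),
    (0x0c, 1, "cache_line_size"), (0x0d, 1, "latency_timer"),
    (0x0e, 1, "header_type"), (0x0f, 1, "bist"), (0x10, 24, "bar"),
    (0x28, 4, "cardbus_cis"), (0x2c, 2, "subsystem_vendor_id"),
    (0x2e, 2, "subsystem_id"), (0x30, 4, "expansion_rom"), (0x34, 1, "cap_ptr"),
    (0x35, 7, "reserved"), (0x3c, 1, "interrupt_line"), (0x3d, 1, "interrupt_pin"),
    (0x3e, 1, "min_gnt"), (0x3f, 1, "max_lat"),
]

# Written by firmware or the OS at runtime; a mismatch here is not a design difference.
VOLATILE_FIELDS = {"command", "status", "cache_line_size", "latency_timer",
                   "bar", "expansion_rom", "interrupt_line"}


def parse_lspci_xxxx(text: str) -> bytes:
    """Turn the hex lines of an lspci -xxxx dump into raw config-space bytes."""
    cfg = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue  # device description line, or anything else that is not hex
        if int(m.group(1), 16) != len(cfg):
            raise ValueError(f"non-contiguous dump at offset {m.group(1)}")
        cfg += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(cfg)


def field_name(offset: int) -> str:
    for start, length, name in TYPE0_FIELDS:
        if start <= offset < start + length:
            return name
    return "capabilities_or_extended"  # beyond the 64-byte header; not decoded here


def _le(cfg: bytes, off: int, n: int) -> int:
    return int.from_bytes(cfg[off:off + n], "little")


def bar_layout(cfg: bytes) -> List[Tuple[int, str]]:
    """Implemented BARs as (offset, kind); a 64-bit memory BAR consumes two slots."""
    bars, slot = [], 0
    while slot < 6:
        off = 0x10 + 4 * slot
        val = _le(cfg, off, 4)
        if val == 0:                      # unimplemented slot
            slot += 1
        elif val & 1:                     # I/O space BAR
            bars.append((off, "io"))
            slot += 1
        else:                             # memory BAR: type bits 2:1, prefetch bit 3
            wide = ((val >> 1) & 0b11) == 0b10
            kind = ("mem64" if wide else "mem32") + ("_prefetch" if val & 8 else "")
            bars.append((off, kind))
            slot += 2 if wide else 1
    return bars


def decode_header(cfg: bytes) -> Dict[str, object]:
    """The identity-relevant, read-only parts of the type-0 header."""
    return {
        "vendor_id": _le(cfg, 0x00, 2),
        "device_id": _le(cfg, 0x02, 2),
        "revision_id": cfg[0x08],
        "class_code": _le(cfg, 0x09, 3),
        "header_type": cfg[0x0e] & 0x7f,  # bit 7 only flags multi-function
        "subsystem_vendor_id": _le(cfg, 0x2c, 2),
        "subsystem_id": _le(cfg, 0x2e, 2),
        "cap_ptr": cfg[0x34],
        "interrupt_pin": cfg[0x3d],
        "bars": bar_layout(cfg),
    }


def diff_config(a: bytes, b: bytes, ignore_volatile: bool = True) -> List[Tuple[int, str, int, int]]:
    """Byte-by-byte differences as (offset, field, byte_a, byte_b)."""
    diffs = []
    for off in range(min(len(a), len(b))):
        if a[off] == b[off]:
            continue
        name = field_name(off)
        if ignore_volatile and name in VOLATILE_FIELDS:
            continue
        diffs.append((off, name, a[off], b[off]))
    return diffs


if __name__ == "__main__":
    orig, clone = parse_lspci_xxxx(DUMP_ORIGINAL), parse_lspci_xxxx(DUMP_CLONE)
    print("original:", decode_header(orig))
    print("clone:   ", decode_header(clone))
    for off, name, x, y in diff_config(orig, clone):
        print(f"  {off:#04x} {name}: {x:#04x} != {y:#04x}")
```

Run against real dumps (`lspci -s <bdf> -xxxx` on both machines), the interesting output is the non-volatile mismatches; with the constructed input above it reports only the two subsystem vendor ID bytes, and the interrupt line difference is ignored because the firmware assigns it.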

ufrisk commented 4 years ago

I did not create these tools with the intention of cheating. I know they're being used for that purpose by some people, and that's the way things are. With that being said, I feel this question, while interesting, belongs better on other forums more dedicated to cheating.

I have no intention of actively developing cheating tools, and I prefer my issues section to reflect this. I'm therefore closing this thread.

I wish you good luck with your future DMA investigations, but for your specific use cases, on another forum. Thanks for understanding.