-
Dec 17, '24: Fixed DetectOpenHandlesToProcess to not warn for whitelisted processes
-
Nov 28, '24: Added registry key modification notifications via
RegNotifyChangeKeyValuefor some important keys -
Nov 23, '24: Added signature/byte pattern scanning on newly created processes
-
Nov 23, '24: Added anti-debugger method which creates a remote thread inside common debuggers which calls their
ExitProcessroutine -
Oct 27, '24: Added process creation monitoring using WMI to detect blacklisted processes being opened
-
Oct 24, '24: Started to change important class object pointers to
std::unique_ptr, and fixed an memory-related unhandled exception issue at cleanup/program ending. The main focus going forwards for this project will be to make better use of C++ concepts, in order to make the code more readable and scale better. -
Oct 3, '24: Fixed
IsTextSectionWritableroutine, which now checks all pages in the .text section for protections other than PAGE_EXECUTE_READ. Further development of this project will likely be much slower than normal, as I'm busy with other projects. -
Sept 6, '24: Added checks on TLS callback structure for anomalies (number of TLS callbacks, TLS data directory address, TLS callback addresses outside of main module, etc)
-
Aug 23, '24: Added
Settingsclass for compile-time configurations, along with Hypervisor checks -
Aug 8, '24: Added secure boot enforcement to prevent bootloader cheats
-
June 25, '24: Added simple window title & class name checks to help determine if the user is running Cheat Engine, x64dbg, etc. This should be considered an extra data point and not solely responsible for detecting attackers.
-
June 20, '24: Added hash lists for all loaded modules
.textsections such that specific modules can later on be checked for memory modifications. This was used to add checks onWINTRUST.dllto detect any hooks on signature-related routines. Since it's a bit expensive to check all loaded module hashes constantly, specific modules should be checked periodically. -
June 19, '24: Added DLL load notifications/callbacks and proper signature checks on any loaded modules (thanks to github user
discriminatingfor this contribution). -
June 13, '24: Added NT header tampering for its members
NumberOfSections,SizeOfImage,AddressOfEntryPoint, which results in dynamic info lookups from attackers on these variables to be incorrect. -
May 29. '24: Added 'process mitigation policies' in the Preventions class
-
May 28, '24: Program can now block APC injection by patching over ntdll.dll's Ordinal8 (called by KiUserApcDispatcher). This routine can also be hooked to reveal the injected APC payload's address. If your game/program relies on APC for normal execution, this technique might not be suitable.
-
May 28, '24: Added
retpatch over first byte of executed thread function in TLS callbacks if the address is not in a whitelisted range. Similar method to what was added on May 25, but will apply to any thread function trying to execute since we directly patch it inside the TLS callback. For example, if CreateRemoteThread is called on address 0x12345, the TLS callback will place aretat 0x12345. -
May 25, '24: Added extended defenses against Cheat Engine's VEH debugger by patching over the first byte of
InitializeVEHand renaming the module name ofvehdebug-x86_64.dll. -
May 23, '24: Added open process handle checking. Our program can now detect external programs which have called
OpenProcessto our process. -
May 20, '24: Added splash screen to make the program feel like commercial AC, added return address check functionality to prevent remote function calling, added checks on thread suspension
-
May 10, '24: Client and server now communicate correctly, heartbeats will be sent every 60s to the client. Server code will be posted in the "Server" directory of the project, and will be its own C# program. Design will soon be changed to integrate the
AntiCheatclass to the networking portions. -
May 4, '24: Added TLS callback spoofing, which is compiling the program with a fake TLS callback and then modifying the pointer at runtime to our real callback.
-
April 30, '24: Fixed any memory & threading issues, removed PEB spoofing & exported function renaming to ensure program works smoothly for everyone - export function renaming can sometimes pop up an error box to the end user about "Entry Point Not Found", if this error box can be supressed somehow then we can re-add the technique since it successfully prevents DLL Injection. PEB spoofing was found to create issues with thread creation at random occurences.
-
April 24, '24: IAT hook checking, further code cleanup and error checking
-
April 7, '24: Added TestSigning / Windows 'test mode' detection to prevent unsigned drivers
-
April 3, '24: Added WINAPI hook checking, blacklisted process checking
-
March 31, '24: Detection methods have been moved to Detections class, techniques/prevention methods have been moved into Preventions class. Thus we have a set of detections and a set of preventions. Added detection looping to make the program feel more like a commercial AC. Code structure is closer now to where I had aimed originally. There's still much that can be added, stay tuned.
-
March 25, '24: Beginning to move tests into their proper places and making use of the API class. Future updates will improve code structure and add threaded & looping support to make the program feel more like a commercial AC product and less like a techniques testing suite
-
March 24, '24: A full re-upload was done along with various bug fixes. The program should compile without issues in x64 (x86 not supported yet, apologies). I plan on continuing work on this project in the near future. As it's been some time since making this project, lots more can be added soon with new knowledge and techniques acquired in the time between then and now. Stay tuned for further updates!