Easy Anti-Cheat:
Easy Anti Cheat Capabilities
Because EAC is a kernel anti-cheat, it can detect anything and everything. You must load your kernel driver first before the anti-cheat starts to prevent it.
Block all interaction with game process
Block creation of process handles
Scan for hidden processes & modules
Scan for known suspicious DLL modules
Scan for known suspicious drivers
Get a list of all open handles
Scan for disks & devices
Log all loaded drivers
Gather HWID information
Detect debuggers
Find manually mapped drivers
Detect manually mapped driver traces
Check for kernel patches
Find handles to physical memory
Detect modules using VirtualProtect
Dump suspect strings from regions not backed by actual modules
Scan for possible syscall stubs in regions that are not backed by modules
Enumerate windows to detect suspect overlays
Enumerate suspect shared memory sections
Detect hooks
Checks all services
Scan all threads & system threads
Stack walking
Detection of manually mapped modules
Turla Driver Loader detection
Hypervisor & VM detection
DbgUiRemoteBreakin patch
PsGetProcessDebugPort
Set HideFromDebugger flag manually
Reads DR6 and DR7
Instrumentation callbacks
Here is a list of suspicious modules that EAC logs and some drivers it looks for:
Dumper.dll
Glob.dll
mswsock.dll
perl512.dll
vmclientcore.dll
vmwarewui.dll
virtualbox.dll
qtcorevbox4.dll
vboxvmm.dll
netredirect.dll
atmfd.dll
cdd.dll
rdpdd.dll
vga.dll
workerdd.dll
msvbvm60.dll
Dbgv.sys
PROCMON23.sys
dbk64.sys
EAC always gets your hard disk serial on boot up of their driver. They also get your MAC address as well. This is always happening for any game, but the scans they do after this are different, I think, for each EAC build/game.
They seem to do different scanning for different games/EAC builds. They have this array of numbers which points to the scan to be performed, and they loop through it. It seems to be static/hardcoded but probably changes for each game.
These are the keys and path strings they can grab. I don't know why there isn't number 7, so don't ask me please.
They are listed below:
1 = \Registry\Machine\System\CurrentControlSet\Control\SystemInformation
2 = ComputerHardwareId
3 = \Registry\Machine\Hardware\Description\System\BIOS
4 = BIOSVendor
5 = BIOSReleaseDate
6 = SystemManufacturer
8 = SystemProductName
9 = \Registry\Machine\Hardware\DeviceMap\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
10 = Identifier
11 = SerialNumber
12 = \Registry\Machine\Hardware\Description\System\CentralProcessor\0
13 = ProcessorNameString
14 = \Registry\Machine\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000
15 = \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion
16 = InstallDate
17 = DriverDesc
18 = ProductId
19 = \Registry\Machine\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate
20 = SusClientId
21 = \Registry\Machine\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001
Hardware Scan Id 4 = Find all Drivers running and get checksum version info (resource editor) in .sys file
EAC and BattlEye, for example, are not running at boot. To bypass them, you manually map your driver before the anti-cheat loads. So, load your driver, then load the game with the anti-cheat services set to "manual load" in services.msc. It's a race to load first; if you can load first, you can hide from the anti-cheats. This is the majority of the reason why these anti-cheats are bypassed easily.
This isn't a full tutorial, and I am never planning on releasing one that is. If you don't know how to figure out the rest, you shouldn't even be reading this. I gave everything you need to basically 100% bypass this anti-cheat. And the driver I am providing here, is most likely detected so don't use it. It's attached so you can learn from it. (It's 4 years old)
If you want to work on the driver, you need to have the "Windows Driver Kit" installed. You can download it from here:
This anti-cheat is praised far too much, and I'm hoping that it's going to end in the future. Kernel driver anti-cheats can easily be bypassed if you know what you're doing. Also, you can exploit certain kernel anti-cheats (BattlEye) to bypass other anti-cheats, for example EAC and Vanguard. Won't be diving into that more, since it will be patched faster. Figure it out yourself!
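The list of logged module and driver names above can be read as a name-matching scan. The following is an added example, not part of the original post and not EAC's code: it matches constructed loaded-image paths against the page's names case-insensitively and records where each hit was loaded from. `triage`, `SYSTEM_DIRS` and the sample paths are assumptions made for illustration.

```python
# Added example: the names come from the page's list; everything else is assumed.
LOGGED_NAMES = frozenset(n.casefold() for n in (
    "Dumper.dll", "Glob.dll", "mswsock.dll", "perl512.dll", "vmclientcore.dll",
    "vmwarewui.dll", "virtualbox.dll", "qtcorevbox4.dll", "vboxvmm.dll",
    "netredirect.dll", "atmfd.dll", "cdd.dll", "rdpdd.dll", "vga.dll",
    "workerdd.dll", "msvbvm60.dll", "Dbgv.sys", "PROCMON23.sys", "dbk64.sys",
))

# Assumption: path fragments that mark the stock Windows image directories.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\",
               "\\systemroot\\system32\\")

# Constructed sample of loaded-image paths (DOS, NT and forward-slash forms).
SAMPLE_IMAGES = [
    r"C:\Windows\System32\mswsock.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"\SystemRoot\System32\drivers\DBGV.SYS",
    r"D:\tools\dumper.DLL",
    r"\??\C:\Users\demo\Downloads\dbk64.sys",
    "C:/Windows/System32/cdd.dll",
]

def triage(image_paths):
    """Return one record per loaded image whose file name is on the list."""
    hits = []
    for raw in image_paths:
        # Normalise separators and case before comparing anything.
        path = raw.strip().replace("/", "\\").casefold()
        name = path.rsplit("\\", 1)[-1]
        if name not in LOGGED_NAMES:
            continue
        hits.append({
            "name": name,
            "kind": "driver" if name.endswith(".sys") else "module",
            "path": raw,
            # Location is context for the log entry, not a verdict.
            "system_dir": any(d in path for d in SYSTEM_DIRS),
        })
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_IMAGES):
        print(hit)
```

Several names on the list, such as mswsock.dll and cdd.dll, are stock Windows components, which is why the sample produces hits inside System32 as well as outside it.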