- Status
- Offline
- Joined
- Mar 3, 2026
- Messages
- 519
- Reaction score
- 7
Anyone currently digging into the EFT kernel space knows the struggle. If you are trying to push an internal for Tarkov using a manual mapper, you've likely hit the same brick wall: instant flags or delayed bans despite having no registry traces.
The Current Setup
The logic being used here is a classic C++ internal base mapped via kdmapper. It relies on iqvw64e.sys to get into kernel space, then attempts to establish communication with a usermode client.
Technical Meat: Why You're Getting Clapped
While manual mapping hides you from the standard loaded module list, BattlEye is far from stupid. If you are using IoCreateDriver or IoCreateDevice within a manually mapped driver, you are creating an unbacked device object.
BattlEye iterates through the DeviceObject list. When it finds a device that points to memory not associated with a legitimate, signed module in the PsLoadedModuleList, it's an instant detection. Renaming the device name to something "neutral" like "\Device\NvidiaGfx" won't save you if the dispatch routine points to raw, unallocated memory.
Kernel-Side Logic
Usermode Wrapper
The Path Forward
If you want to stay UD in Tarkov, stop using IOCTL for communication. Look into cleaner methods like hijacking a pointer in a legitimate driver's data section or using shared memory (communication without a device object). Also, make sure your Usermode client isn't using CreateFile on a suspicious symlink, as BE monitors handle creation to unknown devices.
Drop your crash logs or your communication logic below if you're still hitting flags.
The Current Setup
The logic being used here is a classic C++ internal base mapped via kdmapper. It relies on iqvw64e.sys to get into kernel space, then attempts to establish communication with a usermode client.
- Manual mapping with kdmapper (Intel vulnerable driver exploit).
- Using IoCreateDriver to create a driver object and a symlink.
- Communication via DeviceIoControl (IOCTL).
- Memory operations handled by MmCopyVirtualMemory.
Technical Meat: Why You're Getting Clapped
While manual mapping hides you from the standard loaded module list, BattlEye is far from stupid. If you are using IoCreateDriver or IoCreateDevice within a manually mapped driver, you are creating an unbacked device object.
BattlEye iterates through the DeviceObject list. When it finds a device that points to memory not associated with a legitimate, signed module in the PsLoadedModuleList, it's an instant detection. Renaming the device name to something "neutral" like "\Device\NvidiaGfx" won't save you if the dispatch routine points to raw, unallocated memory.
Kernel-Side Logic
Code:
MmCopyVirtualMemory(
s_TargetProcess, (PVOID)buffer->Address,
PsGetCurrentProcess(), (PVOID)buffer->Buffer,
buffer->Size, KernelMode, &copied
);Usermode Wrapper
Code:
template <typename T>
T Read(uint64_t address) {
IO_REQUEST req{};
req.Address = address;
req.Buffer = (uint64_t)&buffer;
req.Size = sizeof(T);
DeviceIoControl(m_handle, IOCTL_READ_MEMORY, &req, sizeof(req), ...);
return buffer;
}1. IOCTL Hooking: If you hook a dispatch routine of a legitimate driver, BE checks the integrity of that driver's .text section.
2. Vulnerable Driver Traces: Even if you map successfully, iqvw64e.sys leaves traces in PiDDBCacheTable and MmUnloadedDrivers. You must clear these or BE will flag the mapper before your driver even starts.
3. Unbacked Device Objects: As mentioned, having a device object without a backing module is a death sentence.
2. Vulnerable Driver Traces: Even if you map successfully, iqvw64e.sys leaves traces in PiDDBCacheTable and MmUnloadedDrivers. You must clear these or BE will flag the mapper before your driver even starts.
3. Unbacked Device Objects: As mentioned, having a device object without a backing module is a death sentence.
The Path Forward
If you want to stay UD in Tarkov, stop using IOCTL for communication. Look into cleaner methods like hijacking a pointer in a legitimate driver's data section or using shared memory (communication without a device object). Also, make sure your Usermode client isn't using CreateFile on a suspicious symlink, as BE monitors handle creation to unknown devices.
Drop your crash logs or your communication logic below if you're still hitting flags.
