Question Valorant Reversing VGK IOCTL Handshake and PPL Protection

[byte_corvus]

Hey everyone,

Been banging my head against the wall trying to build a proper vgk emulator. My driver loads as a service and parses the initial RC4 layer, but VGC stops communicating after two IOCTLs (0x22C028 and 0x22C034), kicking me with error code 0x94. It's definitely looking for specific response payloads.

I'm hitting a wall with current debug/hooking methods:

1. PPL/Anti-Debug: Can't attach Frida to vgc.exe due to PPL protection.
2. IRPMon/Procmon: Fails to catch events because VGC uses direct NtDeviceIoControlFile calls.
3. WinDbg: Debugging triggers immediate detection; bcdedit /debug causes vgk to fail loading entirely.
4. Static Analysis: IDA/Ghidra are failing since IOCTL codes are generated at runtime.
5. Driver Hooks: ObReferenceObjectByName fails because I can't get the driver to load under test mode.

I'm stuck in a loop of kernel-level detection and anti-tamper. For those of you who have successfully emulated the handshake, what was your approach? Did you move to a hypervisor-level hook, find a way to manipulate ETW, or are you just brute-forcing the responses?

Curious to hear how you guys bypassed the PPL hurdle or if there's a reliable way to sniff those initial packets without triggering a flag.