Why spend weeks fighting kernel protections when the anti-cheat developers hand you a signed backdoor on a silver platter? We are seeing a public disclosure regarding a recently released title using a Chinese AC driver that is essentially a signed rootkit with zero internal security.
The developers behind this specific driver ignored multiple warning emails regarding the vulnerabilities, leading to this public drop. For anyone doing kernel-level work, these drivers are goldmines—they often allow for arbitrary memory R/W or can be abused to map unsigned drivers without triggering standard OS-level flags.
Technical Context
Most of these regional AC implementations suffer from identical architectural flaws. Instead of proper isolation, they expose high-privilege IOCTLs that can be reached from usermode with minimal effort. This disclosure highlights yet another case where the "protection" is actually the biggest security hole on the user's system.
APC + LoadLibrary:
Kernel Manual Map Shellcode + APC:
The full technical breadcrumbs and original disclosure can be found here:
Potential Exploitation Vectors
- Manual mapping using the driver's own RW primitives to bypass DSE.
- Direct memory manipulation (RPM/WPM) without ever loading your own vulnerable driver.
- Bypassing game-specific integrity checks by operating within the AC's own memory context.
If you are planning to reverse this, start by dumping the driver and looking for the dispatch routine. The IOCTL codes are usually easy to spot and rarely have any form of caller verification or obfuscation. Just be careful—running these on your main system is a liability if the AC eventually gets a blacklisted certificate.
Anyone already started fuzzing the IOCTLs for this specific build?
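Not from the post or the driver it discusses: an added user-mode C model of the IOCTL dispatch shape described above (a read-memory request reachable from usermode), written to show the caller verification and parameter checks whose absence turns such a driver into an arbitrary R/W primitive. The IOCTL code, status names, `caller_verified` flag and the `game_region` allow-list are constructed for the model, not taken from any real driver.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IOCTL_AC_READ_MEMORY 0x222004u   /* constructed IOCTL code for the model */

enum status { STATUS_SUCCESS = 0, STATUS_ACCESS_DENIED,
              STATUS_INVALID_PARAMETER, STATUS_BUFFER_TOO_SMALL };
enum requestor_mode { KERNEL_MODE = 0, USER_MODE = 1 };

struct read_request { uint64_t address; uint32_t length; };

struct irp {                     /* stand-in for IRP + IO_STACK_LOCATION */
    uint32_t ioctl;
    enum requestor_mode mode;    /* models Irp->RequestorMode */
    int caller_verified;         /* set only after the driver authenticated the client process */
    const void *in_buf;  size_t in_len;
    void *out_buf;       size_t out_len;
};

/* The only region reads may touch: a constructed 4 KiB "game" page. */
static uint8_t game_region[4096] = { 'A', 'C', 'O', 'K' };
uint8_t scratch[64];             /* output buffer used by callers of try_read */

static int range_allowed(uint64_t addr, uint32_t len) {
    uint64_t base = (uint64_t)(uintptr_t)game_region;
    if (len == 0 || addr < base) return 0;
    if (addr - base > sizeof(game_region)) return 0;
    return len <= sizeof(game_region) - (addr - base);   /* no run past the end */
}

enum status dispatch_hardened(struct irp *irp) {
    if (irp->ioctl != IOCTL_AC_READ_MEMORY) return STATUS_INVALID_PARAMETER;
    /* Caller verification: an unauthenticated usermode process gets nothing. */
    if (irp->mode == USER_MODE && !irp->caller_verified) return STATUS_ACCESS_DENIED;
    /* Lengths are caller-controlled; validate before reading the request. */
    if (irp->in_buf == NULL || irp->in_len < sizeof(struct read_request)) return STATUS_INVALID_PARAMETER;
    struct read_request req;
    memcpy(&req, irp->in_buf, sizeof req);     /* private copy: no TOCTOU on the shared buffer */
    if (irp->out_buf == NULL || irp->out_len < req.length) return STATUS_BUFFER_TOO_SMALL;
    /* No arbitrary-address primitive: only the allow-listed region is readable. */
    if (!range_allowed(req.address, req.length)) return STATUS_ACCESS_DENIED;
    memcpy(irp->out_buf, (const void *)(uintptr_t)req.address, req.length);
    return STATUS_SUCCESS;
}

uint64_t game_region_base(void) { return (uint64_t)(uintptr_t)game_region; }

/* Builds a request against the model and runs it through the dispatch. */
enum status try_read(enum requestor_mode mode, int verified, uint64_t addr,
                     uint32_t len, void *out, size_t out_len) {
    struct read_request req = { addr, len };
    struct irp irp = { IOCTL_AC_READ_MEMORY, mode, verified, &req, sizeof req, out, out_len };
    return dispatch_hardened(&irp);
}
```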