Driver detection
I will paraphrase why it’s not a good idea to listen to the “prestigious” people on this forum because frankly they tend to be very bad copy pasters and then give lectures to others, in this instance. For one, there’s no reason why some ring3 bypasses that get handles or go on to use some shit like ‘loadlibrary’ would somehow be more undetectable at all. Once you get something like ‘loadlibrary’ to work or even manual map partially in ring3 you’ll still have problems that ACs like EAC or BE can easily pick up on and transcended these problems years ago. Even someone learning the kernel and using BB as a reference (as I did once) is at least taking a good step in the right direction to create hobbyist malware for their game. Also sorry to break it to you but “black bone’s injection methods being detected” is a false statement that proves you don’t know how to even read source code. If you can’t read open source, you’d be pretty deluded to say you reverse-engineered something. The APC queuing injections or ‘non-thread creation’ modes given by the author still create a useless worker thread and shit that is not needed; things unique enough to be flagged by callbacks, but also easily removed. You don’t even need that however as there are far easier ways to get your code called, refer to thread hijacking or hooking concepts. Frankly anything that helps hide drivers or explains how X AC detects them is pretty useful info, but the honest answer to the poster is there’s rarely anyone here who knows anything (except me of course or a few wanderers) and you’d prolly be better fiddling around on your own through trial-and-error. I’d be interested if anyone here knew whether there’d be any trace of CapCom.sys or CPUZ.sys (common exploit drivers) once removed from MmUnloadedDrivers as well that ACs actually have evidence of using.
Frankly tho I always end up doing this shit myself too and then keeping it quiet, or then coming here giving a lecture like this to explain “the thing you said was broken for like 2-3 years isn’t really ‘broken’ but whatever”.