Detected!

Open ghost opened this issue 10 months ago • 9 comments

ghost avatar Jan 05 '25 16:01 ghost

detected!

ghost avatar Jan 05 '25 16:01 ghost

hi, it's not made to be undetected.

3a1 avatar Jan 05 '25 23:01 3a1

I know bro!

Zebra

ghost avatar Jan 05 '25 23:01 ghost

@BufferOverlord. Detected by...? Microsoft Defender?

doutor123 avatar Jan 09 '25 01:01 doutor123

LOOK at my GitHub. I'm starting to upload an easy bootkit.

ghost avatar Jan 14 '25 22:01 ghost

hi, it's not made to be undetected.

I know. Here is a list of things you forgot to do:

  1. A mechanism to remove your image from memory.
  2. Boot order. People probably use the GRUB menu, because it allows you to sign your own code with shim. Try to remove your cheat from the boot order list.
  3. Everything seems OK, but one thing that's not OK is the runtime function hook. You need to inject your code into the system in a legal process or driver, instead of patching a system component... hook a legit driver or create an extra system thread in that driver.
  4. Make sure the image is removed from memory...
  5. YOUR BIGGEST MISTAKE!!!!: Every legit signed driver gets detected, because the way they access memory is logged by the operating system, and these anti-cheats scan that list for forbidden code...

ghost avatar Jan 22 '25 15:01 ghost

hi, it's not made to be undetected.

I know. Here is a list of things you forgot to do:

  1. A mechanism to remove your image from memory.
  2. Boot order. People probably use the GRUB menu, because it allows you to sign your own code with shim. Try to remove your cheat from the boot order list.
  3. Everything seems OK, but one thing that's not OK is the runtime function hook. You need to inject your code into the system in a legal process or driver, instead of patching a system component... hook a legit driver or create an extra system thread in that driver.
  4. Make sure the image is removed from memory...
  5. YOUR BIGGEST MISTAKE!!!!: Every legit signed driver gets detected, because the way they access memory is logged by the operating system, and these anti-cheats scan that list for forbidden code...

Yeah, those are good points for anyone who wants to improve the bootkit for anticheat bypass or anything else, ty. I think you repeated 1 and 4. What did u mean in 5? Can u explain more?

I have a good ability to remember people's writing styles; aren't u that guy I'm texting with on Telegram about the faceit cheat? :)

3a1 avatar Jan 22 '25 18:01 3a1

yes, I'm jonas from telegram...

Every time a driver allocates memory or uses the system API to do so, the anti-cheat is monitoring all process memory access. They see you allocating illegal memory. So instead, use direct assembly: a cr3 change and atomic operations in real time to prevent them from reading the last stack data from your process in memory. When a context switch happens, the OS saves the current registers of a program to memory and begins executing other threads. That's how processes work. So by doing this, you should be safe.

ghost avatar Jan 23 '25 18:01 ghost

yes, I'm jonas from telegram...

Every time a driver allocates memory or uses the system API to do so, the anti-cheat is monitoring all process memory access. They see you allocating illegal memory. So instead, use direct assembly: a cr3 change and atomic operations in real time to prevent them from reading the last stack data from your process in memory. When a context switch happens, the OS saves the current registers of a program to memory and begins executing other threads. That's how processes work. So by doing this, you should be safe.

Yeah, now I better understand what u mean, ty. Overall I think for now there is no real need to aim for full stealth or anything like that. There are many antiviruses that scan other processes' memory, drivers, etc. I mean my point is to try to make the cheat look like a LEGIT process/driver, not STEALTH.

For example, this month I made a driver cheat for faceit that works with all 3 stages enabled (SB, TPM, HVCI). It doesn't use any really advanced methods; it was only using one zero-day exploit for r/w and one public exploit for memory translation, but that's not the point. I mean the point is that my cheat works not because it is something very stealthy (it's not), but because it looks like legit software.

One example I can give is thread spoofing/hiding. If u use a driver and try to unlink a thread to make it stealthy, like people did some years ago, your driver will be instantly flagged as suspicious. It's because no legit driver unlinks its thread; like, why would some driver need to do that? (Only in rare cases can antivirus drivers have the ability to do this type of thing.) And for now, in 2025, it's really more undetected if u don't do anything with your thread, because u can't fully hide it without disabling KPP. So my philosophy is to make cheats that look like legit software, and not aim to make them fully stealthy from anticheats, because to me that looks like an infinite game.

3a1 avatar Jan 23 '25 21:01 3a1