Skip to content

ssnob/hidden_syscall_monitoring

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
sys_monitor
sys_monitor
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
game.png
game.png
 
 
pic.png
pic.png
 
 
sys_monitor.sln
sys_monitor.sln
 
 

Repository files navigation

hidden syscall monitoring

monitors hidden syscalls called from call of duty anticheat via exception hooking

poc

the anticheat does not call NtAllocateVirtualMemory for these, they have a large spot in the .text section and they call NtProtectVirtualMemory with PAGE_EXECUTE_READWRITE on it.

example

int main(int argc, char** argv)
{
	sys_monitor::init();

	while (true)
	{
		const auto syassasd = (unsigned __int64)GetProcAddress(LoadLibraryA("ntdll"), "NtTerminateProcess");
		const auto spoof_start = (unsigned __int64)GetProcAddress(LoadLibraryA("ntdll"), "NtOpenFile");
		syscall_spoofer::spoof_syscall(spoof_start, syassasd, (HANDLE)-1, 1337);

		Sleep(5000);
	}

	getchar();
	return 0;
}

output

image info

game

image info

we can see their favorite functions

About

monitors hidden syscalls called from call of duty anticheat

Resources

Readme

License

Apache-2.0 license
Activity

Stars

70 stars

Watchers

4 watching

Forks

15 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages