dumped time: 2020/6/2
game:apex legends
eac runtime import:[Eac Runtime__2020_6_2_Import]
hwid ioctl 转储
EAC->IoBuildDeviceIoControlRequest ret:FFFFF80CE7C816B7 Code:7c088 InternalDeviceIoControl:0
EAC->IoBuildDeviceIoControlRequest ret:FFFFF80CE7C816B7 Code:2d1400 InternalDeviceIoControl:0
EAC->IoBuildDeviceIoControlRequest ret:FFFFF80CE7C816B7 Code:2d1400 InternalDeviceIoControl:0
EAC->IoBuildDeviceIoControlRequest ret:FFFFF80CE7C816B7 Code:7c088 InternalDeviceIoControl:0
EAC->IoBuildDeviceIoControlRequest ret:FFFFF80CE7C816B7 Code:2d1400 InternalDeviceIoControl:0
EAC->IoBuildDeviceIoControlRequest ret:FFFFF80CE7C816B7 Code:2d1400 InternalDeviceIoControl:0
EAC->IoBuildDeviceIoControlRequest ret:FFFFF80CE7C816B7 Code:2d1400 InternalDeviceIoControl:0
EAC->IoBuildDeviceIoControlRequest ret:FFFFF80CE7C816B7 Code:2d1400 InternalDeviceIoControl:0
EAC->NtDeviceIoControlFile ret:FFFFF80CE7CBAB68 Code:170002
读取所有驱动程序的可执行段，疑似对其进行校验和计算
eAc_MmCopyMemory: addressFFFFF80AECD5D000 NumberOfBytes:3000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD5E000 NumberOfBytes:2000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD5F000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC496000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD7B000 NumberOfBytes:a5000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC497000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD7C000 NumberOfBytes:a4000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD7D000 NumberOfBytes:a3000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD7E000 NumberOfBytes:a2000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC498000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD7F000 NumberOfBytes:a1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD80000 NumberOfBytes:a0000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC499000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD81000 NumberOfBytes:9f000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD82000 NumberOfBytes:9e000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD83000 NumberOfBytes:9d000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC49A000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD84000 NumberOfBytes:9c000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD85000 NumberOfBytes:9b000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD86000 NumberOfBytes:9a000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC49B000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD87000 NumberOfBytes:99000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD88000 NumberOfBytes:98000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD89000 NumberOfBytes:97000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC49C000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD8A000 NumberOfBytes:96000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD8B000 NumberOfBytes:95000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC49D000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD8C000 NumberOfBytes:94000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD8D000 NumberOfBytes:93000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD8E000 NumberOfBytes:92000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC49E000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD8F000 NumberOfBytes:91000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD90000 NumberOfBytes:90000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC49F000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD91000 NumberOfBytes:8f000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD92000 NumberOfBytes:8e000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD93000 NumberOfBytes:8d000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD94000 NumberOfBytes:8c000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC4A0000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD95000 NumberOfBytes:8b000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD96000 NumberOfBytes:8a000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC4A1000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC4A2000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD97000 NumberOfBytes:89000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD98000 NumberOfBytes:88000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC4A3000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD99000 NumberOfBytes:87000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AECD9A000 NumberOfBytes:86000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC4A4000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFF80AEC4A5000 NumberOfBytes:1000 MM_COPY_MEMORY_VIRTUAL
((void (__fastcall *)(signed __int64, _QWORD, signed __int64))loc_FFFFF801657D54F0)(
v30,
v10->crc_Table,
4i64 * v10->unsignedC);
v31 = *(_DWORD *)(v27 + 8 * v28 + 12);
if ( v31 )
{
v32 = 0;
if ( v31 )
{
v33 = 0i64;
do
{
++v32;
*(_DWORD *)(v33 + *(_QWORD *)(v27 + 8 * v28 + 16)) ^= *(_DWORD *)(v27 + 8 * v28);
v33 += 4i64;
}
while ( v32 < *(_DWORD *)(v27 + 8 * v28 + 12) );
}
}
dword_FFFFF801657F3AB8 = 1702630466;
}
v8 = v37;
}
MEMORY[0](-8790095216480i64);
}
v34 = get_driver_Crc(v10, v8, v7, *(_QWORD *)(v6 + 0x10), v5, a5);
v35 = v10->crc_Table;
v9 = v34 == 0 ? 0xC0000005 : 0;
if ( v35 )
free(v35);
free((__int64)v10);
LABEL_48:
if ( (v9 & 0x80000000) == 0 && *a5 )
return v9;
goto LABEL_50;
}
}
}
}
/*
 * get_driver_Crc - re-hash a memory range block by block (the name suggests a
 * driver image) and record every block whose hash no longer matches a stored
 * table.  Hex-Rays pseudocode: struct_v8, unsigned8, unsignedC and crc_Table
 * are decompiler/analyst labels, not the vendor's names.
 *
 * a1: context.  a1->unsigned8 is the block size, a1->unsignedC the number of
 *     table entries, a1->crc_Table an array of 32-bit values indexed by block.
 * a2: start of the range to check; rounded down to a block boundary.
 * a3: length of the range; rounded up to a whole number of blocks.
 * a4: base address the table is relative to: block index = (addr - a4) / block size.
 * a5: out - pointer to an array of 64-bit slots receiving the addresses of
 *     mismatching blocks.
 * a6: in/out - number of entries already in *a5; incremented once per mismatch.
 *     NOTE(review): no capacity for *a5 is passed or checked in this function,
 *     so the caller has to size it for the worst case (every block mismatching).
 *
 * Returns 1 when the whole range was read and compared, 0 when the scratch
 * buffer could not be allocated or Eac_MemCopy returned fewer bytes than asked.
 */
char __fastcall get_driver_Crc(struct_v8 *a1, __int64 a2, unsigned __int64 a3, __int64 a4, _QWORD *a5, _DWORD *a6)
{
unsigned __int64 v6; // rdi
char v7; // si
struct_v8 *v8; // r13
__int64 address; // r15
unsigned __int64 v10; // rdi
unsigned __int64 v11; // rbp
char *buffer; // rax
__int64 buffer_2; // r12
unsigned __int64 v14; // rbx
unsigned __int64 max_ptr; // rdi
unsigned __int64 local_ptr; // rsi
__int64 v17; // rdx
unsigned __int64 v19; // [rsp+60h] [rbp+8h]
char *buffer_1; // [rsp+68h] [rbp+10h]
__int64 v21; // [rsp+78h] [rbp+20h]
v21 = a4;
v6 = a1->unsigned8; // block size; the mask below is only a correct round-down for a power of two
v7 = 0; // result: stays 0 until the memory read succeeds
v8 = a1;
address = a2 & ~(v6 - 1); // round the start down to a block boundary
v10 = a3 / v6 * v6; // round the length up to whole blocks (div/mod, unlike the mask above)
if ( a3 % a1->unsigned8 )
v10 += a1->unsigned8;
// The start was rounded down but only the length rounded up, so when a2 is not
// block aligned the checked span [address, address + v10) ends before a2 + a3.
v11 = address & 0xFFFFFFFFFFFFF000ui64; // page containing the first block
buffer = (char *)allocate(); // size not visible here; it must cover the page-rounded read below - TODO confirm
buffer_2 = (__int64)buffer;
buffer_1 = buffer;
if ( buffer )
{
// Eac_MemCopy returns the byte count actually copied, so anything short of the
// request is treated as a failed read.  NOTE(review): the request length is
// computed from v10 alone while the read starts at the page *below* `address`;
// when `address` is not page aligned the tail of the span (up to one page) is
// never read in, and the loop below hashes whatever the buffer held there.
if ( Eac_MemCopy(address & 0xFFFFFFFFFFFFF000ui64, (v10 + 0xFFF) & 0xFFFFFFFFFFFFF000ui64, buffer) == ((v10 + 0xFFF) & 0xFFFFFFFFFFFFF000ui64) )
{
v14 = address + buffer_2 - v11; // buffer position that mirrors `address`
max_ptr = v14 + v10; // one past the last block in the buffer
local_ptr = address + buffer_2 - v11;
if ( v14 < max_ptr )
{
do
{
// Map the buffer cursor back to its original address, then to a table index
// relative to the base a4.  Indices past the table are simply skipped.
v19 = (local_ptr - (buffer_2 - v11) - v21) / v8->unsigned8;
// sub_FFFFF801657C5C80(data, len, 0) presumably computes the per-block hash
// (the table is labelled crc_Table); a differing value marks the block.
if ( v19 < v8->unsignedC
&& *(_DWORD *)(v8->crc_Table + 4 * v19) != (unsigned int)sub_FFFFF801657C5C80(
local_ptr,
v8->unsigned8,
0i64) )
{
v17 = (unsigned int)*a6;
*(_QWORD *)(*a5 + 8 * v17) = local_ptr - (buffer_2 - v11); // append the original address; no bound check (see header)
*a6 = v17 + 1;
}
local_ptr += v8->unsigned8;
}
while ( local_ptr < max_ptr );
buffer_2 = (__int64)buffer_1; // register reload of the same pointer, not a new buffer
}
v7 = 1; // range read in full and compared
}
free(buffer_2);
}
return v7;
}
申请大量用户模式内存，我只是截取了一小段。ps: 内部反作弊模块的内存应该是在这里申请的
eAc alloc retaddress:FFFFF80AEFF8FCDF: alloc_ptr:0000000002EF0000 alloc_size:18000 Protect:4
eAc alloc retaddress:FFFFF80AEFF8FCDF: alloc_ptr:000001F14E0B0000 alloc_size:10000 Protect:4
eAc alloc retaddress:FFFFF80AEFF8FCDF: alloc_ptr:000001F14E0C0000 alloc_size:1000 Protect:4
eAc alloc retaddress:FFFFF80AEFF8FCDF: alloc_ptr:000001F14E0D0000 alloc_size:1000 Protect:64
eAc alloc retaddress:FFFFF80AEFF8FCDF: alloc_ptr:000001F14E0E0000 alloc_size:1000 Protect:64
eAc alloc retaddress:FFFFF80AEFF8FCDF: alloc_ptr:000001F14E0F0000 alloc_size:1000 Protect:64
eAc alloc retaddress:FFFFF80AEFF8FCDF: alloc_ptr:000001F14E100000 alloc_size:1000 Protect:4
eAc alloc retaddress:FFFFF80AEFF8FCDF: alloc_ptr:000001F14E110000 alloc_size:1000 Protect:4
在我的分析中，他们的驱动程序启动时会读取 piddb_cache 里面已经加载的驱动程序，其结构包含驱动程序镜像名、驱动程序时间戳。
而之后游戏运行后，会稳定地读取 0x18 字节（日志中的 NumberOfBytes 为十六进制），内存可能是映射过来的。
eAc_MmCopyMemory: addressFFFFE60401CCE600 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE604009141F0 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60401FDD160 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60400CE71F0 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60400CDE060 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60402042070 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60401BDDB70 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE604020FA2C0 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE604067D9B00 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE6041118C260 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60401DFB2D0 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60400CDD740 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE6040215FBF0 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE604055BFAD0 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60411280A70 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60400DF9250 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60401EED570 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60400CDD710 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE6040208B090 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE60400D0D210 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
eAc_MmCopyMemory: addressFFFFE6041104C940 NumberOfBytes:18 MM_COPY_MEMORY_VIRTUAL
关于读取内存
/*
 * Eac_MemCopy - copy `size` bytes of memory starting at `address` into
 * `buffer` and return the number of bytes actually copied (0 when an argument
 * is rejected).  Hex-Rays pseudocode: unk_/qword_/loc_ names are unresolved
 * globals and routines in the dumped image.
 *
 * address: source virtual address.  Must be non-zero and above the threshold
 *          read as MEMORY[0] (a global the decompiler could not type -
 *          presumably a lowest-valid-address bound; confirm which one).
 * size:    byte count to copy; must be > 0.
 * buffer:  destination; zero-filled first, so a short copy leaves zeros behind.
 *
 * Two strategies are used.  On builds passing the OS version check the whole
 * request goes to Call_MmCopyMemory.  Otherwise the range is walked one
 * 4 KiB page at a time, each page being translated and mapped through function
 * pointers resolved at run time.  A page that fails translation or mapping is
 * skipped, so the return value can be less than `size` and callers must compare
 * it to what they requested (get_driver_Crc does exactly that).
 */
__int64 __fastcall Eac_MemCopy(unsigned __int64 address, unsigned __int64 size, char *buffer)
{
__int64 v3; // rbx
char *v4; // rbp
unsigned __int64 v5; // rsi
__int64 v6; // r13
unsigned __int64 v7; // rcx
unsigned __int64 v8; // rdi
unsigned __int64 v9; // r8
unsigned __int64 v10; // rsi
unsigned int v11; // er12
int v12; // eax
unsigned __int64 v13; // r15
signed __int64 v14; // r14
__int64 v15; // rax
__int64 (__fastcall *v16)(__int64, signed __int64, signed __int64); // rdi
signed __int64 v17; // r8
__int64 v18; // rax
__int64 v19; // rdi
signed __int64 v20; // r14
int v22; // [rsp+20h] [rbp-48h]
unsigned __int64 v23; // [rsp+28h] [rbp-40h]
int v24; // [rsp+70h] [rbp+8h]
unsigned __int64 v25; // [rsp+88h] [rbp+20h]
v3 = 0i64; // bytes copied; the return value
v4 = buffer;
v5 = address;
if ( address && size > 0 && address > MEMORY[0] && buffer )
{
memset(buffer, 0, size);
// OS version check against KUSER_SHARED_DATA.NtMajorVersion (0x26C) and
// NtMinorVersion (0x270): major > 6, or exactly 6.3 (Windows 8.1), selects the
// MmCopyMemory path.  Note that 6.2 (Windows 8) does NOT satisfy it and falls
// into the manual per-page path below together with 6.0/6.1.
if ( MEMORY[0xFFFFF7800000026C] > 6u || MEMORY[0xFFFFF7800000026C] == 6 && MEMORY[0xFFFFF78000000270] == 3 )// version gate: newer builds use MmCopyMemory
{
v3 = Call_MmCopyMemory(address, size, buffer);
}
else
{
v6 = 0i64; // running byte count for the per-page path
if ( address > MEMORY[0] )
{
v7 = address & 0xFFFFFFFFFFFFF000ui64; // current page (virtual)
v8 = v5 - (v5 & 0xFFFFFFFFFFFFF000ui64); // offset of `address` inside its page
v25 = v5 & 0xFFFFFFFFFFFFF000ui64; // spill copy of v7, reloaded after each call
v9 = (((v5 + size + 4095) & 0xFFFFFFFFFFFFF000ui64) - (v5 & 0xFFFFFFFFFFFFF000ui64)) >> 12; // number of pages the range touches
v10 = size + v5 - ((v5 + size) & 0xFFFFFFFFFFFFF000ui64); // bytes used in the last page (0 when the end is page aligned)
v23 = v8; // spill copies of v8/v9 around the calls below
v22 = v9;
v11 = 0; // page index
if ( (unsigned int)v9 > 0 )
{
v12 = v9 - 1; // index of the last page
v24 = v9 - 1;
while ( 1 )
{
v13 = 0i64; // start offset inside this page; only the first page is partial at the front
if ( !v11 )
v13 = v8;
// End offset inside this page: 4096 except for a last page with a partial tail.
if ( v11 != v12 || (v14 = v10) == 0 )
v14 = 4096i64;
// Translate the page through unk_..B20 when it is set, else use the constant
// unk_..B18.  NOTE(review): the result is handed to a (value, 4096, flag) mapper
// below and released with a (base, 4096) call, which is the argument shape of a
// physical-address map/unmap pair such as MmMapIoSpace(Ex)/MmUnmapIoSpace;
// not confirmed from this listing.
if ( unk_FFFFF801657F3B20 )
{
v15 = unk_FFFFF801657F3B20(v7);
v7 = v25; // reload spilled registers
LODWORD(v9) = v22;
}
else
{
v15 = unk_FFFFF801657F3B18;
}
if ( !v15 )
goto LABEL_29; // translation failed: skip this page without advancing v6
// Prefer qword_..B38 (called with flag 4 via the `break` at the bottom of the
// loop), fall back to qword_..B30 (flag 1).  The decompiler rendered the shared
// call as break / goto LABEL_24.
v16 = qword_FFFFF801657F3B38;
if ( qword_FFFFF801657F3B38 )
break;
v16 = (__int64 (__fastcall *)(__int64, signed __int64, signed __int64))qword_FFFFF801657F3B30;
if ( qword_FFFFF801657F3B30 )
{
v17 = 1i64;
LABEL_24:
v18 = v16(v15, 4096i64, v17); // map one page; 0 means the page is skipped
v19 = v18;
if ( v18 )
{
v20 = v14 - v13; // bytes to take from this page
// loc_..D54F0(dst, src, len): three-argument call with a memcpy-like shape - confirm.
((void (__fastcall *)(char *, unsigned __int64, signed __int64))loc_FFFFF801657D54F0)(
&v4[v6],
v18 + v13,
v20);
v6 += v20;
if ( unk_FFFFF801657F3B40 )
unk_FFFFF801657F3B40(v19, 4096i64); // release the mapping of this page
}
LODWORD(v9) = v22;
v7 = v25;
}
v8 = v23;
LABEL_29:
v12 = v24;
v7 += 4096i64; // advance to the next page
++v11;
v25 = v7;
if ( v11 >= (unsigned int)v9 )
goto LABEL_30;
}
v17 = 4i64; // reached via `break`: the qword_..B38 mapper is called with flag 4
goto LABEL_24;
}
}
LABEL_30:
// NOTE(review): v6 only advances on success, so a page skipped mid-range shifts
// every later page earlier in `buffer` rather than leaving a hole; the short
// count returned is the only signal the caller gets.
v3 = v6;
}
}
return v3;
}