This whole thing has been made for fun and for study. I did not invent anything new: Epic is aware of this "vulnerability" and does not consider it as such, and this approach has been around for a good while now.
This is a commit-squashed (because it included some sensitive information) copy of a project that has been private for ~2 years and which I haven't updated for a good while. The last supported UE version is 5.3 (IIRC) and I do not have any intention of updating it, or at least not in this public repo.
I felt bad keeping all of this private, so here it goes. Take it as learning material.
This is a long-ass project that I've made to explore the possibilities of abusing privileged processes to read and write memory from EAC-protected games. The idea is to hijack some process's (such as csrss's) handles to our game and use them to read/write memory unbothered by the anticheat. I then overkilled this thing by writing a little Unreal framework that would make any Rust enthusiast bleed from their eyes. I eventually got to the point where I had a little external radar/wallhack thingy going on and stopped there.
- Setup
  - This program instructs csrss to process our memory read/write instructions. It requires csrss.exe's PPL to be turned off.
- Cheese
  - This is the actual "cheat". It can run while the game is running and communicates with csrss through shared memory to read and write the target process's memory.
- Shared
  - Functionality shared between Cheese and Setup. It is overkill in this simplified PoC but more useful in the extended version of this.
- windows-kernel-*
  - These are just Rust bindings for Win32 APIs, nothing interesting.
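To make the Cheese/csrss exchange described above concrete, here is an added example of the request/response handshake over a shared page. It is my illustration, not the repository's code: the page does not show the project's real message layout, section name or page size, so the header offsets, status values and the 4 KiB slot are assumptions, and the shared section and the game's address space are replaced by in-memory stand-ins so the code runs anywhere.

```rust
use std::convert::{TryFrom, TryInto};

// Status word of the single request slot. The client (Cheese) moves it
// Idle -> Pending; the server (the code Setup planted in csrss) moves it
// Pending -> Done or Error after servicing the request; the client moves it
// back to Idle once it has collected the result.
pub const STATUS_IDLE: u32 = 0;
pub const STATUS_PENDING: u32 = 1;
pub const STATUS_DONE: u32 = 2;
pub const STATUS_ERROR: u32 = 3;
pub const OP_READ: u32 = 1;
pub const OP_WRITE: u32 = 2;

// Assumed layout of the 4 KiB shared page: a small header, then the payload.
const OFF_STATUS: usize = 0;
const OFF_OP: usize = 4;
const OFF_SIZE: usize = 8;
const OFF_ADDR: usize = 16;
const OFF_PAYLOAD: usize = 32;
pub const PAYLOAD_CAP: usize = 4096 - OFF_PAYLOAD;

/// Stand-in for the shared section. On Windows both sides would map the same
/// named section (CreateFileMappingW / MapViewOfFile) instead of owning a buffer.
pub struct SharedRegion(pub [u8; 4096]);

impl SharedRegion {
    pub fn new() -> Self { SharedRegion([0u8; 4096]) }
    fn get_u32(&self, off: usize) -> u32 { u32::from_le_bytes(self.0[off..off + 4].try_into().unwrap()) }
    fn set_u32(&mut self, off: usize, v: u32) { self.0[off..off + 4].copy_from_slice(&v.to_le_bytes()) }
    fn get_u64(&self, off: usize) -> u64 { u64::from_le_bytes(self.0[off..off + 8].try_into().unwrap()) }
    fn set_u64(&mut self, off: usize, v: u64) { self.0[off..off + 8].copy_from_slice(&v.to_le_bytes()) }
}

/// All the server needs from the target: read/write by virtual address. In the
/// real tool this is ReadProcessMemory/WriteProcessMemory on the handle csrss
/// already holds; here a Vec<u8> stands in for the game's address space.
pub trait TargetMemory {
    fn read(&self, addr: u64, out: &mut [u8]) -> bool;
    fn write(&mut self, addr: u64, data: &[u8]) -> bool;
}

/// Constructed fake process: `bytes` is mapped at virtual address `base`.
pub struct FakeProcess { pub base: u64, pub bytes: Vec<u8> }

impl FakeProcess {
    // Translate [addr, addr+len) into a range of `bytes`, or None if not fully mapped.
    fn range(&self, addr: u64, len: usize) -> Option<std::ops::Range<usize>> {
        let start = usize::try_from(addr.checked_sub(self.base)?).ok()?;
        let end = start.checked_add(len)?;
        if end > self.bytes.len() { None } else { Some(start..end) }
    }
}

impl TargetMemory for FakeProcess {
    fn read(&self, addr: u64, out: &mut [u8]) -> bool {
        match self.range(addr, out.len()) { Some(r) => { out.copy_from_slice(&self.bytes[r]); true } None => false }
    }
    fn write(&mut self, addr: u64, data: &[u8]) -> bool {
        match self.range(addr, data.len()) { Some(r) => { self.bytes[r].copy_from_slice(data); true } None => false }
    }
}

/// Client side (Cheese): fill the slot and ring the doorbell by writing the
/// status last. Refuses if a request is still in flight or the size does not fit.
pub fn post_request(shm: &mut SharedRegion, op: u32, addr: u64, size: usize, data: &[u8]) -> bool {
    if shm.get_u32(OFF_STATUS) != STATUS_IDLE || size > PAYLOAD_CAP { return false; }
    if op == OP_WRITE && data.len() != size { return false; }
    shm.set_u32(OFF_OP, op);
    shm.set_u64(OFF_ADDR, addr);
    shm.set_u64(OFF_SIZE, size as u64);
    if op == OP_WRITE { shm.0[OFF_PAYLOAD..OFF_PAYLOAD + size].copy_from_slice(data); }
    shm.set_u32(OFF_STATUS, STATUS_PENDING);
    true
}

/// Server side (inside csrss): service one pending request. Every field is
/// re-validated here: the page is writable by whoever can open the section, so
/// a bogus size must never turn into an out-of-bounds copy inside csrss.
pub fn service_one(shm: &mut SharedRegion, target: &mut dyn TargetMemory) -> bool {
    if shm.get_u32(OFF_STATUS) != STATUS_PENDING { return false; }
    let (op, addr, size) = (shm.get_u32(OFF_OP), shm.get_u64(OFF_ADDR), shm.get_u64(OFF_SIZE));
    let ok = match usize::try_from(size) {
        Ok(n) if n <= PAYLOAD_CAP => {
            let buf = &mut shm.0[OFF_PAYLOAD..OFF_PAYLOAD + n];
            match op { OP_READ => target.read(addr, buf), OP_WRITE => target.write(addr, buf), _ => false }
        }
        _ => false,
    };
    shm.set_u32(OFF_STATUS, if ok { STATUS_DONE } else { STATUS_ERROR });
    true
}

/// Client side: collect the result (the payload for a read, the echoed bytes for
/// a write) and free the slot. None means the server has not answered yet.
pub fn take_response(shm: &mut SharedRegion) -> Option<Result<Vec<u8>, ()>> {
    let result = match shm.get_u32(OFF_STATUS) {
        STATUS_DONE => { let n = shm.get_u64(OFF_SIZE) as usize; Ok(shm.0[OFF_PAYLOAD..OFF_PAYLOAD + n].to_vec()) }
        STATUS_ERROR => Err(()),
        _ => return None,
    };
    shm.set_u32(OFF_STATUS, STATUS_IDLE);
    Some(result)
}

fn main() {
    let mut shm = SharedRegion::new();
    // Constructed stand-in for the game: 64 bytes mapped at an arbitrary base.
    let mut game = FakeProcess { base: 0x7ff6_0000_0000, bytes: (0..64u8).collect() };
    post_request(&mut shm, OP_READ, 0x7ff6_0000_0010, 4, &[]);
    service_one(&mut shm, &mut game);
    println!("read -> {:?}", take_response(&mut shm));
    post_request(&mut shm, OP_READ, 0x7ff6_0000_0040, 8, &[]); // past the end of the mapping
    service_one(&mut shm, &mut game);
    println!("oob  -> {:?}", take_response(&mut shm));
}
```

The part worth copying is the server-side re-validation: once the hook runs inside csrss, the shared page is all an unprivileged process needs to write to in order to drive a process that is normally PPL-protected, so a size or address the client supplies is never trusted before it is turned into a copy. Turning the stand-ins into the real thing means wrapping a view of a named section in SharedRegion and implementing TargetMemory with ReadProcessMemory/WriteProcessMemory on the handle csrss already holds to the game.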
This is your average Rust project: download and install Rust, add the nightly toolchain, and you should be able to compile everything.
Once you are ready, run `cargo build --bin setup && cargo build --bin cheese`; you can find the executables in /target.
- Identify the target csrss.exe process. There are usually two (one per session) and only one of them is suitable as our target; it is easily spotted as the one actually doing some work. Process Hacker does a fantastic job of helping out here. In the screenshot below the target PID is 996, as it is the only one doing actual work.

- Disable PPL on the target PID. You can achieve this with PPLcontrol or any similar tool; I've wrapped PPLcontrol in a PowerShell script available in the /bin folder. Note that PPLcontrol works by abusing a vulnerable driver (MSI's RTCore64.sys) to patch the protection level of a process in kernel memory. The script installs and starts the driver using sc.exe, calls PPLcontrol with the target PID, and then waits for user input before removing the driver. Loading the driver needs administrator rights, and on a machine that enforces Microsoft's vulnerable driver blocklist (for example with HVCI enabled) the driver will be refused, so the script fails at the sc.exe start step.
In Process Hacker you can see that PPL is now disabled.

- Run /bin/setup.exe with admin privileges. It should automatically find the correct csrss.exe and start the hooking process.

- Restore csrss's PPL by pressing any key in the PowerShell script used in step 2. EAC won't start when csrss's protection is disabled (or when MSI's vulnerable driver is running?).
- Now start the target game; I will be using Brawlhalla.
- Use Process Hacker to find the handle that the hooked csrss.exe holds to the target process (its Handles tab lists them with the handle value).

- Finally, call cheese.exe from an admin shell, passing it that handle value (in hex, without the leading 0x):
  `cheese.exe --target-handle 1090`
Feel free to try and access any other memory address. In a slightly more complex setup than this, I can run it on my EAC-protected game and harvest all the in-game entity locations and other data, which I then visualize through an external window.
