From 9cf8c84744d5fbb2530e46b2f6cc52479a163421 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Thu, 1 Jul 2021 00:27:05 +0000 Subject: [PATCH] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 92443d6..32cf791 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ Thus a hook is placed on this SHA1 hash function and spoofed results are compute ### Solution, Possible Alternatives -* 1.) If EasyAntiCheat were to patch their own driver using `MmMapIoSpaceEx` - `PAGE_READWRITE` (for HVCI support), they could compute a SHA1 hash, then revert the changes, compute a second SHA1 hash... If the hashes are the same, then you know someone is hooking SHA1, or hooking `READQ/DW/B` virtual instructions... ***When i say patch i mean, change some padding/alignment bytes at the end of an unwriteable section***... +* 1.) If EasyAntiCheat were to patch their own driver using `MmMapIoSpaceEx` - `PAGE_READWRITE` (for HVCI support), they could compute a SHA1 hash, then revert the changes, compute a second SHA1 hash... If the hashes are the same, then you know someone is hooking SHA1, or hooking `READQ/DW/B` virtual instructions... In other words, instead of checking for patches, check to see if your patches result in a different hash... ***When i say patch i mean, change some padding/alignment bytes at the end of an unwriteable section***... * 2.) Map the driver into the usermode service as READONLY, this way the usermode service can just read the mapping and compute a hash... This has its own attack vectors considering it would require calling out to ntoskrnl/external code, however the idea is what matters, having multiple sources of integrity checking is ideal.