From 315ac3967cd9b3124da3ad8368e723a5b28e944a Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Thu, 1 Jul 2021 00:02:17 +0000 Subject: [PATCH] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d61db3e..9bbde1e 100644 --- a/README.md +++ b/README.md @@ -29,9 +29,9 @@ Thus a hook is placed on this SHA1 hash function and spoofed results are compute ### Solution, Possible Alternatives -If EasyAntiCheat were to patch their own driver using `MmMapIoSpaceEx` - `PAGE_READWRITE` (for HVCI support), they could compute a SHA1 hash, then revert the changes, compute a second SHA1 hash... +* 1.) If EasyAntiCheat were to patch their own driver using `MmMapIoSpaceEx` - `PAGE_READWRITE` (for HVCI support), they could compute a SHA1 hash, then revert the changes, compute a second SHA1 hash... If the hashes are the same, then you know someone is hooking SHA1, or hooking `READQ/DW/B` virtual instructions... -If the hashes are the same, then you know someone is hooking SHA1, or hooking `READQ/DW/B` virtual instructions... +* 2.) Map the driver into the usermode service as READONLY, this way the usermode service can just read the mapping and compute a hash... This has its own attack vectors considering it would require calling out to ntoskrnl/external code, however the idea is what matters, having multiple sources of integrity checking is ideal. ### How To Update