The whole ‘bypassing AC is harder than bypassing EDR’ statement annoys me. There’s a whole lot of factors that matter between the two that determine whether or not one is harder than the other.

ring3-based ACs are easier to bypass compared to bypassing EDR.
ring0-based ACs are far from easy; it’s like a little monitor that checks everything.

I dunno, I’m rambling.

@ayla with physical access you can run code in hypervisor or VTL1 with secure boot enabled and TPM measurements looking fine...

all the ACs requiring secure boot on and TPM present don't understand their threat model at all.

@ayla and by the way, that's not even exploiting any Windows bootloader bug, of which there are plenty.
@Rairii I just had to check and it seems a few ACs are actually requiring these things now. I’m puzzled.

@ayla Yeah, I know at least 2 are.

I think they only require them on Windows 11 because it's unsupported to run it on a system without both, but still.

@Rairii I’ve been away from anticheats and game hacking in general for a while. HyperV w/ KVM (at the cost of your performance) was a useful way to bypass ACs for a little but afaik, BattlEye and the sort are very against it.
You could hide the QEMU HV by spoofing some things and patching RDTSC(?) and get away with it, but I don’t think that works anymore.

Man, I have a lot of catching up to do. A lot has changed.
I think I messed some details up as well but it’s been a little while.