VAC

by danielkrupinski

danielkrupinski / VAC

Source code of Valve Anti-Cheat obtained from disassembly of compiled modules

206 Stars 36 Forks Last release: Not found MIT License 217 Commits 0 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:

VAC 🛡️

This repository contains parts of source code of Valve Anti-Cheat for Windows systems recreated from machine code.

Introduction

Valve Anti-Cheat (VAC) is user-mode noninvasive anti-cheat system developed by Valve. It is delivered in form of modules (dlls) streamed from the remote server.

steamservice.dll
loaded into
SteamService.exe
(or
Steam.exe
if run as admin) prepares and runs anti-cheat modules. Client VAC infrastructure is built using
C++
(indicated by many
thiscall
convention functions present in disassembly) but this repo contains
C
code for simplicity. Anti-cheat binaries are currently
32-bit
.

Modules

| ID | Purpose | .text section raw size | Source folder | | --- | --- | --- | --- | | 1 | Collect information about system configuration.
This module is loaded first and sometimes even before any VAC-secured game is launched. | 0x5C00 | Modules/SystemInfo | 2 | Enumerate running processes and handles.
This module is loaded shortly after game is launched but also repeatedly later. | 0x4A00 | Modules/ProcessHandleList | 3 | Collect

VacProcessMonitor
data from filemapping created by
steamservice.dll
. It's the first module observed to use
virtual methods (polymorphism)
. | 0x6600 | Modules/ProcessMonitor

Encryption / Hashing

VAC uses several encryption / hashing methods: - MD5 - hashing data read from process memory - ICE - decryption of imported functions names and encryption of scan results - CRC32 - hashing table of WinAPI functions addresses - Xor - encryption of function names on stack, e.g

NtQuerySystemInformation
. Strings are xor-ed with
^
or
>
or
&
char.

Module Description

#1 - SystemInfo

This module is loaded first and sometimes even before any VAC-secured game is launched.

At first module invokes

GetVersion
function to retrieve major and build system version e.g

0x47BB0A00
- which means: - 0x47BB - build version (decimal
18363‬
) - 0x0A00 - major version (decimal
10
)

The module calls

GetNativeSystemInfo
function and reads fields from resultant
SYSTEM_INFO
struct: - wProcessorArchitecture - dwProcessorType

Then it calls

NtQuerySystemInformation
API function with following

SystemInformationClass
values (in order they appear in code): - SystemTimeOfDayInformation - returns undocumented
SYSTEM_TIMEOFDAY_INFORMATION
struct, VAC uses two fields: - LARGEINTEGER CurrentTime - LARGEINTEGER BootTime - SystemCodeIntegrityInformation - returns
SYSTEM_CODEINTEGRITY_INFORMATION
, module saves
CodeIntegrityOptions
field - SystemDeviceInformation - returns
SYSTEM_DEVICE_INFORMATION
, module saves
NumberOfDisks
field - SystemKernelDebuggerInformation - returns
SYSTEM_KERNEL_DEBUGGER_INFORMATION
, VAC uses whole struct - SystemBootEnvironmentInformation - returns
SYSTEM_BOOT_ENVIRONMENT_INFORMATION
, VAC copies
BootIdentifier
GUID - SystemRangeStartInformation - returns
SYSTEM_RANGE_START_INFORMATION
which is just
void*
. Anti-cheat saves returned kernel space start address and sign bit of that address (to check if executable inside which VAC is running is linked with
LARGEADDRESSAWARE
option)

For more information about

SYSTEM_INFORMATION_CLASS
enum see Geoff Chappell's page.

Next, anti-cheat calls

GetProcessImageFileNameA
function to retrieve path of current executable and reads last 36 characters (e.g.

\Program Files (x86)\Steam\Steam.exe
).

Later VAC retrieves system directory path (e.g

C:\WINDOWS\system32
) using
GetSystemDirectoryW
, converts it from wide-char to multibyte string, and stores it (max length of multibyte string - 200). Anti-cheat queries folder FileID (using
GetFileInformationByHandleEx
) and volume serial number (
GetVolumeInformationByHandleW
). Further it does the same with windows directory got from
GetWindowsDirectoryW
API.

Module reads

NtDll.dll
file from system directory and does some processing on it (not reversed yet).

VAC saves handles (base addresses) of imported system dlls (max 16, this VAC module loads 12 dlls) and pointers to WINAPI functions (max 160, module uses 172 functions‬). This is done to detect import address table hooking on anti-cheat module, if function address is lower than corresponding module base, function has been hooked.

Anti-cheat gets self module base by performing bitwise and on return address (

_ReturnAddress() & 0xFFFF0000
). Then it collects: - module base address - first four bytes at module base address (from DOS header) - DWORD at module base + 0x114 - DWORD at module base + 0x400 (start of .text section)

Next it enumerates volumes using

FindFirstVolumeW
/
FindNextVolumeW
API. VAC queries volume information by calling
GetVolumeInformationW
,
GetDriveTypeW
and
GetVolumePathNamesForVolumeNameW
functions and fills following struct with collected data:
struct VolumeData {
    UINT volumeGuidHash;
    DWORD getVolumeInformationError;
    DWORD fileSystemFlags;
    DWORD volumeSerialNumber;
    UINT volumeNameHash;
    UINT fileSystemNameHash;
    WORD driveType;
    WORD volumePathNameLength;
    DWORD volumePathNameHash;
}; // sizeof(VolumeData) == 32

VAC gathers data of max. 10 volumes.

If this module was streamed after VAC-secured game had started, it attemps to get handle to the game process (using

OpenProcess
API).

Eventually, module encrypts data (2048 bytes), DWORD by DWORD XORing with key received from server (e.g 0x1D4855D3)

#2 - ProcessHandleList

To be disclosed...

#3 - ProcessMonitor

This module seems to be relatively

new
or was disabled for a long time. First time I saw this module in
January 2020
. It has an ability to perform many different types of scans (currently
3
). Further scans depends on the results of previous ones.

Each scan type implements

four methods
of a base class.

Initially VAC server instructs client to perform

scan #1
.

Scan #1 - VacProcessMonitor filemapping

First scan function attemps to open

Steam_{E9FD3C51-9B58-4DA0-962C-734882B19273}_Pid:%000008X
filemapping. The mapping has following layout:
struct VacProcessMonitorMapping {
    DWORD magic; // when initialized - 0x30004
    PVOID vacProcessMonitor;
}; // sizeof(VacProcessMonitorMapping) == 8

VacProcessMonitorMapping::vacProcessMonitor
is a pointer to the
VacProcessMonitor
object (size of which is
292 bytes
).

VAC then reads the whole

VacProcessMonitor
object (292 bytes) and its VMT (Virtual Method Table) containing pointers to
6
methods (24 bytes). The base address of
steamservice.dll
is also gathered.

These data are probably used on VAC servers to detect hooking

VacProcessMonitor
. The procedure may be following:
cpp
if (method_ptr & 0xFFFF0000 != steamservice_base)
    hook_detected();

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.