BattlEye, a popular anti-cheat, has been detecting unknown cheats by using heuristics in combination with the x86 trap flag. This was done to specifically target "The Perfect Injector" by @_can1357 from usermode.
https://vmcall.blog/battleye-kernel-single-step/ …
While one could get into an arms race with scanning the functions for trap instructions, is there a reason why clean syscall stubs can't simply be embedded directly into the "inaccessible" memory already being used for injected code (and then called instead of the poisoned ones)?
Replying to @ChaosDatumz @_can1357
That's totally possible and this wouldn't catch it.
1:04 AM - 13 Jan 2020