A Technical Deep Dive: Comparing Anti-Cheat Bypass and EDR Bypass

In the evolving landscape of digital security, two prominent challenges emerge that pose significant threats to the integrity of online systems and user data: anti-cheat bypass and EDR bypass. These concepts revolve around circumventing protective measures designed to ensure fair play in the realm of online gaming and to safeguard computer systems against malicious software, respectively. This post will delve into the goals of anti-cheat bypass and EDR bypass, exploring the motivations behind these activities and their implications, and will draw a distinction between legitimate security research and illicit activities. 

Aspect | Anti-Cheat Bypass | EDR Bypass
--- | --- | ---
Target Environment | Gaming applications and platforms | General computing environments and systems
Objective | Evade detection in multiplayer games | Circumvent EDR software detection
Techniques | Code injection, hooking, packet manipulation | Polymorphic malware, rootkits, code obfuscation
Detection Mechanisms | Heuristic analysis, behavior monitoring | Signature-based detection, heuristics, sandboxing
Impact on Users | Unfair advantages in games, potential for game exploitation | Compromised system integrity, data theft, and malware infections
Legal Implications | Violation of terms of service in gaming platforms | Unlawful activities, data breaches, and legal consequences
Ecosystem Impact | Degraded gaming experience, loss of revenue for developers | Widespread malware outbreaks, compromised user data
Countermeasures | Regular updates, server-side validation, player reporting | Regular EDR updates, intrusion detection systems, user education

Quick Comparison

Anti-Cheat Bypass

Anti-cheat bypass refers to the process of evading or overcoming security mechanisms implemented in online games to detect and prevent cheating. The primary goal of individuals attempting to bypass anti-cheat systems is to gain an unfair advantage over other players, disrupting the balance and integrity of the gaming experience. Cheating in online games can take various forms, including aimbots, wallhacks, speed hacks, and other modifications that provide an unfair advantage.

Motivations Behind Anti-Cheat Bypass

The motivations behind individuals engaging in anti-cheat bypass activities are multifaceted. Some seek the thrill of outsmarting security systems, driven by the challenge of breaking through digital barriers. Others may be motivated by a desire for recognition within hacking communities or to monetize their exploits by selling cheat tools and services. In some cases, players may resort to cheating as a form of rebellion against perceived unfairness in the gaming environment.

Legitimate Security Research vs. Illicit Activities in Anti-Cheat Bypass

It is essential to distinguish between legitimate security research and illicit activities when discussing anti-cheat bypass. Ethical hackers may engage in responsible disclosure, helping game developers identify vulnerabilities and strengthen their anti-cheat measures. However, individuals who exploit these vulnerabilities for personal gain or to disrupt online communities fall into the category of illicit actors, threatening the stability of online ecosystems.

EDR Bypass

On the other hand, EDR bypass involves evading or circumventing the detection mechanisms employed by EDR software to identify and neutralize malicious software. Malware developers and cybercriminals employ various techniques to create and distribute malware that can go undetected by EDR programs, allowing them to compromise systems, steal sensitive information, or launch other malicious activities.

Motivations Behind EDR Bypass

The motivations behind EDR bypass are predominantly malicious, driven by the desire to evade detection and ensure the successful deployment of malware. Cybercriminals aim to compromise the security of individual users, businesses, and organizations for financial gain, espionage, or other nefarious purposes. The constantly evolving nature of cybersecurity requires malware developers to stay one step ahead of security solutions, leading to a perpetual arms race between attackers and defenders.

Legitimate Security Research vs. Illicit Activities in EDR Bypass

Legitimate security research and illicit activities in EDR bypass highlight a fine line between enhancing cybersecurity and exploiting vulnerabilities for malicious purposes. Ethical researchers aim to strengthen security postures through responsible disclosure and adherence to legal frameworks, contrasting sharply with attackers who operate with malicious intent, outside legal boundaries. This dynamic underscores the critical need for continuous investment in security research and collaboration within the cybersecurity community to stay ahead of evolving threats.

Anti-Cheat Bypass and EDR Bypass

The goals of anti-cheat bypass and EDR bypass differ in their focus and impact. Anti-cheat bypass aims to undermine fair play in online gaming, while EDR bypass seeks to compromise the security of computer systems for malicious purposes. Distinguishing between legitimate security research and illicit activities is crucial in addressing these challenges and fostering a secure digital environment. As technology continues to advance, the need for innovative and adaptive security measures becomes increasingly apparent to counteract the persistent efforts of those seeking to exploit vulnerabilities for their gain.

In the ever-evolving landscape of cybersecurity, the perpetual battle between attackers and defenders has given rise to sophisticated tools and techniques on both sides. While anti-cheat bypass and EDR bypass both involve circumventing security measures, they target different domains, with anti-cheat focusing on gaming environments and EDR on overall system protection.

Windows API | Category | Anti-Cheat Bypass | EDR Bypass
--- | --- | --- | ---
CreateRemoteThread | Code Injection | X | X
VirtualAllocEx | Code Injection | X | X
WriteProcessMemory | Code Injection | X | X
CreateProcess | Process Creation | X | X
LoadLibrary | Dynamic Link Library (DLL) Load | X | X
ShellExecute | Process Execution | X | X
RegSetValueEx | Registry Modification | | X
CreateService | Service Creation | | X
ChangeServiceConfig | Service Configuration | | X
Privilege Escalation | | |
AdjustTokenPrivileges | Token Privilege Modification | |
OpenProcessToken | Token Manipulation | | X
EnablePrivilege | Enable Specific Privilege | |
Defense Evasion and Anti-Analysis | | |
NtQuerySystemInformation | System Information Query | |
NtSetInformationProcess | Process Information Setting | |
SetThreadContext | Thread Context Modification | |
ZwUnmapViewOfSection | Memory Section Unmapping | |
OutputDebugString | Debug Output | | X

Comparison of Windows API Commonly Used in Bypass Techniques

Anti-Cheat Bypass Techniques

Code Injection and Hooking

Consider a scenario where an attacker aims to gain an unfair advantage in an online game by injecting custom DLLs into the game process. These DLLs may contain cheats, such as aimbots or wallhacks, allowing the player to manipulate the game environment and gain an upper hand.

#include <Windows.h>
#include <string.h>

void InjectDLL(DWORD processId, const char* dllPath) {
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId);
    if (hProcess == NULL) {
        return;
    }
    SIZE_T pathLen = strlen(dllPath) + 1;
    // Reserve memory in the target process and write the DLL path into it
    LPVOID dllPathAddr = VirtualAllocEx(hProcess, NULL, pathLen, MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(hProcess, dllPathAddr, dllPath, pathLen, NULL);
    // kernel32.dll is mapped at the same base in every process, so the local address is valid remotely
    LPVOID loadLibraryAddr = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");

    // Start a thread in the target whose entry point is LoadLibraryA(dllPath)
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)loadLibraryAddr, dllPathAddr, 0, NULL);
    if (hThread != NULL) {
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);
    }

    VirtualFreeEx(hProcess, dllPathAddr, 0, MEM_RELEASE);
    CloseHandle(hProcess);
}

int main() {
    InjectDLL(1234, "C:\\Path\\To\\Your\\Hack.dll");
    return 0;
}
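From the defender's side, the OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread chain above is exactly what behavior monitoring keys on. The following added example (not from the original post) correlates Sysmon-style ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) records and flags a process that opens another with write and thread-creation rights and then starts a remote thread at LoadLibraryA. The field names follow Sysmon's schema; the event records themselves are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Access-mask bits a process requests via OpenProcess (Win32 SDK values).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed Sysmon-style records, in time order, with only the fields the rule needs.
# EventID 10 = ProcessAccess, EventID 8 = CreateRemoteThread.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Tools\loader.exe", "TargetImage": r"C:\Games\game.exe",
     "GrantedAccess": "0x1FFFFF"},                               # PROCESS_ALL_ACCESS
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Games\game.exe", "GrantedAccess": "0x1000"},  # QUERY_LIMITED_INFORMATION
    {"EventID": 8, "SourceImage": r"C:\Tools\loader.exe", "TargetImage": r"C:\Games\game.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    {"EventID": 8, "SourceImage": r"C:\Games\game.exe", "TargetImage": r"C:\Games\game.exe",
     "StartModule": r"C:\Games\game.exe", "StartFunction": ""},   # thread in own process: benign
]

@dataclass(frozen=True)
class Finding:
    source: str
    target: str
    reason: str

def detect_remote_dll_injection(events: List[dict]) -> List[Finding]:
    """Flag (source, target) pairs where a process created a remote thread in another
    process starting at LoadLibrary*, and note whether it had earlier opened that
    process with injection-capable rights (the strongest form of the signal)."""
    opened_with_rights: Dict[Tuple[str, str], int] = {}
    findings: List[Finding] = []
    for ev in events:
        key = (ev["SourceImage"], ev["TargetImage"])
        if ev["EventID"] == 10:
            access = int(ev["GrantedAccess"], 16)
            if access & INJECTION_RIGHTS == INJECTION_RIGHTS:
                opened_with_rights[key] = access
        elif ev["EventID"] == 8 and ev["SourceImage"] != ev["TargetImage"]:
            start = ev.get("StartFunction", "")
            if start.startswith("LoadLibrary"):
                reason = f"remote thread started at {start}"
                if key in opened_with_rights:
                    reason += " after opening target with VM_WRITE|CREATE_THREAD"
                findings.append(Finding(key[0], key[1], reason))
    return findings

if __name__ == "__main__":
    for f in detect_remote_dll_injection(SAMPLE_EVENTS):
        print(f"[ALERT] {f.source} -> {f.target}: {f.reason}")
```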

Function Hooking in Multiplayer Games

In the realm of multiplayer games, attackers may employ function hooking techniques to intercept and modify functions responsible for player health or ammunition. This manipulation can provide an illicit advantage by making the attacker’s character invulnerable or granting infinite ammunition.

#include <Windows.h>
#include <detours.h>   // Microsoft Detours; link against detours.lib
#include <iostream>

// Original function
int OriginalFunction(int a, int b) {
    return a + b;
}

// Pointer that Detours redirects to a trampoline for the original code.
// The hook must call through this pointer: calling OriginalFunction directly
// would re-enter the hook and recurse forever.
static int (*TrueOriginalFunction)(int, int) = OriginalFunction;

// Hooked function
int HookedFunction(int a, int b) {
    std::cout << "HookedFunction is called!" << std::endl;
    return TrueOriginalFunction(a, b);
}

int main() {
    // Replace the original function with the hooked function
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourAttach(&(PVOID&)TrueOriginalFunction, HookedFunction);
    DetourTransactionCommit();

    // Call the hooked function
    int result = OriginalFunction(10, 20);
    std::cout << "Result: " << result << std::endl;

    // Cleanup
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourDetach(&(PVOID&)TrueOriginalFunction, HookedFunction);
    DetourTransactionCommit();

    return 0;
}

Packet Manipulation

Cheaters often manipulate network packets using tools like Scapy to alter the information sent between the game client and server. For instance, an attacker could modify the coordinates of their character in the game world, creating the illusion of teleportation or superhuman speed.

#include <WinSock2.h>
#include <WS2tcpip.h>   // inet_pton
#include <string.h>
#pragma comment(lib, "Ws2_32.lib")

int main() {
    // Initialize Winsock
    WSADATA wsaData;
    WSAStartup(MAKEWORD(2, 2), &wsaData);

    // Create a socket
    SOCKET sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    // Connect to the game server (the server address is left blank on the page)
    sockaddr_in serverAddr;
    serverAddr.sin_family = AF_INET;
    serverAddr.sin_port = htons(1234);
    inet_pton(AF_INET, "", &serverAddr.sin_addr);
    connect(sock, (struct sockaddr*)&serverAddr, sizeof(serverAddr));

    // Manipulate outgoing packet
    const char* modifiedData = "ModifiedPacketData";
    send(sock, modifiedData, (int)strlen(modifiedData), 0);

    // Cleanup
    closesocket(sock);
    WSACleanup();
    return 0;
}
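The countermeasure the comparison table lists against this, server-side validation, means the server never trusts client-reported coordinates. The following added example (not from the original post) validates a hypothetical position-update message: an update whose implied speed exceeds the game's limit, or whose tick is stale, is rejected and the player is snapped back to the last accepted position, so a forged coordinate produces neither teleportation nor superhuman speed. The message layout, field names, tick rate and speed limit are assumptions.

```python
import math
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

# Hypothetical client->server position update, little-endian:
#   uint32 player_id, float x, float y, uint32 tick (server ticks, 20 per second).
POS_UPDATE = struct.Struct("<IffI")
TICK_SECONDS = 1.0 / 20
MAX_SPEED = 7.0          # assumed game limit, world units per second
MAX_TICK_GAP = 40        # assumed: older or far-future ticks are not accepted

@dataclass
class PlayerState:
    x: float
    y: float
    tick: int

class MovementValidator:
    """Keeps the last accepted position per player and only advances it
    when the movement the client claims is physically possible."""
    def __init__(self) -> None:
        self.players: Dict[int, PlayerState] = {}
        self.rejections: Dict[int, int] = {}

    def handle(self, payload: bytes) -> Tuple[bool, Tuple[float, float]]:
        """Parse one update; return (accepted, authoritative position)."""
        player_id, x, y, tick = POS_UPDATE.unpack(payload)
        state = self.players.get(player_id)
        if state is None:                          # first sighting: spawn position
            self.players[player_id] = PlayerState(x, y, tick)
            return True, (x, y)
        dt_ticks = tick - state.tick
        if dt_ticks <= 0 or dt_ticks > MAX_TICK_GAP:  # replayed, stale or future tick
            return self._reject(player_id, state)
        distance = math.hypot(x - state.x, y - state.y)
        if distance > MAX_SPEED * dt_ticks * TICK_SECONDS:
            return self._reject(player_id, state)  # teleport or speed hack
        state.x, state.y, state.tick = x, y, tick
        return True, (x, y)

    def _reject(self, player_id: int, state: PlayerState) -> Tuple[bool, Tuple[float, float]]:
        self.rejections[player_id] = self.rejections.get(player_id, 0) + 1
        return False, (state.x, state.y)           # client is snapped back here

def build_update(player_id: int, x: float, y: float, tick: int) -> bytes:
    return POS_UPDATE.pack(player_id, x, y, tick)

if __name__ == "__main__":
    v = MovementValidator()
    print(v.handle(build_update(7, 0.0, 0.0, 100)))    # spawn: accepted
    print(v.handle(build_update(7, 0.3, 0.0, 101)))    # 0.3 units in 50 ms: accepted
    print(v.handle(build_update(7, 500.0, 0.0, 102)))  # forged coordinate: rejected
```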

Code Obfuscation

To avoid detection, cheat developers may employ code obfuscation techniques when creating game cheats. This involves transforming the cheat code into a more complex and convoluted form, making it challenging for anti-cheat systems to recognize and analyze the malicious code.

// Example of basic code obfuscation

void ObfuscatedFunction() {
    int a = 5;
    int b = 10;

    // Unnecessary instructions for obfuscation
    a = a + 1;
    b = b - 1;

    int result = a + b;
    (void)result;   // the real logic would follow here
    // ...
}

EDR Bypass Techniques

Polymorphic Malware

Imagine a scenario where a polymorphic malware variant is distributed through a phishing campaign. The malware constantly mutates its code to evade signature-based detection, making it difficult for traditional EDR solutions to recognize and block the malicious payload.

The figure below shows an application with exactly the same functionality but noticeably different opcodes. The sample places a large amount of junk code between each jump to defeat signature scanning.

[Figure: Basic Polymorphism]

Rootkit Techniques

In a real-world scenario, an advanced persistent threat (APT) may deploy a kernel-mode rootkit to hide its presence on compromised systems. This rootkit operates at a deep level within the operating system, making it challenging for EDR solutions to detect and remove.

#include <ntddk.h>

// Pointer to the original routine, saved when the hook is installed (installation not shown on the page)
typedef NTSTATUS (*PFN_NTQUERYSYSTEMINFORMATION)(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);
static PFN_NTQUERYSYSTEMINFORMATION OriginalNtQuerySystemInformation = NULL;

NTSTATUS MyNtQuerySystemInformation(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
) {
    // Let the real routine fill the caller's buffer first
    NTSTATUS status = OriginalNtQuerySystemInformation(
        SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);

    // Modify SystemInformation to hide specific processes
    // ...
    return status;
}

A much simpler user-mode counterpart merely hides a file through its attributes:

#include <Windows.h>

BOOL HideFile(const wchar_t* filePath) {
    return SetFileAttributesW(filePath, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM);
}

Additional Techniques

Exploiting Vulnerabilities

Threat actors may exploit heap overflow vulnerabilities to compromise high-value targets. By manipulating memory allocation, attackers can execute arbitrary code, bypassing traditional EDR defenses and gaining persistent access to sensitive systems. 

// Example of a heap overflow vulnerability
#include <stdlib.h>
#include <string.h>

void HeapOverflowVulnerability(const char* input) {
    char* buffer = (char*)malloc(10);
    // Vulnerable code allowing heap overflow: no check that input fits in the 10-byte chunk
    strcpy(buffer, input);
    free(buffer);
}

Shellcode Bypass Techniques

In real-world ransomware campaigns, attackers may use encoded shellcode to obfuscate their malicious payload. This encoding helps the ransomware evade signature-based detection, allowing it to encrypt files and demand ransoms without immediate detection.

#include <Windows.h>
#include <string.h>

int main() {
    // Encoded shellcode (the bytes are omitted on the page; a single placeholder byte keeps this compiling)
    unsigned char encodedShellcode[] = { /* Encoded shellcode bytes */ 0x00 };
    unsigned char decodedShellcode[sizeof(encodedShellcode)];

    // Allocate executable memory
    LPVOID execMem = VirtualAlloc(NULL, sizeof(encodedShellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (execMem == NULL) {
        return 1;
    }

    // Decode shellcode into decodedShellcode (decoder omitted on the page)
    // ...
    // Copy decoded shellcode to executable memory
    memcpy(execMem, decodedShellcode, sizeof(decodedShellcode));

    // Execute decoded shellcode
    // ...

    // Cleanup
    VirtualFree(execMem, 0, MEM_RELEASE);
    return 0;
}

String Obfuscation

Malware often employs string obfuscation techniques, such as XOR-ing strings, to avoid signature scans and heuristic analysis. By XOR-ing critical strings, attackers make it challenging for EDR solutions to identify specific patterns associated with malware.

#include <iostream>
#include <string>

// Repeating-key XOR: the same routine both encrypts and decrypts
std::string xorString(const std::string& input, const std::string& key) {
    std::string result = input;
    for (size_t i = 0; i < input.size(); ++i) {
        result[i] = input[i] ^ key[i % key.size()];
    }
    return result;
}

int main() {
    std::string encryptedString = "YourEncryptedString";
    std::string decryptionKey = "YourSecretKey";
    std::string decryptedString = xorString(encryptedString, decryptionKey);
    std::cout << "Decrypted String: " << decryptedString << std::endl;

    return 0;
}

Anti-Debugging Techniques

Malware campaigns frequently use anti-debugging techniques to thwart analysis by security researchers. This includes detecting the presence of a debugger, dynamically altering code behavior, and employing complex conditional breakpoints to evade detection during analysis.

#include <windows.h>

// Function to detect debugger presence
bool isDebuggerPresent() {
    return IsDebuggerPresent() != FALSE;
}

// Function with conditional branches to hinder analysis
// (MSVC x86 inline assembly; __asm is not available in x64 builds)
void antiDebuggingFunction() {
    __asm {
        // Check if debugger is present (bool result is returned in AL)
        call isDebuggerPresent
        test al, al
        jnz debuggerDetected

        // Normal code execution
        // ...
        jmp endAntiDebugging

    debuggerDetected:
        // Code to execute when debugger is detected
        // This can include anti-analysis measures
        // ...

    endAntiDebugging:
    }
}

int main() {
    // Main program logic
    // ...

    // Call the anti-debugging function
    antiDebuggingFunction();

    return 0;
}

Demo

The following demonstration compares a non-obfuscated versus an obfuscated DLL for our sideloading attack on Notepad++ v8.5.4 and earlier with an EDR installed.

The video above shows that the EDR detected the malicious DLL. But let’s see how the EDR reacts to an obfuscated DLL.

Static Analysis

The DLL without obfuscation is very easy to spot: the direct calls to the Windows API are plainly visible. The obfuscated DLL, by contrast, does not reveal the Windows API calls at first glance and needs deeper analysis.

[Figure: Static Analysis – Non-Obfuscated DLL]

In the obfuscated version, some XOR decryption happens first to recover the names of the functions we are interested in. We then used GetModuleHandle and GetProcAddress to resolve the addresses of those functions. Lastly, we added typedef declarations for the functions so that the compiler knows what calling convention and parameters those functions need.

[Figure: Static Analysis – Obfuscated DLL]

XORed

In the obfuscated version, we cannot directly see the names of the functions we want to call, because the application must decrypt the correct function names at runtime. In the non-obfuscated version, by contrast, we can immediately see the WinAPIs the DLL may use.

[Figure: XORed – Non-Obfuscated vs. Obfuscated]
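Repeating-key XOR, as used by the xorString routine in the String Obfuscation section and by the obfuscated DLL analysed here, hides API names from strings output but is weak against known-plaintext recovery. The following added example (not from the original post) is an analyst-side triage helper: it crib-drags a list of API names an obfuscated loader is likely to resolve over an XOR'd string table, derives the key from wherever a crib fits, and keeps the candidate key whose decryption reveals the most known names. The sample blob, key and API list are constructed.

```python
from typing import List, Optional, Sequence

# API names an analyst expects an obfuscated loader to resolve at runtime.
KNOWN_APIS = [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"VirtualAllocEx",
              b"WriteProcessMemory", b"CreateRemoteThread", b"kernel32.dll"]

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same transform the page's xorString applies."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def known_tokens(plain: bytes, names: Sequence[bytes]) -> List[str]:
    """Known names that appear as whole NUL-terminated strings in a decryption."""
    tokens = set(plain.split(b"\x00"))
    return [n.decode() for n in names if n in tokens]

def recover_key(blob: bytes, cribs: Sequence[bytes] = KNOWN_APIS,
                max_key_len: int = 16) -> Optional[bytes]:
    """Crib-drag every known name over the blob. Wherever a crib fits, blob XOR crib
    is a slice of the key stream; every period that slice is consistent with gives a
    candidate key. Keep the candidate whose decryption yields the most known names."""
    best_key, best_hits = None, 1        # one hit may be the crib itself; demand more
    for crib in cribs:
        for offset in range(len(blob) - len(crib) + 1):
            stream = xor_bytes(blob[offset:offset + len(crib)], crib)
            for key_len in range(1, min(max_key_len, len(crib)) + 1):
                if any(stream[i] != stream[i % key_len] for i in range(len(stream))):
                    continue             # slice is not periodic with this length
                # Rotate the slice so key[0] lines up with blob offset 0.
                phase = offset % key_len
                key = stream[key_len - phase:key_len] + stream[:key_len - phase]
                hits = len(known_tokens(xor_bytes(blob, key), cribs))
                if hits > best_hits:
                    best_key, best_hits = key, hits
    return best_key

def recover_api_names(blob: bytes) -> List[str]:
    key = recover_key(blob)
    return [] if key is None else known_tokens(xor_bytes(blob, key), KNOWN_APIS)

# Constructed sample: a loader's NUL-separated string table, XOR'd with a short key.
SAMPLE_KEY = b"k3y!"
SAMPLE_BLOB = xor_bytes(b"kernel32.dll\x00VirtualAlloc\x00CreateRemoteThread\x00", SAMPLE_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_key(SAMPLE_BLOB))
    print("strings:", recover_api_names(SAMPLE_BLOB))
```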

Conclusion

In the realm of cybersecurity, the comparison between anti-cheat bypass and EDR bypass highlights the diverse strategies employed by attackers to circumvent security measures. While anti-cheat bypass primarily focuses on exploiting vulnerabilities in gaming environments, EDR bypass techniques extend their reach to compromise overall system security. Despite their distinct targets, there are notable similarities in the underlying methodologies employed by attackers in both domains. For instance, code injection, obfuscation, and evasion of detection mechanisms are prevalent in both anti-cheat and EDR bypass techniques. However, the specific nuances and challenges associated with each domain necessitate tailored defense mechanisms.

The common thread of utilizing Windows API functions for execution, persistence, and privilege escalation underscores the interconnected nature of these security challenges. As defenders continue to adapt and innovate, understanding these parallels and differences becomes essential for building comprehensive security postures that safeguard diverse computing environments. By recognizing the shared tactics and unique challenges presented by anti-cheat and EDR bypass techniques, cybersecurity professionals can better prepare for the ever-evolving landscape of digital threats.

Originally published by Mark Lester Dampios: A Technical Deep Dive: Comparing Anti-Cheat Bypass and EDR Bypass

Copyright notice: posted by admin on 20 February 2024 at 9:48 AM.
Please credit when reposting: A Technical Deep Dive: Comparing Anti-Cheat Bypass and EDR Bypass | CTF导航