{"id":28521955,"url":"https://github.com/johnsonjason/rudiac","last_synced_at":"2025-07-04T00:30:58.166Z","repository":{"id":37430602,"uuid":"202291423","full_name":"johnsonjason/RudiAC","owner":"johnsonjason","description":"A client-sided anti-cheat developed during a freelance project to \"plug-in\" to a proprietary client for a private server. Includes memory integrity checks, thread execution restrictions, hook detection, memory honeypots, and more.","archived":false,"fork":false,"pushed_at":"2020-12-26T07:58:18.000Z","size":40,"stargazers_count":58,"open_issues_count":1,"forks_count":13,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-06-09T08:15:46.438Z","etag":null,"topics":["anticheat","cpp","reverse-engineering","security","windows","x86"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/johnsonjason.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-08-14T06:47:55.000Z","updated_at":"2025-05-18T04:43:03.000Z","dependencies_parsed_at":"2022-08-19T12:41:02.912Z","dependency_job_id":null,"html_url":"https://github.com/johnsonjason/RudiAC","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/johnsonjason/RudiAC","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/johnsonjason%2FRudiAC","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/johnsonjason%2FRudiAC/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/johnsonjason%2FRudiAC/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/johnsonjason%2FRudiAC/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/johnsonjason","download_url":"https://codeload.github.com/johnsonjason/RudiAC/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/johnsonjason%2FRudiAC/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263426011,"owners_count":23464791,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anticheat","cpp","reverse-engineering","security","windows","x86"],"created_at":"2025-06-09T08:15:33.358Z","updated_at":"2025-07-04T00:30:58.087Z","avatar_url":"https://github.com/johnsonjason.png","language":"C++","readme":"# RudiAC\n\nAn anti-cheat used for a 2018 freelance project. Much of the behavior and functionality is circumstantial.\nThe project was to attach a client-sided anti-cheat to an old game private server which already had some third party proprietary security modules attached which leads to an anti-cheat with noticeable exceptions to odd behavior.\n\n# Fundamentals\n\n### Memory Integrity Check\n\nGathers a collection of memory pages initially within the game's module (anticheat::cheat_monitor::init) and generates a CRC32 hash based on the memory contents of each page (calc_vpt_hashes) - each validated every cycle (anticheat::cheat_monitor::check_pages).\n\n### Thread Blocking\n\nHooks RtlUserThreadStart and checks if the designated address of execution for the thread is within the correct memory bounds. In this case, it is called \"image-only execution\", where only threads within the primary image (and some other excluded images such as ucrtbased.dll) are allowed to have threads run. If a thread is running outside of these bounds then it is detected as malicious inside an invalid execution space. This also prevents debuggers from attaching the process since RtlUserThreadStart is executed before DbgUiRemoteBreakIn is called which executes outside of the secure boundaries.\n\n### Memory Honeypots\n\nMemory honeypots are created within the init routine, where memory pages aren't yet accessed, but when they are (which they shouldn't be), it is detected. Prevents \"cheat\" scanners.\n\n### Anti-Debugging\n\nChecks the PEB directly (instead of using IsDebuggerPresent, which can be easily looked up) for the value of the BeingDebugged flag as well as the value of NtGlobalFlag. Prone to just directly modifying the BeingDebugged flag to bypass this check though. DbgUiRemoteBreakIn is blocked because debug threads can't be executed in the process (DebugActiveProcess executes a thread within the process, but our process has memory bounds checking, simplified when thread scanning is mentioned.)\n\nTBA: Arbitrary Vectored Exception Handling Detection\n\n### Protected Functions\n\nSimilar in concept to a memory integrity check, but specifically detects if Winsock routines designated as \"protected\" are hooked/modified, preventing user-mode packet modification and reading by software such as WPE Pro and rPE.\n\n### Process Scanner\n\nScans each process based on the contents (process name, window name) and unique memory signature. I have outlined much of this rudimentary detection here: https://medium.com/@jasonmjohnson1/third-party-software-detection-f0ed396634cf\n\n### Module Scanner\n\nScans the loaded modules in the process for any with blacklisted names.\n\nTBA: Signature scanning\n\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjohnsonjason%2Frudiac","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjohnsonjason%2Frudiac","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjohnsonjason%2Frudiac/lists"}