{"id":50212792,"url":"https://github.com/sutaigne/alibi","last_synced_at":"2026-05-26T07:00:35.030Z","repository":{"id":360363894,"uuid":"1249805379","full_name":"Sutaigne/alibi","owner":"Sutaigne","description":"Read-only Windows forensic kit. Run alibi, hand the report to a third party, prove the rig isn't cheating. PowerShell canonical + Python parity, no installs, two-file output (.txt + interactive .html). 22 scanners covering CoD / CS2 / Apex / Tarkov / Rust / R6 / Marvel Rivals brands plus DMA, LOLDrivers BYOVD, AI-vision aimbots.","archived":false,"fork":false,"pushed_at":"2026-05-26T05:29:55.000Z","size":814,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-26T06:23:34.379Z","etag":null,"topics":["activision","anti-cheat","byovd","call-of-duty","cheat-detection","cybersecurity","dfir","dma","forensics","gaming","portable","powershell","python","registry-forensics","ricochet","security","threat-hunting","windows"],"latest_commit_sha":null,"homepage":"https://sutaigne.github.io/alibi/","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Sutaigne.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-26T03:47:14.000Z","updated_at":"2026-05-26T05:29:58.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Sutaigne/alibi","commit_stats":null,"previous_names":["sutaigne/alibi"],"tags_count"
:9,"template":false,"template_full_name":null,"purl":"pkg:github/Sutaigne/alibi","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sutaigne%2Falibi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sutaigne%2Falibi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sutaigne%2Falibi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sutaigne%2Falibi/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Sutaigne","download_url":"https://codeload.github.com/Sutaigne/alibi/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sutaigne%2Falibi/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33508317,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T03:12:49.672Z","status":"ssl_error","status_checked_at":"2026-05-26T03:12:47.976Z","response_time":63,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["activision","anti-cheat","byovd","call-of-duty","cheat-detection","cybersecurity","dfir","dma","forensics","gaming","portable","powershell","python","registry-forensics","ricochet","security","threat-hunting","windows"],"created_at":"2026-05-26T07:00:20.904Z","updated_at":"2026-05-26T07:00:35.020Z","avatar_url":"https://github.com/Sutaigne.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Alibi\n\nA read-only forensic kit for Windows that lets a gamer demonstrate to a third party that their machine isn't running cheats. The deliverable is two timestamped files on the user's Desktop — a plain-text report and a matching `_visual.html` companion. A reviewer reads those files. **No system modifications, no installed software, no telemetry.** Exactly one outbound network call — the opt-in LOLDrivers BYOVD cross-reference — is prompted before running and explicitly disclosed in every report; everything else stays on the machine.\n\n**Primarily built for Call of Duty.** The kit was born out of the CoD cheating scene — its first preserved scan output dates from May 12, 2026 (under the project's original name **\"CheatChecks\"**), and the first *external* field test (May 22) was a self-confessed CoD cheater whose setup was correctly flagged and whose feedback drove the v3.3+ feature push. 
The deepest keyword coverage is still for CoD-side brands: EngineOwning, PhantomOverlay, Lavi/Sky/iWantCheats, X22, the rut.gg / RUAVT family, Two2nd / Tomware / Cynical (the Activision-C\u0026D'd Feb-2025 brands), plus Ricochet- and HWID-spoofer-focused detection logic. CS2, Apex, Tarkov, Rust, R6, and Marvel Rivals brand arrays were added later because the same engine handled them for free — but if you're auditing a CoD rig, this is the kit that's been most actively shaped for that.\n\nTwo scan modes share one engine:\n\n- **PC mode** — for PC gamers auditing their own gaming PC\n- **Console-rig mode** — for console gamers auditing a PC connected to their console rig (capture-card host, streaming PC, MITM-aimbot setup)\n\nAuthor: **Bread** — Activision ID `Bread#3266221`, GitHub [@Sutaigne](https://github.com/Sutaigne). Contributor: **Drownmw**.\n\n\u003e The Activision ID is intentional: this kit was built by an active CoD player, and reviewers can verify that in-game. If you're auditing a CoD rig, you should be able to look up the kit's author the same way you'd look up the person whose machine you're scanning.\n\n\u003e **Reviewer?** Someone handed you a report and is asking you to believe it? Read [**`docs/for-reviewers.md`**](./docs/for-reviewers.md) first. It walks you through verifying the kit, reading the verdict, and what `CLEAN` does and does not rule out. 
The verification chain starts with [`HASHES.txt`](./HASHES.txt).\n\n## Quick start\n\n**The repo itself is the runnable distribution.** Download the ZIP from GitHub (or `git clone`), unzip / copy to a USB stick if you want portability, then **double-click `Run scan.bat` at the root.** That's it.\n\n```\n.\n├── Run scan.bat              ← double-click this\n├── START HERE.txt            ← read this first if confused\n├── scanner/                  ← the .ps1 scanner files (the engine)\n├── python/                   ← Python parity port (alternative implementation)\n├── docs/                     ← reviewer guide, dev history, design source\n├── archive/                  ← old builds, kept for provenance\n├── README.md / SECURITY.md / HASHES.txt / LICENSE\n```\n\nTwo scans run back-to-back (PC mode + console-rig mode); two pairs of timestamped files land on the Desktop. Approve the UAC prompt when it appears — admin is required for full coverage. Total time: about 1–2 minutes on a typical machine; the first run pulls the LOLDrivers driver database (opt-in, ~50 KB).\n\n### Python parity (alternative implementation for reviewers who prefer Python)\n\n```powershell\ncd python\npython -m alibi                          # PC mode\npython -m alibi.console_rig_audit        # console-rig mode\n```\n\nOr install and use the console scripts:\n\n```powershell\ncd python\npip install -e .\nalibi\nalibi-rig\n```\n\nPython 3.10+ required. 
Pure stdlib (except an opt-in `urllib` call to [loldrivers.io](https://www.loldrivers.io) for BYOVD detection).\n\n## What it detects\n\n- **22 scanners** across Prefetch, BAM, MUICache, USB history, ShimCache, services, drivers, downloads, recent files, AppData, user-folder script content, lua scripts, obscured filenames, process modules, DLL injection event timeline, network attack tools, AI-vision aimbot constellation, known hashes, DMA build artifacts, application data dirs.\n- **520+ research-confirmed keyword tokens** across cheat brands (CoD, CS2, Apex, Tarkov, Rust, R6, Marvel Rivals), HWID spoofers, DMA hardware vendors, AI-vision aimbots, mouse-macro / anti-recoil patterns, input devices (XIM, Cronus, ReaSnow, KMBox, Titan, reWASD), and dual-use tools.\n- **LOLDrivers BYOVD detection** — cross-references loaded drivers against the public [loldrivers.io](https://www.loldrivers.io) database. The only network call the kit ever makes, and it's opt-in.\n- **Recency decay** — artifacts older than 180 days are logged in a separate Historical section but do not bump the verdict. A clean current machine should not be condemned for old, abandoned software.\n\n## Verdict tiers\n\n| Mode | Verdicts |\n|---|---|\n| PC | `CHEATS DETECTED` / `INPUT DEVICES DETECTED` / `UNSURE` / `CLEAN` |\n| Console-rig | `MITM CHEAT STACK DETECTED` / `CAPTURE STACK PRESENT` / `UNSURE` / `CLEAN` |\n\n## Example outputs\n\n**Live preview:** [**sutaigne.github.io/alibi**](https://sutaigne.github.io/alibi/) — three rendered states served from GitHub Pages, full interactivity, no download required.\n\nThe Python port ships three synthetic examples in [`python/examples/`](./python/examples) — one per visual state (red / amber / green). 
They are generated by piping fake data through the production formatters, so what you see is bit-identical to what a real scan would produce.\n\n| Verdict state | Live preview | `.txt` source | `.html` source |\n|---|---|---|---|\n| **CHEATS DETECTED** (red) | [open ↗](https://sutaigne.github.io/alibi/pc-mode-cheats-detected_visual.html) | [.txt](./python/examples/pc-mode-cheats-detected.txt) | [.html](./python/examples/pc-mode-cheats-detected_visual.html) |\n| **CAPTURE STACK PRESENT** (amber, console-rig mode) | [open ↗](https://sutaigne.github.io/alibi/console-rig-capture-stack_visual.html) | [.txt](./python/examples/console-rig-capture-stack.txt) | [.html](./python/examples/console-rig-capture-stack_visual.html) |\n| **CLEAN** (green, with a Historical demo) | [open ↗](https://sutaigne.github.io/alibi/pc-mode-clean_visual.html) | [.txt](./python/examples/pc-mode-clean.txt) | [.html](./python/examples/pc-mode-clean_visual.html) |\n\nThe `_visual.html` files are fully self-contained (inline CSS + JS, no external assets) and work offline once downloaded.\n\n## Auditability\n\nThis kit's whole value is being readable by a reviewer who has no reason to trust the author. Therefore:\n\n- All source is plain `.ps1` / `.py` / `.css` / `.js` / `.html`. 
Nothing is minified, compiled, or obfuscated.\n- No binaries are shipped (the historical zips in `archive/` are PowerShell source).\n- No external dependencies at runtime beyond Python 3.10+ stdlib (Python port) or the PowerShell that ships with Windows.\n- No telemetry, no analytics, no tracking.\n- Exactly one outbound network call (the LOLDrivers BYOVD cross-reference) exists. It prompts the user with Y/N before running, is skipped by default with `-SkipLOLDrivers` / `--skip-loldrivers`, and is explicitly disclosed in every report.\n- Every shipped file has its SHA256 published in [`HASHES.txt`](./HASHES.txt) so a reviewer can confirm the kit they received matches this repo.\n- The reviewer-side workflow is documented in [`docs/for-reviewers.md`](./docs/for-reviewers.md).\n- Security disclosure policy: [`SECURITY.md`](./SECURITY.md). Private vulnerability reporting is enabled — use it for bypass reports or false-positive contributions.\n\n## Project history\n\nSee [`docs/handoff.md`](./docs/handoff.md) for the full PowerShell-side history (v3.2 through v3.8, 2026-05-25), the design rationale for each scanner, the recency-decay architecture, and the dev workflow.\n\nSee [`docs/design-handoff-2026-05/`](./docs/design-handoff-2026-05/) for the visual design's source-of-truth bundle (reference HTMLs, design canvas, design tokens spec).\n\n## License\n\nMIT — see [`LICENSE`](./LICENSE). Free to read, run, fork, redistribute.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsutaigne%2Falibi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsutaigne%2Falibi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsutaigne%2Falibi/lists"}