// the find

donnaskiez/ac

★ 667 · C · AGPL-3.0 · updated Aug 2024

kernel mode anti cheat

A kernel-mode anti-cheat driver for Windows, written in C, built as a learning/research project by one developer. It implements a wide range of detection techniques including NMI stackwalking, EPT hook detection, handle stripping, and hypervisor detection. It is aimed squarely at people who want to understand how anti-cheat systems work at the kernel level, not at shipping production protection.

NMI stackwalking via ISR iretq is a legitimately sophisticated technique — most open-source anti-cheat projects don't go this deep. EPT hook detection and hypervisor detection show real understanding of the threat model. The codebase is organized into discrete modules (apc, callbacks, integrity, hv) which makes it readable and educational. AGPL-3.0 licensing is the right call for this kind of dual-use security tool.

Abandoned mid-2024 with the architecture section literally reading 'todo!' — this is a research artifact, not a maintained project. The 'chained .data pointer detection' is flagged as 'iffy' by the author themselves, which is an honest admission but not a good sign for reliability. Build setup requires disabling Spectre mitigations and treating warnings as non-errors, which tells you something about the code quality baseline. The Go server component is a stub with no documented protocol, so the client/server split is incomplete.
