Bypass Record

Rootkit × Valve Anti-Cheat (VAC)

A publicly-reported instance of Rootkit bypassing Valve Anti-Cheat (VAC), recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Valve Anti-Cheat (VAC)
Technique: Rootkit
MITRE ATT&CK: T1014
Confidence: High
Severity: High
Status: poc
Disclosed: 2024-10-22
Config / version noted: Not stated

Provenance

Reported as

It intercepts VAC syscalls via SSDT hooks or InfinityHook to spoof memory integrity checks, allowing unsigned DLL injection and game module patching without detection.

Mechanism

The rootkit uses kernel-mode SSDT hooks or InfinityHook to intercept the NtReadVirtualMemory, NtQueryVirtualMemory, NtMapViewOfSection, and NtQuerySystemInformation syscalls that VAC issues. The returned results are spoofed to hide injected DLLs and patched modules and to conceal the system's debug/test mode status, so VAC's signature and heuristic scans and its trust-factor checks see a clean process.

Detection & mitigation

Deploy kernel-level integrity monitoring (e.g., Microsoft Defender for Endpoint's kernel sensors, or third-party EDRs with kernel callbacks) to detect SSDT hooks or InfinityHook-style syscall tampering. Enforce Secure Boot, HVCI, and driver signing to prevent unauthorized kernel-mode code execution.

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.