Detection Vectors

Information on how Anticheats can detect DMA cheats and devices.

How can Anticheats Detect our Device?

Detecting a DMA device is a challenging task. So far, only ESEA has publicly claimed to detect hardware-based cheating. There have been several research papers (1, 2, 3) on how to detect these devices from a system level, but given how busy the system is while gaming, they are impractical, if not impossible, for any anticheat to implement. A device that is properly configured and programmed should remain completely undetected until the anticheat developers get their hands on the device itself.

PCI Configuration Space

Every PCI device has a configuration space. In short, this is a block of data that the host can read from the device. It contains information such as the vendor and device ID and the device's capabilities. Anticheats can probe this information from all PCI devices and check it against known bad actors. The only anticheat known to probe the PCI bus is Vanguard, although it is not known whether this is used to check for DMA devices.

BattlEye is believed to run a signature scan against the configuration space of PCI devices.

40: 01 48 03 78 08 00 00 00 05 60 80 00 00 00 00 00
60: 10 00 02 00 e2 8f XX XX XX XX XX XX 12 f4 03 00

They appeared to check the rows at offsets 0x40 and 0x60 of the configuration space for the patterns above ("XX" marks bytes they do not care about).

Using Big Data

Anticheats could correlate cheat reports with users' PCI devices. If enough highly-reported users are all using the same unknown PCI device, that could be enough to issue a ban. This is not actively being done by any anticheat.

Xilinx IP Block Detection

Most devices on the market, however, cannot have their configuration space completely customized. The devices I have tried are all built on Xilinx PCIe IP. Using Xilinx Vivado, it is impossible to build gateware that contains a completely custom configuration space.

With this, anticheats could detect gateware built using Xilinx PCIe IP. This is not being done by any anticheat.

There is an interesting issue on the pcileech GitHub repository regarding this.

Device Identifier Detection

All of the DMA devices ship with stock gateware, and that gateware contains stock device identifiers. Those identifiers are almost certainly unique to the device. Anticheats can scan the devices plugged into the system and read the identifiers. If a known DMA device's stock identifier is found, the user is almost certainly a cheater. This will get you banned from BattlEye, ESEA, and possibly other anticheats.

Device identifiers persist on the Windows system even after the device is unplugged. An anticheat could enumerate previously installed devices and look for factory PCILeech gateware IDs. Check out the "Clearing Device History" page for information on cleaning the Windows OS of previous DMA devices.
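The two configuration-space checks described in this page (the byte signature against rows 0x40 and 0x60, and the stock identifier lookup) can be modelled over an `lspci -xxx` style hex dump. The following is an added example written for this page, not code from any anticheat or from the pcileech project: the signature bytes are the ones printed above, while the watch-list of identifiers, the sample dump and the function names are constructed placeholders.

```python
"""Checks an anticheat could run over a PCI device's configuration space:
a stock vendor/device ID lookup and a byte-signature match with wildcards.
Added example for this page; the signature rows come from the page, while
the ID watch-list and the sample dump are constructed placeholders."""
import re
from typing import Dict, List, Optional

# Constructed placeholder watch-list of (vendor_id, device_id) pairs.
KNOWN_DMA_IDS = {(0x1234, 0x5678)}

# Signature from the page: config-space offset -> expected bytes; None is a
# wildcard standing in for the "XX" bytes.
SIGNATURE: Dict[int, List[Optional[int]]] = {
    0x40: [0x01, 0x48, 0x03, 0x78, 0x08, 0x00, 0x00, 0x00,
           0x05, 0x60, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00],
    0x60: [0x10, 0x00, 0x02, 0x00, 0xE2, 0x8F, None, None,
           None, None, None, None, 0x12, 0xF4, 0x03, 0x00],
}

# Constructed sample dump in `lspci -xxx` layout ("<offset>: <16 bytes>").
# Row 00 carries the vendor/device ID, row 20 the subsystem IDs at 0x2C,
# row 30 the capabilities pointer at 0x34, and rows 40/60 reproduce the
# page's pattern with the wildcard bytes filled in.
SAMPLE_DUMP = """
00: 34 12 78 56 07 04 10 00 00 00 80 05 10 00 00 00
20: 00 00 00 00 00 00 00 00 00 00 00 00 34 12 78 56
30: 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00
40: 01 48 03 78 08 00 00 00 05 60 80 00 00 00 00 00
60: 10 00 02 00 e2 8f aa bb cc dd ee ff 12 f4 03 00
"""

_ROW = re.compile(r"^\s*([0-9a-fA-F]{2}):\s*((?:[0-9a-fA-F]{2}\s*)+)$")


def parse_config_dump(dump: str) -> bytearray:
    """Assemble the dump rows into a 256-byte configuration space."""
    space = bytearray(256)
    for line in dump.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace(" ", ""))
        space[offset:offset + len(data)] = data
    return space


def read_ids(space: bytearray) -> Dict[str, int]:
    """Header fields are little-endian: vendor/device at 0x00, subsystem at 0x2C."""
    def le16(off: int) -> int:
        return int.from_bytes(space[off:off + 2], "little")
    return {"vendor": le16(0x00), "device": le16(0x02),
            "subsys_vendor": le16(0x2C), "subsys_device": le16(0x2E)}


def matches_signature(space: bytearray,
                      signature: Dict[int, List[Optional[int]]] = SIGNATURE) -> bool:
    """True when every non-wildcard byte of every row is present at its offset."""
    for offset, pattern in signature.items():
        for i, expected in enumerate(pattern):
            if expected is not None and space[offset + i] != expected:
                return False
    return True


def assess_device(dump: str) -> Dict[str, object]:
    """Run both checks over one device's dump and return the findings."""
    space = parse_config_dump(dump)
    ids = read_ids(space)
    return {
        **ids,
        "known_dma_id": (ids["vendor"], ids["device"]) in KNOWN_DMA_IDS,
        "signature_match": matches_signature(space),
    }


if __name__ == "__main__":
    print(assess_device(SAMPLE_DUMP))
```

Both checks are only as good as their inputs: the identifier lookup catches stock gateware, and the signature catches the fixed bytes of an IP block's capability list, which is why the page notes that a custom configuration space defeats the former while Xilinx-built designs stay exposed to the latter.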

Integrity Checks

When we modify .text sections with our DMA device, we can still fall victim to integrity checks. For example, if we try to patch some hook applied by the anticheat, we could be banned when that anticheat checks whether all of its hooks still exist.
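The kind of integrity check the paragraph describes records what a protected code region looks like once the hooks are in place and later verifies both the hook sites and the region as a whole. The following toy model is an added example for this page, not code from any real anticheat: the "text section" is a constructed byte string, the hook stub is a constructed placeholder, and the function names are assumptions.

```python
"""Toy model of an anticheat integrity check over a protected code region.
Added example for this page: the memory is a constructed byte string that
stands in for a .text section, and the hook stub is a placeholder."""
import hashlib
from typing import Dict, List

# Constructed placeholder for a 5-byte hook stub; a real stub would hold a branch.
HOOK_BYTES = bytes.fromhex("e900000000")


def install_hooks(text: bytearray, sites: List[int]) -> Dict[str, object]:
    """Write the stub at each site and record the expected bytes plus a digest
    of the whole region as the baseline for later verification."""
    for off in sites:
        text[off:off + len(HOOK_BYTES)] = HOOK_BYTES
    return {
        "sites": {off: bytes(text[off:off + len(HOOK_BYTES)]) for off in sites},
        "digest": hashlib.sha256(text).hexdigest(),
    }


def check_integrity(text: bytearray, baseline: Dict[str, object]) -> Dict[str, object]:
    """Report which hook sites no longer hold their stub and whether the region
    as a whole still matches the recorded digest."""
    sites: Dict[int, bytes] = baseline["sites"]  # type: ignore[assignment]
    tampered = [off for off, expected in sites.items()
                if bytes(text[off:off + len(expected)]) != expected]
    intact = hashlib.sha256(text).hexdigest() == baseline["digest"]
    return {"tampered_sites": tampered, "region_intact": intact}


def demo() -> Dict[str, Dict[str, object]]:
    """Build a constructed region, hook it, then overwrite one site and recheck."""
    text = bytearray(b"\x90" * 64)  # constructed: 64 single-byte NOPs
    baseline = install_hooks(text, [8, 32])
    before = check_integrity(text, baseline)
    text[32:37] = b"\x90" * 5        # simulate the second hook site being overwritten
    after = check_integrity(text, baseline)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The per-site comparison names the exact hook that was disturbed, while the digest catches writes anywhere else in the region; a check that only looked at hook sites would miss patches placed between them.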
