Easy AntiCheat Mouse Move Bypass

good morning! seb here, and welcome back to the blog.

today we’re looking at something that honestly shocked me with how simple it was: a logic flaw in easy anti-cheat’s driver detection. it’s related to the interception framework, which is commonly used in input-based cheats (aimbots, recoil control, etc.). the flaw lets those cheats slide right past eac, all because of a lazy filename check.

please note that anything listed in these articles was disclosed to the epic team and patched before posting.


how i found it

as usual, i started by analyzing what eac queries during launch after this patch. i was pretty surprised that after 5 years or so they finally decided to do something about it. i looked at what drivers it's scanning for. by testing against interception, i noticed that eac seemed to care only about two specific names:

  • keyboard.sys

  • mouse.sys

and that’s it. no signature verification, no hash check. it was literally looking for just those names. however, i did try replacing them with fake files of the same name, and the game still let me load, so they do check whether a loaded module is linked to that file path.


the logic bypass

once i saw that eac was only scanning those names, i figured, what happens if we just rename them?

turns out:

  • rename keyboard.sys to something like kbsys.sys

  • rename mouse.sys to something like msys.sys

  • launch the eac-protected game

and that’s it. the interception drivers are fully functional. eac doesn’t unload them, no warnings, you just get to use it.

after closing the game, you can even rename the drivers back to their original names to restore normal behavior so you don't bug out next restart. this proves eac isn’t validating the contents of the drivers, just checking static names at boot time.


what this means:

this is a BAD logic flaw in eac's detection:

  • no content verification

  • no signature or hash checks

  • no check for interception devices themselves

  • only relying on filename + module link

it’s an extremely lazy check from them, and it breaks completely with a single rename.


how eac could’ve done it better

instead of relying on filenames, they could’ve done a runtime check for the actual interception interfaces. example: in usermode, you can do something like this:

this is straight from my poc and checks if interception devices are live. way harder to bypass than looking at names on disk.
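the poc snippet itself isn't reproduced here, so here's an added example of the same idea (my own illustration, not eac's code and not the author's poc). it assumes the interception user-mode library reaches its drivers through device objects named `\\.\interception00` through `\\.\interception19` (10 keyboard + 10 mouse), which is an assumption from memory of that library, not something the post states. it probes those names with `CreateFileW` and treats anything other than a not-found error as "device is live", because an access-denied or sharing-violation answer still means something is registered under that name. it also shows the other check the post says is missing: hashing loaded driver images so a rename changes nothing. the sample image bytes and the fake probe used off-windows are constructed.

```python
import hashlib
import sys

# Win32 error codes that prove a device object does NOT exist. Any other
# outcome (success, ERROR_ACCESS_DENIED, ERROR_SHARING_VIOLATION, ...) means
# something answered to that name, which is what a runtime check cares about.
ERROR_FILE_NOT_FOUND = 2
ERROR_PATH_NOT_FOUND = 3
ABSENT_ERRORS = {ERROR_FILE_NOT_FOUND, ERROR_PATH_NOT_FOUND}

# Assumption: the Interception user-mode library talks to its drivers through
# device objects \\.\interception00 .. \\.\interception19 (10 keyboard + 10 mouse).
MAX_INTERCEPTION_DEVICES = 20


def interception_device_names(count=MAX_INTERCEPTION_DEVICES):
    """Symbolic link names the driver is expected to create; independent of the .sys filename."""
    return [rf"\\.\interception{i:02d}" for i in range(count)]


def win32_probe(device_path):
    """Try to open a device symlink with CreateFileW. Returns 0 on success, else GetLastError().
    Windows only; kept inside a function so the module still imports elsewhere."""
    import ctypes
    GENERIC_READ = 0x80000000
    OPEN_EXISTING = 3
    INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p]
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.CreateFileW(device_path, GENERIC_READ, 0, None, OPEN_EXISTING, 0, None)
    if handle is None or handle == INVALID_HANDLE_VALUE:
        return ctypes.get_last_error()
    k32.CloseHandle(handle)
    return 0


def live_interception_devices(probe, names=None):
    """Return the device names that are live right now. probe(name) -> 0 or a Win32 error code."""
    present = []
    for name in (names if names is not None else interception_device_names()):
        # Only a not-found error proves absence; a denied or busy open still proves presence.
        if probe(name) not in ABSENT_ERRORS:
            present.append(name)
    return present


def flagged_driver_images(loaded_drivers, blocklist_sha256):
    """Content check: hash each loaded driver image and ignore its filename entirely.
    loaded_drivers is a list of (filename, image_bytes)."""
    return [name for name, image in loaded_drivers
            if hashlib.sha256(image).hexdigest() in blocklist_sha256]


# Constructed sample data so the block runs offline (not real driver images).
SAMPLE_IMAGE = b"MZ" + b"constructed-interception-like-image" * 4
BLOCKLIST = {hashlib.sha256(SAMPLE_IMAGE).hexdigest()}


def fake_probe(name):
    """Constructed stand-in for non-Windows runs: pretends one keyboard device object is live."""
    return 0 if name.endswith("interception00") else ERROR_FILE_NOT_FOUND


if __name__ == "__main__":
    probe = win32_probe if sys.platform == "win32" else fake_probe
    print("live interception devices:", live_interception_devices(probe))
    print("drivers flagged by content, not name:",
          flagged_driver_images([("mouse.sys", SAMPLE_IMAGE), ("msys.sys", SAMPLE_IMAGE),
                                 ("other.sys", b"MZ unrelated")], BLOCKLIST))
```

run it on a windows box and it uses the real `CreateFileW` probe; anywhere else it falls back to the constructed probe so you can see the decision logic. the point of both functions is that neither looks at what the file is called on disk, so the rename in the previous section doesn't change their answer.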


impact

this lets any cheat that relies on interception keep working. cheats and even colorbots all bypass eac by default now.

not only is this a security issue, it’s a reputation risk. players expect protection, not basic oversights. if this flaw gets passed around, it could lead to more widespread abuse and a drop in trust for protected titles.
