YouMayPasser is an x64 implementation of Gargoyle (https://github.com/JLospinoso/gargoyle)
BLOG POST HERE: https://www.arashparsa.com/bypassing-pesieve-and-moneta-the-easiest-way-i-could-find/
It contains several parts.
- Lockd: This is the main Gargoyle component
- sRDI-Master: This has been slightly re worked to provide a free mechanism.
- test.profile: This sample profile shows required options to work
- ShellcodeRDI.py: This is the altered python generator with the new sRDI assembly
Below are a list of current IOCs
- The new sRDI assembly can of course by statically detected in memory.
- The DLL loads are leveraged in order to obtain the required ropgadgets, these can all be monitored and alerted on
- VEH Handlers constantly getting created and deleted not originating from disk (These get removed on sleep so it cannot be detected on sleep)
- VEH Handlers getting created that aren't generated from disk
- The SetThreadContext injection leveraged to spoof the start address is in itself suspicious as these calls are often only used by debuggers
I will fix none of these issues. This is nothing more than an x64 gargoyle POC to demonstrate how it can be leveraged to bypass PeSieve and Moneta.
- Ret address spoofing - Namaszo (https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html)
- Timer sleep - computerBeat (https://blat-blatnik.github.io/computerBear/making-accurate-sleep-function/)
- VEH Hooks - CheatEngine Forums https://www.cheatengine.org/forum/viewtopic.php?t=610689&sid=c329059fbe5c36ef296bce5ef72decfc