EMACLAB Anticheat Driver, Final Part: Conclusion

  • File Name: EMAC-Driver-x64.sys
  • TimeDateStamp: 0x67CAFFCE (Friday, 7 March 2025 14:16:46 GMT)
  • Protector: VMProtect 3.8+

What does it do?

  • InfinityHook — Intercepts 14 syscalls via ETW abuse to monitor and block unauthorized process/memory access
  • Inline Hooks — 6 kernel function hooks under test-signing mode (KeAttachProcess, MmCopyVirtualMemory, etc.)
  • Anti-virtualization — 10+ hypervisor detection checks (LBR, CPUID timing, synthetic MSR, PCI vendor IDs, XSETBV)
  • Hardware Fingerprinting — TPM queries, SecureBoot verification, PCI device enumeration, CLASSPNP dispatch hooks for disk serial numbers
  • Minifilter — FSFilter altitude 363570, intercepts image loading with CI.dll-based Authenticode signature verification
  • Certificate Blacklist — 14 known cheat-related certificate signer names blocked
  • Driver Blacklist — 11 patterns checked against MmUnloadedDrivers and PiDDBCache (BlackBone, Process Hacker, API Monitor, etc.)
  • Object Callbacks — Handle stripping via ExEnumHandleTable, removing VM_READ/VM_WRITE/VM_OPERATION from unauthorized handles
  • BigPool Scanning — Detects manually-mapped drivers by checking PE signatures and ntoskrnl import count (9-79 threshold)
  • Aimbot Heuristics — Novel float constant detection (14 IEEE 754 values, >5 threshold)
  • Suspicious Import Detection — Scans module import tables for 11 commonly-abused APIs (>4 threshold)
  • Syscall Integrity Monitoring — Compares 8 syscall handlers against clean ntoskrnl copy from disk
  • System Table Integrity — Verifies HalPrivateDispatchTable, gDxgkInterface, KdDebuggerDataBlock
  • Physical Memory Walking — Full 4-level page table walking to find RWX pages and manually-mapped code
  • Self-integrity — Compares in-memory driver image against XOR-encrypted disk copy
  • DLL Injection — Kernel-mode injection of EMAC client DLL via NtCreateThreadEx + LoadLibraryW
  • IOCTL Communication — Code 0x1996E494, METHOD_NEITHER, minimum output buffer 0x180C bytes
  • Blocks simulated input — NtUserSendInput hook blocks ALL simulated mouse/keyboard input

There is a lot of interesting stuff that can be looked at in the .IDB file, I suggest doing that :)

Conclusion

This anticheat surprised me; it was really cool to reverse engineer. With 931 total functions (145 named with the Emac prefix) and heavy VMProtect 3.8+ virtualization, it represents a significant engineering effort. The driver employs a layered defense approach combining syscall interception, kernel integrity monitoring, hardware fingerprinting, and heuristic-based cheat detection.

Some of the more novel techniques — like the aimbot float constant heuristic, BigPool PE import counting, and CLASSPNP dispatch hooking for hardware fingerprinting — show creative approaches to anti-cheat problems. The InfinityHook usage for fixing Steam handle system holes is also an unusual choice that most anti-cheats avoid.
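As an added illustration of the aimbot float constant heuristic listed above (this is not code from the post or from EMACLAB), the check can be expressed as a byte-pattern scan over a module image. The post does not list EMAC's 14 values, so the constant set and the sample buffer below are placeholders I constructed; only the ">5 distinct constants" threshold comes from the post.

```python
import struct
from typing import Iterable

# Placeholder constant set (assumption): the post does not list the 14 values
# EMAC checks, so these are typical aim-math floats chosen for illustration.
PLACEHOLDER_CONSTANTS = [
    0.0174532925, 57.2957795,     # degrees<->radians
    180.0, 360.0, 89.0, 90.0,     # angle clamps
    0.5, 1.0, 100.0, 3.14159265,
    0.01, 0.1, 1000.0, 0.25,
]
THRESHOLD = 5  # from the post: flag when more than 5 distinct constants are found


def encode_float32(value: float) -> bytes:
    """Little-endian IEEE 754 single-precision encoding, as an x86-64 immediate or data word."""
    return struct.pack("<f", value)


def count_float_constants(blob: bytes, constants: Iterable[float]) -> dict:
    """Return {constant: occurrences} for every constant whose 4-byte encoding occurs in blob.

    bytes.count() scans every byte offset, not just 4-aligned ones, which matters
    because float immediates embedded in instructions are usually unaligned.
    """
    hits = {}
    for c in constants:
        n = blob.count(encode_float32(c))
        if n:
            hits[c] = n
    return hits


def is_suspicious(blob: bytes, constants=PLACEHOLDER_CONSTANTS, threshold=THRESHOLD) -> bool:
    """Heuristic verdict. Generic values like 1.0 or 0.5 occur in any float code, so the
    distinct-constant threshold, not a single match, is what keeps false positives down."""
    return len(count_float_constants(blob, constants)) > threshold


def build_sample(values: Iterable[float]) -> bytes:
    """Constructed sample image: `push rbp; mov rbp,rsp` followed by one
    `mov dword ptr [rbp-4], imm32` (C7 45 FC imm32) per value, so every
    immediate lands at an unaligned offset."""
    out = bytearray(b"\x55\x48\x89\xe5")
    for v in values:
        out += b"\xc7\x45\xfc" + encode_float32(v)
    return bytes(out)
```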

We must take into account that the kernel driver does not work alone: the usermode DLL (EMAC-CS-Client-x64.dll) provides additional protection, and the IOCTL communication channel (0x1996E494) allows bidirectional data exchange between the components. It is not behind competitors in the market such as BattlEye, but it does not have a system as solid as EasyAntiCheat or its direct competitor FACEIT.

EMACLAB Reversal