EAC Thread Bypass in 1line 💀

PoC.cpp

const std::uint64_t current_thread = reinterpret_cast<std::uint64_t>(current_thread);
*reinterpret_cast<ULONG*>(current_thread + 0x560) = FALSE; // this offset is for my OS version which is windows 11 23h2, you can get offsets at https://www.vergiliusproject.com/
dbg("thread dbg status %i\n", PsIsThreadTerminating(current_thread));


//now the 1line version (meme):
*reinterpret_cast<ULONG*>(reinterpret_cast<std::uint64_t>(KeGetCurrentThread()) + 0x560) = FALSE;

PoC.md

Skip EAC thread detection PoC

If you look at what EAC does in IDA on their thread detection once you've devirtualized their driver You'll see the detection function will bugcheck/get out if

if ( !(unsigned __int8)PsIsThreadTerminating(threadObject)

Now, how does this actually work? PsIsThreadTerminating returns the byte

ULONG _ETHREAD::Terminated

https://doxygen.reactos.org/dc/d4d/ntoskrnl_2ps_2thread_8c_source.html#l00868

The function itself is just a bytecheck, and this byte doesnt actually initialize the thread termination function but more like the thread termination function initializes the byte.

What is the PoC?

Look at the following file, of course its just code scrambled as i didnt use an ide to write that part but it has been tested on my hypervisor that i use for debugging and indeed works. (i tested numerous calls etc without writing any code just plain debugging)

EDIT:

there is absolutely no else condition on the terminating check execution

nothing will be debugged or sent to server about that

glhf cant wait for eac fix ^^

thank you for this bro