
A little teaser of what is to come :)


That thread was a salty read… they are having opposing opinions about it lol

So there is more than one way to check if you are running in a virtualized environment? Well, if there is, I guess that’ll be hard to spoof.

So it’s probably something that’ll be more of an annoyance than anything else, depending on how frequently it’ll happen of course.


Yeah, but Valve made it clear that they saw cheaters using virtualization to hook into the game “invisibly,” so they’re outlawing virtualization.


Outlawing? Doesn’t it just pop up with errors as they said?


No, they claim to have seen code writers for aimbot hooks using virtualization, so they’re outlawing all virtualization.


Time to find ways to hide from the guest that it’s on a VM…


PC mustard race in action, as shown in that steam thread.

Please create a linux pci passthrough race.


We can dream, can’t we? :cold_sweat:


It’s possible as on the host you could access the guest’s ram without it knowing about it, dumping out entity information for esp type hacks.

What is stupid is, if someone truly wants to hack using a VM and has this level of technical competency, it’s not hard to get a driver signing cert for personal use and write yourself a signed driver for this purpose without the hassle of a VM.


I wish business dudes were interested in that though, the fight is going to be about hostility towards virtualization because it’s easier to do in userland


Hi guys noob here. Just a question (or two). Considering that the guest is writing to a part of ram and the host is reading from that same part of ram, would that open this up for possible security risks?
Also, how much ram would the guest need to have to be dedicated as the “framebuffer”? I would assume based on what I’ve read from the previous posts, around 600MB more for 1080p?
Also sorry if the questions were really simple ones, as I’m really out of my depth here, but I just want to understand this amazing project as much as I can.


Yes, so we have to treat it like any other source of un-trusted data. The biggest risk is the guest writes invalid frame information into the segment which overflows something in the host. A few simple range checks cover this though.

That’s MB/s, not frame size. The calculation is simple:

width * height * (bpp / 8)

So 1080p is

1920 * 1080 * (32/8) = 8294400 bytes
8294400 / 1024 / 1024 = 7.91 MiB

We need room for two frames, so double that.
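As an added example (not Looking Glass’s own code), here is what "treat it like any other source of untrusted data" looks like on the host side: the frame header the guest wrote into the shared segment is range-checked (dimensions, bpp, stride, offset) before a single pixel byte is read, and the size arithmetic is done in 64 bits so it cannot wrap. The FrameHeader layout, the MAX_DIM bound and the segment size are assumptions for this example, not the real KVMFR structures.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical layout of the per-frame header the guest writes into the
 * shared segment. Field names are assumptions for this example, not the
 * real Looking Glass (KVMFR) structures. */
typedef struct {
    uint32_t width;   /* pixels */
    uint32_t height;  /* pixels */
    uint32_t bpp;     /* bits per pixel, as claimed by the guest */
    uint32_t pitch;   /* bytes per row, as claimed by the guest */
    uint64_t offset;  /* byte offset of pixel data inside the segment */
} FrameHeader;

#define MAX_DIM 16384u  /* constructed sanity bound on width and height */

/* width * height * (bpp / 8); returns 0 when the parameters are unusable. */
uint64_t frame_size(uint32_t width, uint32_t height, uint32_t bpp) {
    if (width == 0 || height == 0 || width > MAX_DIM || height > MAX_DIM) return 0;
    if (bpp != 24 && bpp != 32) return 0;
    return (uint64_t)width * height * (bpp / 8);   /* 64-bit: cannot overflow */
}

/* Two frames, so one can be written while the other is being read. */
uint64_t segment_needed(uint32_t width, uint32_t height, uint32_t bpp) {
    return frame_size(width, height, bpp) * 2;
}

/* Host-side check before touching any pixel data the guest described. */
bool frame_header_valid(const FrameHeader *h, uint64_t segment_size) {
    if (frame_size(h->width, h->height, h->bpp) == 0) return false; /* dims/bpp sane */
    uint64_t row = (uint64_t)h->width * (h->bpp / 8);
    if (h->pitch < row || h->pitch > MAX_DIM * 4u) return false;   /* stride covers a row */
    uint64_t frame_bytes = (uint64_t)h->pitch * h->height;
    /* Subtract instead of adding so offset + frame_bytes can never wrap. */
    if (h->offset > segment_size) return false;
    return frame_bytes <= segment_size - h->offset;
}

/* Convenience wrapper so callers can pass the header fields as scalars. */
bool check_frame(uint32_t w, uint32_t h, uint32_t bpp, uint32_t pitch,
                 uint64_t offset, uint64_t segment_size) {
    FrameHeader hdr = { w, h, bpp, pitch, offset };
    return frame_header_valid(&hdr, segment_size);
}
```

frame_size(1920, 1080, 32) gives the 8294400 bytes from the post, and segment_needed doubles it for the two-frame segment.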


Interesting, but as soon as something else shows in the RAM of the guest, wouldn’t that be gg, as that’s what VAC would be scanning through?

Wouldn’t the idea be to hack without tampering anything on the guest system so it looks clean to anti-cheat tools. I could be dead wrong as I don’t know too much.


AntiCheat in general is in a laughable state, it is very easy to write something that still works. Once you have access to ram on that level it’s game over as the guest has no indication that you do.

You also don’t need to alter it… i.e., ESP, just read out the entity information; nothing is changed and as such there is nothing to detect.

Also, if you did alter things, memory scans are expensive, and in a real-time FPS game could cause so much lag the game would be unplayable (i.e., the new Assassin’s Creed game). The scans have to be rare, and targeted.

You could also patch the scanner…

Edit: You could even trap the reads to the altered pages of memory and reverse the change before returning control to the guest.

I once many years ago reverse engineered a very popular game engine’s net code so that I could inspect player actions on the server for my own anti-cheat implementation. While I did this for good (detect teleporters, speed hacks, etc), if the knowledge was out there it would be usable for another completely undetectable ESP hack that could be done by just sniffing network traffic on your lan from another PC.

While this sounds complex and like nobody else would do this… my foot in the door for this technique came from someone else that published the decryption algo for the protocol, specifically so that others could write cheats to use it.


Ahhh yes, that makes sense.

So I guess it depends on the effort that they are willing to go to in order to make a near “undetectable” hack. As it (in CSGO’s case) is a low-effort cash grab for those who are making the hacks.


You missed the point… this is the holy grail of hacks, it is completely undetectable. The only way I can see games preventing abuse this way would be to encrypt the ram… but overheads would be enormous, and at some point it will still need to be decrypted to be processed…


Oh sorry, yeah I think I now understand what you are on about, very interesting stuff either way… thanks for putting up with my incompetence. :smiley:


Today’s Looking Glass Updates:

  • The client had a major re-write to clean up the mess of experimental code. A renderer abstraction layer was added to provide a fallback to SDL_Textures should the host hardware not support GL_ARB_buffer_storage.
  • The host went through some performance improvements along with some code cleanup.

And here is where it stands at today.

  • GTX680 connected to a total of four monitors, three of which are identical.
  • GTX1080Ti passed into the guest, plugged into the secondary of one of the monitors for testing.
  • Keyboard and mouse is being sent via Spice

With VSync enabled on the host (client), it is possible to see at most 16ms of latency, depending on how closely the two GPUs are synchronized. At best 1-2ms. For optimal performance, if we could control it (which we can’t, so don’t ask) you want the host GPU refresh around 2ms after the guest GPU.

With VSync disabled, obviously we get tearing, but latency is so low I can’t measure it. I turned the hardware cursor back on on the host, and the guest, which shows perfect alignment at any rate of movement. This shows we are as optimal as possible now with sync.

If 16.7ms latency is too long for you, either turn off vsync, or run a 120Hz monitor or better:

  • 1000ms / 60Hz = 16.7ms
  • 1000ms / 120Hz = 8.3ms
  • 1000ms / 144Hz = 7.0ms
  • 1000ms / 240Hz = 4.2ms

Note that these are worst case figures, most frames arrive before this, with vsync enabled the average at 60Hz is around 8-10ms. I also can not test above 60Hz as I do not have any monitors capable of higher. I can affirm though that Looking Glass is capable of > 200FPS at minimal CPU load.


I wonder if there’s a market out there for a piece of software and hardware that looks at a webcam pointed at the monitor in some kind of fps, computes where to move and who to shoot at, and pretends to be a mouse and keyboard.


Does the VM side code run early enough that you can log in without using the real monitor?

I currently use an HDMI switch, but that disconnects the monitor when switching, so I will likely just use one of those EDID emulation plugs.


The Windows Vista and later security model doesn’t allow you to perform desktop interaction from a service anymore, so the earliest it can happen is after the user logs in.