Browse by type
When the EasyAntiCheat driver is initialized, it walks through each loaded driver's read-only sections with MmCopyMemory to ensure that malicious patches have not taken place. But, EasyAntiCheat has a slight oversight resulting in certain drivers, known as session drivers, to not be accounted for during these initial scans. From my debugging, EasyAntiCheat entirely skips session drivers and does not make any attemps to ensure their integrity.
In short, session drivers are drivers that are not globally mapped to every address space, such as the address space EasyAntiCheat's driver is executing under. This allows us to freely patch such drivers without any consequences.
EasyAntiCheat can easily patch this method by attaching to a process that has such drivers mapped into its address space, such as the explorer process.
$ claude mcp add eac-mapper \
-- python -m otcore.mcp_server <graph>