Forensic research from the field
Case studies, detection methodologies, and artifact-chain breakdowns from the Clubhouse AC research team. We publish what we learn investigating real cheat ecosystems — kernel-mode tooling, anti-forensic suites, hardware DMA boards, and the techniques used to evade live anti-cheats.
Featured
Latest case studies
PC Checking Methods — Tiered Forensic Methodology
A complete methodology for PC checks (screenshares, "SS") organised into five escalating tiers: a 10-minute foundation triage of execution artifacts and persistence locations; deep-dive NTFS reconstruction; memory forensics; court-grade DFIR with full disk imaging and chain of custody; and overwrite-bypass detection with cross-source contradiction analysis. Catalogues 130+ techniques across Windows artifacts, the parsers that read them, and the bypass patterns seen against each.
Detecting BYOVD Chains Through Kernel Callback Forensics
Bring-Your-Own-Vulnerable-Driver attacks load legitimately signed but exploitable kernel drivers (mhyprot2.sys, GIGABYTE gdrv.sys, Dell dbutil_2_3.sys) and use the arbitrary kernel memory access they expose to unregister the notification callbacks that EDR and anti-cheat telemetry depend on. We document a forensic methodology that reconstructs the load order, the callback unregistration, and signing-chain anomalies after the driver has been unloaded, when only USN journal traces, registry remnants (the driver's Services key and the hive transaction logs) and Prefetch artifacts remain.
Reconstructing Cheat Execution After Cleaner-Tool Sweeps
Cheat-cleaner utilities (BleachBit forks, custom .bat scripts, PrivaZer presets) wipe the obvious execution traces: Prefetch, BAM, recent documents. We show how Amcache, ShimCache (AppCompatCache), RecentFileCache.bcf on Windows 7 era hosts, and the registry transaction logs (.LOG1/.LOG2) preserve enough fragments to reconstruct a complete execution timeline for the Eulen FiveM executor family with 47-second resolution. One caveat for live triage: ShimCache is only serialised to the registry at shutdown, so a hive read from a running system can lag the most recent executions.
All research notes
Methodology & detection
MFT $SI vs $FN: Detecting Timestomping on NTFS
Timestomping tools rewrite the timestamps in $STANDARD_INFORMATION, which is all that SetFileTime can reach, but typically leave $FILE_NAME alone: its timestamps are written by NTFS only when the file is created, renamed, or moved. We detail a $SI/$FN delta rule that flagged 100% of timestomp attempts in our corpus of 312 known cheat-loader samples, including subsecond manipulation that evades naive whole-second timestamp checks.
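As an added worked example (not the scanner's rule and not code from the page), the delta rule applied to four constructed MFT records. It assumes the $SI and $FN attributes have already been parsed into FILETIME integers; the `stamps` helper, the sample file names and every timestamp are invented for the illustration:

```python
"""$SI vs $FN timestomp rule over parsed MFT records (constructed sample data).

Added example, not the Clubhouse AC scanner's rule. Assumes $STANDARD_INFORMATION
and $FILE_NAME have already been parsed into FILETIME integers.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME counts 100 ns ticks


def to_filetime(dt):
    """UTC datetime -> 64-bit FILETIME (100 ns ticks since 1601-01-01)."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def stamps(created, modified=None, mft_modified=None, accessed=None):
    """Four-timestamp dict; unspecified fields default to 'created'."""
    return {
        "created": to_filetime(created),
        "modified": to_filetime(modified or created),
        "mft_modified": to_filetime(mft_modified or created),
        "accessed": to_filetime(accessed or created),
    }


def check_record(rec):
    """Return the anomaly reasons for one record (empty list = clean)."""
    si, fn = rec["si"], rec["fn"]
    reasons = []
    # $FN is rewritten only on create/rename/move and SetFileTime cannot reach
    # it, so $SI running *earlier* than $FN means $SI was pushed back after the
    # last $FN write.
    if si["created"] < fn["created"]:
        reasons.append("SI.created precedes FN.created")
    if si["modified"] < fn["modified"]:
        reasons.append("SI.modified precedes FN.modified")
    # Second-granular tools leave every $SI value on a whole-second boundary
    # while $FN keeps the kernel's 100 ns fraction.
    si_whole = all(v % TICKS_PER_SECOND == 0 for v in si.values())
    fn_fraction = any(v % TICKS_PER_SECOND != 0 for v in fn.values())
    if si_whole and fn_fraction:
        reasons.append("SI has zero sub-second fraction while FN does not")
    return reasons


def scan(records):
    return {rec["name"]: check_record(rec) for rec in records}


T0 = datetime(2024, 3, 2, 14, 5, 33, 123456, tzinfo=timezone.utc)
SAMPLE_RECORDS = [  # constructed, not real $MFT data
    # untouched file: $SI and $FN agree
    {"name": "game.exe", "si": stamps(T0), "fn": stamps(T0)},
    # backdated with a second-granularity tool (SetFileTime wrapper)
    {"name": "loader.exe",
     "si": stamps(datetime(2019, 6, 1, 9, 0, 0, tzinfo=timezone.utc)),
     "fn": stamps(T0)},
    # backdated with a fake sub-second fraction; the granularity check alone misses it
    {"name": "inject.dll",
     "si": stamps(datetime(2022, 11, 9, 3, 17, 41, 654321, tzinfo=timezone.utc)),
     "fn": stamps(T0)},
    # legitimately edited after its last rename: $SI later than $FN is normal
    {"name": "config.ini",
     "si": stamps(T0, modified=T0 + timedelta(days=3),
                  mft_modified=T0 + timedelta(days=3),
                  accessed=T0 + timedelta(days=3)),
     "fn": stamps(T0)},
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_RECORDS).items():
        print(f"{name:12s} {'CLEAN' if not reasons else '; '.join(reasons)}")
```

One caveat worth keeping next to the rule: a rename or move rewrites $FN from the current $SI values, so a sample that was timestomped before it was moved into place passes this check. Pairing the rule with USN journal rename records closes that gap.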
DMA Hardware Fingerprinting: PCILeech and Squirrel Detection
Hardware DMA cheats (PCILeech, Squirrel, custom FPGA boards) advertise themselves on the PCIe bus through their Vendor/Device IDs, BAR layout, and configuration-space anomalies. Because boards commonly clone the IDs of a real capture card, the IDs alone are not enough: we catalogue the signatures of seven publicly sold DMA boards and document a configuration-space probe that distinguishes legitimate capture cards from attack hardware.
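As an added example, not the page's probe or its signature set, a parser for a raw type-0 configuration-space dump with a handful of illustrative consistency heuristics. Vendor ID 0x10EE is the PCI-SIG-assigned Xilinx ID; every other ID, the BAR values and the `build_config` helper that assembles the sample dumps are made up. A static dump cannot size the BARs (that needs the write-all-ones probe on live hardware), so the example looks only at header consistency:

```python
"""Parse a raw PCI type-0 configuration-space dump and flag inconsistencies.

Added example, not the page's probe. Heuristics are illustrative; IDs other
than the PCI-SIG-assigned Xilinx vendor ID 0x10EE are made up.
"""
import struct

XILINX_VENDOR_ID = 0x10EE          # stock ID of an unmodified Xilinx PCIe core
STATUS_CAP_LIST = 0x0010           # status register bit 4: capability list present
CAP_NAMES = {0x01: "PM", 0x05: "MSI", 0x10: "PCIe", 0x11: "MSI-X"}


def build_config(vendor, device, class_code, bars, subsys_vendor, subsys_id,
                 caps, caps_bit=True):
    """Assemble a 256-byte type-0 header (constructed test input only)."""
    cfg = bytearray(256)
    struct.pack_into("<HH", cfg, 0x00, vendor, device)
    struct.pack_into("<HH", cfg, 0x04, 0x0006, STATUS_CAP_LIST if caps_bit else 0)
    cfg[0x08] = 0x01                                   # revision
    cfg[0x09] = class_code & 0xFF                      # prog-if
    cfg[0x0A] = (class_code >> 8) & 0xFF               # subclass
    cfg[0x0B] = (class_code >> 16) & 0xFF              # base class
    for i, bar in enumerate(bars[:6]):
        struct.pack_into("<I", cfg, 0x10 + 4 * i, bar)
    struct.pack_into("<HH", cfg, 0x2C, subsys_vendor, subsys_id)
    ptr = 0x40                                         # capability chain, 16 bytes apart
    cfg[0x34] = ptr if caps else 0
    for n, cap_id in enumerate(caps):
        cfg[ptr], cfg[ptr + 1] = cap_id, (ptr + 0x10 if n + 1 < len(caps) else 0)
        ptr += 0x10
    return bytes(cfg)


def decode_bar(raw):
    """Bit 0 selects I/O vs memory; bits 2:1 give 32/64-bit; bit 3 prefetchable."""
    if raw & 1:
        return {"type": "io", "base": raw & ~0x3}
    width = 64 if (raw >> 1) & 0x3 == 0b10 else 32
    return {"type": "mem", "width": width, "prefetch": bool(raw & 0x8), "base": raw & ~0xF}


def parse_config(cfg):
    vendor, device = struct.unpack_from("<HH", cfg, 0x00)
    status = struct.unpack_from("<H", cfg, 0x06)[0]
    bars, i = [], 0
    while i < 6:
        raw = struct.unpack_from("<I", cfg, 0x10 + 4 * i)[0]
        if raw == 0:
            i += 1
            continue
        bar = decode_bar(raw)
        bar["index"] = i
        if bar["type"] == "mem" and bar["width"] == 64 and i < 5:
            bar["base"] |= struct.unpack_from("<I", cfg, 0x14 + 4 * i)[0] << 32
            i += 1                                      # upper half consumed
        bars.append(bar)
        i += 1
    subsys_vendor, subsys_id = struct.unpack_from("<HH", cfg, 0x2C)
    caps, seen, truncated = [], set(), False
    ptr = cfg[0x34] & 0xFC
    while ptr and ptr not in seen and ptr + 1 < len(cfg):
        seen.add(ptr)
        if cfg[ptr] == 0:                               # pointer into empty space
            truncated = True
            break
        caps.append(cfg[ptr])
        ptr = cfg[ptr + 1] & 0xFC
    return {"vendor": vendor, "device": device,
            "class": (cfg[0x0B], cfg[0x0A], cfg[0x09]),
            "bars": bars, "subsys_vendor": subsys_vendor, "subsys_id": subsys_id,
            "status_caps": bool(status & STATUS_CAP_LIST),
            "caps": caps, "caps_truncated": truncated}


def assess(p):
    """Illustrative consistency heuristics; not the page's signature set."""
    findings = []
    if p["vendor"] == XILINX_VENDOR_ID:
        findings.append("stock Xilinx vendor ID: FPGA core never re-branded")
    if p["subsys_vendor"] in (0x0000, 0xFFFF):
        findings.append("subsystem vendor ID unset")
    if p["status_caps"] and not p["caps"]:
        findings.append("status advertises a capability list but none is linked")
    if p["caps_truncated"]:
        findings.append("capability chain points into empty config space")
    if p["class"][0] == 0x04 and not ({0x05, 0x11} & set(p["caps"])):
        findings.append("multimedia-class device without MSI/MSI-X")
    if not p["bars"]:
        findings.append("no BARs programmed")
    return findings


SAMPLES = {  # constructed dumps; IDs other than 0x10EE are hypothetical
    "capture-card": build_config(0x1AB2, 0x0101, 0x040000,
                                 bars=[0xF7E00000, 0xF7D0000C, 0x00000000, 0x0000E001],
                                 subsys_vendor=0x1AB2, subsys_id=0x0202,
                                 caps=[0x01, 0x05, 0x10]),
    "fpga-board": build_config(XILINX_VENDOR_ID, 0x0007, 0x040000, bars=[0xF7C00000],
                               subsys_vendor=XILINX_VENDOR_ID, subsys_id=0x0007,
                               caps=[0x10]),
    "broken-chain": build_config(0x1AB2, 0x0303, 0x040000, bars=[0xF7B00000],
                                 subsys_vendor=0x0000, subsys_id=0x0000, caps=[]),
}


def scan(samples):
    return {name: assess(parse_config(cfg)) for name, cfg in samples.items()}


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "->", findings or "no anomalies")
```

The value of a probe like this is in the combination: a cloned Vendor/Device ID survives an ID lookup, but a cloned card rarely reproduces the donor's capability chain, subsystem IDs and BAR set exactly.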
HWID Spoofer Rotation Detection via SMBIOS + ACPI Cross-Reference
HWID spoofers rotate the visible identifiers (MachineGuid, MAC address, disk serials) but rarely touch every cross-domain identifier consistently. We correlate SMBIOS Type 1/2/3 (System, Baseboard, Chassis) fields against ACPI _UID values, EFI variables, and TPM endorsement key certificates to surface rotation events even when each identifier looks clean on its own.
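As an added example (not the page's correlation engine), a parser for the SMBIOS Type 1, 2 and 3 structures and a baseline diff that flags the partial-rotation pattern. The table bytes, manufacturer strings, serials, the ACPI _UID and the TPM EK fingerprint stand-in are all constructed; `build_struct`, `sample_table` and the key names are invented for the illustration:

```python
"""Parse SMBIOS Type 1/2/3 and diff hardware identifiers against a baseline.

Added example, not the page's correlation engine. Table bytes, strings,
serials and the TPM/ACPI values are constructed for the illustration.
"""
import struct
import uuid


def build_struct(stype, handle, formatted, strings):
    """Serialise one SMBIOS structure: header, formatted area, string-set."""
    header = bytes([stype, 4 + len(formatted)]) + struct.pack("<H", handle)
    if strings:
        strset = b"".join(s.encode("ascii") + b"\x00" for s in strings) + b"\x00"
    else:
        strset = b"\x00\x00"              # an empty string-set is two NULs
    return header + formatted + strset


def parse_table(table):
    """Walk the structure table; each structure ends with a double-NUL string-set."""
    structs, off = [], 0
    while off + 4 <= len(table):
        stype, length = table[off], table[off + 1]
        handle = struct.unpack_from("<H", table, off + 2)[0]
        formatted = table[off + 4:off + length]
        pos, strings = off + length, []
        if table[pos:pos + 2] == b"\x00\x00":
            pos += 2
        else:
            while table[pos] != 0:
                end = table.index(b"\x00", pos)
                strings.append(table[pos:end].decode("ascii", "replace"))
                pos = end + 1
            pos += 1                      # skip the set terminator
        structs.append({"type": stype, "handle": handle,
                        "formatted": formatted, "strings": strings})
        off = pos
        if stype == 127:                  # End-of-Table
            break
    return structs


def sref(formatted, strings, idx):
    """Resolve the 1-based string number stored at formatted[idx] (0 = none)."""
    n = formatted[idx] if idx < len(formatted) else 0
    return strings[n - 1] if 1 <= n <= len(strings) else ""


def hardware_ids(structs):
    """Pull the identifiers a spoofer has to keep consistent across Types 1/2/3."""
    ids = {}
    for s in structs:
        f, st = s["formatted"], s["strings"]
        if s["type"] == 1:                # System Information
            ids["system.manufacturer"] = sref(f, st, 0)
            ids["system.product"] = sref(f, st, 1)
            ids["system.serial"] = sref(f, st, 3)
            ids["system.uuid"] = str(uuid.UUID(bytes_le=bytes(f[4:20])))
        elif s["type"] == 2:              # Baseboard
            ids["baseboard.manufacturer"] = sref(f, st, 0)
            ids["baseboard.serial"] = sref(f, st, 3)
        elif s["type"] == 3:              # Chassis
            ids["chassis.serial"] = sref(f, st, 3)
    return ids


def detect_rotation(baseline, current):
    """A partial change across domains is the spoofer signature; all-or-nothing is not."""
    keys = sorted(set(baseline) | set(current))
    changed = [k for k in keys if baseline.get(k) != current.get(k)]
    if not changed:
        verdict = "consistent"
    elif len(changed) == len(keys):
        verdict = "all identifiers differ: new hardware or a full rotation"
    else:
        verdict = "partial rotation: rotated identifiers disagree with unchanged anchors"
    return {"changed": changed, "verdict": verdict}


def sample_table(system_serial, system_uuid):
    """Constructed table; only the Type 1 fields a spoofer rotates vary."""
    t1 = build_struct(1, 0x0001,
                      bytes([1, 2, 3, 4]) + uuid.UUID(system_uuid).bytes_le + bytes([0x06, 5, 6]),
                      ["Acme Systems", "Acme Desk 9000", "1.0", system_serial, "SKU-9000", "Desk"])
    t2 = build_struct(2, 0x0002,
                      bytes([1, 2, 3, 4, 5, 0x09, 6]) + struct.pack("<H", 0x0003) + bytes([0x0A, 0]),
                      ["Acme Boards", "AB-790", "2.1", "MB-7F3A19", "ASSET-0", "Internal"])
    t3 = build_struct(3, 0x0003,
                      bytes([1, 0x03, 2, 3, 4, 3, 3, 3, 3]) + struct.pack("<I", 0),
                      ["Acme Chassis", "1.0", "CH-22D8E1", "ASSET-1"])
    return t1 + t2 + t3 + build_struct(127, 0xFFFF, b"", [])


# Snapshot taken when the account was first seen, plus cross-domain anchors.
BASELINE = {**hardware_ids(parse_table(sample_table("SYS-0A1B2C3D", "6f1c9a2e-3b4d-4e5f-8a9b-0c1d2e3f4a5b"))),
            "acpi.uid": "0x1234", "tpm.ek_fingerprint": "ek-4d2f8a0c"}
# Snapshot after a spoofer run: Type 1 serial and UUID rotated, everything else untouched.
CURRENT = {**hardware_ids(parse_table(sample_table("SYS-9F8E7D6C", "0b9a8c7d-6e5f-4a3b-8c9d-0e1f2a3b4c5d"))),
           "acpi.uid": "0x1234", "tpm.ek_fingerprint": "ek-4d2f8a0c"}

if __name__ == "__main__":
    print(detect_rotation(BASELINE, CURRENT))
```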
PsSetCreateProcessNotifyRoutine: Detecting Callback Unhooking
Kernel-mode cheats unregister Windows process-creation callbacks to evade EDR telemetry. We walk the PspCreateProcessNotifyRoutine array post-mortem from a memory snapshot to identify gaps and replaced entries — including the signature pattern left by the public hwbp1 unhook PoC.
Detecting ETW Provider Tampering: Patch, Disable, and Spoof
Cheat loaders that patch EtwEventWrite to a bare return, disable providers via NtTraceControl, or forge event payloads leave structural traces in the ETW metadata tables and session descriptors. We enumerate four distinct tampering techniques observed in the wild and document the kernel-side consistency checks that detect each one without relying on the event stream itself.
Process Hollowing Detection via VAD and Section Object Cross-Reference
Process hollowing unmaps or overwrites a legitimate image's sections and replaces them with injected code, so the VAD (Virtual Address Descriptor) tree and the PEB stop agreeing: the region is either private memory where the PEB loader list still claims a mapped image, or an image mapping whose contents no longer match the on-disk binary. We detail a detection technique that cross-references the file object behind each image VAD (reached through its control area's FilePointer), the PEB Ldr InMemoryOrderModuleList, and the mapped section object hash to surface hollowed and stomped-image processes with a 1.8% false-positive rate on clean game populations.
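As an added illustration (not the page's detector), the three-way cross-reference run over a constructed process state: one module stomped in place, one image mapped but unlinked from the loader list, and one loader entry whose backing VAD is private memory. The inputs are what a memory-forensics parser would hand over; the VAD and Ldr records, the hashes, the device-to-drive map and the `check_process` helper are invented for the example:

```python
"""Cross-reference VAD image mappings, PEB Ldr entries and section hashes.

Added example, not the page's detector. Inputs are constructed: VAD records
(base, size, NT path of the backing file object or None for private memory,
image flag), PEB InMemoryOrderModuleList entries (base, size, DOS path), the
hash of each mapped image section, and the hash of each on-disk file. The hash
producer is assumed to have masked relocation and import slots already.
"""
DEVICE_MAP = {r"\Device\HarddiskVolume3": "C:"}     # assumed for the sample


def nt_to_dos(path):
    """VAD file objects carry NT device paths; the PEB carries DOS paths."""
    for dev, drive in DEVICE_MAP.items():
        if path.lower().startswith(dev.lower()):
            return drive + path[len(dev):]
    return path


def check_process(vads, ldr_entries, section_hashes, disk_hashes):
    """Return one finding per disagreement between the three views."""
    findings = []
    vad_by_base = {v["base"]: v for v in vads}
    ldr_by_base = {m["base"]: m for m in ldr_entries}

    # 1. What the loader list claims must be backed by an image VAD at that base.
    for base, m in ldr_by_base.items():
        v = vad_by_base.get(base)
        if v is None:
            findings.append(f"{m['path']}: Ldr entry has no VAD at {base:#x}")
        elif v["file"] is None:
            findings.append(f"{m['path']}: VAD at {base:#x} is private memory, not an image mapping (hollowed)")
        elif nt_to_dos(v["file"]).lower() != m["path"].lower():
            findings.append(f"{m['path']}: VAD at {base:#x} is backed by {nt_to_dos(v['file'])}")

    # 2. Every image VAD must appear in the loader list, and its section must match disk.
    for base, v in vad_by_base.items():
        if v["file"] is None:
            continue
        dos = nt_to_dos(v["file"])
        if v["image"] and base not in ldr_by_base:
            findings.append(f"{dos}: image mapped at {base:#x} but absent from PEB Ldr (unlinked)")
        sec, disk = section_hashes.get(base), disk_hashes.get(dos.lower())
        if sec and disk and sec != disk:
            findings.append(f"{dos}: mapped section hash differs from the on-disk image (stomped)")
    return findings


# Constructed process state: game.exe stomped, version.dll unlinked, dxgi.dll hollowed.
VADS = [
    {"base": 0x7FF6A0000000, "size": 0x40000, "file": r"\Device\HarddiskVolume3\Games\game.exe", "image": True},
    {"base": 0x7FFB10000000, "size": 0x1F0000, "file": r"\Device\HarddiskVolume3\Windows\System32\ntdll.dll", "image": True},
    {"base": 0x7FFB0C000000, "size": 0xB0000, "file": r"\Device\HarddiskVolume3\Windows\System32\version.dll", "image": True},
    {"base": 0x7FFB08000000, "size": 0x30000, "file": None, "image": False},
]
LDR_ENTRIES = [
    {"base": 0x7FF6A0000000, "size": 0x40000, "path": r"C:\Games\game.exe"},
    {"base": 0x7FFB10000000, "size": 0x1F0000, "path": r"C:\Windows\System32\ntdll.dll"},
    {"base": 0x7FFB08000000, "size": 0x30000, "path": r"C:\Windows\System32\dxgi.dll"},
]
SECTION_HASHES = {0x7FF6A0000000: "h-game-modified", 0x7FFB10000000: "h-ntdll", 0x7FFB0C000000: "h-version"}
DISK_HASHES = {r"c:\games\game.exe": "h-game", r"c:\windows\system32\ntdll.dll": "h-ntdll",
               r"c:\windows\system32\version.dll": "h-version"}


def scan():
    return check_process(VADS, LDR_ENTRIES, SECTION_HASHES, DISK_HASHES)


if __name__ == "__main__":
    for line in scan():
        print(line)
```

The path normalisation is not cosmetic: the file object behind a VAD reports an NT device path while the loader list reports a DOS path, and comparing them without a device map produces a mismatch on every module.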
Disclosure & responsible use
Detection rules and forensic methodologies published here describe defensive techniques used by the Clubhouse AC scanner. Where research touches on third-party software vulnerabilities (driver-signing flaws, DMA board firmware, anti-forensic tooling), we follow coordinated disclosure with the affected vendor or maintainer before publishing operational detail. Notes marked disclosure pending are held back until that process completes.
Material is published for defenders, server administrators, DFIR practitioners, and academic researchers. We will not provide weaponised samples, working exploit chains, or evasion guidance. To report a vulnerability in our scanner, contact security@clubhouseac.shop.