Hyperspace is a multi purpose Windows Kernel Driver that has been in development since June 2025.
I've applied Hyperspace for every purpose I've thought of Injecting, Emulating, Dumping, Externals, e.g..
It's one of my biggest projects that I've ever developed, it's been in development for years and I hope you can enjoy.
Hyperspace was designed to bypass Anti-Cheat Integrity Checks.
This was made possible through hours of Reverse-Engineering the industry-leading Anti-Cheat. (EasyAntiCheat)
I will cover all of the fundamentals for what it's bypassing and the reason.
Manual Mapping
Manual Mapping loads a kernel driver into Ring 0 (Kernel Mode) without using Windows' official driver loadingThis bypasses all DSE (driver signature enforcement) checks and doesn't put it in kernel cache lists like PsLoadedModuleList.
The mapper exploits the ASMMAP64 CVE, an undocumented CVE that has never been publicly used for mapping.
This gives us arbitrary kernel memory access to manual map and install hooks to execute kernel functions.
The mapper parses NTOSKRNL's PDB symbols using the DIA SDK to dynamically resolve all kernel functions.
This makes the driver completely signature-less and compatible with all Windows versions.
The driver is allocated using MmAllocateIndependentPages, which doesn't place the allocation in any cache lists.
This prevents anti-cheats like EasyAntiCheat from discovering the allocation through pool scanning.
After mapping, the allocation's base address and size are passed to the driver's entry point for page hiding and remapping.
Page Hiding & Remapping
Anti-cheats detect illegitimate drivers by scanning for executable driver code in kernel memory.Different anti-cheats use different detection methods to find executing driver code.
EasyAntiCheat uses VM instructions to probe executing code in suspicious driver regions.
EasyAntiCheat and others use NMIs (Non-Maskable Interrupts) to catch illegitimate driver execution.
The solution is to either hide our driver's pages or remap them to appear legitimate.
Page Remapping - View Code
Maps our driver's page tables into a legitimate kernel module's context (like ntoskrnl.exe).
When anti-cheats see our driver's execution, they see it as coming from a trusted module.
Page Hiding - View Code
Prevents page table walking by blocking MmCopyMemory and similar APIs from accessing our driver's pages.
Anti-cheats attempting to read or scan our driver pages will fail, making our driver invisible to integrity checks.
Combined, these techniques prevent anti-cheats from detecting our driver's execution as illegitimate.
Physical Memory Mapping
We use Physical Memory Mapping to Read/Write Physical Memory without relying on APIs like MmCopyMemory that could be detected.For example MmCopyMemory is detected because it generates Page Faults that are hooked by Anti-Cheats. (For example Vanguard)
DPM (Direct Physical Mapping) - View Code
DPM creates 64 allocated virtual pages (per CPU core) and dynamically remaps PTEs to target physical addresses.
When you need to read/write physical memory DPM changes the PFN (Page Frame Number) of the PTE.
This method is fast and perfect for quick read/write operations since pages are pre-allocated.
PTM (Page Table Mapping) - View Code
PTM constructs a custom page table hierarchy (PML4, PDPT, PD, PT) in an unused region of the address space.
It finds a free PML4 entry and builds new page tables, allowing you to map a physical page to a virtual address.
PTM can set the user_supervisor bit in page table entries, allowing usermode to directly access the kernel memory.
This method is better for when you need full control over virtual address layout and page protections.
PTM: Creates custom virtual address space, full page protection control, usermode accessibility
Both bypass MmCopyMemory and while being invisible to all anti-cheat hooks.
Client Communication
Most commonly drivers communicate using IOCTLs or kernel threads, both of which are monitored by anti-cheats.Anti-cheats scan for suspicious device objects, unnamed devices, and threads running in kernel mode from illegitimate modules.
Threadless communication eliminates all of these detection vectors entirely.
WNF (Windows Notification Facility) - View Code
Uses WNF state change subscriptions to receive notifications without creating any threads.
WNF is a legitimate Windows mechanism, making our callbacks appear as normal activity.
This avoids touching any suspicious cache lists or calling hooked functions that anti-cheats monitor.
Process Callback Initialization - View Code
A process creation callback detects when our client creates a process with a unique name.
Once detected, the driver attaches to the client process and creates a Hyperspace (shared address space).
We spoof the PTE flags of our hyperspace allocation to allow the usermode direct access to kernel memory.
How Does Our Client Communicate? - View Code
The client process writes request data to the shared hyperspace allocation and triggers the WNF callback.
Semaphores are used for synchronization - the client releases a semaphore to signal the request is ready.
The driver validates the semaphore, processes the request, then releases a response semaphore to notify completion.
Hyperspace is a diverse kernel driver with applications for emulation, injection, dumping, and external memory operations.
Table of Contents
Hyperspace (aka Angel-Engine Emulator) emulates EasyAntiCheat by hooking KEP (Kernel Export Patch) and ETW (Event Windows Tracing).
We additionally pattern scan EasyAntiCheat's driver to find internal functions, and call them directly instead of using APIs.
This makes all operations appear as EAC itself is performing them, bypassing stack walking and integrity checks.
| Emulates | How does it work? |
|---|---|
| EasyAntiCheat | Blocks integrity checks via KEP (Kernel Export Patch) - View CodeHooks kernel exports by patching ntoskrnl's EAT (Export Address Table) entries.We allocate space inside ntoskrnl by splitting large pages to get a valid RVA for our shellcode. Our shellcode is a trampoline that sets the stack as our hook handler. We swap the export table RVA to point to our shellcode instead of the original function. |
| UserAntiCheat | Blocks integrity checks via ETW (Event Tracing Windows) - View CodeHooks the CKCL (Circular Kernel Context Logger) ETW session to intercept syscalls made by the usermode anti-cheat.We configure CKCL to trace syscall events and hook HalCollectPmcCounters to capture syscalls. When a syscall is caught, we walk the kernel stack looking for the magic values that mark ETW trace events. When found, we swap the return address on the stack with our hook handler. |
- Allocate Virtual - View Code
- Page Memory - View Code
- Free Virtual - View Code
- Flush Virtual - View Code
- Set Information Virtual - View Code
- Protect Virtual - View Code
- Query Virtual - View Code
- Read Virtual - View Code
- Write Virtual - View Code
- Attach Process - View Code
- Detach Process - View Code
- Create Callback - View Code
Hyperspace injects DLLs using reliable dependency resolution, and post-injection cleanup.
Instead of hooking monitored IDxgiSwapChain::Present, we swap DiscordHook64.dll's PeekMessage hook.
This bypasses anti-cheat heuristics that specifically watch for Direct3D/DXGI hooks.
Hyperspace uses a multi-layered fallback system to resolve DLL dependencies.
This ensures 100% dependency resolution across all scenarios:
- API Set Resolving - Uses Windows API sets to resolve C runtime libraries via API scheming
- KnownDLLs Registry - Checks the KnownDLLs registry key for system libraries
- Local Directory - Searches the injector's local directory
- Game Directory - Searches the target game's directory
- PDB Symbols - Searches debug symbols to locate dependencies
After successful injection, Hyperspace cleans up to reduce detection:
- Erases non-discardable PE sections from memory
- Removes allocated shellcode used during injection
Hyperspace dynamically selects a allocation method based on the target process. View Code
| Method | When Used | Code |
|---|---|---|
| EAC Allocation | For EasyAntiCheat-protected processes | View Code |
| Remap Allocation | For processes not running with EasyAntiCheat | View Code |
| VAD Allocation | A backup if you want to switch from Remap | View Code |
Hyperspace Dumper captures and decrypts pages from a target process protected by EasyAntiCheat.
The dumper iterates through all pages in the target process, leveraging EAC to decrypt encrypted pages:
- Page Enumeration - Scans all pages in the process image
- Encryption Detection - Uses
hyperspace::eac::query_virtualto check if pages are encrypted (PAGE_NOACCESS) - Page Decryption - For encrypted pages, calls EAC's internal functions to decrypt:
page_memory- Triggers page decryptionflush_virtual- Flushes the virtual memoryprotect_virtual- Restores original page protectionset_information_virtual- Finalizes the page state
- Physical Mapping - Translates virtual addresses to physical addresses via page table walking
- Page Capture - Maps physical pages using PTM and copies decrypted data to output buffer
- Add Changelog
- Finish Emulation
- Finish Dumper
- Add Thead Hijacking execution
- Finish KPP Bypass for different versions
Hyperspace is a comprehensive kernel driver built to bypass anti-cheat integrity checks.
Review the source code for detailed implementation and documentation.
Found issues or want to contribute? Create an issue or contact me on Discord.