Been doing some research lately, think we're hitting the limit of usermode bypasses, so I'll just share two more methods that actually work (tested) for both BE & EAC (and probably others).

- Virtual filesystem
  You own the filesystem the cheat/game is executed on, and you can control what PID can access what and what content is read on each read request. A few libraries exist for that, which implement the kernel filesystem with a usermode API to expand them. One of them is Dokan (Dokany, from GitHub).

- Lsass handles
  lsass.exe has special privileges; its handles never get stripped due to how Windows works. You can process hollow it and get full access handles, or you can dll playerup into it, or hijack its handles (Hleaker) ...

No PoC code tho, I'll make a universal solution in the coming weeks.