The first open-source DMA-based HWID spoofer implementation.
This project is not another usermode cleaner. It is not another basic kernel driver. It is a real DMA-first HWID spoofing implementation built around direct memory access, build-aware reverse engineering, and consistency across the hardware identifier surfaces anti-cheats actually correlate.
If you understand what that means, then you already understand why this project matters.
Every public project in this space tends to fall into one of two categories:
- usermode tools that patch easy registry or API-visible identifiers
- kernel drivers that cover one or two IOCTL paths but leave the rest of the machine state inconsistent
This repository exists to push past that.
The goal here is to build the first DMA-based implementation that actually works end-to-end by treating identity spoofing as a consistency problem across:
- live kernel query paths
- cached kernel structures
- registry mirrors
- storage and volume metadata
- firmware and boot state
- network and display side channels
That is the difference between a toy spoofer and a serious implementation.
Current spoofer modules:
- SMBIOS
- Disk
- NIC
- GPU
- Monitor
- Volume
- Registry
- TPM
- EFI
- Boot
- ARP
- USB
Support systems included in the codebase:
- DMA access engine
- signature scanning
- code cave helpers
- registry hive parsing
- HWID generation helpers
- DSE research
- PatchGuard research
Current tracked source footprint:
- 12 spoofing modules
- 77 tracked source files under
src/ - 12,106 tracked source lines under
src/
This is an active reverse-engineering project with runtime validation on real targets.
Recent build-aware work includes:
- Win10 SMBIOS support
- Win10 volume GUID support
- Win10 EFI support
- Win10 ARP support using the real
Ipv4Globalroot - Win10 dxgkrnl EDID cache resolution via
DXGGLOBAL - Win11 ARP layout alignment
- Win11 dxgkrnl EDID cache layout alignment
The important point is not that offsets exist. The important point is that the implementation is being aligned to the actual structures Windows uses on live targets, not just static samples.
src/
|-- main.rs
|-- cli.rs
|-- core/
| |-- dma.rs
| |-- dse/
| `-- patchguard/
|-- hwid/
| |-- generator.rs
| |-- manufacturers.rs
| |-- oui.rs
| `-- patterns.rs
|-- spoofers/
| |-- arp/
| |-- boot/
| |-- disk/
| |-- efi/
| |-- gpu/
| |-- monitor/
| |-- nic/
| |-- registry/
| |-- smbios/
| |-- tpm/
| |-- usb/
| `-- volume/
`-- utils/
|-- codecave.rs
|-- random.rs
|-- registry.rs
`-- signature.rs
- Windows 10 or Windows 11
- Rust toolchain
- Python 3
- administrator shell
- MemProcFS / LeechCore runtime DLLs
Primary development and validation path:
- Windows
- PowerShell
- MemProcFS
- VMware target VMs
The executable expects the runtime DLLs next to the built binary.
Required sources:
vmm.dllfrom MemProcFSleechcore.dllfrom MemProcFSvmmyara.dllfrom MemProcFSFTD3XX.dllfrom FTDI D3XX driversFTD3XXWU.dllfrom FTDI D3XX drivers
Download links:
- MemProcFS releases: https://github.com/ufrisk/MemProcFS/releases
- FTDI D3XX drivers: https://ftdichip.com/drivers/d3xx-drivers/
Typical placement:
- next to
dma-spoofer.exe
git clone https://github.com/vibheksoni/dma-spoofer.git
cd dma-spoofer
cargo build --releaseOutput:
target\release\dma-spoofer.exe
Examples:
.\target\release\dma-spoofer.exe -v --test-all
.\target\release\dma-spoofer.exe -v --list all
.\target\release\dma-spoofer.exe -v --list smbios
.\target\release\dma-spoofer.exe -v --list arp
.\target\release\dma-spoofer.exe -v --list dxgkrnl| Module | Focus |
|---|---|
smbios |
firmware tables and system identity |
disk |
storage serials and driver-backed disk identity |
nic |
MAC identity and cached adapter state |
gpu |
NVIDIA UUID and related GPU identifiers |
monitor |
registry EDID and dxgkrnl EDID cache |
volume |
volume GUIDs and related mount metadata |
registry |
tracked registry traces and cleanup |
tpm |
TPM-related traces and hooks |
efi |
EFI runtime variable surfaces |
boot |
boot identifiers and related state |
arp |
neighbor and ARP cache identity leakage |
usb |
removable-device identity surfaces |
- Prefer real kernel-backed identity sources over shallow usermode mirrors.
- Treat spoofing as a build-aware problem.
- Keep registry-visible state aligned with the underlying kernel state whenever possible.
- Validate against live targets, not only static IDA samples.
- Build toward whole-machine identifier consistency, not one-off field edits.
High-value areas still worth covering:
- ACPI firmware identity
- WMI and CIM mirrors
- PCI and PnP registry identity
- display persistence stores beyond raw EDID and dxgkrnl cache
- CPU and hypervisor identity
- network profile and NLA persistence
- additional storage registry mirrors
- device container IDs and related grouping identifiers
This project modifies live kernel state.
Higher-risk areas include:
- PatchGuard-related work
- DSE-related work
- EFI runtime tampering
- TPM-related low-level changes
Use a VM first.
If you reverse new layouts, validate additional Windows builds, extend spoofing coverage, or improve consistency across identifier surfaces, contributions are welcome.
Good contributions include:
- new Windows build support
- better runtime validation
- reversing missing hardware identity paths
- improving consistency between kernel state and registry-visible state
- better detection and recovery for unstable targets
If you want to contribute, open an issue or send a pull request.
If you respect the engineering work behind this repository:
- star the project
- share it with people doing serious anti-cheat and low-level Windows research
- contribute code, reversing notes, or validation results
That helps turn this from a one-off release into the reference implementation for DMA-first HWID spoofing research.
This repository is for research and educational use.
If you run it, you accept responsibility for:
- legal compliance
- target-system safety
- third-party terms and policy issues
- crashes, corruption, boot problems, and data loss
Use it on systems you can afford to break.
MIT
- X/Twitter: @ImVibhek
- Website: vibheksoni.com
- GitHub: vibheksoni