I’m going to refrain from posting public information about VAC from this post forward. They seem to have noticed we are using the .text section of the modules to keep track of modules and the timestamps to determine if any updates occurred.
The .rdata seems to be merged now with the code section (.text) so we can’t really use section hashes anymore.
No doubt someone new is working with the VAC team and has read my posts, or they have just picked back up from the inactivity, as evidenced by the recent major ban waves hitting p2cs.
If we look at the PDB paths of the modules, we can see that they are not like the old ones, which accidentally shipped a while back:
- E:\\p4\\s3dev2\\src\\vac2\\vac3\\Release\\vac3\_memoryscan\\win32\\vac3\_memoryscan.pdb
- E:\\p4\\s3dev2\\src\\vac2\\vac3\\Release\\vac3\_primitives\\win32\\vac3\_primitives.pdb
- E:\\p4\\s3dev2\\src\\vac2\\vac3\\Release\\vac3\_verifyclient\\win32\\vac3\_verifyclient.pdb
- E:\\p4\\s3dev2\\src\\vac2\\vac3\\release\\vac3\_processhandle\\win32\\vac3\_processhandle.pdb
The path has changed, and I know this doesn’t exactly prove anything, but it’s just something I’ve picked up.