
Game Booster Safety Toolkit: Audit, Block, One-Click Toggle

A technical audit of a game booster revealed two kernel drivers, a filter driver bound to every network adapter, a self-signed CA certificate, and 22 ad SDKs. I built a toggle tool that blocks all of these system capabilities while the booster is not in use.

Tags: Windows, Security, Privacy, Reverse Engineering

Background

After setting up a new PC, I needed to use a game booster that was installed on the old machine. A technical audit of the old installation revealed multiple security risks.

VM isolation wasn't convenient enough, so I developed a control toolkit: fully block system capabilities when not in use, one-click enable when needed.

GitHub: https://github.com/EnjouZeratul/ak-safety-toolkit


Technical Audit Findings

Kernel Drivers

Two kernel drivers running with SYSTEM privileges:

| Driver | Path | Note |
|---|---|---|
| akdriversys.sys | C:\WINDOWS\ | Non-standard location |
| Hgate.sys | C:\WINDOWS\system32\DRIVERS\ | Standard location |

Kernel drivers run at the highest privilege level. Because both are set to auto-start, the system is exposed without the user being aware of it.

Full NIC Binding

Hgate.sys registers as an NDIS Lightweight Filter (LWF) with ComponentID ms_hgate and is bound to every network adapter, which can be confirmed with:

  Get-NetAdapterBinding -ComponentID ms_hgate

Self-Signed CA Certificate

Path: C:\ProgramData\AKPlatform\ca.crt, Subject: CN=ChangeMe

The certificate is not installed in the system trust store, but the presence of the file means the capability exists: the software can install it at runtime and then decrypt HTTPS traffic (MITM).
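The three findings above can be re-checked on any machine with the following PowerShell audit function. It is an added example, not part of the ak-safety-toolkit; it assumes the service names (akdriversys, Hgate), the ComponentID ms_hgate and the certificate path reported above, and compares the CA by thumbprint rather than by subject so that a renamed copy is still caught.

```powershell
function Get-BoosterAudit {
    # Names taken from the audit findings above (assumed; adjust for other versions).
    $drivers   = @('akdriversys', 'Hgate')
    $component = 'ms_hgate'
    $caFile    = 'C:\ProgramData\AKPlatform\ca.crt'

    # Layer 1: kernel driver services. Get-Service does not list kernel drivers,
    # so query Win32_SystemDriver, which exposes StartMode, State and the image path.
    $driverInfo = foreach ($name in $drivers) {
        $d = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
        if ($d) {
            [pscustomobject]@{ Driver = $name; StartMode = $d.StartMode; State = $d.State; Path = $d.PathName }
        } else {
            [pscustomobject]@{ Driver = $name; StartMode = '(absent)'; State = '(absent)'; Path = '' }
        }
    }

    # Layer 2: NDIS LWF binding. Enabled=True means the filter sits on that adapter.
    $bindings = Get-NetAdapterBinding -ComponentID $component -ErrorAction SilentlyContinue |
                Select-Object Name, Enabled

    # Layer 3: is the shipped CA actually trusted? Check both the machine and the
    # current-user Root store; writing to the user store needs no admin rights.
    $caThumb = $null
    $caTrusted = $false
    if (Test-Path $caFile) {
        $ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($caFile)
        $caThumb = $ca.Thumbprint
        $caTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
                            Where-Object Thumbprint -eq $caThumb)
    }

    [pscustomobject]@{
        Drivers        = $driverInfo
        BoundAdapters  = @($bindings | Where-Object Enabled | ForEach-Object Name)
        CaFilePresent  = [bool](Test-Path $caFile)
        CaThumbprint   = $caThumb
        CaInTrustStore = $caTrusted
    }
}

Get-BoosterAudit | Format-List
```

Run it from an elevated PowerShell so that the CIM driver query and the machine Root store are both readable; a non-empty BoundAdapters list or CaInTrustStore = True means the corresponding layer is live.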

Other Findings

| Item | Description |
|---|---|
| Unsigned DLL | hv.dll has no digital signature |
| Encrypted config | Data collection behavior cannot be audited |
| Hardware fingerprint | MachineCode field in config |

Privacy Policy Analysis

Company Info

  • Code signing company: Sichuan Guanglun Technology Co., Ltd.
  • Privacy policy company: Sichuan Zhengyun Network Technology Co., Ltd.

The code-signing company and the privacy-policy company are different, so accountability is unclear.

What the Privacy Policy Admits

  1. Traffic monitoring: claims "no logs", but an exception clause allows "real-time analysis of data including website IP, origin address"
  2. Collecting installed app list and process info
  3. 22 third-party ad SDKs (Bytedance, Tencent, Kuaishou, etc.)
  4. Auto-start capability
  5. Promotional push notifications

Ad SDK Data Collection Scope

22 SDKs covering: device identification (IMEI/AndroidID/MAC), location tracking, app lists, behavioral analysis, ad delivery, sensor data, etc.


Control Scheme Design

Design Goal

Since the software can't be avoided:

  • When in use: software works normally
  • When not in use: fully block all system capabilities

Three-Layer Blockade

Layer 1: Kernel drivers → SYSTEM privileges, auto-start
Layer 2: NIC binding → Mounts on every adapter, intercepts traffic
Layer 3: CA certificate → HTTPS decryption capability

Three-Layer Blockade Operations

Block Layer 1:
  reg add HKLM\SYSTEM\CurrentControlSet\Services\akdriversys /v Start /t REG_DWORD /d 4 /f
  reg add HKLM\SYSTEM\CurrentControlSet\Services\Hgate /v Start /t REG_DWORD /d 4 /f
  → Set driver start type to Disabled (Start must stay a REG_DWORD; /t prevents reg add from rewriting it as a string, /f skips the overwrite prompt)

Block Layer 2:
  Get-NetAdapterBinding -ComponentID ms_hgate | Disable-NetAdapterBinding
  → Unbind from all NICs

Block Layer 3:
  ren C:\ProgramData\AKPlatform\ca.crt ca.crt.bak
  → Rename the certificate file, removing the MITM capability

Even if the software is somehow activated, the three-layer blockade prevents it from accessing any data.


Toolkit Features

Main Script AK.bat

Enable flow:

  1. Set driver start type to Demand
  2. Start driver services
  3. Bind all NICs
  4. Restore certificate file
  5. Launch software

Disable flow:

  1. Force-kill the 9 related processes
  2. Stop driver services
  3. Set driver start type to Disabled
  4. Unbind all NICs
  5. Rename certificate file
  6. Clean ad cache and logs (~250MB)
  7. Reset proxy and DNS

Status Detection

  reg query HKLM\SYSTEM\CurrentControlSet\Services\Hgate /v Start | find "0x4"

  • Start=4 (Disabled) → currently blocked, run the enable flow
  • Start≠4 → currently enabled, run the disable flow
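The three-layer blockade operations, the AK.bat enable/disable flows and the status rule above combine into one toggle, shown here as an added PowerShell example rather than the toolkit's own AK.bat. It covers process kill and the three layers; cache cleanup, proxy reset and launching the booster are left out. Service names, ComponentID and certificate path are the ones from the findings; the process list is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added toggle example (not the toolkit's AK.bat). Names below come from the audit
# findings; $Processes is a placeholder to be filled from your own process audit.
$Drivers   = @('akdriversys', 'Hgate')
$Component = 'ms_hgate'
$CaDir     = 'C:\ProgramData\AKPlatform'
$Processes = @('PLACEHOLDER_booster_process')

function Get-BlockadeState {
    # Same rule as the toolkit: Start=4 (Disabled) on the Hgate key means "blocked".
    $start = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Hgate' -Name Start).Start
    if ($start -eq 4) { 'Blocked' } else { 'Enabled' }
}

function Set-BlockadeState([ValidateSet('Blocked', 'Enabled')][string]$State) {
    $blocked = ($State -eq 'Blocked')
    if ($blocked) {
        Get-Process -Name $Processes -ErrorAction SilentlyContinue | Stop-Process -Force
        foreach ($d in $Drivers) { sc.exe stop $d | Out-Null }
    }
    # Layer 1: Start is REG_DWORD, 3 = Demand (manual), 4 = Disabled.
    foreach ($d in $Drivers) {
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$d" -Name Start `
                         -Value $(if ($blocked) { 4 } else { 3 }) -Type DWord
    }
    # Layer 2: the LWF binding on every adapter.
    if ($blocked) { Disable-NetAdapterBinding -Name '*' -ComponentID $Component }
    else          { Enable-NetAdapterBinding  -Name '*' -ComponentID $Component }
    # Layer 3: rename the CA file away, or restore it.
    if ($blocked -and (Test-Path "$CaDir\ca.crt")) {
        Rename-Item -Path "$CaDir\ca.crt" -NewName 'ca.crt.bak'
    } elseif (-not $blocked -and (Test-Path "$CaDir\ca.crt.bak")) {
        Rename-Item -Path "$CaDir\ca.crt.bak" -NewName 'ca.crt'
    }
    if (-not $blocked) { foreach ($d in $Drivers) { sc.exe start $d | Out-Null } }
}

# One-click toggle: flip to whichever state we are not in.
$target = if ((Get-BlockadeState) -eq 'Blocked') { 'Enabled' } else { 'Blocked' }
Set-BlockadeState $target
"Blockade is now: $(Get-BlockadeState)"
```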

Cleanup Content

| Directory | Size | Content |
|---|---|---|
| cache\bannerpic\ | 32 MB | Ad banner images |
| mbcef73\cef_cache\ | 215 MB | Chromium ad browser cache |
| log\*.log | ~130 KB | User logs (IP, account, game history) |
| temp\ | 6 MB | Temp files |

Auxiliary Scripts

| Script | Function |
|---|---|
| pre-install-check.bat | Pre-install system check |
| watch-install.bat | Installation monitoring, records changes |
| post-install-verify.bat | Post-install verification |
| check-status.bat | Current status check |
| cleanup.bat | Standalone cache cleanup |

Verification

Run check-status.bat after disabling:

[Driver Startup Type]
Start: 0x4 (Disabled)

[Network Adapter Binding Status]
(empty = unbound)

[CA Certificate Status]
NOT FOUND (renamed)

[AK Process Status]
NOT RUNNING

Security Assessment

Current state: Drivers not loaded, NICs unbound, certificate renamed, cache and logs cleared.

Theoretical remnants: Driver files still on disk, registry entries exist, program directory exists.

In practice the current state is sufficiently secure: even if the software is activated, the three-layer blockade prevents it from accessing data.


Usage Recommendations

  • Avoid sensitive operations while booster is active (banking, login, private communications)
  • Run disable script immediately after use
  • Check status periodically

Alternatives

  • Self-hosted acceleration nodes (WireGuard)
  • Commercial boosters with audited security
  • Accept game latency, no booster

⚠️ Disclaimer: This article is for technical learning and personal device maintenance only. Operate within legal and regulatory boundaries.


Last updated: 2026-05-25