Even Balance, Inc. is the creator of PunkBuster. The company is based in Spring, Texas (USA). There are currently 18 employees (http://evenbalance.com/index.php?page=staff.php).
PunkBuster is an automatically self-updating client/server anti-cheat software system. Players run the PunkBuster Client software while they play online games, and PunkBuster Server software runs on the game server that players connect to for gameplay. The PunkBuster system is designed to hold all participants accountable by scanning the game computers for known cheats, game hacks, and exploits, similar to the way anti-virus software scans a computer for viruses.
There is a component running on the client (your PC) and one running on the game server. The game server is in control of the cheat detection process and will from time to time request information from the PunkBuster client. If the client on the other end fails to answer correctly and in a timely manner, PunkBuster will raise a violation. The PunkBuster system will in general only raise a violation when it detects a cheat program actively running in memory.
PunkBuster makes no determinations heuristically. Also, heuristic approaches have a good chance of falsely accusing a player that is just really good on a particular map or a particular game. This is the major reason that we don't use any sort of heuristics in our anti-cheat approach.
PunkBuster installs many files on your computer.
First, there are files for each of your games that use PunkBuster. They are located in the game’s directory, often in a subdirectory named pb.
Some other files are also installed: PnkBstrA.exe and PnkBstrB.exe are installed in the Windows system folder while PnkBstrK.sys is installed into the Drivers folder (which is inside the Windows system folder) and the user’s application data folder.
The PnkBstrA and PnkBstrB components manage keys in the system Registry under HKEY_LOCAL_MACHINE\SOFTWARE\Even Balance.
Finally, two services are installed: PnkBstrA and PnkBstrB.
The PnkBstrA service is used by PunkBuster to update the other PunkBuster components (PnkBstrB and PnkBstrK) in the background while users are playing supported games with PunkBuster enabled. These components are updated on the fly when a game is launched with PunkBuster enabled.
PnkBstrA runs at startup by default because a limited-access user doesn't have the rights to start a service.
PnkBstrK.sys gathers large fragments of memory (RAM) from within processes and calculates an MD5 checksum over this data, which is then sent back encrypted to the user-mode code (pbcl.dll?).
PunkBuster software is very invasive software by necessity. It scans every file of every folder from any partition of your hard drives (at least those in NTFS). As far as I know it doesn’t scan hidden directories and what is located inside an archive (I may be wrong). It also scans the whole content of your RAM and your virtual memory.
If a cheat program is simply on your hard drive but inactive at the time that you are running the PunkBuster enabled client, you most likely will not raise a violation. There are times, however, that catching a cheat requires detection of a certain file or manipulated game asset. In this case, a violation may be raised.
PunkBuster also inspects the displayed screen, processes, and hardware associated with each computer system on which it is running for the purpose of authenticating those systems for play in a "cheat free" environment.
The primary purpose of the scanning procedures is to inspect for the purpose of authenticating honest users who wish to compete fairly together. These inspection procedures consist of three types: 1) validating that only non-hacked original software is being used during multiplayer competition, 2) examining files that match the profile (or signature) of known cheating programs, and 3) sending screen captures during gameplay.
PunkBuster does not collect or maintain any personally identifiable information regarding players. It does not track web surfing habits or log instant messaging conversations either.
Any information that the PunkBuster client uses is mangled in a one way hash so that upon transmission it is completely meaningless.
When PunkBuster catches a cheater, it will kick him and detail the kick with a violation number. Here is a brief description of every violation:
Technical Violations: (Resolution: Reinstall PunkBuster from the latest game update patch)
#101 - Communication Failure
#102 - Communication Failure
#131 - Initialization Failure
#132 - Protocol Error
#141 - Distress (This indicates a problem trying to update to the latest version of PunkBuster - it may indicate a problem reaching one of the Internet-based Master PB Servers which can be caused by firewalls, router problems, etc.)
Miscellaneous Violations:
#111 - Bad Name (Resolution: Change player name or play on a different server)
#112 - Too Many Bad Names
#113 - Too Many Name Changes (Designed to eliminate name change spamming)
#114 - Protected Name (Resolution: Change player name or play on a different server)
#121 - Negative Score Too Low (usually from Killing Teammates)
#151 - Extended ASCII Characters in Player Name (Resolution: use regular letters, numbers and symbols in the player name or play on a different server)
#9001 - CVAR value failed range check
Integrity Violations:
When PunkBuster is unable to verify that a player's gaming environment is functioning properly and/or has not been altered, an Integrity violation is raised. This also involves the detection of modified game or PunkBuster files. These violation numbers are between 10000 and 29999.
Cheat/Hack Violations:
When PunkBuster detects a cheat or hack by repeated positive identification on a player's computer, a violation is raised. These violation numbers are 50000 and higher. Families of cheats are listed below. Resolution: Remove cheats and hacks from the computer.
#50000s - Aimbot
#60000s - Wallhack
#70000s - Multihack
#80000s - Gamehack
#90000s - 'Cheat' Video Drivers
#100000s - Speedhack
#110000s - Autofire
#120000s - Game Hook
#130000s - Attempted PunkBuster Hack
You can find more information here:
http://www.hazardaaclan.com/history/punkbuster.php
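For server administrators, the numbering scheme above can be decoded mechanically to separate setup faults from integrity and cheat detections. This is an added example, not code from PunkBuster or from this page's author; the player names and kick-message wording in `SAMPLE` are constructed, and the functions `classify`, `triage` and `needs_review` are hypothetical helpers.

```python
import re

TECHNICAL = {101, 102, 131, 132, 141}
MISCELLANEOUS = {111, 112, 113, 114, 121, 151, 9001}
# Cheat families come in blocks of 10000 starting at 50000 (key = number // 10000).
FAMILIES = {5: "Aimbot", 6: "Wallhack", 7: "Multihack", 8: "Gamehack",
            9: "'Cheat' Video Drivers", 10: "Speedhack", 11: "Autofire",
            12: "Game Hook", 13: "Attempted PunkBuster Hack"}

def classify(number):
    """Return (category, detail) for a violation number, per the ranges listed above."""
    if number in TECHNICAL:
        return ("technical", "reinstall PunkBuster from the latest game update patch")
    if number in MISCELLANEOUS:
        return ("miscellaneous", "name, score or CVAR rule")
    if 10000 <= number <= 29999:
        return ("integrity", "altered environment or modified game/PunkBuster files")
    if number >= 50000:
        return ("cheat", FAMILIES.get(number // 10000, "family not listed on this page"))
    return ("unknown", "number not described on this page")

def triage(kicks):
    """Map each player to the set of violation categories seen in their kick messages."""
    seen = {}
    for player, message in kicks:
        for token in re.findall(r"#(\d+)", message):
            seen.setdefault(player, set()).add(classify(int(token))[0])
    return seen

def needs_review(kicks):
    """Players with at least one integrity or cheat violation, sorted by name."""
    return sorted(p for p, cats in triage(kicks).items() if cats & {"integrity", "cheat"})

# Constructed sample: player names and message wording are made up.
SAMPLE = [
    ("alpha", "kicked: violation #131"),
    ("alpha", "kicked: violation #141"),
    ("bravo", "kicked: violation #9001"),
    ("bravo", "kicked: violation #70523"),
    ("charlie", "kicked: violation #10005"),
]

if __name__ == "__main__":
    print(needs_review(SAMPLE))
```

Numbers between 30000 and 49999, and families above the 130000s, are not described on this page, so the decoder reports them as unknown or unlisted instead of guessing.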
PunkBuster scans your computer and collects the following information:
1) Hard Drive SMART information (if available) (for each hard drive installed)
2) Hard Drive serial number (for each hard drive installed)
3) Network Adapter MAC address (for each NIC installed)
Etc.
Once this info is collected, PunkBuster creates a private hash (a unique alphanumeric code). It is estimated that this hash will only change when approximately 50% to 75% of the items above are changed (although this varies based on your PC configuration).
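A single digest over all items would change as soon as any one item changed, so an identifier that survives partial hardware changes has to compare items individually. The sketch below is an added example of one such design, not PunkBuster's algorithm (which this page does not describe); the inventory values, the key, the 0.5 threshold and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample inventory; every serial number and MAC address is made up.
ENROLLED = {
    "disk0_serial": "WD-CONSTRUCTED-0001",
    "disk0_smart": "model=EXAMPLE;fw=1.0",
    "disk1_serial": "ST-CONSTRUCTED-0002",
    "nic0_mac": "02:00:00:aa:bb:01",
}

def monolithic_digest(inventory, key):
    """One keyed digest over everything: any single change alters the result."""
    blob = "|".join(f"{k}={v}" for k, v in sorted(inventory.items()))
    return hmac.new(key, blob.encode(), hashlib.sha256).hexdigest()

def component_digests(inventory, key):
    """One keyed one-way digest per item, so raw values never need to be stored."""
    return {
        name: hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
        for name, value in inventory.items()
    }

def changed_fraction(enrolled, current):
    """Fraction of enrolled items whose digest is now missing or different."""
    if not enrolled:
        raise ValueError("no enrolled components")
    changed = sum(
        1 for name, digest in enrolled.items()
        if not hmac.compare_digest(digest, current.get(name, ""))
    )
    return changed / len(enrolled)

def same_machine(enrolled, current, threshold=0.5):
    """Identity holds while fewer than `threshold` of the items have changed."""
    return changed_fraction(enrolled, current) < threshold

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: a secret held by the service
    base = component_digests(ENROLLED, key)
    swapped_nic = dict(ENROLLED, nic0_mac="02:00:00:aa:bb:99")
    print(same_machine(base, component_digests(swapped_nic, key)))
```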
Rumours say hardware bans have already been stopped for certain games. If that’s true, the official reasons aren’t known. However, if you get hardware banned in one game, you obviously won’t buy any new online game relying on PunkBuster, which would not be good for game publishers. This may be the reason.
Anti-leak protection prevents people from sending the hack to all their friends, selling the hack, and getting the hack into PunkBuster's hands. Without anti-leak protection, the hack would get detected every couple of weeks!
The anti-leak protection works by recording your hardware information on your first login, and then checking your hardware ID every time you log in. If the hardware ID differs, you will receive an error about your 'globally unique identifier' being incorrect. Additionally, if your username or password is incorrect, you will receive a related error about that.
The hack is then downloaded. Files are encrypted to prevent people from looking at the code they contain.
A quick batch to :