Can Bölük
@_can1357
The Netherlands

Security researcher and reverse engineer; mostly interested in Windows kernel development and low-level programming. Founder of @verilave.

26 Tweets · 58 Following · 621 Followers

Tweets
Can Bölük @_can1357 · Jan 12
Much better than dumb /Device/PhysicalMemory detection targeting the binary; using a few brain cells goes a long way :)

Can Bölük retweeted

Carl Schou / vm @vm_call · Jan 12
BattlEye, a popular anti-cheat, has been detecting unknown cheats by using heuristics in combination with the x86 trap flag. This was done to specifically target "The Perfect Injector" by @_can1357 from usermode.
vmcall.blog/battleye-kerne…

Can Bölük @_can1357 · Dec 2
Competition? When they have exclusivity contracts? Haha.

Can Bölük @_can1357 · Nov 27
Undocumented offsets.

Can Bölük @_can1357 · Nov 18
I've received this question a lot, so I wanted to clarify: do not use WinDbg to debug this project; it will not work due to the internals of ByePg. The VMware GDB stub or any other hypervisor will work fine.

Can Bölük @_can1357 · Nov 18
After an additional week of work, ExHook is finally live.
ExHook is a standalone project utilizing ByePgLib, allowing you to hook all kernel-to-user exits (SYSCALL or any interrupt), bypassing PatchGuard.
Enjoy!
github.com/can1357/ByePg/… pic.twitter.com/Ta89mG2uHR

Can Bölük @_can1357 · Nov 7
Hilarious.

Can Bölük @_can1357 · Oct 21
Just pushed a SEH module to ByePg, letting you use SEH in manually mapped drivers, effectively bypassing another PatchGuard-protected mechanism, as it protects PsInvertedFunctionTable. System-call hooks coming Soon™.
github.com/can1357/ByePg/… pic.twitter.com/oyFqRMvsuX

Can Bölük @_can1357 · Oct 20
ofc not 🙃

Can Bölük @_can1357 · Oct 20
Just published my latest project "ByePg", exposing an entirely new attack surface to PatchGuard/NT and bringing @nickeverdox's InfinityHook back: blog.can.ac/2019/10/19/bye…

Can Bölük @_can1357 · Oct 9
Just FYI, you can check _KPROCESS.AddressPolicy to detect this behavior.

Can Bölük @_can1357 · Sep 9
You need a logo and a website, Nick; should be clear after the POPSS one smh...

Can Bölük @_can1357 · Aug 11
I'm literally crying

Can Bölük @_can1357 · Jul 17
Who cares about PG /s. Memes aside, excited to see how you pulled it off 🤓

Can Bölük @_can1357 · Dec 3, 2018
...with the right configuration.

Can Bölük @_can1357 · Dec 3, 2018
GDB stub hides them.

Can Bölük @_can1357 · Dec 3, 2018
You can always set a read BP on it via the VMware GDB stub to avoid the BSOD delay, but yeah, you can't really escape the randomness of checks and the delays between them. I'm somewhat confident it's checked on Win10, but frankly no idea about Win7.

Can Bölük @_can1357 · Dec 3, 2018
I researched PatchGuard for around a year, and 4 hrs was the magic number I found after which I could be quite confident ¯\_(ツ)_/¯

Can Bölük @_can1357 · Dec 3, 2018
IIRC, it is. If you want to test, just get the latest Windows 10, modify it and see if you can survive 2/3 boots for longer than 4 hrs; pretty easy to test.

Can Bölük @_can1357 · Jul 21, 2018
Thanks for the swift fix :)