Daax Rynd
@daax_rynd
United States

Security researcher. Specializing in reverse engineering, hypervisor development, and Windows internals.
See website for various series in these areas.

244 Tweets
168 Following
1,160 Followers

Tweets
Daax Rynd Retweeted
FireF0X
@hFireF0X
Jan 30

Unwinding RTCore - response to recent Unwinder claims and behavior related to vulnerabilities found in his RTCore driver which is a part of MSI Afterburner, swapcontext.blogspot.com/2020/01/unwind…
Daax Rynd Retweeted
gerhart
@gerhart_x
Jan 25

Good whitepaper about windows 10 secure kernel:
"Live forensics on the Windows 10 securekernel (2017)"
ntnuopen.ntnu.no/ntnu-xmlui/bit…
Daax Rynd Retweeted
Carl Schou / vm
@vm_call
Jan 24

Hackers have been abusing a poor integrity check in BattlEye to completely circumvent game protection mechanisms. This has allowed cheat communities to intercept and modify every single piece of information sent by the anti-cheat to the respective servers. vmcall.blog/battleye-commu…
Daax Rynd
@daax_rynd
Jan 24

And by broke I mean it made the system unstable. Likely bad engineering with version checks and hardcoded offsets for opaque structures.
Daax Rynd
@daax_rynd
Jan 24

BattlEye was written by a guy who c&p'd his way from trash AC to semi-working because of the fellas at kernelmode.info, and no shame on them. It's a gold mine. BE probably had to get spoonfed from MS since their AC broke on latest insider edition. "Gold Standard."
Daax Rynd Retweeted
Pavel Yosifovich
@zodiacon
Jan 18

Chapter 5 is published!
leanpub.com/windows10syste…
Daax Rynd Retweeted
Tamas K Lengyel
@tklengyel
Jan 16

Very much looking forward to this talk: "Hypervisor-level malware monitoring and extraction system - current state and further challenges" with DRAKVUF @1ns0mn1h4ck! insomnihack.ch/conference-202…
Daax Rynd
@daax_rynd
Jan 14

The other is using CPUID where EAX=0 to query CPU vendor information. For whatever reason, they loop these an exorbitant amount of times - 26,000 times. The rest of the code is virtualized with VMP - yikes. The perf overhead is extreme.
Daax Rynd
@daax_rynd
Jan 14

Seems that there are two others found after more thorough analysis. Using xgetbv/xsetbv in a loop similar to the one in the article. XSETBV is an unconditionally exiting instruction so naturally it fits for the time based attack. 1/2
Daax Rynd
@daax_rynd
Jan 14

Analyzed with @vm_call and offered improvements to BattlEye's VM detection. It was surprising this was their only method to detect generic hypervisors.
vmcall.blog/battleye-hyper…
Daax Rynd Retweeted
Carl Schou / vm
@vm_call
Jan 14

Anticheats such as BattlEye have been trying to detect generic hypervisors, in particular those prevalent in the cheating community (DdiMon and hvpp), by using time-based detections. Here's some advice on that for the developers.
vmcall.blog/battleye-hyper…
Daax Rynd
@daax_rynd
Jan 13

Might be time for us to throw them a bone... ;p
Daax Rynd
@daax_rynd
Jan 13

Ideally, they would raise the IRQL to the highest and ensure thread affinity on a specific CPU core to prevent influence from other activities or drivers when doing this. Also the time forging technique is quite simple for this check and makes detection efforts much more complex.
Daax Rynd Retweeted
Narib
@n4r1B
Oct 14

Little research @0xcpu and me did on the new AltSystemCallHandlers functionality added to Windows 10 20H1 18995. Register a handler that gets executed every time KiSystemCall is called, this has a lot of potential!! github.com/0xcpu/WinAltSy…
Daax Rynd Retweeted
Rolf Rolles
@RolfRolles
Jan 7

I recently discovered @ModernVintageG's channel on YouTube. A lot of stuff about old video game copy protections (arcade, console, PC), emulation, game development, etc. Good production values, too. Great stuff for reverse engineering enthusiasts. youtu.be/vCtXZM8iG-o
Daax Rynd
@daax_rynd
Jan 7

Always good to read interesting research - keep it up Carl twitter.com/vm_call/status…
Daax Rynd Retweeted
/r/netsec
@_r_netsec
Jan 5

Upload htaccess as image to bypass filters... nice read medium.com/@int0x33/uploa…
Daax Rynd Retweeted
0verfl0w
@0verfl0w_
Jan 2

So, it's been a while since I posted on my blog, but I had some spare time over the holidays to do a write up on reversing @MalwareTechBlog's VM1 challenge and writing a custom VM interpreter for it, as well as incorporating YARA into it! Check it out! 0ffset.net/reverse-engine…
Daax Rynd Retweeted
hasherezade
@hasherezade
Jan 2

A nice talk from #DefCon26, about using PE relocations for the purpose of obfuscation: Nick Cano - "Relocation Bonus - Attacking the Windows Loader Makes Analysts Switch Careers": youtube.com/watch?v=8_kfyK…
Daax Rynd Retweeted
Giuseppe `N3mes1s`
@gN3mes1s
Dec 31

KRSI - Google's Kernel Runtime Security Instrumentation - lkml.org/lkml/2019/12/2…