Daax Rynd
Security researcher. Specializing in reverse engineering, hypervisor development, and Windows internals. See website for various series in these areas.
244 Tweets
168 Following
1,160 Followers

Tweets
Daax Rynd Retweeted
FireF0X 30 Jan
Unwinding RTCore - response to recent Unwinder claims and behavior related to vulnerabilities found in his RTCore driver, which is part of MSI Afterburner.
Daax Rynd Retweeted
gerhart 25 Jan
Good whitepaper about the Windows 10 secure kernel: "Live forensics on the Windows 10 securekernel (2017)"
Daax Rynd Retweeted
Carl Schou / vm 24 Jan
Hackers have been abusing a poor integrity check in BattlEye to completely circumvent game protection mechanisms. This has allowed cheat communities to intercept and modify every single piece of information sent by the anti-cheat to the respective servers.
Daax Rynd 24 Jan
Replying to @vm_call
And by broke I mean it made the system unstable. Likely bad engineering with version checks and hardcoded offsets for opaque structures.
Daax Rynd 24 Jan
Replying to @imcallxm @vm_call
BattlEye was written by a guy who c&p'd his way from trash AC to semi-working because of the fellas at , and no shame on them. It's a gold mine. BE probably had to get spoonfed from MS since their AC broke on the latest insider edition. "Gold Standard."
Daax Rynd Retweeted
Pavel Yosifovich 18 Jan
Chapter 5 is published!
Daax Rynd Retweeted
Tamas K Lengyel 16 Jan
Very much looking forward to this talk: "Hypervisor-level malware monitoring and extraction system - current state and further challenges" with DRAKVUF!
Daax Rynd 14 Jan
Replying to @vm_call
The other is using CPUID where EAX=0 to query CPU vendor information. For whatever reason, they loop these an exorbitant number of times - 26,000 times. The rest of the code is virtualized with VMP - yikes. The perf overhead is extreme.
Daax Rynd 14 Jan
Replying to @vm_call
Seems that there are two others found after more thorough analysis: using xgetbv/xsetbv in a loop similar to the one in the article. XSETBV is an unconditionally exiting instruction, so naturally it fits the time-based attack. 1/2
Daax Rynd 14 Jan
Analyzed with and offered improvements to BattlEye's VM detection. It was surprising this was their only method to detect generic hypervisors.
Daax Rynd Retweeted
Carl Schou / vm 14 Jan
Anti-cheats such as BattlEye have been trying to detect generic hypervisors, in particular those prevalent in the cheating community (DdiMon and hvpp), by using time-based detections. Here's some advice on that for the developers.
Daax Rynd 13 Jan
Replying to @vm_call
Might be time for us to throw them a bone... ;p
Daax Rynd 13 Jan
Replying to @vm_call
Ideally, they would raise the IRQL to the highest and ensure thread affinity to a specific CPU core to prevent influence from other activities or drivers when doing this. Also, the time-forging technique is quite simple for this check and makes detection efforts much more complex.
Daax Rynd Retweeted
Narib 14 Oct
Little research and I did on the new AltSystemCallHandlers functionality added to Windows 10 20H1 18995. Register a handler that gets executed every time KiSystemCall is called; this has a lot of potential!!
Daax Rynd Retweeted
Rolf Rolles 7 Jan
I recently discovered 's channel on YouTube. A lot of stuff about old video game copy protections (arcade, console, PC), emulation, game development, etc. Good production values, too. Great stuff for reverse engineering enthusiasts.
Daax Rynd 7 Jan
Always good to read interesting research - keep it up, Carl
Daax Rynd Retweeted
/r/netsec 5 Jan
Upload htaccess as image to bypass filters... nice read
Daax Rynd Retweeted
0verfl0w 2 Jan
So, it's been a while since I posted on my blog, but I had some spare time over the holidays to do a write-up on reversing 's VM1 challenge and writing a custom VM interpreter for it, as well as incorporating YARA into it! Check it out!
Daax Rynd Retweeted
hasherezade 2 Jan
A nice talk from , about using PE relocations for the purpose of obfuscation: Nick Cano - "Relocation Bonus - Attacking the Windows Loader Makes Analysts Switch Careers"
Daax Rynd Retweeted
Giuseppe `N3mes1s` 31 Dec
KRSI - Google's Kernel Runtime Security Instrumentation