SecureHack
Date: 2024-12-08 | Source code
The only logical step after creating the previous project (SecureGame) was to write a proof-of-concept that will somehow get around the game enclave’s protection. This is achieved using a custom EFI driver that hooks into the Windows boot chain, intercepts the loading of the Hyper-V module, patches it in such a way as to hook VM exit to effectively hyperjack it, gathers information about securekernel.exe and the enclave itself, and implements a backdoor that can be used by normal processes running in VTL0 to copy memory between them and the enclave in VTL1.
SecureGame
Date: 2024-11-10 | Source code
Simple game with a special twist - its game logic is implemented inside a VBS enclave. It is a proof-of-concept demonstrating the use of VBS enclaves for anti-cheat purposes.
PwnedBoot
Date: 2024-07-17 | Source code
Proof of concept showing how you can use Windows’ bootloader (winload.efi) as a shim to effectively bypass Secure Boot. The bootloader does not check the integrity of mcupdate_AuthenticAMD.dll/mcupdate_GenuineIntel.dll when DSE is disabled through the boot menu, but because it is loaded so early in the boot process, before the call to ExitBootServices(), we can remap the image over winload.efi and then revert to the firmware context.
memhv
Date: 2024-04-04 | Source code
Extremely minimalistic hypervisor project that allows programs running in the guest to read/write other (protected) processes’ memory using a hypercall.
tpm-spoofer
Date: 2023-12-11 | Source code
Modern anticheats have started abusing TPM’s EK as a HWID flag. This was (at least as far as I can tell) the first ever kernel mode driver that would hook into the undocumented Windows TPM stack, parse the TPM responses and randomize the EK when it detected its read command.
OverlayCord
Date: 2023-06-28 | Source code
Discord loads its internal module, which is whitelisted by anticheats, into game processes and then uses it to render its overlay. However, the overlay is not actually rendered in the game process, but instead, it is rendered in the Discord client itself. From there, it is sent through a memory-mapped file into the game process. I reverse-engineered this process and then applied the knowledge in this project, which allows you to hijack the internal game overlay.
DirectPageManipulation
Date: 2023-06-26 | Source code
An example Windows kernel mode driver demonstrating how you can parse page tables directly and overwrite them for interprocess memory copying.
PatchBoot
Date: 2023-05-29 | Source code
I dumped and reverse-engineered my computer’s AMI UEFI firmware and then patched it to allow the loading of unsigned executables even with secure boot enabled.
nullmap
Date: 2023-03-10 | Source code
Based on the older project voidmap, this project utilizes CVE-2023-21768 to manually map a kernel-mode driver without loading any vulnerable driver. It worked on pre-patch Windows 11 22H2 (22621.525).
RwxMeme
Date: 2022-10-23 | Source code
State-of-the-art DLL injector that I wrote in under 20 minutes (sarcasm, in case you haven’t noticed). This project used an ages-old method of abusing DLLs with RWX sections to map its own DLL over them. It also used a vulnerable driver to do so. Funnily enough, at the time, this was enough to get around popular game anti-cheat software.
LightHook
Date: 2022-08-31 | Source code
I was frustrated with the fact that you needed to bundle an entire disassembler to use the most popular hook libraries (which, when using certain build systems, is really painful). So, I wrote this. It is a single-header C library that does not require any other dependencies to hook functions on the AMD64 architecture.
meme-rw
Date: 2022-07-02 | Source code
Using a vulnerable driver, this program would overwrite a single byte in an internal kernel structure, which would then allow it to use system APIs to further manipulate kernel code that would normally be inaccessible, and also to copy memory between processes even when the handle did not have the permission to do so (Microsoft later fixed this method and now the system will just crash if you attempt it).
voidmap
Date: 2022-03-05 | Source code
A simple driver manual mapper that exploits CVE-2021-40449 to get an arbitrary function executed at a given address with a single given argument. It allowed for loading of unsigned kernel-mode code without exploiting any vulnerable driver.
SecureFakePkg
Date: 2021-07-27 | Source code
Since certain anticheats started requiring secure boot to be enabled, I made this EFI runtime driver that hooks into EFI runtime services, which then return spoofed values as if secure boot were enabled.
rainbow
Date: 2021-05-14 | Source code
An EFI bootkit that hooks into the Windows boot process to zero out SMBIOS serials and then cleverly swaps disk dispatch to point to a gadget that will cause it to error out on serial number reads.
GetDeviceInterfacesMemoryLeak
Date: 2020-10-18 | Source code
While messing with EFI runtime services hooks, I noticed a memory leak in the Windows kernel. I found exactly where it is leaking and then complained about it on Twitter, where someone from the Microsoft developer team noticed and fixed it in the next insider Windows release.
BetterTiming
Date: 2020-08-01 | Source code
Patch for the Linux kernel that added TSC offsetting to the KVM SVM implementation. At the time, it allowed games with kernel-mode anti-cheat to run inside the VM, despite their efforts to detect hypervisors. It worked only against simple timing checks, though, and was quickly patched.
mutante
Date: 2020-07-25 | Source code
My first attempt at creating a fully-fledged HWID changer. Unlike other similar projects at the time, which only zeroed out the entire SMBIOS, this one actually parsed the SMBIOS tables and modified only the relevant data. However, my 16-year-old self did not manage the edge cases well, so it did not perform reliably on all systems. Additionally, it statically changed cached disk serials and faked the disabling of S.M.A.R.T. (which was also used to query serials).
negativespoofer
Date: 2020-06-03 | Source code
Many years ago, I attempted to Hackintosh my laptop so I could run Xcode. I remembered that the bootloader I used modified the SMBIOS tables to present the system as a Mac. Similarly, I created an EFI application for SMBIOS patching, but instead of disguising the computer as a Mac, it randomized its serial numbers to get around HWID flagging.
VirusTotalUploader
Date: 2020-05-10 | Source code
A simple .NET WinForms application to add a context menu entry for uploading files to VirusTotal. It was referenced in the official VirusTotal documentation. The repository was fully reset and recoded multiple times.
EfiDump
Date: 2020-07-13 | Source code
Similarly to the previous project, this one also hooked EFI runtime services, but this time not to manually map a kernel-mode driver, but to directly call system APIs to copy memory between processes (dumping the memory of the main executable).
efi-memory
Date: 2020-04-13 | Source code
One of the first projects that actually got some recognition. When I made it, I was 16 years old and just getting into the game hacking scene. It didn’t really introduce anything new; it was mostly based on the EfiGuard project’s idea of hooking EFI runtime services and then utilizing that hook for manually mapping a kernel-mode driver instead of using a vulnerable driver.