Projects

This is a list of some of my more notable public projects. The vast majority of work that I do stays private. If you want to discuss some of my private projects, do not hesitate to contact me.

memhv

Date: 2024-04-04 | Source code
Extremely minimalistic hypervisor project that allows programs running in the guest to read/write other (protected) processes' memory using a hypercall.

tpm-spoofer

Date: 2023-12-11 | Source code
Modern anticheats have started abusing TPM’s EK as a HWID flag. This was (at least as far as I can tell) the first ever kernel mode driver that would hook into the undocumented Windows TPM stack, parse the TPM responses and randomize the EK when it detected its read command.

OverlayCord

Date: 2023-06-28 | Source code
Discord loads its internal module, which is whitelisted by anticheats, into game processes and then uses it to render its overlay. However, the overlay is not actually rendered in the game process; instead, it is rendered in the Discord client itself. From there, it is sent through a memory-mapped file into the game process. I reverse-engineered this process and then applied the knowledge in this project, which allows you to hijack the internal game overlay.

DirectPageManipulation

Date: 2023-06-26 | Source code
An example Windows kernel mode driver demonstrating how you can parse page tables directly and overwrite them for interprocess memory copying.

PatchBoot

Date: 2023-05-29 | Source code
I dumped and reverse-engineered my computer’s AMI UEFI firmware and then patched it to allow the loading of unsigned executables even with secure boot enabled.

nullmap

Date: 2023-03-10 | Source code
Based on the older project voidmap, this project utilizes CVE-2023-21768 to manually map a kernel-mode driver without loading any vulnerable driver. It worked on pre-patch Windows 11 22H2 (22621.525).

RwxMeme

Date: 2022-10-23 | Source code
State-of-the-art DLL injector that I wrote in under 20 minutes (sarcasm, in case you haven’t noticed). This project used an ages-old method of abusing DLLs with RWX sections to map its own DLL over them. It also used a vulnerable driver to do so. Funnily enough, at the time, this was enough to get around EAC, BE, and Vanguard anti-cheat.

LightHook

Date: 2022-08-31 | Source code
I was frustrated with the fact that you needed to bundle an entire disassembler to use the most popular hook libraries (which, when using certain build systems, is really painful). So, I wrote this. It is a single-header C library that does not require any other dependencies to hook functions on the AMD64 architecture.

meme-rw

Date: 2022-07-02 | Source code
Using a vulnerable driver, this program would overwrite a single byte in an internal kernel structure, which would then allow it to use system APIs to further manipulate kernel code that would normally be inaccessible, and also to copy memory between processes even when the handle did not have the permission to do so (thereby bypassing anticheats that would strip handles).

voidmap

Date: 2022-03-05 | Source code
A simple driver manual mapper that exploits CVE-2021-40449 to get an arbitrary function executed at a given address with a single given argument. It allowed loading of unsigned kernel-mode code without exploiting any vulnerable driver.

SecureFakePkg

Date: 2021-07-27 | Source code
Since certain anticheats started requiring secure boot to be enabled, I made this EFI runtime driver that hooks into EFI runtime services, which then return spoofed values as if secure boot were enabled.

rainbow

Date: 2021-05-14 | Source code
An EFI bootkit that hooks into the Windows boot process to zero out SMBIOS serials and then cleverly swaps disk dispatch to point to a gadget that will cause it to error out on serial number reads.

lrdp

Date: 2020-12-20 | Source code
Windows client SKUs have an artificial limit that disallows multiple users from using RDP to connect to the system. This was a simple program that patched the limitation. Unlike others in the past, it downloaded debug symbol files from the Microsoft Debug Symbol server, ensuring it worked on any recent Windows version and future updates.

GetDeviceInterfacesMemoryLeak

Date: 2020-10-18 | Source code
While messing with EFI runtime services hooks, I noticed a memory leak in the Windows kernel. I found exactly where it was leaking and then complained about it on Twitter, where someone from the Microsoft developer team noticed and fixed it in the next insider Windows release.

BetterTiming

Date: 2020-08-01 | Source code
Patch for the Linux kernel that added TSC offsetting to the KVM SVM implementation. At the time, it allowed games with kernel-mode anti-cheat to run inside the VM, despite their efforts to detect hypervisors. It worked only against simple timing checks, though, and was quickly patched.

mutante

Date: 2020-07-25 | Source code
My first attempt at creating a fully-fledged HWID spoofer that would change all serial numbers required to bypass HWID-related bans on, at that time, the most popular anti-cheats. Unlike other spoofers at the time, which only zeroed out the entire SMBIOS, this one actually parsed the SMBIOS tables and modified only the relevant data. However, my 16-year-old self did not manage the edge cases well, so it did not perform reliably on all systems. Additionally, it statically changed cached disk serials and faked the disabling of S.M.A.R.T. (which was also used to query serials).

negativespoofer

Date: 2020-06-03 | Source code
Many years ago, I attempted to Hackintosh my laptop so I could run Xcode. I remembered that the bootloader I used modified the SMBIOS tables to present the system as a Mac. Similarly, I created an EFI application for SMBIOS patching, but instead of disguising the computer as a Mac, it randomized its serial numbers to bypass HWID bans.

VirusTotalUploader

Date: 2020-05-10 | Source code
A simple .NET WinForms application to add a context menu entry for uploading files to VirusTotal. It was referenced in the official VirusTotal documentation. The repository was fully reset and recoded multiple times.

EfiDump

Date: 2020-07-13 | Source code
Similarly to the previous project, this one also hooked EFI runtime services, but this time not to manually map a kernel-mode driver, but to directly call system APIs to copy memory between processes (dumping the memory of the main executable).

efi-memory

Date: 2020-04-13 | Source code
One of the first projects that actually got some recognition. When I made it, I was 16 years old and just getting into the game hacking scene. It didn't really introduce anything new; it was mostly based on the EfiGuard project's idea of hooking EFI runtime services and then utilizing that hook for manually mapping a kernel-mode driver instead of using a vulnerable driver. It was published right around the time the game hacking community started exploring the possibilities of EFI bootkits, so that was most likely why it gained traction.