Pinned Tweet
Analyzed with @vm_call and offered improvements to BattlEye's VM detection. It was surprising this was their only method to detect generic hypervisors. https://vmcall.blog/battleye-hypervisor-detection/
Daax Rynd Retweeted
Unwinding RTCore - response to recent Unwinder claims and behavior related to vulnerabilities found in his RTCore driver which is a part of MSI Afterburner, https://swapcontext.blogspot.com/2020/01/unwinding-rtcore.html
Daax Rynd Retweeted
Good whitepaper about the Windows 10 secure kernel: "Live forensics on the Windows 10 securekernel (2017)" https://ntnuopen.ntnu.no/ntnu-xmlui/bitstream/handle/11250/2448948/18109_FULLTEXT.pdf
Daax Rynd Retweeted
Hackers have been abusing a poor integrity check in BattlEye to completely circumvent game protection mechanisms. This has allowed cheat communities to intercept and modify every single piece of information sent by the anti-cheat to the respective servers. https://vmcall.blog/battleye-communication-hook/
Daax Rynd Retweeted
Very much looking forward to this talk: "Hypervisor-level malware monitoring and extraction system - current state and further challenges" with DRAKVUF @1ns0mn1h4ck! https://insomnihack.ch/conference-2020/#202005
The other is using CPUID where EAX=0 to query CPU vendor information. For whatever reason, they loop these an exorbitant amount of times - 26,000 times. The rest of the code is virtualized with VMP - yikes. The perf overhead is extreme.
Seems that there are two others found after more thorough analysis. Using xgetbv/xsetbv in a loop similar to the one in the article. XSETBV is an unconditionally exiting instruction so naturally it fits for the time based attack. 1/2
Daax Rynd Retweeted
Anticheats such as BattlEye have been trying to detect generic hypervisors, in particular those prevalent in the cheating community (DdiMon and hvpp), by using time-based detections. Here's some advice on that for the developers. https://vmcall.blog/battleye-hypervisor-detection/
Daax Rynd Retweeted
Little research @0xcpu and I did on the new AltSystemCallHandlers functionality added to Windows 10 20H1 18995. Register a handler that gets executed every time KiSystemCall is called; this has a lot of potential!! https://github.com/0xcpu/WinAltSyscallHandler
Daax Rynd Retweeted
I recently discovered @ModernVintageG's channel on YouTube. A lot of stuff about old video game copy protections (arcade, console, PC), emulation, game development, etc. Good production values, too. Great stuff for reverse engineering enthusiasts. https://youtu.be/vCtXZM8iG-o
Always good to read interesting research - keep it up Carl https://twitter.com/vm_call/status/1214263096845488133
Daax Rynd Retweeted
Upload htaccess as image to bypass filters... nice read https://medium.com/@int0x33/upload-htaccess-as-image-to-bypass-filters-71dfcf797a86
Daax Rynd Retweeted
So, it's been a while since I posted on my blog, but I had some spare time over the holidays to do a write up on reversing @MalwareTechBlog's VM1 challenge and writing a custom VM interpreter for it, as well as incorporating YARA into it! Check it out! https://0ffset.net/reverse-engineering/solving-a-vm-based-crackme/
Daax Rynd Retweeted
A nice talk from #DefCon26, about using PE relocations for the purpose of obfuscation: Nick Cano - "Relocation Bonus - Attacking the Windows Loader Makes Analysts Switch Careers": https://www.youtube.com/watch?v=8_kfyKVk32c
Daax Rynd Retweeted
KRSI - Google's Kernel Runtime Security Instrumentation - https://lkml.org/lkml/2019/12/20/641
Daax Rynd Retweeted
CVE-2017-11176: A step-by-step Linux Kernel exploitation (part 4/4) https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part4.html
Daax Rynd Retweeted
Fantastic resource including all Windows ETWs! [Repo] Events from all manifest-based and mof-based ETW providers across Windows 10 versions https://github.com/jdu2600/Windows10EtwEvents
#Windows #ETW #Forensics #DFIR
Daax Rynd Retweeted
I wonder if VS project arbitrary code execution is another won't-fix
Daax Rynd Retweeted
Awesome Forensics Resources. Almost 300 open source forensics tools, and 600 blog posts about forensics. https://github.com/alphaSeclab/awesome-forensics/blob/master/Readme_en.md