Daax Rynd

@daax_rynd

Security researcher. Specializing in reverse engineering, hypervisor development, and Windows internals. See website for various series in these areas.

United States
Joined May 2018

Tweets


  1. Pinned Tweet
    Jan 14

    Analyzed with and offered improvements to BattlEye's VM detection. It was surprising this was their only method to detect generic hypervisors.

  2. Retweeted
    Jan 30

    Unwinding RTCore - response to recent Unwinder claims and behavior related to vulnerabilities found in his RTCore driver, which is a part of MSI Afterburner,

  3. Retweeted
    Jan 25

    Good whitepaper about Windows 10 secure kernel: "Live forensics on the Windows 10 securekernel (2017)"

  4. Retweeted
    Jan 24

    Hackers have been abusing a poor integrity check in BattlEye to completely circumvent game protection mechanisms. This has allowed cheat communities to intercept and modify every single piece of information sent by the anti-cheat to the respective servers.

  5. Retweeted
    Jan 18
  6. Retweeted
    Jan 16

    Very much looking forward to this talk: "Hypervisor-level malware monitoring and extraction system - current state and further challenges" with DRAKVUF!

  7. Jan 14

    The other is using CPUID where EAX=0 to query CPU vendor information. For whatever reason, they loop these an exorbitant number of times - 26,000 times. The rest of the code is virtualized with VMP - yikes. The perf overhead is extreme.

  8. Jan 14

    Seems that there are two others found after more thorough analysis. Using xgetbv/xsetbv in a loop similar to the one in the article. XSETBV is an unconditionally exiting instruction so naturally it fits for the time-based attack. 1/2

  9. Retweeted
    Jan 14

    Anticheats such as BattlEye have been trying to detect generic hypervisors, in particular those prevalent in the cheating community (DdiMon and hvpp), by using time-based detections. Here's some advice on that for the developers.

  10. Retweeted
    14 Oct 2019

    Little research and I did on the new AltSystemCallHandlers functionality added to Windows 10 20H1 18995. Register a handler that gets executed every time KiSystemCall is called, this has a lot of potential!!

  11. Retweeted
    Jan 7

    I recently discovered 's channel on YouTube. A lot of stuff about old video game copy protections (arcade, console, PC), emulation, game development, etc. Good production values, too. Great stuff for reverse engineering enthusiasts.

  12. Jan 7

    Always good to read interesting research - keep it up Carl

  13. Retweeted
    Jan 4
  14. Retweeted
    Jan 2

    So, it's been a while since I posted on my blog, but I had some spare time over the holidays to do a write up on reversing 's VM1 challenge and writing a custom VM interpreter for it, as well as incorporating YARA into it! Check it out!

  15. Retweeted
    Jan 2

    A nice talk from , about using PE relocations for the purpose of obfuscation: Nick Cano - "Relocation Bonus - Attacking the Windows Loader Makes Analysts Switch Careers":

  16. Retweeted
    31 Dec 2019

    KRSI - Google's Kernel Runtime Security Instrumentation -

  17. Retweeted
    31 Dec 2019

    CVE-2017-11176: A step-by-step Linux Kernel exploitation (part 4/4)

  18. Retweeted

    Fantastic resource including all Windows ETWs! [Repo] Events from all manifest-based and mof-based ETW providers across Windows 10 versions

  19. Retweeted
    30 Dec 2019

    I wonder if VS project arbitrary code execution is another won't-fix🤔

  20. Retweeted
    30 Dec 2019

    Awesome Forensics Resources. Almost 300 open source forensics tools, and 600 blog posts about forensics.
