Streaming remote dynamically executed code into the kernel 

https://twitter.com/vm_call/status/1214263096845488133
Replying to @0xabU @dwizzzleMSFT
The shellcode in question is indeed streamed to the usermode client :)
Sorry, you are right, there are various anticheats that are doing nearly the same thing in kernel, so I accused the innocent here
Replying to @dwizzzleMSFT @0xabU
But if it helps, BattlEye also streams a ton of shellcode to their kernel driver BEDaisy, so you're not wrong ;-) I will release them later on
Many anticheat solutions do. The ones that use hypervisors can be even worse
Replying to @dwizzzleMSFT @0xabU
Sounds pretty annoying for OS Security people :D
no way we can totally disambiguate "good" remotely injected shellcode that manipulates kernel memory from exploits...
Replying to @dwizzzleMSFT @0xabU
Nope, such an amazing attack vector installed on millions of computers, just waiting for the supply chain attack of the decade to happen when someone gets a hold of battleye servers
In fairness, it's clear they need to move fast and I get why they want to update frequently. Also, I am not sure this is any worse in terms of a supply chain attack than a static driver update
Static driver updates require certificate access as well, and can be verified by checking the hash on disk for updates. This shellcode streaming is completely silent to the user and depending on server setup, might not need access to fully recompile the driver with certificate.
I get what you're saying, it is more ephemeral for sure