Aidan Khoury
@aidankhoury

184 posts

Canada
Joined February 2018
170 Following, 1.8K Followers
Aidan Khoury @aidankhoury
@UlfFrisk @ItsGamerDoc Yes, 9 years ago. Yes, when half of players were still on pre-Skylake processors. Yes, when Microsoft didn't even properly support the tech on Windows yet. We've had to be very patient. :)
Ulf Frisk @UlfFrisk
@ItsGamerDoc Interesting you finally got around to using the IOMMU. I remember suggesting the IOMMU as a possible DMA solution when I released PCILeech as a hardware‑security tool nine years ago.
GamerDoc @ItsGamerDoc
Two weeks ago, one of our chad engineers cooked so we released our IOMMU Restriction Enforcement, which marked the end of 2PC DMA attacks using IOMMU. This is where the device itself is contained in its own memory region and cannot read outside of it. No matter what you do, tampering with that would defeat the purpose of the 2PC "security" benefit. The biggest P2C devs, including devices like HPTT that cost $4500, have all either given up or are coping on theories of how they can get around it or try to resort to finding niche stupid things that get them detected/banned lmao. It is a relatively simple area to cover, not a particularly problematic surface area. I have collected their tears for your enjoyment imgur.com/a/iommu-judgem… and here is a video a 2PC DMA cheat dev has posted youtube.com/watch?v=IprU_G… This marks the end of 2PC DMA ATTACKS 2016-2025
Aidan Khoury @aidankhoury
@Ka11zer @riotgames learn.microsoft.com/en-us/security… "Signatures using elliptical curve cryptography (ECC), such as ECDSA, are not supported in Windows and newer Windows security features. Users utilizing these algorithms and certificates will face various errors and potential security risks."
Riot Games @riotgames
To close out the year, we take time to rest, recharge, and, naturally, queue up for some games. This downtime is part of our commitment to keeping Rioters energized, alongside our summer break and open paid time off. Of course, some teams like live operations, anti-cheat, and security will still be online, keeping things running smoothly. But don't worry, they'll get a well-earned break, too. GGWP, and we'll see you in 2025.
Aidan Khoury @aidankhoury
@Ka11zer @riotgames That is 100% an OBS problem, there is not much Riot can do about that. Microsoft doesn't support ECDSA signed certificates like OBS decided to use, and probably never will. OBS needs to use an RSA certificate to sign their hook DLL like the rest of the industry.
Aidan Khoury @aidankhoury
@apekros @FeribHellscream One of the reasons for disapproval was because I couldn't prove the domain associated with the business entity was over a year old, Namecheap refused to provide sufficient information for me to provide Microsoft with.
Ferib @FeribHellscream
Fighting kernel AC? Just buy an EV Code Sign Signature they said, it be fun they said ferib.dev/blog/EV-code-s…
brinly @brinlystorm
@aidankhoury @number201724 @HexRaysSA But it wasn’t communicated that we would only get 8.4 support. Not sure how long you’ve been an IDA customer, but after 10 years of being a named licensee, I expect changes to be communicated, or pro rated refunded
brinly @brinlystorm
This is bullshit. I paid for an IDA pro + 2 decompilers licence in June - with the usual system of upgrades for one year, then perpetual use after that. You should at least honour perpetual use for people who have existing active licences. @HexRaysSA
number201724 @number201724
@brinlystorm @aidankhoury @HexRaysSA Also, even though they are no longer selling perpetual licenses, they should at least give me a perpetually licensed IDA 9 during the maintenance period of the perpetual license.
Aidan Khoury @aidankhoury
@brinlystorm @HexRaysSA So if I understand correctly, you simply disagree with IDA being SaaS? Not sure how else they can migrate perpetual licenses to SaaS without doing this. If they give you perpetual IDA 9, then it wouldn't be fair to new SaaS licenses. What would you recommend they do?
brinly @brinlystorm
@aidankhoury @HexRaysSA Yes, but we paid for updates/new features/versions when we paid for something with a year of support, not for “bug fixes only”. I’ve been a customer for like 10 years now and never had any of this crap before. I’ve backed up my installers but trust is lost.
Aidan Khoury @aidankhoury
@zodiacon Sometimes Microsoft is late on releasing symbols for latest builds, but I've never seen PDBs missing types like this. Hopefully they upload new symbols. Windows 11 22H2 10.0.22621.607 still missing ntoskrnl symbols last I checked lol
Pavel Yosifovich @zodiacon
Does anyone have an issue with the kernel symbols for the latest Win10 update? It seems all types are gone - no EPROCESS, no LIST_ENTRY...?
Aidan Khoury @aidankhoury
@UlfFrisk @dwizzzleMSFT @riotgames It's not so simple to just enforce HVCI on millions of gamers' machines, especially 5-6 years ago. But the tech is getting there, more and more PCs ship with virtualization and VBS/HVCI enabled nowadays!
Ulf Frisk @UlfFrisk
@dwizzzleMSFT @riotgames I released PCILeech DMA attacks 8 years ago. Gamers started abusing DMA around 5-6 years ago. It took them all these years to find out they can enable HVCI? 🐌🐢
Aidan Khoury @aidankhoury
@davepl1968 A quick look in IDA with loaded symbols and they updated to use full paths that use expanded environment vars since then. There are 14 of them defined in a symbol called TmSpecialProcesses::CriticalProcessPaths
Dave W Plummer @davepl1968
Here's the code (circa XP) that determines whether or not you can kill a Windows process. Of course, you need to have sufficient rights, but if it's not in this list of 5 important processes, you can kill it. Task Manager goes to significant lengths to be able to kill a process, such as enabling the SE_DEBUG privilege. If there's sufficient interest, follow me for more Task Manager code trivia! BTW, this isn't open-source, it's just code they allowed me to share, and it's still under Microsoft copyright, etc...
Petr Beneš @PetrBenes
Is there a way to manually trigger the whole Patch Guard routine? For, uh, reasons.
Halogen @halsgenein
@ItsGamerDoc I'm a simple man. I see kernel level anything, I uninstall.
GamerDoc @ItsGamerDoc
It's funny how cheaters are launching a large scale attack, farming impressions, and spreading misinformation, trying their best to get Vanguard removed. This has happened in Valorant as well. It's not going anywhere. We will protect the player experience and help everyone who has an incompatibility issue. The team is hard at work and will continue to work hard.
Nick Peterson 🇺🇲 ✝️ @nickeverdox
fun little vmware backdoor will cause the guest to immediately enter a suspend state 🧐
Aidan Khoury @aidankhoury
@Jeditobe The code is all there, it works, but the wine authors were not inclined to accept my test cases which used real blobs I extracted from Adobe's installer
Aidan Khoury retweeted
Ryan K. Rigney @RKRigney
Helldivers 2 got review-bombed by players complaining about their anti-cheat, so I reached out to anti-cheat leaders from Riot Games, Roblox, and Fortnite to get their take. Are players over-reacting to kernel-level anti-cheat drivers? Full story: pushtotalk.gg/p/the-gamers-d…