Archie

Wintel is coming for your SMEP bypasses! No more flipping the U/S bit in a PTE to mark a user-mode page as supervisor-mode on Intel Arrow Lake CPUs :) (note: this is meant for protection against speculative attacks, with the side effect of becoming SMEP 2.0)

TIL: If you disable DSE by modifying nt!g_CiOptions to load an unsigned kernel driver, it will be logged :)

@33y0re Glad you like it!

The reason why I am even posting this right now is because I directly copied this theme from @Archie_1997 ! I was reading many of the recent posts from https[:]//Archie-os[.]github[.]io and really liked the theme and obviously it seems works for technical posts (thanks Archie)!

My blog got a much needed update! I have had a few people tell me it was hard to read (especially the code snippets and highlights with the coloring and font) so I decided it was time!

Microsoft put C:\inetpub junk there for a reason 🫠 CVE-2025-21204 #greatfix

@sixtyvividtails The threads actually aren't valid objects either! The !object command fails when given the address of an idle thread. Windows Internals also confirms this should be the case.

@Archie_1997 Hah, very cool find! Note while KiInitialProcess (Idle) is indeed just block in ntoskrnl, I think IDLE threads are actually valid kernel objects (valid _OBJECT_HEADER; just 0 id, no CID entries). So they ought to be openable via ObOpen*. Not that it'll help detect in any way 😺.

Getting code execution in a process that cannot be located using traditional kernel APIs and is untouchable from usermode? All while staying PatchGuard-friendly? Sign me up: archie-osu.github.io/2025/04/13/pow…

@panchoszczcur @RiotVanguard Oh, great catch. I'll edit the article to properly list the authors. While the thread you posted is a great resource, I couldn't find any post discussing the actual hooked methods. I'm not part of any cheating circles, therefore if the info is shared on Discord, I wouldn't know.

@Archie_1997 @RiotVanguard The article you mentioned in there was not written by Nick Peterson, it was written by the authors listed as youd expect.. the authors are listed there and the first paragraph states it.. i think it should be appropriately noted

Dug into @RiotVanguard's kernel driver's dispatch table hooks. The article took an unexpected turn half way through, as I found some not yet documented stuff, such as the complete list of system calls hooked by the driver. Article link: archie-osu.github.io/2025/04/11/van…

@panchoszczcur You make great points. Hooking ETW is certainly not a new technique, and there is multiple ways of hijacking CF via it. You sadly didn't save the rewrite in time, as I started looking Vanguard's hook right after publishing this article. I'm sorry you didn't learn anything new.

@Archie_1997 i’ll save you the rewrite for riot vanguard from the horses mouth.. revers.engineering/fun-with-pg-co… this community needs to stop enabling lazy researchers to gain visibility on recycled (plagiarized) info.. write about something you did on your own.. not piggyback for clout.

ETW is an incredibly powerful tool in the wrong hands. Just finished writing about how it allows drivers to hook context switches on Windows 11 24H2 while remaining PatchGuard and HVCI compatible: archie-osu.github.io/etw/hooking/20…

@sixtyvividtails @Denis_Skvortcov That's incredibly helpful! Thank you for pointing it out, it's really a godsend 🤩

@Archie_1997 That's very nice! Note HalpPerformanceCounter ref'd in nt!KeQueryPerformanceCounter is ptr to _REGISTERED_TIMER structure. // cc @Denis_Skvortcov

Hooking context switches on 24H2 like InfinityHook did in the old days... My first writeup's coming soon 😊

@tulachsam RWEverything delivering as always - got a clue as to why the mapping fails on Windows 11?

Found a signed and not blacklisted driver that allows read/write of MSRs, physical memory mapping and allocation of contiguous memory, it works on win10, but on win11 it fails to map the allocated memory region :/

Super cool project, if you haven't yet, check it out. I have started porting it over to Windows. After fighting with hacky macros and different handling of packed structures in MSVC, I've got everything working except the loading part (need to work on kmode component).

@worldoftanks No Chief, yet again...

The clans-only Maneuvers are back! 😎 The 7v7 intense battles are back, are you pumped? Get ready on March 10, and roll out! The battlefield knows no mercy.

Is it me or does it look like the crowdstrike driver is loading arbitrary binary files into kernel space and executing them?? Is csagent bypassing all security of the kernel?? The faulty file is all 00s!!

Turns out if you bp nt!MiCopyFromUntrustedMemory, you prevent WinDbg from working at all

yooo why vgk.sys tryna query KVM clocks, I ain't even running the riot client 😭😭😭 #valorant #vanguard

@wisdomicz @gf_256 System Informer can't do that because of Microsoft threatening to no longer sign their drivers. Look around and find the last build of Process Hacker (v3.0.4953), it doesn't yet have these restrictions.

@gf_256 If this helps end the Antimalware Executable Process I would be really happy. It consumes high memory & I can't end it from Task Manager 😩

Life pro tip: You can find what process is locking your file in Windows using SystemInformer SystemInformer also lets you kill the process or close(!) the file handle

Ever wondered how those custom loaders work? They're native user-mode applications running under SMSS — «BootExecute applications». That's the earliest stage a user-mode application can be invoked in, right before winlogon.

@SturdyStubs @ruostu @Throat_YT Having to restart your computer has nothing to do with it being (or not being) a kernel-level anticheat. EAC and BE are both kernel-level anticheats but don't require a reboot. The reason VGK does is due to it being a boot driver.

@ruostu @Throat_YT EAC is not kernel level. A kernel level anticheat is loaded before anything else on your system which is why anticheats like vanguard require a restart to launch and run at all times. Not because they want to know every little thing you do but because it has to.

im sure facepunch has thought of this.. but why doesn't rust have a kernel anticheat? i know its invasive but fuck it id let facepunch scan my retinas to get less cheaters