Micro-projects.
2024-08-16
This is a list of projects I made in my free time during my bachelor's degree. Most of the project repos are private, but I will gladly share the source/info if anyone is interested. A few entries might be omitted since it would be more appropriate to write a dedicated blog post going over them. (TODO: posts on hetrane/qemu/bochspwn, sinkclose, llvm pass, tt-tooling, ddcci)
- Hetrane - TODO: insert blog link here
- Sinkclose - TODO: insert blog link here
- Grammar-LLVM - TODO: insert blog link here
- Custom SymEx tooling - TODO: insert blog link here
- Ideas (DDC/CI?) - TODO: insert blog link here
- CabalSVM - A simple blue-pill AMD Virtual Machine Manager based on the AMD-V extensions, implemented as a Windows driver. Supports tracing and intercepting several interesting VM-exits as well as manipulating/hiding host memory from the (Windows) guest's view with AMD-NPT.
- KvmBackdoor - A patchfile for Linux's Kernel Virtual Machine x86-64 component which allows guest code running in CPL3 to perform complete memory inspection of privileged guest memory and MSRs. Used for analysing/probing invasive anti-cheat mechanisms in competitive multiplayer games.
- WVDM - A reimplementation of the popular VDM framework for mapping unsigned kernel drivers on a Windows system with Driver Signature Enforcement turned on, by leveraging allowed vulnerable drivers. Fixed a few limitations present in the original such as inflexibility, HVCI compliance, compatibility with a larger range of 'syscalls', etc. Superseded by KernelForge.
- SmmDebug - A meme debugger: my own implementation of the Malt paper on UEFI with EDK2/OVMF, written after the authors ignored any questions about program architecture and requests for source; just an average case of academia-brain, nothing surprising. Just use a gdb stub please(?).
- LlamaRemoteCall - C library that allows users to 'execute' arbitrary pure functions in a remote process whose memory view is available but whose process state, such as running threads, cannot be disturbed, due to, for instance, being monitored by anti-cheat software. It achieves this by executing the remote code in the Unicorn CPU emulator and applying the memory side-effects in the remote process's address space. LRC is another one of the tools that should never be used other than for comedic purposes, due to the obvious threat of losing data to races between the emulator and real threads, faulty/non-existent exception handling, etc. Used as a device to learn the Unicorn framework.
- SynthetikChat - Frida script I wrote that hooks the network transmission function used for the 'global chat' feature in the popular roguelike game Synthetik and performs on-the-fly replacement of the binary data corresponding to several attributes of the sent messages. This allows for some fun stuff like impersonating the game's developers by enabling the special colour and developer-only logo that is prepended to the message, making the messages indistinguishable from the real ones.
- EQU8-RIP - Basic kernel driver written for fun that neuters the EQU8 anti-cheat driver for the (surprisingly fun) game Splitgate by hooking the driver code at load-time. It's nothing special except for how it uses a fun little trick that allows the manually mapped EQU8-RIP driver to register callbacks (without DKOM) that would otherwise cause a BSOD.