[AI] Tencent Game Security Competition - Machine Learning 2021 WriteUp
· ☕ 14 min read
Although AI's role in client-side security is not yet very significant, I have always felt that those who do not learn AI will sooner or later be left behind. From the perspective of a client security practitioner, learning AI only requires learning how to use it: that is,

gateio login
· ☕ 7 min read
A GitHub repository named DoubleCallBack caught my attention. Lots of programs, especially game cheats, use this library to execute Ring3 functions from the kernel. I have studied this code and, to be frank, it is so difficult to understand that I'm surprised it works at all. Therefore, in this blog post, I will talk about DoubleCallBack and how to execute Ring3 functions from the kernel gracefully. Background Generally, if

UE Dumper
· ☕ 6 min read
As is well known, Unreal Engine uses reflection to achieve various dynamic features, such as object management, garbage collection systems, etc. Unreal Engine generates reflection data during compilation, including class names, class methods, class fields and other class properties, and this data is packed and saved. In this situation, we can retrieve class information and symbols through reverse engineering. Usually, we refer to this process as dumping the SDK. In this blog, I downloaded UE4 4.

2024 Game Security Technology Competition - PC Client Security: Problem-Setting Background and Approach
· ☕ 8 min read
"The dragon-slaying hero eventually becomes the dragon": a former contestant has become the problem setter. Setting the problems for this competition really did take a great deal of time and effort; although I have often set problems for other CTF competitions before, I had still never

Windows Dump Analysis
· ☕ 5 min read
Crash analysis is a very common and difficult problem during programming or testing. I have recorded some useful tricks for analyzing Windows dumps. In this blog, I will use a demo crash dump of a Windows kernel shellcode to share some analysis tricks. windows_kernel_shellcode_dump.dmp Basic When we open a dump using WinDbg, the software automatically prints some basic information about the crash. This includes some crucial information, such as the ntoskrnl base address, the system startup time, and the time from system startup to the crash.

[Android] CheatEngine With Kernel Module
· ☕ 3 min read
Sometimes we have to face a situation where we need to read or write process memory while keeping the process completely unaware. In general, this can be done with the process_vm_readv and process_vm_writev syscalls provided by the Android kernel. However, there are several methods to detect such malicious behavior. Some anti-cheat systems insert special memory pages into the game's memory, and they can detect those pages being read or written via mincore.

Windows Hide Process
· ☕ 2 min read
Sometimes we may need to hide our process from various programs in order to achieve specific objectives. For instance, we may want to hide our virus from antivirus software, or conceal our cheat from anti-cheat programs. There are lots of different approaches introduced by blogs on the internet. In this article, I will introduce a few methods that I believe are both effective and relatively straightforward. Unlink EPROCESS First and foremost, I

Rust FFI
· ☕ 5 min read
Sometimes we need to implement libraries in Rust that will be loaded by other programs, which means we have to implement interfaces for these libraries according to a specific foreign interface standard. Usually, this standard is called an FFI (Foreign Function Interface). It is an important mechanism that allows libraries to access functions written in other programming languages. In this way, we can use this mechanism to call C functions from Rust or call Rust functions from C.

NepCTF2023 Qriver3.0 Problem-Setting Approach
· ☕ 3 min read
Preface The overall design approach is much the same as the Qriver2.0 problem-setting approach: once again a Windows driver was compiled with my own LLVM-based obfuscator. The main reason is that last year it had zero solves, and I felt

Rust Hook
· ☕ 6 min read
With the accelerating advancement of the Rust language, more and more tech companies are rewriting their programs in Rust, especially client security software. However, there are few documents available that explain how to hook arbitrary functions using Rust. Therefore, I have written this blog to help you understand how to hook programs using the retour-rs crate for Rust. In the C language, two hook libraries, detour and MinHook, are commonly used, and both have been implemented in Rust.

A Brief Analysis of Valorant's Anti-Cheat System Vanguard
· ☕ 21 min read
In January I analyzed Riot Vanguard, and learned that Vanguard had a major update in March, so I am now publishing this analysis report. Overall Barriers and Difficulties Vangu

[Android] Debugging .so Files and JNI_OnLoad with IDA
· ☕ 3 min read
In CTFs there are often Android challenges that require debugging a .so file, or debugging the .so's initialization functions JNI_OnLoad and init_array; as it happens, this Tencent Game Security

Formatting Code with Clang-Format
· ☕ 8 min read
Keeping code style consistent and standardized has been a huge problem that has troubled me for many years and seriously hurt my coding efficiency. While writing, I always end up thinking about the naming of variables, methods and classes, and the indentation of the code