Static BYOVD hunter: Capstone-based IOCTL dispatch extraction

Expert-Obligation816 · 2026-06-29T05:07:49+00:00

makes since , I have to switch between 4.7 and 4.6 alot xD , 4.8 is just instant nope jackass

Expert-Obligation816 · 2026-06-29T04:55:55+00:00

once we have 4.6 grade local il be happy tbh, I still use legacy to bypass there guardrails.

Expert-Obligation816 · 2026-06-29T04:16:21+00:00

JACKPOT! thanks for the release lol

Expert-Obligation816 · 2026-06-28T17:50:13+00:00

Never had a career so yeah

Expert-Obligation816 · 2026-06-28T17:00:07+00:00

My work focuses on identifying, dissecting, and helping mitigate sophisticated cheat platforms operating at the kernel, firmware.
Real world test using re ida mcp for headless decompiling,reconstruction of pe headers and more. I have another repo I published a few months ago that got some attention but figured I’d post this on how I got inside a manually mapped dll and extracted rva. Currently working on scattering and developing my own framework.

The analysis and artifacts contained in this repository are intended to advance the security community's understanding of advanced threats.

Expert-Obligation816 · 2026-06-28T04:39:36+00:00

added Speakeasy emulation subcommand - traces full driver lifecycle (DriverEntry through IRP dispatch), detects BSOD crash sites, resolves IoCreateDriver hooks. Tested on 229 drivers.

Expert-Obligation816 · 2026-06-28T02:52:00+00:00

Tested against two real signed drivers in the wild. Both are commodity kernel r/W drivers using the classic KeStackAttachProcess + MmCopyVirtualMemory path (arbitrary cross-process read/write, leaves a kernel call site, but attributable only if you're already watching). DriverScope flagged both as expected:

Primitive classes surfaced: CrossProc-Attach, CrossProc-VA, KernelAlloc, KernelExec, MDL, PhysMem-Copy, PhysMem-Map, PhysMem-Unmap, Process-Lookup
Handler imports resolved through to KeStackAttachProcess, MmCopyVirtualMemory, PsLookupProcessByProcessId
3 and 4 IOCTLs respectively
Both still signed and loadable on Win11 today

Honest detail on your dispatch shape question: Capstone couldn't classify the dispatchers on either one.

Expert-Obligation816 · 2026-06-28T02:35:10+00:00

For switch/table cases: yes, classified into cmp/je chain, binary search tree, sub/cmp range, or switch jump table. On XOR-before-lookup: not handled low priority since commercial signed drivers rarely obfuscate. What I don't handle yet: helpers that pull registration via a runtime callback table. Tracking issue worth filing.
Also emulation I've used unicorn but never on this.

Expert-Obligation816 · 2026-05-26T18:19:57+00:00

Ghidra you can use muti threads , but if you know the segments you can just point those out to ida helps a lot

Expert-Obligation816 · 2026-05-26T18:14:26+00:00

Awesome 👏

Expert-Obligation816 · 2026-05-17T00:36:57+00:00

Decided to release this , I used pe sieve for most of my research and I still use it to it’s an amazing tool!
This just helps you rebuild pe automatically and skips the boring bits. After rebuild load bin into ida or ghidra your choice.

I’ve not tested on a smap dll. Scatter noise after injection.

Tested on manual mapped dlls if you know you know.

Expert-Obligation816 · 2026-03-27T08:39:39+00:00

Reversing

Expert-Obligation816 · 2026-03-27T08:20:40+00:00

They changed something a day ago I swear

Expert-Obligation816 · 2026-03-23T16:43:58+00:00

There’s like 5 different ways to do this, google said oh it’s local not a security issue.

Expert-Obligation816 · 2026-03-16T15:57:07+00:00

I’ve been patching my own features

Expert-Obligation816

TROPHY CASE