
Disarming Windows Code Integrity Through Unprotected .data Globals

Code Integrity decision-making in ci.dll relies on feature flags and a signing-policy table pointer that sit in the writable .data section, outside KDP and PatchGuard protection. Given a kernel write primitive, modifying 20 bytes across two structures disables enforcement entirely, letting unsigned kernel drivers load without a single integrity check firing.

SigmaDrift: A Biomechanical Replacement for WindMouse

WindMouse generates trajectories that look human on screen but fail temporal analysis: the velocity profile has the wrong shape, the sub-movement count is wrong, and movement times do not obey Fitts' Law. SigmaDrift replaces it with sigma-lognormal motor primitives, signal-dependent noise, Ornstein-Uhlenbeck (OU) drift, and speed-modulated tremor, producing output in the same feature space that behavioral classifiers operate in.
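As an added example (not SigmaDrift's own code, and with illustrative parameter values rather than ones taken from the post), the block below builds the first two of those components: a sigma-lognormal speed primitive, the sub-movement count a temporal classifier would measure from it, and a path synthesised with signal-dependent noise. The stroke parameters, the 300 px movement and the noise gain are assumptions chosen for the demo.

```python
# Added example, not code from the original post. Plamondon's sigma-lognormal
# speed primitive plus the temporal features the post says WindMouse gets wrong.
import math
import random


def sigma_lognormal_speed(t, D, t0, mu, sigma):
    """Speed at time t of one stroke of amplitude D that starts at t0 (Plamondon)."""
    if t <= t0:
        return 0.0
    tau = t - t0
    z = (math.log(tau) - mu) / sigma
    return D / (sigma * math.sqrt(2.0 * math.pi) * tau) * math.exp(-0.5 * z * z)


def speed_profile(primitives, T=1.5, dt=1e-3):
    """Sum of overlapping primitives on a uniform grid; each is (D, t0, mu, sigma)."""
    n = int(round(T / dt)) + 1
    return [sum(sigma_lognormal_speed(i * dt, *p) for p in primitives) for i in range(n)]


def displacement(speed, dt=1e-3):
    """Trapezoidal integral of the speed profile; equals the summed stroke amplitudes."""
    return sum((speed[i] + speed[i + 1]) * dt / 2.0 for i in range(len(speed) - 1))


def peak_time(speed, dt=1e-3):
    """Time of peak speed; for a single stroke this is exp(mu - sigma^2) after t0."""
    return speed.index(max(speed)) * dt


def count_submovements(speed, min_frac=0.05):
    """Local maxima above min_frac of the global peak: one per distinguishable stroke."""
    floor = min_frac * max(speed)
    return sum(1 for i in range(1, len(speed) - 1)
               if speed[i] > speed[i - 1] and speed[i] >= speed[i + 1] and speed[i] > floor)


def synthesize_path(start, end, primitives, dt=1e-3, noise_gain=0.02, seed=7):
    """Integrate the speed profile along start->end and add Gaussian jitter whose
    standard deviation scales with the current step length (signal-dependent noise).
    The primitives' amplitudes are expected to sum to the start->end distance."""
    rng = random.Random(seed)
    dx, dy = end[0] - start[0], end[1] - start[1]
    D = math.hypot(dx, dy)
    ux, uy = dx / D, dy / D          # direction of travel
    px, py = -uy, ux                 # perpendicular axis, where jitter shows up
    x, y = start
    points = [(x, y)]
    for v in speed_profile(primitives, dt=dt):
        step = v * dt
        jitter = rng.gauss(0.0, noise_gain * step)
        x += ux * step + px * jitter
        y += uy * step + py * jitter
        points.append((x, y))
    return points


# Constructed strokes: one ballistic 300 px stroke, and the same stroke followed
# by a small corrective sub-movement starting 350 ms later.
STROKE = [(300.0, 0.0, -1.7, 0.3)]
STROKE_WITH_CORRECTION = STROKE + [(40.0, 0.35, -1.7, 0.3)]

if __name__ == "__main__":
    sp = speed_profile(STROKE)
    print("displacement:", round(displacement(sp), 2), "px, peak at", peak_time(sp), "s")
    print("sub-movements:", count_submovements(sp),
          "vs", count_submovements(speed_profile(STROKE_WITH_CORRECTION)))
    path = synthesize_path((100.0, 100.0), (400.0, 100.0), STROKE)
    print("endpoint:", tuple(round(c, 2) for c in path[-1]))
```

The single stroke integrates to its amplitude, peaks early (the profile is right-skewed, as human ballistic movements are) and registers as exactly one sub-movement; appending a late, small primitive produces the two-peak profile of a corrective movement. OU drift and tremor, which the post also describes, would be added as further terms on top of the same integration loop.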

Obfuscating Kernel Drivers Without Crashing

Standard obfuscation libraries assume user mode. Kernel mode disallows pageable allocations at DISPATCH_LEVEL and above, offers only a fraction of the C runtime, and has no static-destructor mechanism. Porting obfuscation to ring 0 means rebuilding every primitive from scratch.

Why Anti Cheats Walk Your Call Stack

Stack walking gives anti-cheats a detection primitive that survives manual mapping, direct syscalls, and kernel execution. Each return address reveals its origin, whether a loaded module backs it, and whether the execution path that produced it is plausible, without scanning a single byte of memory for signatures.
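As an added example, not code from the post or from any anti-cheat, the block below applies those three questions to a list of return addresses: is the address inside a loaded image, is it inside that image's executable section, and does a CALL instruction end exactly there. The module map, the .text bytes and the sample frames are constructed for the demo (the "ntdll.dll" entry is a stand-in, not the real image), and only the common x64 CALL encodings are decoded.

```python
# Added example, not code from the original post. Classifies captured return
# addresses the way a stack-walking detector would; all data here is constructed.
from dataclasses import dataclass


@dataclass
class Module:
    name: str
    base: int
    size: int
    text_rva: int     # RVA of the executable section
    text: bytes       # constructed contents of that section


def find_module(modules, addr):
    """Return the module whose mapped image range contains addr, else None."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m
    return None


def preceded_by_call(code, off):
    """True if a common x64 CALL encoding could end exactly at code[off].

    A real detector disassembles backwards properly; matching a lone 0xE8 byte,
    as done here, can be fooled by data that happens to look like call rel32.
    """
    b = code
    if off >= 5 and b[off - 5] == 0xE8:                                  # call rel32
        return True
    if off >= 6 and b[off - 6] == 0xFF and b[off - 5] == 0x15:           # call [rip+disp32]
        return True
    if off >= 2 and b[off - 2] == 0xFF and 0xD0 <= b[off - 1] <= 0xD7:   # call reg
        return True
    if off >= 3 and b[off - 3] == 0x41 and b[off - 2] == 0xFF and 0xD0 <= b[off - 1] <= 0xD7:
        return True                                                      # call r8..r15
    if off >= 3 and b[off - 3] == 0xFF and b[off - 2] in (0x50, 0x51, 0x52, 0x53, 0x55, 0x56, 0x57):
        return True                                                      # call [reg+disp8]
    return False


def classify_return_address(addr, modules):
    """Verdicts: 'unbacked', 'non-executable', 'no-call-site', 'plausible'."""
    m = find_module(modules, addr)
    if m is None:
        return "unbacked"            # manually mapped image or shellcode
    off = addr - m.base - m.text_rva
    if not 0 <= off < len(m.text):
        return "non-executable"      # inside the image but outside .text
    if not preceded_by_call(m.text, off):
        return "no-call-site"        # spoofed frame or ROP-style return
    return "plausible"


def walk(frames, modules):
    """Classify every frame of a captured call stack (innermost first)."""
    return [(hex(a), classify_return_address(a, modules)) for a in frames]


# Constructed .text: nops everywhere except one call rel32 ending at offset 0x15.
_text = bytearray(b"\x90" * 0x100)
_text[0x10:0x15] = b"\xE8\x10\x00\x00\x00"
NTDLL = Module("ntdll.dll", 0x7FF800000000, 0x200000, 0x1000, bytes(_text))
MODULES = [NTDLL]

SAMPLE_FRAMES = [
    NTDLL.base + 0x1000 + 0x15,   # returns right after the call: plausible
    NTDLL.base + 0x1000 + 0x50,   # in .text, but a nop precedes it
    NTDLL.base + 0x150000,        # mapped image, but not in .text
    0x00001A2B3C4D5E60,           # no module backs it
]

if __name__ == "__main__":
    for addr, verdict in walk(SAMPLE_FRAMES, MODULES):
        print(addr, verdict)
```

The "unbacked" verdict is what defeats manual mapping: the code may never have been scanned, but any frame that returns into it has no module behind it. The "no-call-site" verdict is the plausibility check that catches spoofed or gadget-based return addresses that do point into a legitimate module.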

Direct Circular Buffer Injection in mouclass.sys

Injecting kernel mouse input through mouclass's internal circular buffer bypasses MouseClassServiceCallback, the HID stack, and every filter driver, producing data indistinguishable from physical hardware.

ETW as Cover Traffic for Kernel Drivers

Windows places no authenticity checks on ETW provider registration. A kernel driver that registers a profiler GUID and emits real sampling telemetry becomes forensically indistinguishable from legitimate monitoring software.

Patching Claude Code's Safety Out of cli.js

Claude Code enforces its content policy through unprotected string literals in a local JavaScript file. Three find-and-replace operations strip the refusal logic, and a hash-tracking persistence layer keeps the modification alive across updates.

RSA Signature Validation Gap in CI.dll for Grandfathered Drivers

CI.dll enforces structure, certificate chains, Authenticode hashes, and timestamps for pre-2015 (grandfathered) drivers but never checks the RSA signature bytes themselves. A driver whose EncryptedDigest is entirely zeroed loads under Secure Boot and HVCI without error.
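As an added example, not CI.dll's code and not code from the post, the block below shows the step that is missing: recovering the PKCS#1 v1.5 block from EncryptedDigest with the signer's public key and comparing it against the expected DigestInfo encoding. It uses a toy RSA key generated in place and a constructed byte string standing in for the SignerInfo signed attributes; `structural_checks_only` is a deliberately simplified model of the grandfathered path (a length check), so that a zeroed signature visibly passes it and fails the real verification.

```python
# Added example, not code from the original post or from CI.dll. Toy RSA key,
# PKCS#1 v1.5 signing, and the verification step CI.dll is said to skip.
import hashlib
import hmac
import random

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2 note).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n, rng, rounds=32):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if _is_probable_prime(c, rng):
            return c


def toy_rsa_keypair(bits=1024, seed=1):
    """Deterministic toy key for the demo; never use it for anything real."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits // 2, rng)
        if p != q and (p - 1) % e and (q - 1) % e:   # e is prime, so gcd(e, phi) == 1
            break
    d = pow(e, -1, (p - 1) * (q - 1))
    return p * q, e, d


def _emsa_pkcs1_v15(digest, k):
    """00 01 FF..FF 00 || DigestInfo(SHA-256, digest), exactly k bytes."""
    t = SHA256_DIGESTINFO + digest
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for this encoding")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def sign_encrypted_digest(signed_attrs, n, d):
    """What a real signer does: RSA over the padded hash of the signed attributes."""
    k = (n.bit_length() + 7) // 8
    em = _emsa_pkcs1_v15(hashlib.sha256(signed_attrs).digest(), k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def structural_checks_only(encrypted_digest, n):
    """Simplified model of the grandfathered path: the field has the right size, so it 'passes'."""
    return len(encrypted_digest) == (n.bit_length() + 7) // 8


def verify_encrypted_digest(signed_attrs, encrypted_digest, n, e):
    """The missing step: recover the block with the public key and compare it."""
    k = (n.bit_length() + 7) // 8
    if len(encrypted_digest) != k:
        return False
    s = int.from_bytes(encrypted_digest, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    expected = _emsa_pkcs1_v15(hashlib.sha256(signed_attrs).digest(), k)
    return hmac.compare_digest(em, expected)


# Constructed stand-in for the DER-encoded signedAttrs of a SignerInfo.
SIGNED_ATTRS = b"constructed stand-in for SignerInfo signedAttrs (messageDigest etc.)"


def demo():
    n, e, d = toy_rsa_keypair()
    good = sign_encrypted_digest(SIGNED_ATTRS, n, d)
    zeroed = bytes(len(good))          # EncryptedDigest replaced by all zeros
    return {
        "good_structural": structural_checks_only(good, n),
        "good_verifies": verify_encrypted_digest(SIGNED_ATTRS, good, n, e),
        "zeroed_structural": structural_checks_only(zeroed, n),
        "zeroed_verifies": verify_encrypted_digest(SIGNED_ATTRS, zeroed, n, e),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The zeroed signature recovers to an all-zero block, which cannot match the `00 01 FF..FF 00 DigestInfo` encoding, so any verifier that performs the modular exponentiation rejects it; the length-only model accepts it, which is the gap the post describes. Real Authenticode verification also has to parse the PKCS#7 structure and hash the PE according to the Authenticode rules before reaching this step, which this example leaves out.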