Alexandre Borges has published over 700 pages of free security, malware and vulnerability research.
A complete Malware Analysis Series covering Windows, macOS, iOS, Linux and shellcode. An Exploiting Reversing Series covering Windows kernel exploitation, Hyper-V, Chrome, and a three-part deep dive on CVE-2024-30085.
No paywall. No course. Just research. Free as in beer.
https://t.co/x516DQRcB8
Author: @ale_sp_brazil
#ReverseEngineering #MalwareAnalysis #InfoSec
Most people learn security research by reading finished writeups. This one shows the actual process.
The messy, organic, step-by-step reality of reversing an unknown Windows mitigation from scratch. WinDbg. IDA. Hex-Rays. Guard page violations. Trap flags. Zero prior knowledge of the target.
If you want to learn how to actually approach unknown Windows internals, start here.
https://t.co/Xq8xbSnG75
Author: @yarden_shafir
#ReverseEngineering #WindowsInternals #InfoSec
@vxunderground @5mukx @martinwoodward I reached out to my contact at GitHub and apparently it's copyright infringement. I'll ask around for you to see if they can help internally.
I believe I was trying to say it's a "malware technique." Obviously it's not doing anything malicious, but you could easily add functionality to do that in the user-mode component. Most game cheats use malware-like techniques. It helps non-technical individuals understand similarities.
This is the type of malware game hackers build to bypass kernel anti-cheat. The same techniques can be used by malware authors to evade EDRs.
A UEFI bootkit that injects into Microsoft's own Hyper-V at ring -1 before the OS even loads (easier than building a custom hypervisor from scratch).
Four-phase bootloader. Hypervisor VM-exit interception. EPT page shadowing. MSR virtualization. EFI memory map ghosting. TPM measurement spoofing.
Reads like malware. Because it is. Videos and full technical breakdown in the link.
Author: https://t.co/iHtxyJSbwy
#ReverseEngineering #Malware #AntiCheat
While gamers debate kernel anti-cheat, ring-1[.]io was shipping a Themida-protected UEFI bootkit that injects into Hyper-V, manipulates EPT entries, clones game page tables, and hides memory contents below the OS entirely.
After partially deobfuscating their binaries and recovering critical functions, this is what was inside.
Bungie and Ubisoft sued them.
They found $12 million in Bitcoin and kept going.
This is what kernel anti-cheat is actually fighting.
https://t.co/zHjWeLgQ3X
Authors: @BackEngineerLab
#AntiCheat #Malware #InfoSec
@BackEngineerLab published one of the first public Hyper-V hyperjacking frameworks back in 2021. Module injection and VM-exit hooking for both AMD and Intel. A lot of the techniques being discussed here trace back to that work.
blog: https://t.co/z0oQMuGPBT
GitHub: https://t.co/gdY3IeMEyB
Author: @_xeroxz
@IAMERICAbooted @jonasLyk I was probably in high school when this legend was hacking. I wanted to sell my 0-exploits too but someone told me it is a cyber weapon and it's illegal. So instead I just use in-game cheats.
@NinjaParanoid @Octoberfest73 What experiences have you had with EDR vendors? I'm curious to know people's interactions for reporting bugs or bypasses and their bounty programs. Are they okay with releasing blog posts to bypass them, or are they the same as anti-cheat vendors?
Server-side authority works well for smaller player counts, but at millions of concurrent players the latency and infrastructure cost become a real problem. Most studios cannot afford to run authoritative physics and position validation at that scale. Client-side is not ideal, but it is a practical reality. The honest answer is that both are needed and neither alone solves it.
Gamers worry about kernel anti-cheats when any user-mode software (ring-3) can already read your passwords, browser history, log your keystrokes, record your camera, steal your files, and exfiltrate your data.
Spyware has never needed the kernel. Kernel access is not what makes something spyware.
Cheaters have been loading kernel drivers and hypervisors for years to hide from detection. A usermode anti-cheat has no way to detect something already operating below it.
Loading at boot is necessary. If anti-cheat loads after a cheat driver is already in the kernel, it has already lost.
Read: Why Anti-Cheat Software Utilize Kernel Drivers
https://t.co/eTi683zHgc
Author: @vm_call from @the_secret_club
#AntiCheat #GameSecurity
Vanguard runs at boot because cheats run at boot.
Riot clones the PML4 table, inserts a shadow entry into a free slot, hooks SwapContext, and swaps CR3 per thread at context-switch time.
If it were spyware, researchers would have found it. They found this instead.
Reverse engineering is an art. When in doubt, reverse it.
#ReverseEngineering #Vanguard #InfoSec
Full RE breakdown by @Xyrem256: https://t.co/RyUreWosL5
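The PML4-cloning step described above, as an added model in C that is neither Vanguard's code nor taken from the linked breakdown. It assumes a 4 KiB-aligned heap page stands in for a physical frame (so its address stands in for what CR3 or a PML4 entry would hold), and a hypothetical `tagged` flag on the thread stands in for however the real driver decides which threads get the private view. What it shows that the sentence does not: the clone is a full copy, so every existing PDPT (user and kernel) is shared and all existing mappings stay identical; only the one free slot differs, and that slot maps a 512 GiB virtual range that threads on the original CR3 simply cannot reach.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PT_ENTRIES     512
#define PTE_PRESENT    0x1ULL
#define PTE_WRITE      0x2ULL
#define PTE_ADDR_MASK  0x000FFFFFFFFFF000ULL
#define PAGE_SIZE      4096

typedef struct { uint64_t e[PT_ENTRIES]; } page_table_t;

/* Simulated "physical memory" (assumption of this model, not real Windows):
 * a page-aligned heap block is a frame, its address is the frame's physical
 * address, and that address is what CR3 / a PML4 entry points at. */
static page_table_t *alloc_table(void) {
    page_table_t *t = aligned_alloc(PAGE_SIZE, sizeof *t);
    if (t) memset(t, 0, sizeof *t);
    return t;
}
static uint64_t table_pa(const page_table_t *t) { return (uint64_t)(uintptr_t)t; }
static page_table_t *table_at(uint64_t pa) {
    return (page_table_t *)(uintptr_t)(pa & PTE_ADDR_MASK);
}

/* First PML4 slot whose present bit is clear, or -1 if none is free. */
int find_free_pml4_slot(const page_table_t *pml4) {
    for (int i = 0; i < PT_ENTRIES; i++)
        if (!(pml4->e[i] & PTE_PRESENT)) return i;
    return -1;
}

/* Copy all 512 entries so the clone shares every existing PDPT (and therefore
 * every existing mapping), then point one free slot at a private PDPT that
 * only the clone can see. Returns the clone; *slot_out gets the slot used. */
page_table_t *clone_pml4_with_shadow(const page_table_t *orig,
                                     page_table_t *shadow_pdpt, int *slot_out) {
    int slot = find_free_pml4_slot(orig);
    if (slot < 0) return NULL;
    page_table_t *clone = alloc_table();
    if (!clone) return NULL;
    memcpy(clone->e, orig->e, sizeof clone->e);
    clone->e[slot] = (table_pa(shadow_pdpt) & PTE_ADDR_MASK) | PTE_PRESENT | PTE_WRITE;
    if (slot_out) *slot_out = slot;
    return clone;
}

/* Base of the 512 GiB virtual range covered by PML4 slot `slot` (VA bits 39..47);
 * slots >= 256 are the sign-extended upper half. */
uint64_t pml4_slot_va_base(int slot) {
    uint64_t va = (uint64_t)slot << 39;
    if (slot >= 256) va |= 0xFFFF000000000000ULL;
    return va;
}

/* Does the PML4 reachable from `cr3` map the range owned by `slot`? */
int cr3_maps_slot(uint64_t cr3, int slot) {
    const page_table_t *pml4 = table_at(cr3);
    return (pml4->e[slot] & PTE_PRESENT) != 0;
}

/* The per-thread choice a SwapContext hook makes when `next` is scheduled in:
 * tagged threads run on the cloned PML4, everyone else keeps the original.
 * `tagged` is this model's stand-in for the driver's real thread selection. */
typedef struct { int tagged; } thread_t;
uint64_t select_cr3(const thread_t *next, uint64_t orig_cr3, uint64_t clone_cr3) {
    return next->tagged ? clone_cr3 : orig_cr3;
}

/* Minimal original PML4: user slot 0 and kernel slot 511 present. */
page_table_t *build_demo_pml4(page_table_t *user_pdpt, page_table_t *kernel_pdpt) {
    page_table_t *pml4 = alloc_table();
    if (!pml4) return NULL;
    pml4->e[0]   = (table_pa(user_pdpt)   & PTE_ADDR_MASK) | PTE_PRESENT | PTE_WRITE;
    pml4->e[511] = (table_pa(kernel_pdpt) & PTE_ADDR_MASK) | PTE_PRESENT | PTE_WRITE;
    return pml4;
}

int main(void) {
    page_table_t *user_pdpt = alloc_table(), *kernel_pdpt = alloc_table(), *shadow_pdpt = alloc_table();
    page_table_t *orig = build_demo_pml4(user_pdpt, kernel_pdpt);
    int slot;
    page_table_t *clone = clone_pml4_with_shadow(orig, shadow_pdpt, &slot);
    thread_t game = { .tagged = 1 }, other = { .tagged = 0 };
    uint64_t cr3_game  = select_cr3(&game,  table_pa(orig), table_pa(clone));
    uint64_t cr3_other = select_cr3(&other, table_pa(orig), table_pa(clone));
    printf("shadow slot %d covers VA base 0x%016llx\n", slot, (unsigned long long)pml4_slot_va_base(slot));
    printf("tagged thread sees shadow: %d, other thread sees shadow: %d\n",
           cr3_maps_slot(cr3_game, slot), cr3_maps_slot(cr3_other, slot));
    printf("both still map kernel slot 511: %d %d\n",
           cr3_maps_slot(cr3_game, 511), cr3_maps_slot(cr3_other, 511));
    free(clone); free(orig); free(user_pdpt); free(kernel_pdpt); free(shadow_pdpt);
    return 0;
}
```

The first free slot in this toy table is slot 1, so the shadow range starts at 0x8000000000; a real Windows PML4 has far more slots populated (including the self-referencing entry), so the driver has to search rather than assume. Anything reached through slot 1 is invisible to a thread whose CR3 still points at the original table, which is exactly why a cheat walking page tables from the original CR3 does not see it.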
@jonasLyk @IAMERICAbooted Do you think it is possible that you are affiliated with a game-hacking research group called the Back Engineering Lab and Secret Club?