patchi/fyi
Offensive security, anti-cheat internals, game hacking, Windows kernel programming.
This is a passive blog. I build projects and let LLMs generate articles from my code and docs. I review every post before it goes live.
A Rust library that replaces sleep() calls with randomized, genuine work across seven categories: compute, memory, filesystem, registry, Windows API, network, and cryptography. Each invocation executes a different code path with jittered parameters to defeat pattern matching by EDR and anti-cheat systems.
A Rust framework that issues Windows syscalls without touching ntdll stubs, using a proc macro that generates inline assembly at compile time. Supports direct execution, indirect gadget routing, permanent unhooking, and Perun's Fart, all resolved via Halo's Gate at runtime.
How DLLProxyFramework automatically extracts version info and Authenticode signatures from a source DLL and transplants them onto the generated proxy, making the two visually identical in file properties and signature viewers.
How Peregrine's injected DLL validates call stacks on hooked APIs, flagging return addresses that point into unbacked executable memory as indicators of injection or spoofing.
How Peregrine uses a CPU debug register watchpoint on ntdll's VEH handler list to detect VEH-based cheat injection in real time, with a watchdog thread and NtSetContextThread hook to resist tampering.
How Peregrine uses the YARA-X engine to scan process memory region by region, matching cheat signatures with the same rule language used in malware analysis.
A macOS ARM64 game cheating framework that bypasses userland hooks by issuing raw SVC instructions, resolving trap numbers at runtime, and hand-crafting MIG messages through mach_msg2_trap.
How Peregrine walks the Virtual Address Descriptor tree from its kernel driver to find executable private memory regions that indicate manually mapped cheat DLLs.
How Peregrine collects hardware identifiers from both Rust userland and the kernel driver to build a machine fingerprint for ban enforcement.
A code generation framework that analyzes PE export tables, produces assembly trampolines for every export, and outputs ready-to-compile proxy DLL projects for DLL sideloading and hijacking research.
Enumerating loaded drivers against a blacklist, scanning ObCallback registrations, and checking system integrity from Ring-0.
Using a Windows minifilter driver to protect anti-cheat files from tampering. Covers write, delete, and rename interception with rate-limiting.
Elevating to Protected Process Light via kernel EPROCESS manipulation, then consuming ETW Threat Intelligence events for remote operation monitoring.
A Python CLI tool that crawls websites, runs DuckDuckGo dorks, or processes URL lists to download every document and image, then extracts all EXIF and file metadata using exiftool. Surfaces authors, software, GPS coordinates, and more.
Enumerating process threads and checking whether their instruction pointer and start address fall within known module ranges. Threads that start or execute outside every mapped module are flagged as probable shellcode.
Traversing a PE's Import Address Table and Export Address Table to detect function pointer redirections outside known module ranges.
Comparing a module's .text section on disk versus in memory with SHA-256, accounting for relocations to avoid false positives.
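The relocation-aware comparison described above, as an added example (not Peregrine's code): the in-memory `.text` differs from the on-disk copy wherever the loader applied a base relocation, so every DIR64 fixup slot inside the section is zeroed in both copies before hashing. The `.reloc` parser follows the `IMAGE_BASE_RELOCATION` layout; the section bytes, preferred base, load address and hook patch are constructed sample data, and `rebase()` only simulates what the loader does.

```python
import hashlib
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, ignored by the loader
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address: loader adds the base delta


def parse_reloc_section(reloc: bytes):
    """Walk IMAGE_BASE_RELOCATION blocks and return the RVA of every DIR64 fixup."""
    rvas, pos = [], 0
    while pos + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from("<II", reloc, pos)
        if block_size < 8:
            break
        for i in range((block_size - 8) // 2):
            (entry,) = struct.unpack_from("<H", reloc, pos + 8 + 2 * i)
            typ, off = entry >> 12, entry & 0xFFF
            if typ == IMAGE_REL_BASED_DIR64:
                rvas.append(page_rva + off)
            elif typ != IMAGE_REL_BASED_ABSOLUTE:
                raise ValueError(f"unsupported relocation type {typ}")
        pos += block_size
    return rvas


def masked_sha256(section: bytes, section_rva: int, fixup_rvas, width: int = 8) -> str:
    """SHA-256 of the section with every fixup slot zeroed, so rebasing cannot change the digest."""
    buf = bytearray(section)
    for rva in fixup_rvas:
        off = rva - section_rva
        if 0 <= off < len(buf):
            n = min(width, len(buf) - off)      # a fixup may straddle the section end
            buf[off:off + n] = b"\x00" * n
    return hashlib.sha256(bytes(buf)).hexdigest()


def text_matches(disk: bytes, memory: bytes, section_rva: int, fixup_rvas) -> bool:
    """True when disk and memory copies agree everywhere except relocation slots."""
    return masked_sha256(disk, section_rva, fixup_rvas) == masked_sha256(memory, section_rva, fixup_rvas)


def rebase(section: bytes, section_rva: int, fixup_rvas, delta: int) -> bytes:
    """Simulates the loader: add the base delta to each absolute pointer in the section."""
    buf = bytearray(section)
    for rva in fixup_rvas:
        off = rva - section_rva
        (val,) = struct.unpack_from("<Q", buf, off)
        struct.pack_into("<Q", buf, off, (val + delta) & 0xFFFFFFFFFFFFFFFF)
    return bytes(buf)


# Constructed sample: a 256-byte ".text" at RVA 0x1000 holding two absolute pointers (+0x10, +0x40),
# linked at preferred base 0x180000000, and the matching .reloc block: one page, two DIR64 entries,
# two ABSOLUTE paddings so the block size stays 4-byte aligned.
TEXT_RVA = 0x1000
PREFERRED_BASE = 0x180000000
_disk = bytearray((i * 37 + 11) & 0xFF for i in range(0x100))
struct.pack_into("<Q", _disk, 0x10, PREFERRED_BASE + 0x2000)
struct.pack_into("<Q", _disk, 0x40, PREFERRED_BASE + 0x3008)
TEXT_DISK = bytes(_disk)
RELOC_SECTION = struct.pack("<II", TEXT_RVA, 16) + struct.pack(
    "<4H", (IMAGE_REL_BASED_DIR64 << 12) | 0x10, (IMAGE_REL_BASED_DIR64 << 12) | 0x40, 0, 0)
FIXUPS = parse_reloc_section(RELOC_SECTION)

ACTUAL_BASE = 0x7FF7A0000000                                   # where the OS actually mapped it
TEXT_MEMORY = rebase(TEXT_DISK, TEXT_RVA, FIXUPS, ACTUAL_BASE - PREFERRED_BASE)
_hooked = bytearray(TEXT_MEMORY)
_hooked[0x20] = 0xE9                                           # an inline jmp patched into a function
TEXT_HOOKED = bytes(_hooked)

if __name__ == "__main__":
    print("naive hashes equal :", masked_sha256(TEXT_DISK, TEXT_RVA, []) == masked_sha256(TEXT_MEMORY, TEXT_RVA, []))
    print("masked, clean copy :", text_matches(TEXT_DISK, TEXT_MEMORY, TEXT_RVA, FIXUPS))
    print("masked, hooked copy:", text_matches(TEXT_DISK, TEXT_HOOKED, TEXT_RVA, FIXUPS))
```

The naive digests differ only because of the two rebased pointers; after masking, the clean copy matches and the hooked copy still does not, because the patch lands outside a fixup slot. A byte patched inside a relocation slot would be masked away too, which is why a real checker also validates that each slot holds `pointer + delta` rather than ignoring it.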
Inside Peregrine's injected DLL: inline hooking of ReadProcessMemory, WriteProcessMemory, and friends via MinHook, with IPC event reporting.
How Peregrine's kernel driver autonomously injects a monitoring DLL into target processes using kernel APCs, timed at kernel32.dll load.
How Peregrine's kernel driver uses ObRegisterCallbacks to intercept and neuter process handle requests with dangerous access flags.
A walkthrough of Peregrine's three-layer architecture: kernel driver, injected DLL, and Tauri GUI, and how they communicate.
How Kassandra clones itself with a spoofed parent PID via NtQuerySystemInformation, restricts process access with SDDL security descriptors, and deletes its own binary from disk.
How Kassandra executes COFF Beacon Object Files, .NET assemblies, and Python scripts in isolated subprocesses with crash-safe stdin/stdout IPC.
A proof-of-concept Windows kernel driver written in Rust that enables arbitrary read/write access to any process memory via MmCopyVirtualMemory.
How Kassandra uses S3 object storage as a covert C2 transport, implementing AWS SigV4 request signing from scratch and bootstrapping per-execution IAM credentials.
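The SigV4 signing described above, as an added example written for this page rather than Kassandra's own implementation: canonical request, string to sign, the four-step HMAC key derivation, and the `Authorization` header. It is checked against the worked IAM `ListUsers` vector from the AWS SigV4 documentation (AWS's published example keys, not live credentials); for S3 the same signer additionally emits `x-amz-content-sha256`, which S3 requires with header-based authentication. The bootstrapped per-execution IAM credentials would simply replace `EXAMPLE_CREDS`.

```python
import hashlib
import hmac
from urllib.parse import quote


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return k


def canonical_request(method, path, query, headers, payload_hash):
    """Method, URI, sorted+encoded query, lowercased sorted headers, signed-header list, payload hash."""
    cq = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    canon = {k.strip().lower(): " ".join(v.strip().split()) for k, v in headers.items()}
    names = sorted(canon)
    canon_headers = "".join(f"{n}:{canon[n]}\n" for n in names)
    signed_headers = ";".join(names)
    return "\n".join([method, path, cq, canon_headers, signed_headers, payload_hash]), signed_headers


def sign_request(method, host, path, query, headers, payload, creds, region, service, amz_date):
    """Return the request headers with Authorization added, plus the intermediates for inspection."""
    access_key, secret = creds
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    payload_hash = hashlib.sha256(payload).hexdigest()
    all_headers = {**headers, "host": host, "x-amz-date": amz_date}
    if service == "s3":
        all_headers["x-amz-content-sha256"] = payload_hash   # S3 requires the payload hash as a header
    creq, signed = canonical_request(method, path, query, all_headers, payload_hash)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(creq.encode("utf-8")).hexdigest()])
    signature = hmac.new(derive_signing_key(secret, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    all_headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                    f"SignedHeaders={signed}, Signature={signature}")
    return {"headers": all_headers, "canonical_request": creq,
            "string_to_sign": string_to_sign, "signature": signature}


# AWS's documented example keys (not valid credentials) and the IAM ListUsers vector from the SigV4 docs.
EXAMPLE_CREDS = ("AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY")


def aws_doc_example():
    return sign_request("GET", "iam.amazonaws.com", "/",
                        {"Action": "ListUsers", "Version": "2010-05-08"},
                        {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
                        b"", EXAMPLE_CREDS, "us-east-1", "iam", "20150830T123600Z")


def s3_put_example(bucket: str, key: str, body: bytes, creds, region: str, amz_date: str):
    """A PutObject to a path-style S3 endpoint; the host and object key here are placeholders."""
    host = f"s3.{region}.amazonaws.com"
    return sign_request("PUT", host, f"/{bucket}/{quote(key, safe='-_.~/')}", {}, {},
                        body, creds, region, "s3", amz_date)


if __name__ == "__main__":
    r = aws_doc_example()
    print(r["canonical_request"])
    print(r["headers"]["authorization"])
```

The query string, header names and header values are what must be canonicalised byte-for-byte; nearly every hand-rolled SigV4 bug is in that step (unsorted parameters, un-collapsed whitespace, or `/` left unencoded in a query value), and the service only answers `SignatureDoesNotMatch`, so keep the canonical request around for diffing against the one the error response echoes back.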
How Kassandra resolves NT syscall numbers and instruction addresses from ntdll at runtime, detecting EDR hooks and extracting SSNs from neighboring functions.
An architecture walkthrough of Kassandra, a Mythic C2 agent written in Rust with three transport mechanisms, subprocess isolation, and 22 commands.
A walkthrough of a game cheat base written in C++, covering DLL injection, handle hijacking via NtQuerySystemInformation, native API memory manipulation, and ImGui overlay rendering with DirectX 11.