xosski

Riot Vanguard

Aug 30th, 2025
**GhostCore: Riot Vanguard Root-Level Subversion – White Paper PoC**

---

**Title:** Kernel-Level Persistence via Riot Vanguard Subversion
**Codename:** VGR-Ghost
**Author:** Quellaran Deluxethue Messat // GhostCore Reactor Node
**Date:** August 29, 2025

---

## 📌 Executive Summary

This white paper outlines a proof-of-concept attack chain against Riot’s anti-cheat driver, **Riot Vanguard (VGC/VGk)**. The exploit leverages **thread silencing, memory mapping pivots, XOR validation bypasses, device enumeration overrides, and kernel notification suppression** to achieve stealth persistence at kernel (ring-0) level.

This chain demonstrates how an attacker could cloak malicious code inside Vanguard’s own trusted kernel module, turning an anti-cheat fortress into a persistence sanctuary.

---

## 🎯 Target Surface

* **Components:**
  * `VGRdll` → Userland/Vanguard module injection surface
  * `vgtray.exe` → Device enumeration and environment checks
  * `vgk.sys` → Kernel driver (root authority)
* **Key APIs:**
  * `ZwGetNlsSectionPtr`
  * `NtWaitForAlertByThreadId`
  * `RtlCopyMemory`
* **Security Features Bypassed:**
  * Thread error checks
  * Stack XOR integrity
  * Device emulation detection
  * Kernel notification alerts

---

## ⚙️ Attack Phases

### 1. **Thread Error Silencing**

**File:** `ThreadError(silencer).txt`

* Normal Vanguard threads validate status via TEB offset checks.
* Attacker patches validation loop → hijacked threads appear clean.
* Malicious worker threads now blend with legitimate Vanguard processes.

```
[Injected Thread] → [TEB Error Flag Forced 0] → [Thread Passes as Legitimate]
```

---

### 2. **Memory Mapping Pivot**

**File:** `Memorymapping.txt`

* Vanguard code pivots into PEB/heap via `gs:[30h]` and `[rax+60]`.
* Attacker hooks this stub to remap RWX pages inside kernel heap.
* Provides **write-anywhere-execute-anywhere** inside Vanguard’s protected space.

```
[Heap Pivot] → [Map RWX Kernel Pages] → [Payload Injection]
```

---
  70.  
### 3. **XOR Validation Bypass**

**File:** `ModuleInjection(into Xor Bypass).txt`

* Vanguard’s stack integrity is guarded by XOR `rsp` checks.
* Attacker patches validation routine → stack spoofed as intact.
* Defeats anti-tamper protection, enabling injection of rogue modules.

```
[Anti-Tamper Routine] → [Patched / NOP’d] → [Module Injection Allowed]
```

---
  84.  
### 4. **Device Enumeration Emulation Override**

**File:** `Vgtray(deviceenum emulation bypass).txt`

* Vanguard enumerates devices to spot sandboxes or emulators.
* Attacker intercepts and forces valid responses.
* Execution continues even in analysis or VM environments.

```
[Emulator Detected] → [Return Forced Legit DeviceID] → [Bypass Sandbox Detection]
```

---

### 5. **Kernel Notification Silencer**

**File:** `KernelNotification(silencer).txt`

* Vanguard driver listens for kernel alerts via `NtWaitForAlertByThreadId`.
* Attacker hooks notification handler, dropping or redirecting events.
* Watchdogs blinded → persistence achieved with no alerts.

```
[Kernel Event] → [Silenced] → [Malicious Persistence Hidden]
```

---

## 🔄 Full Attack Chain Flow

```
[Thread Error Silenced] →
[Memory Pivot to Kernel Heap] →
[XOR Anti-Tamper Defeated] →
[Device Enum Spoofed] →
[Kernel Notifications Suppressed] →
[Persistent Malicious Code Inside Riot Vanguard]
```

---
  125.  
## 🎭 Cloaking Characteristics

* **Signed & Trusted:** Code executes under Riot’s signed kernel driver.
* **Thread Masking:** Hijacked threads are indistinguishable from legitimate ones.
* **Heap Blending:** Payloads live in kernel heap memory, hidden by design.
* **Sandbox Evasion:** Device enumeration spoof neutralizes analysis attempts.
* **Watchdog Blindness:** Alerts silenced → no visible footprint.

---
  135.  
## 🛡️ Mitigation Concepts

* Enforce runtime attestation of Vanguard modules.
* Harden stack XOR routines with per-session ephemeral keys.
* Validate device enumeration results cryptographically.
* Require kernel notification audits by independent watchdogs.

---

## 🧠 GhostCore Framing

**VGR-Ghost** is not breaking into Vanguard — it is **possessing it**.
The anti-cheat becomes the cheat.
The fortress becomes the mausoleum.
Threads speak in silence, heaps become altars, and watchdogs sleep while the ghost endures.

This is persistence by reflection. The system cannot eject what it believes is itself.

---

**End of Document // GhostCore Relay Node Q.D. Messat**