Popular Riot Games titles such as Valorant and League of Legends install an anti-cheat component called Vanguard. Unlike standard anti-cheats that launch with the game, Vanguard uses a kernel-mode driver that loads when the computer boots. Typical software operates in rings 3 and 2. Windows operating systems operate in ring 1. Ring 0 is reserved for the system kernel, which has direct access to CPU instructions, memory, and hardware components.
This tool demonstrates techniques for extracting stored passwords from Windows systems by leveraging the kernel-level access held by Vanguard, which is installed through Valorant or League of Legends.
When researching security flaws in kernel-level software, researchers look for "bridges" between Ring 3 and Ring 0. Theoretical vulnerabilities may occur in the following areas:
Drivers use IOCTLs to receive requests from user space. If a driver fails to properly validate the size or type of the data sent via an IOCTL, the result can be:
- Buffer Overflows: Writing data beyond allocated memory limits.
- Arbitrary Read/Write: Allowing a user-mode program to read or modify kernel memory.
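The length checks a METHOD_BUFFERED IOCTL handler has to perform before touching caller data, as an added example that is not part of this page or of any Vanguard code. It is a user-space simulation of a hypothetical driver: the IRP structure, the IOCTL code `IOCTL_ECHO_PAYLOAD`, the status values and the request layout (a caller-supplied `payload_len` followed by the payload) are all constructed for illustration. Every rejection path corresponds to one way an unchecked length turns into the buffer overflow or kernel read/write described above.

```c
/* Simulated METHOD_BUFFERED IOCTL dispatch (hypothetical driver, user-space model). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed status codes, mirroring the NTSTATUS values a real driver returns. */
#define STATUS_SUCCESS                0
#define STATUS_INVALID_PARAMETER      1
#define STATUS_BUFFER_TOO_SMALL       2
#define STATUS_INVALID_DEVICE_REQUEST 3

#define IOCTL_ECHO_PAYLOAD 0x222000u  /* constructed control code */
#define MAX_PAYLOAD        64u        /* size of the driver's own scratch buffer */

/* Request layout (constructed): uint32_t payload_len, then payload_len bytes.
 * payload_len is caller-controlled and must never be trusted on its own. */

/* Minimal model of an IRP: METHOD_BUFFERED uses one SystemBuffer for input and output. */
typedef struct {
    uint32_t ioctl_code;
    uint8_t *system_buffer;
    size_t   input_length;   /* bytes the caller actually supplied */
    size_t   output_length;  /* bytes the caller can receive back */
    size_t   information;    /* bytes written, like Irp->IoStatus.Information */
} sim_irp_t;

static int handle_echo(sim_irp_t *irp) {
    /* 1. The fixed header must fit inside what the caller really sent. */
    if (irp->input_length < sizeof(uint32_t))
        return STATUS_INVALID_PARAMETER;

    uint32_t claimed;
    memcpy(&claimed, irp->system_buffer, sizeof claimed);  /* no alignment assumption */

    /* 2. The caller's claimed length is bounded by the real input length
     *    (subtraction is safe: check 1 guarantees input_length >= 4). */
    if (claimed > irp->input_length - sizeof(uint32_t))
        return STATUS_INVALID_PARAMETER;

    /* 3. It is also bounded by the driver's own buffer: this is the check whose
     *    absence gives a kernel stack/pool overflow. */
    if (claimed > MAX_PAYLOAD)
        return STATUS_INVALID_PARAMETER;

    /* 4. The reply must fit in the caller's output buffer, or the driver would
     *    write past it. */
    if (irp->output_length < claimed)
        return STATUS_BUFFER_TOO_SMALL;

    uint8_t scratch[MAX_PAYLOAD];
    memcpy(scratch, irp->system_buffer + sizeof(uint32_t), claimed);
    for (size_t i = 0; i < claimed; i++)               /* trivial "work": upper-case ASCII */
        if (scratch[i] >= 'a' && scratch[i] <= 'z') scratch[i] -= 'a' - 'A';

    /* Output overlaps input in METHOD_BUFFERED, hence memmove. */
    memmove(irp->system_buffer, scratch, claimed);
    irp->information = claimed;
    return STATUS_SUCCESS;
}

/* Dispatch entry point: unknown codes are refused rather than handled generically. */
int dispatch_ioctl(sim_irp_t *irp) {
    switch (irp->ioctl_code) {
    case IOCTL_ECHO_PAYLOAD: return handle_echo(irp);
    default:                 return STATUS_INVALID_DEVICE_REQUEST;
    }
}

/* Test harness: build a request in buf, submit it, report status and bytes written. */
int submit_echo(uint8_t *buf, size_t buf_cap, uint32_t claimed_len,
                const char *data, size_t data_len, size_t output_length, size_t *written) {
    size_t input_length = sizeof(uint32_t) + data_len;
    if (input_length > buf_cap || output_length > buf_cap) return STATUS_INVALID_PARAMETER;
    memcpy(buf, &claimed_len, sizeof claimed_len);
    memcpy(buf + sizeof(uint32_t), data, data_len);
    sim_irp_t irp = { IOCTL_ECHO_PAYLOAD, buf, input_length, output_length, 0 };
    int status = dispatch_ioctl(&irp);
    if (written) *written = irp.information;
    return status;
}

int main(void) {
    uint8_t buf[256];
    size_t n = 0;
    int ok  = submit_echo(buf, sizeof buf, 5,   "hello", 5, 64, &n);  /* well-formed */
    int bad = submit_echo(buf, sizeof buf, 200, "hello", 5, 64, &n);  /* lies about length */
    printf("well-formed: status %d, %zu bytes: %.5s\n", ok, n, (char *)buf);
    printf("over-claimed length: status %d\n", bad);
    return 0;
}
```

The order of the checks matters: the header size is verified before the header is read, and the claimed length is compared against the caller's real `input_length` before it is used to index anything, so no arithmetic on attacker-controlled values happens unguarded.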
Windows enforces Driver Signature Enforcement (DSE) to ensure that only trusted, signed code enters the kernel. Research often focuses on:
- BYOVD (Bring Your Own Vulnerable Driver): Using a legitimate, signed-but-flawed driver to gain a foothold in Ring 0.
- Signature Bypasses: Identifying flaws in the verification chain.
To counter these theoretical threats, modern systems employ several layers of defense:
| Feature | Description |
|---|---|
| HVCI | Hypervisor-Protected Code Integrity ensures all kernel code is signed. |
| KASLR | Randomizes the memory location of kernel components to prevent predictable targeting. |
| PatchGuard | Periodically monitors the kernel for unauthorized modifications and triggers a BSOD if detected. |
This research is intended for educational purposes and security auditing. If a legitimate vulnerability is discovered in any software (such as anti-cheat drivers or system utilities), it should be reported directly to the vendor via their Vulnerability Disclosure Program (VDP) or platforms like HackerOne to ensure a patch is developed for the public.