| VGKbootstatus.dat | Boot status handshake file created by IoCreateFileEx |
| stack_magic seed | (KePerfCounter.LowPart ^ image_base) | 0xCAFE0001 |
| 8-stage init validator | vgk_init_verifier @ vgk+0xC9D4C, checks all subsystems |
| Section hash drift | vgk_section_hash_drift_locator, binary search for code changes |
| Driver image bounds | Captures DriverObject->DriverStart + DriverSize |
| Secondary init (INID) | 0xD4494E49 sentinel triggers HVCI-safe minimal path |
| 15-slot SSDT hook table | vgk_install_ssdt_hooks, 15 syscall dispatcher ladder |
| HAL PMC trampoline | vgk_install_hal_pmc_hook on HalCollectPmCCounters |
| Syscall dispatcher | vgk_syscall_hook_target_dispatcher @ vgk+0x93B08, 15 targets |
| Process create/exit | PsSetCreateProcessNotifyRoutineEx, XOR-encoded runtime resolve |
| Thread creation | PsSetCreateThreadNotifyRoutine, every thread is monitored |
| Module/image load | PsSetLoadImageNotifyRoutine, every DLL and driver load |
| Registry operations | CmRegisterCallbackEx, monitors all registry key activity |
| Object handles | ObRegisterCallbacks, strips/guards process handles |
| Type/code pair | vgk_classify_process assigns (type, code) to every process |
| Protected process check | vgk_is_protected_process_object @ vgk+0xBF85C |
| VGC process ring | vgk_is_vgc_process_expanded, 32-slot ring for up to 32 VGC instances |
| Riot client service match | vgk_match_riot_client_services, XMM-XOR string matcher |
| Cross-CR3 verification | vgk_cross_cr3_verify_vgc_agreement @ vgk+0x42AA8 |
| Process terminate | ZwTerminateProcess for kill-marker enforcement |
| Memory size | 0x200000 (2 MB) NonPagedPool, allocated as big pool |
| Memory state | MEM_RESERVED, found via SystemBigPoolInformation |
| UWorld pointer | guarded_region + 0x50 -> offset 0x144F0 (may update) |
| PTE toggle primitive | vgk_pte_present_batch_toggle, flips page table entries |
| CR4.PGE flush | CR4.PageGlobalEnable cleared around every PTE edit |
| SMEP/SMAP bypass | vgk_cr4_communication, reads/writes CR4 |
| PCID-aware CR3 writer | vgk_cr3_paging with TLB flush after every write |
| Physical memory read | Read via physical memory mapping (MmMapIoSpace) |
| DR0-DR7 register scrub | vgk_dpc_clear_drs_ipi, DPC broadcast via KeIpiGenericCall |
| DR7 local→global promotion | NtSetContextThread detour, promotes local enables |
| XCR0 baseline check | vgk_xgetbv_anti_debug, XSAVE area state validation |
| INT3 prologue scanner | System-wide scan for 0xCC bytes in function entries |
| KUSER_SHARED_DATA KD flag | Reader of KdDebuggerEnabled + KdPitchDebugger |
| Per-CPU canary timer | vgk_per_cpu_canary, 50ms integrity check on each core |
| Stack walker to syscall | vgk_stack_walker_to_syscall, PMC frame scanner |
| BugCheck callback | KeRegisterBugCheckReasonCallback + KeDeregisterBugCheckReasonCallback |
| APC kernel routine | vgk_evidence_apc_kernel_routine @ vgk+0x9B26C |
| APC normal+rundown | vgk_evidence_apc_normal_routine + vgk_evidence_apc_rundown_routine |
| DR trap context capture | vgk_dr_trap_context_capture @ vgk+0x... (Section 298) |
| Stack magic anti-spoof | stack_magic validated at multiple checkpoints |
| TSC vs QPC drift | 1000 / 5000 PPM ratio bands, Section 259 |
| TPM emulator detection | swtpm/vtpm vendor-string matched on TPM_PT_VENDOR_STRING |
| CPUID leaf 0 classifier | core_hwid_cpu_vendor_classifier @ vgk+0xD6CBC |
| MSR reads (Intel/AMD) | 0x680, 0x1C9, 0x1DB — CPU-specific MSR values |
| Monotonic clock pair | TSC + QPC pair verification against spoofers |
| CPUID SMT anti-emulation | vgk_cpuid_smt_anti_emul @ vgk+0xAD41000, Section 196 |
| IOMMU probe | AMD-Vi IOMMU MMIO probe for IOMMU-enforcement verification |
| Kernel image load callback | Cat 42 enforcer on every driver load event |
| Certificate database | vgk_init_certificate_database with 27 RSA roots |
| Minimum certificate count | At least 16 of 27 certs must load for boot |
| BCryptVerifySignature | RSA PKCS#1 verification against pinned keys |
| PCR0 read (firmware) | TPM2_PCR_Read of bank 0, measures S-CRTM and BIOS |
| PCR7 read (SecureBoot) | TPM2_PCR_Read of bank 7, measures boot policy |
| PCR14 read (boot chain) | TPM2_PCR_Read of bank 14, authority boot chain |
| EK certificate | TPM2_ReadPublic on EK handle + TPM2_Certify |
| TPM2_Quote attestation | Platform attestation with PEM-encoded signature |
| TPM2_GetCapability | Firmware version, vendor string, TPM properties |
| TPM2_NV_Read | Reads NV indices for EK certificate storage |
| TPM2_GetRandom | Cryptographic randomness generation |
| TPM2_SelfTest | Self-test execution at boot |
| TPM2_Hash + HashSequence | SHA-256/SHA-1 hash computation |
| TPM2_Sign + VerifySignature | RSA signing and verification |
| TPM2_StartAuthSession | Session establishment for protections |
| TPM2_PolicyPCR | PCR policy session for authorization |
| TPM 1.2 fallback | PcrRead, ReadPubek, PERMANENT/STCLEAR flags |
| TIS MMIO base | 0xFED40000, locality-aware register access |
| TPM TIS register map | ACCESS(0x00), STS(0x18), DATA_FIFO(0x24), DID_VID(0xF00) |
| ACPI PPI walker | AML walker for _DSM method on TPM device |
| SetupMode variable | UEFI GetVariable of SetupMode |
| SecureBoot variable | UEFI GetVariable of SecureBoot |
| db/dbx/MokList/SbatLevel | UEFI signature database walk + entry enumeration |
| BCD store traversal | NoIntegrityChecks, GlobalSettings, NTLDR element IDs |
| UEFI variable chain | Readers for shim GUID, Authenticode section sort |
| Boot manager validation | BCD BootMgr + OSLoader well-known object keys |
| VTL register catalog | Run-time enumeration of VTL registers |
| System Guard SecureLaunch | DRTM attestation surface measurement |
| HypervisorLaunchType | BCD store + registry query |
| VsmLaunchType | VBS status verification |
| Secure Kernel surface | Pluton + softTPM provider discriminator |
| HVCI runtime detection | THREE independent HVCI ON/OFF detection methods |
| SMBIOS Type 1 (System) | Manufacturer, product name, serial, UUID |
| SMBIOS Type 3 (Chassis) | Chassis serial, asset tag, chassis type |
| SMBIOS Type 4 (CPU) | Processor ID, socket type, manufacturer |
| SMBIOS Type 17 (RAM) | Memory serial, part number, speed, size |
| Boot HWID fingerprint | vgk_boot_hwid_compute_fingerprint @ vgk+0x59FB0 |
| Runtime HWID drift | vgk_runtime_hwid_recompute_and_compare @ vgk+0x5B770 |
| HWID composite blob | vgk_compose_hwid_blob @ vgk+0x590E0 |
| MachineGuid capture | vgk_machine_guid_capture @ vgk+0xC5DD0 |
| SMBIOS UUID read | vgk_read_smbios_uuid @ vgk+0xC5240 |
| ATA SMART attributes | S.M.A.R.T. threshold + attribute classifier |
| PCI config space | Device/vendor ID for live device enumeration |
| NDIS hardware OIDs | Network adapter vendor + product identifiers |
| GPT partition geometry | Disk layout fingerprinting |
| Volume serials (NTFS/FAT) | Drive serial number reads |
| WMI activation status | Software license grace period query |
| Hot-plug re-baseline | HWID recompute on hardware change events |
| MachineGuid | HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid |
| ProductId | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId |
| InstallDate | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate |
| DigitalProductId | Windows license PID from registry |
| ComputerHardwareId | Gen 8+ hardware hash identifier |
| InstallTime | OS installation timestamp |
| TimeZoneInformation | Timezone bias + daylight saving settings |
| Cryptography defaults | Default cryptographic provider GUIDs |
| VGK service key | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VGK |
| Registry callback | CmRegisterCallbackEx monitors key open/create/write |
| Volume serial number | NTFS/FAT root drive serial via GetVolumeInformationW |
| GPT partition GUID | Disk GUID via IOCTL_DISK_GET_DRIVE_LAYOUT_EX |
| ATA SMART data | Drive health metrics via SMART_RCV_DRIVE_DATA |
| Physical disk serial | Storage serial via IOCTL_STORAGE_QUERY_PROPERTY |
| Disk file traces | IoQueryFileInformation for file-level access |
| Permanent MAC address | OID_802_3_PERMANENT_ADDRESS from NIC firmware |
| Adapter GUID | OID_GEN_NETWORK_LAYER_ADDRESSES NDIS query |
| NDIS hardware identifier | Vendor ID, product ID, bus information |
| NDIS filter driver | Installed filter for OID interception |
| PCI configuration space | IRP_MN_QUERY_ID with BusQueryDeviceID/InstanceID |
| GPU vendor/device/subvendor | Read from PCI config space |
| IsDebuggerPresent | NtQueryInformationProcess(ProcessDebugPort) |
| CheckRemoteDebuggerPresent | NtQueryInformationProcess process flags |
| NtQueryInformationProcess | Full debug flag enumeration |
| AddVectoredExceptionHandler | VEH chain check for anti-debug handlers |
| SetUnhandledExceptionFilter | Last-chance exception filter override |
| OutputDebugStringW | Debug string detection for kernel debugger presence |
| CreateToolhelp32Snapshot | Process enumeration for debugger process detection |
| WTSEnumerateSessionsW | Terminal Services session enumeration for multiple logons |
| Tray icon scanning | Scan system tray for known debugger icons |
| BCrypt SHA-256 wrapper | Hash operations for integrity checking |
| BCrypt SHA-1 monolith | ~240KB self-integrity hash computation |
| BCrypt SHA-384/SHA-512 | Extended hash algorithm support |
| KDFa with SP800-108 fix | Key derivation function with null-label fix |
| AES-CFB encryption | Symmetric encryption for specific data |
| HMAC-SHA256 | Tied to MakeCredential and evidence chain |
| RSA PKCS#1 verify | Full certificate chain verification |
| Authenticode ASN.1 walker | Signature parsing for signed binaries |
| ECDSA blob validator | Elliptic curve signature verification |
| PKCS#7 SignedData parser | Certificate bundle parsing for BYOVD |
| PsSetCreateProcessNotifyResolve | Resolved via MmGetSystemRoutineAddress on XOR names |
| PsSetCreateThreadNotify | XOR-encoded, resolved per call site |
| PsSetLoadImageNotify | XOR-encoded, resolved per call site |
| ObRegisterCallbacks & more | Family of XOR-encoded callbacks resolved at runtime |
| SHA-1 self-hash monolith | vgk_sha1_compute_text_backend, ~240KB of hash computation |
| 225-tuple guard chain | static_assert VGK_TAMPER_GUARD_SLOT_COUNT == 225 |
| Guard chain orchestrator | @ vgk+0xAE42678, invokes 231 total (225 guards + 2 prologue + 4 tail) |
| XMM canary mailbox | 16-byte rotating value (4 ULONGs), heartbeat integrity check |
| Canary rotation | vgk_rotate_canary, xmmword mailbox primitive |
| Section hash drift | Binary search page-level comparison for code changes |
| XOR-IAT chain verification | Section 312 documents the complete XOR verification pattern |
| Central evidence emitter | vgk_log_evidence, 311 call sites across the driver |
| VAN68 evidence header | 40-byte VAN68_EVIDENCE_HEADER packet format |
| HWID evidence header | 16-byte HWID_EVIDENCE_HEADER distinct from VAN68 |
| veve CRC-32 tag | 0x65766576 LE, wraps HWID evidence in CRC-32 packet |
| KIWH binary blob | NV-seal form HWID blob, base64-ready format |
| Kill-marker mediator | Chain of evidence escalation on detection |
| Severity classifier | Section 22, assigns severity to evidence events |
| Evidence APC delivery | Kernel-mode APC for cross-process evidence notification |
| Main scan loop | vgk_main_scan_loop @ vgk+0x45D38, 1.5 seconds fast scan |
| Extended scan loop | 30 seconds slower scan with full enumeration |
| Per-CPU canary timer | 50ms per-core integrity verification |
| HWID drift detection | Continuous runtime compare of HWID vs boot baseline |
| Hot-plug re-baseline | Re-run HWID capture on hardware change notification |
| Timer setup | KeInitializeDpc + KeInitializeTimer + KeSetTimer |
| BCryptOpenAlgorithmProvider | Opens algorithm provider for cryptography |
| BCryptCloseAlgorithmProvider | Closes provider when done |
| BCryptGetProperty | Queries algorithm properties |
| BCryptCreateHash | Hash object creation |
| BCryptHashData | Data injection into hash |
| BCryptFinishHash | Hash digest output |
| BCryptImportKeyPair | RSA key import for verification |
| BCryptVerifySignature | RSA PKCS#1 signature verification |
| BCryptDestroyHash | Hash object cleanup |
| /vanguard/v1/gateway | Central HTTPS telemetry endpoint |
| AuthenticationRequest | machine_id + game_token + client_rsa_public_key |
| TokenResponse | session_token + server_rsa_public_key + FeatureFlags |
| HeartbeatRequest | Periodic ping with access_token + additional_requested_tasks |
| OSInfo | Windows version + build variant + language |
| CpuInfo | CPU brand string + model + cores |
| GpuInfo | GPU brand string + model + driver version |
| MemoryInfo | Total RAM size + configuration |
| DeviceInfo | SMBIOS serial numbers + hardware identifiers (encrypted) |
| ModuleCDNData | CDN module definition with cdn_url + Module.id |
| Task system | Task.id + TaskResult.data + TaskPerformance metrics |
| Module execution | CreateProcessW / LoadLibraryW from CDN-delivered modules |
| Signature verification | WinVerifyTrust + CryptQueryObject on downloaded modules |
| LDAP directory query | 14 LDAP functions including ldap_search_s/simple_bind_s |
| Kernel device name | \Device\VGK_PLZNOHACK |
| User symlink | \DosDevices\VGK for user-mode access |
| Shared memory section | 0x2000 byte ring buffer between vgk.sys and vgc.exe |
| Boot-start service | Start=0 (SERVICE_BOOT_START), loads before other boot drivers |
| Service registry key | HKLM\SYSTEM\CurrentControlSet\Services\VGK |
| Dispatcher A | Return-RIP VM landing, Category 57 |
| Dispatcher B | Syscall-hook landing for SSDT protection |
| Dispatcher C | Init-verifier 8-stage landing |
| EB FF anti-disassembly | 0xEB 0xFF short-jump-self prefix in .riot1 |
| XMM-XOR string decryption | Category 22, deobfuscates strings at runtime |
| MBA pad simplifier | Cube-flip + XOR-rotate-fold inverter for arithmetic obfuscation |
| Memory management | ExAllocatePoolWithTag, ExFreePoolWithTag, MmMapLockedPagesSpecifyCache |
| I/O operations | IoCreateFileEx, ZwReadFile, ZwWriteFile, ZwClose |
| Process ops | ZwTerminateProcess, ZwQuerySystemInformation, ObfDereferenceObject |
| Synchronization | KeInitializeSpinLock, KeAcquireSpinLock, KeReleaseGuardedMutex |
| Timer/DPC | KeInitializeDpc, KeInitializeTimer, KeSetTimer, KeQuerySystemTimePrecise |
| String operations | wcscpy_s, wcscat_s, swprintf_s, RtlInitUnicodeString, strcmp |
| BugCheck | KeBugCheckEx, KeRegisterBugCheckReasonCallback |
| IRQL control | KfRaiseIrql, KeLowerIrql, KeGetCurrentIrql, KeAreAllApcsDisabled |
| APC operations | KeInitializeApc, KeInsertQueueApc |
| APC helpers | KeInitializeGuardedMutex, KeAcquireGuardedMutex, KeReleaseGuardedMutex |
| HAL: KeQueryPerformanceCounter | High-precision timing for drift detection |
| CNG: BCryptVerifySignature | RSA PKCS#1 verification |
| CNG: BCryptCreateHash | Hash create |
| CNG: BCryptHashData | Hash data |
| CNG: BCryptFinishHash | Hash finish |
| CNG: BCryptOpenAlgorithmProvider | Open provider |
| CNG: BCryptCloseAlgorithmProvider | Close provider |
| CNG: BCryptGetProperty | Get property |
| CNG: BCryptImportKeyPair | Import RSA key |
| CNG: BCryptDestroyHash | Destroy hash |
| PsSetCreateProcessNotifyRoutineEx | Process create/exit notification |
| PsSetCreateThreadNotifyRoutine | Thread create/exit notification |
| PsSetLoadImageNotifyRoutine | Module load notification |
| ObRegisterCallbacks | Process/thread handle interceptor |
| CmRegisterCallbackEx | Registry change monitor |
| IoRegisterFsRegistrationChange | File system driver registration |
| PsIsProtectedProcessLight | Protected process light verification |
| PsLookupProcessByProcessId | Process ID to EPROCESS translation |
| 4.1 DriverEntry | 70-byte shim, calls init thunk through .grfn1 defilade |
| 4.2 vgk_real_driver_init | 462-byte MBA pad with mixer K1/K2 obfuscation |
| 4.3 vgk_verify_boot_status | Reads VGKbootstatus.dat from disk |
| 4.4 vgk_setup_shared_memory | 0x2000-byte shared ring with vgc.exe |
| 4.10 vgk_main_scan_loop | Primary detection loop, dual 1.5s/30s cadence |
| 4.12 vgk_resolve_xor_import | Per-call-site XOR-IAT decryptor |
| 4.13 vgk_install_ssdt_hooks | 15 syscall hook installation |
| 4.14 vgk_install_hal_pmc_hook | HAL performance counter hook |
| 4.17 vgk_dpc_clear_drs_ipi | DR0-DR7 scrub across all CPUs via IPI |
| 4.19 vgk_byovd_on_kernel_image_load | Block vulnerable drivers |
| 4.20 vgk_init_certificate_database | Load 27 RSA certificate roots |
| 4.21 vgk_irp_device_control | vgc.exe <-> vgk.sys IOCTL gate |
| 4.22 vgk_init_verifier | 8-stage post-init validator |
| 4.31-4.33 VM dispatchers | A (ret-RIP), B (syscall), C (init-verifier) |
| 4.43 vgk_cr4_communication | Every CR4 read/write + SMEP/SMAP bypass |
| 4.44 vgk_cr3_paging | PCID-aware CR3 writer with TLB flush |
| Total functions | 9,285 tiny stub functions in 50.5 MB |
| Internal JMPs | 7,057 jumps between .grfn1 functions |
| Cross-section CALLs | 1,909 calls from .grfn1 to .text |
| XREFs from .riot0 | 21,977 data references into .grfn1 |
| Pattern | .riot0 -> XREF -> .grfn1 -> JMP chain -> CALL -> .text |
| Purpose | Anti-static-analysis call graph obfuscation |
| Work items | IoAllocateWorkItem + IoQueueWorkItem for deferred work |
| IPI broadcast | KeIpiGenericCall for cross-CPU synchronization |
| DPC timer | KeInitializeDpc + KeInitializeTimer for periodic scan |
| System threads | PsCreateSystemThread for dedicated monitor threads |
| APC for evidence | KeInitializeApc + KeInsertQueueApc for inter-context delivery |
| Section size total | 66 MB PE binary with 11 memory sections |
| Main engine (.riot1) | 10,267 functions in 6.7 MB of executable code |
| Obfuscation (.grfn1) | 9,285 functions in 50.5 MB of jump-stub obfuscation |
| Bootstrapper (.riot0) | 528 KB, chains into .grfn1 indirection |
| Standard code (.text) | 7,274 functions in 3.9 MB OpenSSL/libcurl/glue |
| Total imports | 338 Windows API imports across all categories |
| Total strings | 5,486 strings extracted from .rdata section |
| Functions labeled | 11,972 functions auto-renamed with human-readable names |