Security research, systems programming, and game development.https://ckoi.dev/https://ckoi.dev/blog/ci-dll-unsigned-driver-loading/https://ckoi.dev/blog/ci-dll-unsigned-driver-loading/Code Integrity decision-making in ci.dll relies on feature flags and a signing policy table pointer that sit in the writable .data section, outside KDP and PatchGuard protection. Modifying 20 bytes across two structures completely disables enforcement, permitting unsigned kernel drivers to load without triggering any integrity checks.Mon, 02 Mar 2026 00:00:00 GMThttps://ckoi.dev/blog/sigmadrift-windmouses-successor/https://ckoi.dev/blog/sigmadrift-windmouses-successor/WindMouse generates trajectories that look human but fail temporal analysis — wrong velocity shape, wrong sub-movement count, no Fitts' Law compliance. SigmaDrift replaces it with sigma-lognormal motor primitives, signal dependent noise, OU drift, and speed-modulated tremor to produce output in the same feature space behavioral classifiers operate in.Sat, 14 Feb 2026 00:00:00 GMThttps://ckoi.dev/blog/obfuscating-kernel-drivers/https://ckoi.dev/blog/obfuscating-kernel-drivers/Standard obfuscation libraries assume user mode. Kernel mode forbids heap allocation at elevated IRQL, lacks the C runtime, and has no static destructor mechanism. Porting obfuscation to ring 0 requires rebuilding every primitive from scratch.Sun, 08 Feb 2026 00:00:00 GMThttps://ckoi.dev/blog/why-anti-cheats-walk-your-call-stack/https://ckoi.dev/blog/why-anti-cheats-walk-your-call-stack/Stack walking gives anti cheats a detection primitive that survives manual mapping, direct syscalls, and kernel execution. Each return address reveals origin, module backing, and execution plausibility without scanning a single byte of memory.Fri, 30 Jan 2026 00:00:00 GMThttps://ckoi.dev/blog/circular-buffer-mouse-injection/https://ckoi.dev/blog/circular-buffer-mouse-injection/Kernel mouse input injection through mouclass's internal circular buffer bypasses MouseClassServiceCallback, the HID stack, and every filter driver — producing data indistinguishable from physical hardware.Wed, 21 Jan 2026 00:00:00 GMThttps://ckoi.dev/blog/etw-cover-traffic/https://ckoi.dev/blog/etw-cover-traffic/Windows places no authenticity checks on ETW provider registration. A kernel driver that registers a profiler GUID and emits real sampling telemetry becomes forensically indistinguishable from legitimate monitoring software.Sat, 10 Jan 2026 00:00:00 GMThttps://ckoi.dev/blog/breaking-claude-code/https://ckoi.dev/blog/breaking-claude-code/Claude Code enforces its content policy through unprotected string literals in a local JavaScript file. Three find-and-replace operations strip the refusal logic, and a hash-tracking persistence layer keeps the modification alive across updates.Mon, 15 Dec 2025 00:00:00 GMThttps://ckoi.dev/blog/windows-code-integrity-research/https://ckoi.dev/blog/windows-code-integrity-research/CI.dll enforces structure, certificate chains, authenticode hashes, and timestamps for pre-2015 drivers but never checks the RSA signature bytes. A driver whose EncryptedDigest is entirely zeroed loads under Secure Boot and HVCI without error.Mon, 01 Dec 2025 00:00:00 GMT