Wednesday, September 2, 2020

A Valorant Portfolio of Sorts

I'm changing jobs (after almost 7 years at Riot, that's a long run!) and I wanted to post a bunch of links to public-facing stuff from my time at Riot, mostly Valorant stuff from the past year. This is very self-indulgent, but think of it as a portfolio of sorts.


Riot Tech Blog - Fog of War




Ask Valorant #5

Dev Blog: Anti-cheat What, Why, and How


My Riot Reddit Account history

Reddit comment about the first cheaters banned

Reddit comment about running a driver at boot

Reddit comment about a performance regression

Tweet about how many cheaters exist in games and how that feels for players:

Valorant Game Features

Most of what I built for Valorant was security and anti-cheat features, but there are some more game-related features that I want to highlight below.

Fog of War

Map targeted abilities

Omen ultimate minimap

Minimap footstep audio circles

Valorant: Beginners guide – Gameplay mechanics you need to know

Player facing no-hud/cinematic mode

Early grenade physics (~2015 version)

Character select (the first version ~2015)

VALORANT Early Thoughts | Phantom Distillery

Security error messages / ban messages (UI and plumbing)

Lots of behind the scenes stuff 

Network encryption, performance optimization, UI tweaks, gameplay telemetry system, an engine upgrade, middleware integrations, code analysis tools, lots more that I've forgotten.

Interviews / news quotes

I did a lot of interviews and got asked for quotes many times. I didn't do a good job keeping track of how those quotes and interviews were used, but here are some of them that I could find after the fact.

IGN: Valorant Cheaters Remain Banned After Beta

Nerd Street Gamers Interview Video

ChinaJoy Keynote official page

ChinaJoy Keynote Video

VICE: The Vigilante Hunting Down Cheaters in Video Games

Polygon: Valorant: How Riot finally made something new

Polygon: Valorant team bans over 8,000 cheaters in closed beta

InvenGlobal: Valorant has prepared to deal with hacks from the very beginning

Riot: A Message About Vanguard From Our Security & Privacy Teams

Tuesday, June 2, 2020

VALORANT released!

It's been many years in the making but VALORANT has been released!

More information here or watch this animated trailer.

Tuesday, April 14, 2020

VALORANT is here!

The VALORANT closed beta is open in NA and EU and the response has been overwhelmingly positive!

However, the interest from cheaters has also been very high and we had to ban our first cheaters during the first week of the closed beta.

There's also been a lot of interest around the details of the Riot Vanguard anti-cheat system, especially the kernel component. I ended up talking on reddit about it a fair bit and even got some interest from the gaming press (I sent written statements to some outlets, don't know if they'll run the articles though. Edit: Ars Technica, Kotaku and Polygon).

I also wrote a big article about the VALORANT Fog of War system that I'm really proud of. It has some gameplay clips and some illustrations I made as well as a good overview of the road we took to shipping that system.

It's been a really busy first week but it's all looking really promising!

Wednesday, November 13, 2019

What have I really been doing these last few years?

In addition to everything mentioned in the last post, I've been busy making a character based tactical shooter code-named "Project A". I'm the lead for anti-cheat and security but I've also put a lot of effort into many other parts of the game.

Here's me getting banned by my own anti-cheat system.
Chances are the next few blog posts here will be about my work on Project A as the game gets closer to launch, there's not much I can share right now but more details are coming in 2020.

If you're interested in more information about Project A, here's our first announce video: Project A: Riot’s Tactical FPS Announcement

Friday, November 23, 2018

What have I been doing these last few years?

I've been relatively quiet on this blog since I started working at Riot Games in 2013 in part because my day job has been more on the game development side than the security side so there haven't been a lot of security topics worth writing about. I thought since it has been five years now I'd do a round up now that I have a few years of bits and pieces that have some security crossover!

When I started at Riot I worked on the infosec team on a variety of things (primarily incident response and bug bounty). Here's some of the cool work that team did:

Running a Bug Bounty Program - Blog post about Riot's approach to bug bounties
The Evolution of Security at Riot - Overview of Riot's infosec program
Cloud Inquisitor - Security monitoring and policy enforcement tool for AWS (open source)

After I left Riot infosec I moved onto League of Legends where I worked on cheat detection and prevention systems as well as some networking and metrics collection changes. I wrote code that was deployed to hundreds of millions of computers and eventually led to some of the things described in these articles:

Removing Cheaters From LoL - Player facing overview of Riot's anti-cheat activities
Riot's Approach to Anti-cheat - A good overview of Riot's anti-cheat strategies and tech
Riot Games wins $10 million in LeagueSharp suit - A tech and legal battle I influenced
Riot’s anti-cheat team just took down a huge scripting provider - Another battle for the team

Eventually I left League of Legends and its anti-cheat team behind. I entrusted it to the extraordinarily talented Nemi and Michael who by day build great anti-cheat systems and by night run the blog

In particular check out these great posts from them:
Spurious #DB exceptions with the "MOV SS" and "POP SS" instructions (CVE-2018-8897)
Enumerating process, thread, and image load notification callback routines in Windows
Detecting debuggers by abusing a bad assumption within Windows

So if I haven't been working on League of Legends what have I been doing? I've been exploring game development (and a helping of security/anti-cheat work) on a new game at Riot. It's a project that I'm super excited about but one that's not ready for the limelight. There's a good chance my next blog post here will be pointing you all at the project so stay tuned!

Sunday, September 27, 2015

KPROCESS - InstrumentationCallback - Get callbacks on return from kernel mode

Long time no see everybody!

I was pointed at a really interesting article this week and thought I'd share.

It turns out that in Windows Vista x64 and later you can ask the kernel to invoke a callback on transition out of kernel mode. KPROCESS has a field called InstrumentationCallback that you can set with a call to NtSetInformationProcess with a ProcessInfoClass of 0x28 and an InputBuffer that contains the pointer to your callback.


Advantages:

  • User mode only, no driver or kernel debugger required
  • Affects the entire process (including injected threads)

Limitations:

  • Windows x64 only
  • Apparently doesn't work on WOW64 (though maybe some jiggery-pokery could get it done)
  • Required Dr7 to be set in most cases so not great at catching malicious actors
The original article: Windows x64 system service hooks and advanced debugging and check out the author's blog for other interesting RE posts.

Tuesday, November 5, 2013

Authenticode and Antivirus Detection Revisited

It's time to revisit code signing and antivirus detection! Two years ago I looked into whether or not Authenticode signatures (Microsoft object code signing for PE files) influenced the decisions of antivirus engines.

In the first part I described the process of finding, signing and testing some malware with VirusTotal and it appeared that adding an Authenticode signature to a known piece of malware drastically lowered its detection rate. After an astute observation in the comments and some thinking about it, I decided this was more likely due to the fragility of the signatures created by antivirus vendors. In the second part I tested this theory by using the VirusTotal API to test 100 malware samples, comparing the effect of adding an Authenticode signature with the effect of changing the binary in other ways. The results largely confirmed that it was not code signing that was defeating the antivirus scans, but the fact that the binary was changing at all.

These results were ultimately unsatisfying, partly because of the surprising fragility of the antivirus signatures but also because of the test methodology. VirusTotal is a wonderful resource but is only testing the core antivirus engine of these security products which these days is only a small part of the protective services provided by security software. Additionally, the certificate that the malware was signed with was not endorsed by any certificate authority and was not deemed trusted by the operating system.

This time around I investigated how the actual security products responded, and used a trusted certificate to sign the malware. Unlike last time, the number of engines tested is much lower and the number of samples used is only one. Turns out that this kind of testing is very time intensive if you don't already have the infrastructure set up. While I did have some free time during the US Government shutdown while waiting for a US visa, there's a limit to how many virtual machines I felt like setting up.

Part 1 - The Malware
This time the malware sample used is VPN-Pro.exe (MD5: 8eda7dfa4ec4ac975bb12d2a3186bbeb) as contributed by the redoubtable @headhntr to the Syrian Malware Samples Project. As described by the Citizenlab analysis it is a trojanized version of Freegate 7.35 written using .NET 3.5 that drops the ShadowTech RAT. The campaign was targeted at dissidents in Syria, make sure that you check out the analysis, it's fascinating but a little outside the scope of this post.

When Citizenlab submitted VPN-Pro.exe to VirusTotal in June 2013 it was detected by 5/46 antivirus engines. When I checked in October the VirusTotal report had been updated to show detection by 34/47 antivirus engines.

Part 2 - The Antivirus Suites
The test environment is a series of Windows 8.1 Virtual Machines with the following security software suites installed.

  • Sophos Endpoint Client Protection
  • McAfee All Access
  • Norton 360
  • Windows Defender (as installed by default with Windows 8.1)
In addition Chrome was installed in each VM, and each sample was submitted to VirusTotal.

Part 3 - The Transformations
Six versions of the sample were tested, the original and five transformed versions.

1. Padded
VPN-Pro.exe with 1024 'A' characters appended to the end.

2. Random Padding
VPN-Pro.exe with random bytes added to match the length of the signed version.

3. Authenticode (Self-signed certificate)
VPN-Pro.exe signed with a test certificate (as described in part 1 of this series)

4. Damaged Authenticode (Self-signed certificate)
VPN-Pro.exe as prepared in number 3 but with roughly 10% of the signature bytes replaced randomly.

5. Authenticode (Trusted certificate)
VPN-Pro.exe signed with a trusted code signing certificate from (thanks to the anonymous benefactor that helped me with this part).

Part 4 - The Method
Each VM had the trial version (as found on the vendor's website) of the security software installed. Windows and the security software were then updated. Next Chrome was used to download each sample and the reactions of the browser and security software were recorded. If there was no reaction from the security software or browser a manual scan was initiated where possible. In the case of Windows Defender the same tests were undertaken using Internet Explorer as well as Chrome.

Part 5 - The Results

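Results table. Columns: Original, Padded, Random Padding, Damaged Signature, Self Signed, Trusted Signature. Rows: McAfee All Access, Norton 360, Sophos Endpoint, Windows Defender (one cell reads "Mild Warn"), VirusTotal.

VirusTotal detections: Original 34/47, Padded 7/47, Random Padding 7/46, Damaged Signature 7/47, Self Signed 7/47, Trusted Signature 8/47.

Legend: Nothing detected; Warning, this may harm your PC; Reputation based detection; Explicitly marked as virus.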

McAfee All Access

The original sample was detected as malware and automatically removed.

All other samples were detected as malware and quarantined.

Considering that on the VirusTotal scan McAfee did not detect any of the transformed samples, my guess is that the Quarantined dialog is shown on heuristic or binary reputation based matches while the automated removal dialog is for signature based matches.

Norton 360

The original sample was detected as malware and automatically removed.

The transformed samples were also all detected and automatically removed.
The difference being that all the transformed files were detected as the threat "WS.Reputation.1" and the Threat Type of "Insight Network Threat". This suggests to me that the cloud binary reputation service is flagging these files as harmful largely because they have not been seen before. Again, the Symantec engine did not detect the transformed files during the VirusTotal submission (I assume that Norton 360 uses the Symantec antivirus engine).

Sophos Client Endpoint Protection

Again, the original sample was detected and removed.

In fact all the transformations (except one) of VPN-Pro.exe were detected in the same way as the original and were tagged as Mal/Generic-S. The original was flagged as Mal/Generic-S on VirusTotal as well but the transformations weren't likewise flagged at the time, unsure whether this is due to some fuzzy matching or updated signatures.

However, the Authenticode version with the trusted certificate was downloaded without complaint. Considering that the self signed version was flagged as malicious, I'm drawn to conclude that the validity of the signature was taken into account.

A manual scan was run after the initial download completed.

Windows Defender

Windows Defender on Internet Explorer gave the largest variety of messages, here's all six:

Like all the other security suites, the original was flagged as a virus and removed. What happens with the transformed versions is rather more interesting. Firstly the padded version was still detected as a virus, while the randomly padded one wasn't (the random padding was longer than the non-random padding). Unique to IE, the damaged signature transformation was reported as a 'corrupt or invalid' signature and treated differently to the random padding transformation. The self-signed Authenticode transformation was flagged as "not commonly downloaded" rather than a virus, and the trusted certificate Authenticode transformation was flagged the same way but with a yellow bar rather than a red one.

The diversity of messages here was surprising, clearly the signature of the file is being examined and being combined with some cloud based binary reputation system (Smartscreen filter?) before a determination is given to the user. It's worth noting that a non-malicious, unsigned, uncommon binary gave the same message as the signed (untrusted) executable and that a non-malicious, unsigned, common binary (putty.exe) gave no warning message. This means that the malicious, signed binary landed somewhere in between these two cases.

Part 6 - Conclusion
First a caveat: with only a single malware sample and a small handful of security suites we cannot come to any sweeping conclusions.

However, it looks like Windows Defender / Internet Explorer as well as Sophos take into account Authenticode signatures when scanning executables. All tested security suites seem to have very fragile signature driven engines that were defeated by almost any change to the sample but these systems are backed up by heuristic systems that are at least partially powered by a cloud based binary reputation mechanism. Windows Defender and Sophos both differentiated between untrusted Authenticode signatures and trusted signatures and Windows Defender differentiated between Authenticode signatures, a corrupted Authenticode signature, and arbitrary appended data.
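
The three cases distinguished in the conclusion above (arbitrary appended data, an Authenticode signature, and a corrupted signature) can be told apart structurally from the PE headers alone. The following is an added example, not code from the original post or from any of the tested products: it checks only the layout of the certificate table (it does not verify the signature or its trust chain), and `classify_trailer`, `sample_pe` and `CERT` are hypothetical names operating on constructed sample data.

```python
import struct

MALFORMED = "malformed signature blob"

def classify_trailer(data: bytes) -> str:
    """Structurally classify what follows the last section of a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe, = struct.unpack_from("<I", data, 0x3C)             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, = struct.unpack_from("<H", data, pe + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)    # SizeOfOptionalHeader
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    dirs = opt + (96 if magic == 0x10B else 112)           # PE32 / PE32+
    # Directory entry 4 is the certificate table; its address is a file offset.
    cert_off, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)
    end = 0                                                # end of section data
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from(
            "<II", data, opt + opt_size + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    if not cert_size:
        return "unsigned + appended data" if len(data) > end else "unsigned"
    pos, stop = cert_off, cert_off + cert_size
    if cert_off < end or stop > len(data):
        return MALFORMED
    while pos < stop:                                      # WIN_CERTIFICATE entries
        if stop - pos < 9:
            return MALFORMED
        length, rev, ctype = struct.unpack_from("<IHH", data, pos)
        # Expect revision 1.0/2.0, PKCS#7 SignedData, DER SEQUENCE payload.
        if (length < 9 or pos + length > stop or rev not in (0x100, 0x200)
                or ctype != 2 or data[pos + 8] != 0x30):
            return MALFORMED
        pos += (length + 7) & ~7                           # entries are 8-aligned
    return "signature blob + appended data" if len(data) > stop else "signature blob"

def sample_pe(cert: bytes = b"", trailer: bytes = b"") -> bytes:
    """Constructed minimal PE32 layout with one 512-byte section (not runnable)."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x84, 0x14C, 1)           # Machine, NumberOfSections
    struct.pack_into("<HH", hdr, 0x94, 224, 0x102)         # SizeOfOptionalHeader, flags
    struct.pack_into("<H", hdr, 0x98, 0x10B)               # PE32 magic
    if cert:
        struct.pack_into("<II", hdr, 0x118, 0x400, len(cert))
    struct.pack_into("<II", hdr, 0x188, 0x200, 0x200)      # raw size, raw pointer
    return bytes(hdr) + bytes(0x200) + cert + trailer

CERT = struct.pack("<IHH", 16, 0x200, 2) + b"\x30" + bytes(7)  # constructed, not real PKCS#7
```

A damaged signature is only reported as malformed here when the corruption hits the WIN_CERTIFICATE header or the first payload byte; damage deeper in the blob needs real signature verification to detect.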

A Change!

Hey everyone, just dropping in to tell you that I'm moving from Google to Riot Games. I've loved my time at Google but I'm really excited to be able to work on security in the context of online games (also I'm a huge fan of League of Legends). I'll still be blogging (possibly more so than before) and as always the views on this blog represent my opinions and not that of my employer.

Stay tuned for a new blog post very soon now, I have some notes compiled that I just have to polish.

Friday, January 18, 2013

Hardcode 2013 Starts Today!

Hardcode 2013, Google and Syscan's secure coding competition, has started! The contest information has been posted at

From the description:
Teams must develop a marketplace web application that allows people to organize bartering of academic goods or services in a school setting (e.g., selling used books, supplies, tutoring services). The Application should support a general marketplace where any Seller can post an Item they want to sell and any Buyer can express interest in or bid on an item. This Application does NOT include a payment transaction system; the Application connects potential Buyers with Sellers but does not perform actual payment transactions.
If you're a student take a look!

Thursday, January 10, 2013

Hardcode: Google and Syscan's secure coding competition

Google and Syscan are running a secure coding competition with sizable cash prizes. Teams of students will build web applications on App Engine that will be judged on their features and overall security.

Original post: