All recipes (40+)
Every technique in the Meridian arsenal. Production-grade snippets for DRM engineers, red teams, and kernel developers.
Silent injection via manual-map
Walk a DLL into a target process without touching LoadLibrary. PE mapping, relocations, TLS callbacks, IAT resolve.
Direct syscall stub generation
Extract SSN from ntdll prologue at runtime. Build RWX stub with proper stack alignment and ret.
PEB-walk anti-debug bundle
Check BeingDebugged, NtGlobalFlag, ProcessDebugPort via direct syscall. Hardware breakpoint scan.
Hardware fingerprinting pipeline
Collect TPM EK, machine SID, disk serial, BIOS UUID, MAC. Normalize and hash for licensing.
Ed25519 loader signature verification
Verify signed payload against embedded public key before execution. Constant-time comparison.
Themida runtime unwrap and OEP detection
Trace virtualized entry until original entry point. Detect tail jump patterns and stolen bytes.
IAT rebuild from memory snapshot
Walk import directory of dumped PE. Resolve thunks against live module exports. Reconstruct FT.
ETW consumer for process creation
Subscribe to Microsoft-Windows-Kernel-Process. Parse event payload for injection indicators.
KMDF kernel driver skeleton
DriverEntry, device create, IOCTL dispatch. Signed with EV cert. Ready for VAD walk extension.
VAD tree enumeration via NtQueryVirtualMemory
Walk own-process VAD nodes. Identify image, mapped, private regions. Detect hidden allocations.
DLL hijack detection at load time
Verify every loaded module path against expected system directory. Authenticode signature check.
Self-hash integrity with link-time baseline
Hash .text section in memory. Compare against embedded compile-time digest. Alert on mismatch.
IAT integrity verification
Walk import thunks at runtime. Verify each resolved address still points into expected module.
Authenticode self-verify
Call WinVerifyTrust on own image file. Confirm signature chain and thumbprint match build-time values.
RDTSC timing anti-debug
Measure instruction sequences with RDTSC. Flag outliers indicating single-step or breakpoint latency.
ChaCha20-Poly1305 payload decryption
Decrypt staged payload with libsodium. Authenticate before mapping. Constant-time tag verification.
AES-GCM license token decryption
Decrypt KeyAuth license response. Verify GCM tag. Extract expiry and feature flags.
HMAC offline grace cache
Cache license validity with HMAC-signed expiry. Allow offline operation within grace window.
Circuit breaker with token bucket
Rate-limit license checks. Exponential backoff with jitter on failure. Fail open with grace cache.
PE relocation directory walk
Paginate IMAGE_BASE_RELOCATION blocks. Apply delta to each entry. Skip ABSOLUTE type.
TLS callback enumeration and dispatch
Walk TLS directory. Collect callback addresses. Invoke in order before DllMain.
Export directory parse for syscall SSN
Walk ntdll export table. Locate Zw* stub. Read SSN from mov eax, imm32 prologue.
ProcessDebugPort via direct syscall
Invoke NtQueryInformationProcess with ProcessDebugPort (0x07). Return nonzero if debugger attached.
Hardware breakpoint register scan
Read DR0-DR3 via GetThreadContext. Flag any nonzero debug register as active hardware breakpoint.
NtGlobalFlag heap check
Read PEB+0xBC. Mask with FLG_HEAP_ENABLE_TAIL_CHECK and friends. Flag debug heap indicators.
TPM endorsement key extraction
Query TPM 2.0 EK certificate via NCrypt. Extract public key modulus for hardware binding.
Machine SID retrieval
LookupAccountName for machine account. Convert SID to string. Hash for licensing fingerprint.
Disk serial via IOCTL_STORAGE_QUERY_PROPERTY
Send storage property query to physical drive. Extract serial number from STORAGE_DEVICE_DESCRIPTOR.
BIOS UUID from SMBIOS
Walk SMBIOS table via GetSystemFirmwareTable. Parse type 1 structure for UUID field.
IPv6 MAC derivation
Read interface MAC via GetAdaptersAddresses. Derive EUI-64 IPv6 suffix. Hash for fingerprint.
Threat Intelligence ETW subscription
Subscribe to Microsoft-Windows-Threat-Intelligence. Parse ALLOC_VM events for remote injection.
Section reconstruction from memory dump
Walk dumped PE headers. Align raw data to section RVA. Rebuild valid section table.
OFT vs FT resolution during IAT rebuild
Distinguish OriginalFirstThunk hint/name table from FirstThunk runtime addresses. Rebuild both.
Stolen byte repair at OEP
Identify bytes overwritten by protector at original entry point. Restore from clean disk image.
Loader stub with RWX alloc and execute
Allocate RWX region. Copy decrypted payload. Flush instruction cache. Transfer control.
KeyAuth session initialization
Establish session with KeyAuth API. Exchange application secret for session token. Cache locally.
SellAuth webhook verification
Verify SellAuth webhook signature with shared secret. Parse purchase event. Provision license.
Auto-update manifest fetch and verify
Download signed manifest from CDN. Verify Ed25519 signature. Compare version against local.
Differential update patching
Apply binary diff to current payload. Verify resulting hash against manifest. Stage for next launch.
Discord bot license lookup command
Slash command to query license status. Fetch from Upstash KV. Return expiry and feature flags.
Upstash KV license cache layer
Cache license state in Upstash KV with TTL. Invalidate on webhook. Serve dashboard reads from cache.
Next.js dashboard license overview
Server component fetching license stats from KV. Display active, expired, trial counts with violet accent.