A field guide to your own machine
Look up anything running on your gaming PC: the drivers, the background processes, the anti-cheat that loads before the game does, each in plain words. Because the gate that decides what loads doesn't check what you think it checks, and the people who never get a reference made for them deserve one.
You probably have RTCore64.sys on your computer right now.
If you have ever installed MSI Afterburner, that one driver from MSI is sitting in C:\Windows\System32\drivers\ on your machine. It is signed. It loads at boot. It is what lets you read your GPU temperature and customize your fan curve. Millions of gamers have it. You almost certainly do.
It is also on a public list of drivers that criminal data-extortion crews drop onto computers they have already compromised, and use to disable the antivirus before encrypting every file on disk.
Both of those things are true at the same time. They have been true for years. Nobody told you.
This is the first paragraph of what we are calling, plainly, the Field Guide. It lives at veraproject.xyz/field-guide. It is a new permanent part of Vera now, with its own slot in the main navigation, because we think you deserve a reference that does not exist anywhere else.
This post is about what is in it, and more importantly, what it is for.
The thing nobody put in plain words
Modern Windows is built to load only signed kernel drivers. A driver is signed by a company Microsoft has vouched for: MSI, Intel, ASUS, Dell, Capcom, miHoYo, and so on. That signing process is the gate.
What almost nobody mentions is that the gate does not check whether the driver is good. It checks whether the driver was signed by someone with a valid certificate at the time of signing. Forever after, no matter what is discovered about that driver later, the signed binary still loads on every modern Windows machine. Code-signing certificates do not get revoked on a driver vulnerability the way an SSL certificate would on a leaked private key. And even when they do, Windows still loads them, because checking revocation at boot is fragile and would break too many things.
So when a vendor patches a kernel driver, and they do (MSI patched RTCore64, ASUS patched AsIO3, Dell patched the dbutil driver that lived in the wild for over a decade), the patched build replaces the old one only on the machines that actually install the update. The signed old build is still out there. It still loads. And it still does, by design, the same low-level thing it did before: read and write arbitrary kernel memory, talk to hardware ports, peek into processes.
This is what the security industry calls bring-your-own-vulnerable-driver, or BYOVD. An attacker who has gotten onto a machine does not need to write a kernel exploit. They drop an older signed copy of a driver someone already taught Windows to trust. MSI. ASUS. Capcom. miHoYo. Take your pick.
It is the dominant technique for loading unsigned kernel code in 2024 and 2025. It has been documented by Microsoft, by Cisco Talos, by Trend Micro, by SentinelOne, by Mandiant, by half the major security research shops on Earth. Several of the most-cited specimens are drivers gamers have installed on their own machines for entirely innocent reasons.
The community already knows the questions. What is this thing? Why is it on my system? Should I care? The honest answers tend to live in dry security blogs, vendor PDFs, sketchy forum threads, and academic papers. Nowhere is the answer also for them.
What the Field Guide is
It is the place we just built where the answer is for them.
Every driver on the public LOLDrivers list, 435 of them as of this writing, gets a page. The famous ones, the boring ones, the weird ones, the ones almost nobody has heard of. You can search. You can filter by vendor family (MSI, Intel, ASUS, Gigabyte, Dell, Corsair, Realtek, Capcom, miHoYo, and nearly forty more). You can switch from the catalog grid to a constellation view, where every driver becomes a star placed by its own identity. Touch one, and the rest of its family lights up across the sky.
Since launch the guide has grown a second wing: the everyday processes Vera actually observes across real sessions, the games and launchers and anti-cheats and creator tools and system background that quietly make up a gaming PC, each get a plate too. Drivers come from the public record. Processes come from the population, and only ever surface after they have been seen on more than one machine, so nothing peculiar to a single person is ever published. Same guide, same art, a different kind of inhabitant.
The headline ones (RTCore64, mhyprot2 from Genshin Impact, gdrv from Gigabyte, capcom.sys from Street Fighter V, procexp from Sysinternals, dbutil_2_3 from Dell, the AsIO3 family) carry curated field notes that explain in plain words:
- which hardware or software the driver actually ships with (the install reality)
- what the CVE allows, in language a gamer can read
- why the older signed binary still loads even though the vendor patched it (the truth about kernel-driver patching)
- which named public incidents documented its misuse, on the public record (Trend Micro, Talos, SentinelOne, Microsoft, BleepingComputer, PC Gamer, SC Media, Cisco)
- what a normal person can actually do about it
We are at 190 curated notes as of this writing, more than two of every five drivers in the catalog, and we keep writing them. They started as a single batch and have grown every week since.
The discipline that makes it Vera
The Field Guide describes. It does not condemn.
When the note for RTCore64 tells you it has been used by criminal data-extortion crews to disable antivirus, it tells you that because the security industry has published it, named the crews, and put the evidence on the public record. We are pointing at what is already written down by people whose job is to know. We never make a claim of our own about whether a specific person's system is compromised. Presence is evidence. It is not a verdict.
Where we cannot vouch for something, we say so. Of those 435 drivers, 190 have curated field notes as of this writing. The rest get a respectful "what the record shows" plate that states only the ground truth (filename, status, hash count, refresh date) and links to the canonical entry on LOLDrivers. Ground truth or silence. No filler.
We never explain how to abuse a driver. The Field Guide is a reference, not a manual. There are plenty of other places on the internet that will teach the offensive technique. The thing missing from the public internet was a place that translated the defensive record into the kind of plain reference a thoughtful gamer would actually read. That is the gap we are filling.
The art
This part is just for the joy of it.
Every inhabitant of the guide wears a creature, generated only from its own identity. Same identity, same creature. Forever. Nobody draws them; the design is the algorithm, so it scales to a million entries with no new artwork.
The shape is not just decoration. It means something. There are five body plans, and which one a thing wears tells you what kind of thing it is. A driver takes its body plan from its vendor family, so kin look like kin: every ASUS driver is recognizably an ASUS driver, the family resemblance plain at a glance. A process takes its body plan from its kind, so a game and a quiet background service read as different animals on sight. And because a driver's family is read straight from its filename, the creature is still a pure function of the thing's own identity.
The detail is where the craft lives: concentric rings, a ticked bezel like the rim of a scientific instrument, ornamented limbs, a luminous nucleus, all drawn in Vera's cool palette, with each family and kind sitting at its own color temperature.
Status never changes the creature. A vulnerable driver is the same animal as a clean one, wearing an amber warning ring; a malicious one wears red. The shape is what the thing is; the marking is what the public record says. Describe, do not condemn.
The same emblem you see on the catalog grid is the emblem on the driver's own page, is the emblem on the share image when you paste the URL into Discord, is the emblem in the proof window when one of those drivers shows up on someone's real session. The art carries the identity across every surface it appears on. You build a kind of muscle memory for the catalog without realizing it.
The constellation view is the same idea, taken to its conclusion. Hundreds of stars on a dark sky, placed forever. Touch one, its vendor family lights up.
We almost shipped this differently. The version that did not happen was a much more clinical, table-heavy thing, the kind of interface security tooling normally looks like. We threw it out. The whole point of this guide is that the people we built it for are the ones who never get the reference made for them. They deserve craft.
The loop
Vera already shows you what was running during a session. That has always been the product. Now, on a session's drivers tab, the flagged drivers show their Field Guide creatures inline, with their plain known-as and their vendor family, each linking back to its full plate. The catalog speaks the product's language. The product speaks the catalog's. The proof became literate about what it shows.
For someone reading another player's session, the alarm is no longer an opaque cryptic name and a red badge. It is "RTCore64.sys, MSI Afterburner's kernel driver, part of the MSI family," with a creature you recognize from the Field Guide and a link to the full plate. The judgment still stays with the person reading. The context shows up in plain words.
Why we did this
Because the conversation about anti-cheat is broken.
The industry's answer to cheating, year after year, is: a bigger kernel-level shield, deeper system access, more invasive monitoring. The conversation never includes the person whose machine those shields are running on. They are not invited. They are told what to install and asked to trust.
We think the better long-term answer is legibility. Show the player what is on their own machine. Show them what those things are, where they come from, what is publicly known about them. Let them have the language to ask their own questions. The arms race will keep going. The trust crisis will not be solved by escalating it. It starts to be solved by people who actually know what is running on the computer they are sitting in front of.
The Field Guide is a small piece of that. Vera is the larger piece. They share a spine:
The record before the accusation. The reference before the alarm. The art before the argument.
We hope you find it useful.
Open the Field Guide: veraproject.xyz/field-guide
The Vera Team
Have a reaction to this? Vera's ideas board exists for exactly this. Bring your disagreements, your edge cases, your "but what about..." moments.
