Eidolon (d2r_loader.dll) — Complete Reverse-Engineering Dossier

Document version: v4 (definitive, supersedes eidolon_analysis.md and all round-specific docs) Date: 2026-04-17 Subject: D2R PTR 3.2 snapshot, d2r_loader.dll (codenamed "Eidolon") Status: Consolidated synthesis of rounds 1-13 of static-IDA agents + live Lua probes + injector-side regression analysis.

This document is self-contained. A fresh analyst should read this and nothing else to come up to speed on Eidolon. All prior docs (eidolon_analysis.md, round_6_findings.md through round_13_findings.md, round_10_final_defense_plan.md) are superseded.

1. Executive Summary

Eidolon is the in-process front-half of a Blizzard cloud attestation/telemetry harness shipped inside the Diablo II: Resurrected loader. It is not a kernel anti-cheat, not a memory scanner, not a bytecode VM, and not a code-section hashing engine.

What Eidolon is:

• A synthetic-IAT polymorphic import system that hides its real Win32 surface from static analysis (248 heap trampolines, per-API randomized decode chains, PEB.Ldr-bound).
• A telemetry pipeline (Standard.* events) to telemetry-in.battle.net, pinned-TLS + AWS SigV4 signed.
• A VEH + UEH pair that ships crash telemetry out-of-process before WER tears the process down.
• A host for two broker tokens (Aegis crash slot, Warden data slot) consumed by a sibling Blizzard process via ReadProcessMemory.
• A decoy canary IID table for 39 DLLs designed to fool CFF Explorer, PE-Bear and IDA auto-import recovery.
• Wrapped in OLLVM/Tigress control-flow flattening throughout, with no true bytecode interpreter (Round 5 A4; reconfirmed R6–R13).

What Eidolon does NOT do (all verified):

• No inline caller-provenance / stack-walk check (R6 I1, reconfirmed R13 I27/I35 after R12 mis-reversal).
• No CFG/XFG enforcement (R6 CFG probe).
• No bot-DLL blocklist scanning (R6 I5; module enumeration exists per R13 I28 but is passive).
• No on-disk .text hash beyond WinVerifyTrust self-verify.
• No DRx arming via NtSetContextThread (R13 I33 — uses CONTEXT_FULL, not CONTEXT_DEBUG_REGISTERS).
• No ProcessInstrumentationCallback (R13 I29).
• No rolling-checksum integrity check (R13 I30 — dword_7FF927C21FE0 is a CFF opaque predicate).

Practical consequence for the analysis process: the PTR 3.2 hijack-injection regression is not caused by anything in d2r_loader.dll. It is most plausibly caused by the out-of-process Warden broker observing thread state via RPM. The correct defense is to replace the hijack with an NtCreateThreadEx(StartAddress = LoadLibraryA, ...) helper thread (Option 2). Eight Tier-1 defenses in total (see §16).

2. Architecture Overview

                             ┌───────────────────────────────────────────┐
                             │            d2r_loader.dll (Eidolon)        │
                             │                                             │
  PE loader ──► DllMain ──► ┌─────┐   seeds    ┌──────────────┐            │
                            │ TLS │───────────►│ gs:[0x20]    │  per-thread│
                            │ cb  │            │ FiberData    │  state ptr │
                            └──┬──┘            └──────────────┘            │
                               │                                           │
                               ▼                                           │
               ┌────────────────────────────┐     decrypts IDD from .eid  │
               │ eidolon_iat_resolver_main  │────► rolling-XOR layer 1    │
               │ (per-DLL, 6 MBA rounds)    │                              │
               └─────────────┬──────────────┘                              │
                             │ for each API                                │
                             ▼                                             │
      ┌───────────────────────────────────────┐                           │
      │ .eid emitter (runtime-decrypted       │  VirtualAlloc(RWX)        │
      │ shellcode — R13 I34 not in .text)     │─────────────► Trampoline  │
      └─────────────┬─────────────────────────┘               arena @     │
                    │ emits polymorphic thunk                0x2049BCF0000│
                    ▼                                                      │
        ┌───────────────────────────┐                                     │
        │ Synthetic IAT thunk table │   248 entries                       │
        │ byte_7FF927BFE190         │   indirect call sites               │
        └──┬────────────────────────┘                                     │
           │                                                               │
           │          ┌─────────────────────────────────┐                 │
           └─────────►│ CFF megadispatcher 0x7FF9264624A0│                │
                      │ (405 KB single OLLVM-flattened  │                │
                      │ function, 104K insns, 25K BBs)  │                │
                      └─────────┬───────────────────────┘                 │
                                │ re-entrant, mutable cookie              │
                                ▼      dword_7FF927C71A4C                 │
                      ┌──────────────────┐                                │
                      │ VEH dispatcher   │ sub_7FF926CEFDA0                │
                      │ → fiber-scheduler│ → 0x7FF92728D200 (inner)        │
                      └─────────┬────────┘                                 │
                                │                                          │
               ┌────────────────┴──────────┐                               │
               ▼                           ▼                               │
       ┌──────────────┐          ┌───────────────────┐                    │
       │ BTel shipper │          │ UEH (telem)       │                    │
       │ cert-pinned  │          │ warden_emit_excn  │                    │
       │ SigV4 HTTPS  │          │ 0x7FF926072B40    │                    │
       └──────┬───────┘          └──────────┬────────┘                    │
              │                             │                              │
              │  reads                      │ returns CONTINUE_SEARCH      │
              ▼                             ▼                              │
      telemetry-in.battle.net        WER kills the process                │
                                                                           │
       Aegis token slot  @ 0x488CC0 ──┐                                    │
       Warden token slot @ 0x488CC8 ──┤  read via RPM by                   │
       39-entry canary IID 0x7FF928101A70  out-of-proc broker              │
       (DECOY — R12 I26 / R11 I17)                                         │
                                                                           │
└───────────────────────────────────────────────────────────────────────────┘

The entire system has one runtime-exposed export (Ordinal_1) consumed by D2R.exe at IAT slot RVA 0x15D7BF0. The CFF megacaller at 0x7FF9277703C0 drives 6 call sites into the megadispatcher, with dispatch keyed on the mutable cookie at dword_7FF927C71A4C (current 0x2EB7282F, R7 I7). The entire CFF mega-system runs inside the VEH/fiber callback (R7 I7, R8 I12, R13 I35).

3. The Synthetic IAT System

3.1 Layout and mechanics

Eidolon replaces the standard PE import table with a runtime-populated thunk table. The canonical runtime artifacts:

Each trampoline in the arena begins with 48 B8 imm64 (mov rax, imm) and ends with FF E0 (jmp rax). The middle is a per-API polymorphic decode chain mixing \{DEC, INC, ROL, ROR, ADD, SUB, XOR, OR, AND, NOT, NEG\} with up to 4 PEB.Ldr folds, producing the real target address. Frequency distribution of folds across 64 decoded thunks (R13):

Thunk +0x40 has the shortest chain observed (mov rax, imm64; sub rax, imm32; ...) where the immediate 0x00007FF947B9124C already lies within the kernelbase range — so only one arithmetic op is needed (R8 live probe).

3.2 Emitter location

The trampoline emitter is NOT in .text (R13 I34 — definitive negative, confirmed after three rounds of dedicated static hunts in R8 I14, R11 I19/I23, R12 I23). Three independent static scans found:

• Zero 48 B8 ... FF E0 templates in .rdata (only a spurious C++ mov rax,0;ret epilogue).
• Zero rep movsq template copies.
• Zero byte-store sequences emitting two adjacent trampoline opcodes.

The emitter lives in the encrypted .eid section (RVA 0x1F50000..0x22D0000, ~3.5 MB), decrypted at runtime into RWX memory. R13 I34 recommends a dynamic DR0 write-trap on the arena page as the only way to locate it. sub_7FF9271EBBD0 is the VirtualAlloc-backed arena allocator (R13 I31), not the emitter.

3.3 Per-DLL resolver protocol (R11 I21 symbolic equations)

The resolver entry at 0x7FF926042AF0 (eidolon_resolve_one_api per R11 rename; misnomer — it's actually per-DLL per R12 I24) executes 6 sequential MBA-mixer rounds per API, invoking sub_7FF927057340 each round.

Inputs consumed: 9 IDD slots at qword_7FF927C2AF80..AFD0 (stride 8, reads offsets 0, 8, 16, 24, 48, 80).

Per-round symbolic equations (R11 I21):

Per-API scratch struct (at r13):

Output-table commit (r14 buffer, stride 0x18, R11 I21):

lea rax, [rax + rax*2]          ; *3
mov [r14 + rax*8 + 0x00], rcx   ; round-5 staging ptr
mov [r14 + rax*8 + 0x08], rcx   ; ARENA trampoline ptr (double-deref)
mov [r14 + rax*8 + 0x10], rcx   ; metadata / NT-IAT entry ptr

The outer wrapper at 0x7FF927571DD0 (R11 I20, R12 I24) iterates per-DLL at stride 0x48, calling resolver_main 39 times. Arena allocation is done via sub_7FF9271EBBD0 → VirtualAlloc(NULL, size, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) (R13 I31, correcting R12 I24's operator new[] claim). The hardening pass sub_7FF926C8BC80 subsequently calls VirtualProtect → PAGE_EXECUTE_READ and FlushInstructionCache.

3.4 Verified-decoded API map (63 from R12 + 1 from R13)

See §14 for the full table. Headline finding (R11 I19 → R12 → R13): Eidolon's real Win32 surface includes thread control, module enumeration, crypto, registry, and CreateProcessW — but not RtlLookupFunctionEntry as a real caller (see §4 and §9).

4. The Decoy Canary Table

Location: 0x7FF928101A70 (RVA 0x22B1A70), 39 one-DLL-one-API IIDs (R12 I26).

Every record has sentinel FT = 0x01DAE188 and a 16-byte OFT pool holding exactly one API name plus a null. Record 0 is a pseudo-header (anomalous TimeDateStamp = 0x022B17FB); record 40 is a zero terminator. The 39 canary APIs include WinVerifyTrust, NtClose, RtlFreeHeap, GetAdaptersInfo, SetupDiGetDeviceInterfaceDetailW, WSAStartup (ord #116), SysAllocString (ord #7), etc.

Purpose: This table exists to mislead static tools — CFF Explorer, PE-Bear, IDA auto-import recovery all consume the standard IMAGE_IMPORT_DIRECTORY pointed here. Anyone grepping for "does Eidolon import RtlLookupFunctionEntry?" based on this table would answer no — which is what happened in R6 Agent I1 and R6 Agent I5.

R6 was misled for 2 rounds because of this. R6 I1 concluded "no stack-walking APIs imported", R6 I5 concluded "no Module32*" — both wrong, because the real imports are in the encrypted IDD + runtime thunk table, not this decoy. R12 I26 identified it as a decoy; R13 I27/I35 confirmed that although the real IAT does contain RtlLookupFunctionEntry, Eidolon itself never calls it (only the linked MSVC CRT does). The decoy misled the analysis in both directions: R6 underestimated Eidolon's visible surface; R12 briefly overestimated its capability.

There is no stable slot↔name correspondence between the canary table and the 248-thunk runtime table.

5. IDD Layer-1 Encryption

Round 6 Agent I4 identified the IDD encryption as a rolling 8-byte XOR with baked key 0xFFFF834A942B7856, phase-7, drop-leading-byte. R7 live probe (probe_r7_idd_decrypt.lua) confirmed by producing 18/22 fully-zero plaintext slots (the gold-standard signature of correct key recovery). R8 live sibling-IDD probe reproduced it for a second IDD at 0x7FF92431B8F9.

Canonical decryptor (R10):

# eidolon_idd_decrypt.py
KEY = bytes.fromhex("56782B944A83FFFF")   # 0xFFFF834A942B7856 LE
 
def decrypt_idd(ciphertext: bytes) -> bytes:
    """Rolling 8-byte XOR, phase=7, drop the leading byte."""
    out = bytearray(len(ciphertext))
    for i, b in enumerate(ciphertext):
        out[i] = b ^ KEY[(i + 7) % 8]
    return bytes(out[1:])

No layer-2 obfuscation exists. R9 I11 confirmed that the residual "fingerprint constants" in IDD slots B/C/D/E are plaintext integrity tags, not XOR-keystream material. The IDD has 3 record types (R7 I6):

Record 21's encrypted bytes spell SETUPAPI because the name table at +0x376 overruns it — the last real record is 20.

6. Control-Flow Flattening (CFF)

There is no Eidolon bytecode VM. Rounds 3-4 labelled the big flattened functions as "VM dispatcher" / "VM state"; R5 A4 corrected this to OLLVM/Tigress CFF; R6 I2 + R7 I7 + R13 I35 reconfirmed.

Calling convention for all Eidolon CFF helpers: (rcx_byte, rdx_byte, r9d_byte, state_ptr) with r8 = rsi (R7 I7).

What sub_7FF9264E3480 is NOT: R6 I2 guessed "IAT resolver kernel"; R7 I8 proved it's an MD5 driver wrapping MD5_Transform at 0x7FF927B65F90. Called by IAT resolver to hash IDD records and by BTel to hash HTTP payloads.

The mega-system runs inside a VEH/fiber callback (R7 I7, R13 I35). The thunk eidolon_cff_dispatcher_clone_megacaller_thunk at 0x7FF927038110 is scheduled on a fiber by the VEH inner dispatcher at every heavy-path exception.

7. VEH / UEH Exception Machinery

7.1 VEH

R13 I35 full decompile of the inner dispatcher proves: filters 5 noisy exception codes to CONTINUE_SEARCH; heavy path reads TEB.FiberData, decrypts per-thread block via thunk +0x550 (TlsGetValue), schedules fiber via thunk +0x040 (CreateFiber-like), writes per-thread slot via thunk +0x558 (FlsSetValue), returns CONTINUE_SEARCH unless per-thread block's [+0x48] is pre-seeded.

The inner dispatcher never calls RtlCaptureContext, RtlLookupFunctionEntry, RtlRestoreContext, ZwQueryInformationProcess, the rolling checksum, or the panic stub. It is a demultiplexer, not a validator.

7.2 UEH

Registered at 0x7FF9273F4523 (R13 I32) in eidolon_antidbg_veh_install_self. The registered UEH is eidolon_warden_emit_exception_event @ 0x7FF926072B40 — same function that services VEH chain-walks (shared telemetry backend). Returns EXCEPTION_CONTINUE_SEARCH → WER does the actual kill. Previous UEH saved at qword_7FF927CDE840 for chain-call purposes.

The UEH emits a crash telemetry event (via the Aegis slot to crashy::Report) before returning, so by the time WER terminates the process, the analysis process has already been fingerprinted unless an injected payload's head UEH swallows the exception.

7.3 Key negative result

Neither the VEH nor the UEH does stack-walking (R13 I27, I35). This reverses R12's brief suggestion that the presence of RtlLookupFunctionEntry in the runtime IAT implied caller-provenance. All 100% of callsites for that API + RtlCaptureContext + RtlRestoreContext are in statically-linked MSVC CRT boilerplate (__scrt_fastfail, capture_current_context, __FrameHandler3::GetEstablisherFrame, __acrt_call_reportfault). Linker artifact, not Eidolon behaviour.

8. Anti-tamper Primitives (Complete Inventory)

Eidolon deliberately does NOT import: RaiseFailFastException, NtTerminateProcess, NtRaiseException, NtRaiseHardError, RtlReportCriticalFailure, IsDebuggerPresent, CheckRemoteDebuggerPresent, DebugBreak, _exit, quick_exit, abort (R6 I3).

9. Kill Paths

Four in-DLL kill paths exist (R6 I3). All four terminate via the synthetic IAT thunk at byte_7FF927BFE190 + 0xB0 which resolves to ExitProcess (R9 I15, confirmed via UCRT's ?exit_or_terminate_process@@YAXI@Z calling through the same slot).

Panic stub sub_7FF9268F1140 has ZERO direct static callers (R9 I15, reconfirmed R13 I34/I35). Either orphan code or reached only via runtime-dispatched calls from the .eid decrypted emitter. The "panic vtable slot at 0x7FF927D34F98" from R6 I3 was actually the BeginAddress DWORD of an IMAGE_RUNTIME_FUNCTION_ENTRY in .pdata (R7 I9). Patching it does nothing useful.

Single-shot kill disarm (Tier-3): atomically swap *((void**)0x7FF927BFE240) (content of byte_7FF927BFE190 + 0xB0) to a the analysis process ret stub. Disarms all paths simultaneously. Caveat: legitimate D2R shutdown also routes through this thunk, so conditional gating is required.

10. Telemetry & Out-of-Process Brokers

10.1 BTel HTTPS pipeline

9 Standard.* event types: Process.Start, Process.Finish, Network.Request.Start/Finish, Network.Connection.Start/Finish, Network.Reachability, Metric.MetricSet, Alert. Fan-out via eidolon_symmetra_emit_event.

Flow-rules engine is closed: only SamplingRule, ParticipationRule, RetryPolicyRule. No Eval/Exec — early RCE-lite concern was incorrect.

10.2 Broker token slots

The DLL never reads these slots itself (R5 A2, reconfirmed R6 via xref analysis, R7 live probe). They are host-side tokens written once at init and consumed out-of-process via ReadProcessMemory by the broker. R7 I10 identifies the broker as most likely Battle.net Agent.exe (not yet confirmed via handle scan — see §17).

10.3 crashy::Report

Fixed 1 KiB struct populated by the VEH unhandled path, handed to Warden via Aegis slot. Contains: exception record, last-N telemetry IDs, CPU state, small backtrace. The out-of-process property is critical: even if Eidolon dies mid-handler, the report has already left the process.

11. Cryptographic Primitives

Bootstrap-cached module bases ntdll @ 0x7FF927C3CDC0, kernel32 @ 0x7FF927C3CDC8 are themselves PEB.Ldr-folded (R7 live probe: live values 0xDA077F72427B86B8 / 0xBFA554FF2A841A63) — Eidolon stores no plaintext module bases anywhere.

12. Complete Address Registry

Live addresses from session with loader base 0x7FF922070000 (IDA base 0x7FF925E50000, delta -0x3DE0000).

12.1 Core structures

12.2 Code

12.3 Data globals

13. Verified-Decoded API Map

Live-emulator walked 128-byte trampoline bodies, executed arithmetic chain + PEB.Ldr fold (live PEB.Ldr 0x00007FFA3AC528E0), matched final target against live exports of kernelbase/ntdll/kernel32 (4,389 total). Combined results from R11 I19 + R12 I23 + R13 extended emulator: 64 of 248 thunks decoded.

13.1 Kernelbase (49 APIs)

CreateEventW, CreateFiber, CreateProcessW, CreateThread, DeactivateActCtx, FlsAlloc, FlushInstructionCache, GetCommandLineW, GetComputerNameW, GetCurrentDirectoryW, GetCurrentProcessId, GetFinalPathNameByHandleW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcessId, GetStartupInfoW, GetVersionExW, GlobalMemoryStatusEx, IsThreadAFiber, MapViewOfFile, Module32FirstW, Module32NextW, QueryPerformanceFrequency, ReadFile, ResetEvent, SetEndOfFile, SetEvent, SetFilePointer, SetFilePointerEx, SetLastError, SetStdHandle, SetThreadContext, SetUnhandledExceptionFilter, Sleep, SleepEx, SuspendThread, SystemTimeToTzSpecificLocalTime, Thread32First, TlsGetValue, UnmapViewOfFile, VerifyVersionInfoW, VirtualAlloc, VirtualFree, VirtualProtect, WaitForMultipleObjects

13.2 Ntdll (11 APIs)

RtlExitUserThread, RtlReleaseSRWLockShared, RtlTryAcquireSRWLockExclusive, RtlRunOnceInitialize, TpStartAsyncIoOperation, ZwContinue, ZwQueryInformationProcess, RtlCaptureContext, RtlLookupFunctionEntry, RtlRestoreContext, VerSetConditionMask

13.3 Kernel32 (6 APIs)

CryptDestroyKey, CryptEncrypt, GetUserNameW, RegCloseKey, RegOpenKeyExW (plus one unresolved target at 0x7FFA390A2900)

13.4 Key thunk-offset map

The remaining 184 thunks are "modified PEB.Ldr fold" variants that require a more flexible fold matcher than the current emulator (R13).

14. Phantom List (30+ Debunked Claims)

Every hypothesis a future agent should NOT chase, organized by correcting round.

Round 5 corrections (of rounds 1-4)

1. "5 hook trampolines in .text" (R3 Agent W) → OLLVM obfuscation salts, not hooks.
2. "Foreign call to 0x7FF8B2858213" (R3 Agent W) → IDA mis-resolution of indirect call.
3. "Per-thread Eidolon TLS at MSVC _tls_index" (R3 Agent Z) → Eidolon uses gs:[0x20] (FiberData); _tls_index refs are MSVC C++ thread-local template plumbing.
4. "VM dispatch table at 0x7FF927D3A044" (R3 Agent H) → .pdata reconstruction singleton.
5. "FNV-1a IAT resolver at 0x7FF926ABF3E0" (R4 Agent F) → Address is the CFF dispatcher of one flattened function.
6. "Hyper-V / VMCALL probe" (R2 Agent 3) → byte coincidence.
7. "SHA-256 hash over .text" (R2 Agent B) → no hash exists.
8. "Eidolon VM with bytecode interpreter" (R3-R4) → OLLVM/Tigress CFF (R5 A4).
9. "Aegis/Warden slots decoded in-DLL via PEB-Ldr" (R1-R4) → Host-side tokens (R5 A2).
10. "Resolved-pointer table = 32-byte rows" (R4 + v1 doc) → variable-length records (R5 A3 → R6 I4 further correction).

Round 6 corrections (of round 5)

11. "Resolved-pointer table = 16-byte rows" (R5 A3) → Actually variable-length DLL-marker + function-entry records.
12. "Trampoline arena at single contiguous 0x2049C330000" (R5) → That was one trampoline's target, not an arena. Real arena (one of potentially multiple) at 0x2049BCF0000 (R8).
13. "Caller-provenance check lives in d2r_loader.dll" (pre-R6 plan) → Not in this DLL (R6 I1, reconfirmed R13 I27/I35).
14. "CFG/XFG enforcement causes hijack failure" (post-R6 hypothesis) → Both binaries have GuardFlags = 0x100 only, function table empty, dispatch stub no-op FF E0 (R6 CFG probe).
15. "IDD encryption is PEB.Ldr-keyed" (R5 hypothesis) → Baked constant 0xFFFF834A942B7856 (R6 I4).

Round 7 corrections (of round 6)

16. "0x7FF927D34F98 is a panic vtable slot" (R6 I3) → IMAGE_RUNTIME_FUNCTION_ENTRY.BeginAddress in .pdata (R7 I9). Patching does nothing.
17. "sub_7FF9264E3480 is the IAT resolver kernel" (R6 I2) → MD5 driver (R7 I8).
18. "Each megadispatcher call passes a distinct r8 op-tag" (R6 I2) → r8 = rsi state ptr; real op is (rcx, rdx, r9) triplet, dispatch keyed on mutable global cookie (R7 I7).
19. "Cached ntdll/kernel32 base globals are plaintext pointers" (R6 probe assumption) → PEB.Ldr-folded (R7 live probe).

Round 8 corrections

20. "IAT resolver has 23 direct callees" (IDA func_profile in R6-R7) → Only 5 real direct callees; 18 were CFG-flattening artifacts (R8 I13).
21. "The megacaller thunk is a VEH handler" (R7 I7 hypothesis) → It's a fiber-state CFF dispatcher; real VEH is sub_7FF926CEFDA0 (R8 I12).
22. "byte_7FF927BFE190 + 0x40 is AddVectoredExceptionHandler" (R7) → It's a lock-acquire-shape (R8 I12); R11 narrowed that +0x4A8 = SetLastError kills the "lock pair" narrative.
23. "Trampoline emitter has a static template in .rdata" (implicit R1-R7) → No static template; per-byte arithmetic (R8 I14).
24. ".pdata is wiped on disk and reconstructed at runtime" (R5) → Probably wrong for PTR 3.2; live probe showed .pdata intact (R6 live-probe correction).

Round 9 corrections

25. "Panic stub sub_7FF9268F1140 has direct callers" (implicit R6) → Zero direct static callers (R9 I15). Orphan or runtime-computed dispatch only.
26. "IDD has layer-2 obfuscation" (R8 hypothesis) → No layer-2; the "fingerprint constants" are plaintext integrity tags (R9 I11).

Round 11-12 corrections

27. "sub_7FF92604CE40 is the trampoline emitter" (R11 I19 heuristic) → CFF byte-aliasing artifacts misread as byte writes (R12 I23). Emitter is in .eid.
28. "dword_7FF927C93348/dword_7FF927CA4168 are per-API RNG counters" (R11 I19) → Zero write sites each; build-time embedded CFF seeds (R12 I25).
29. "Runtime IID at 0x7FF928101A70 has 248 entries" (R9 I11 assumption) → 39 canary IIDs, decoy table (R12 I26).
30. "CRT operator new[] allocates the arena" (R12 I24) → VirtualAlloc with PAGE_EXECUTE_READWRITE (R13 I31).

Round 13 corrections (of round 12)

31. "Eidolon stack-walks for caller-provenance because RtlLookupFunctionEntry is imported" (R12 reversal of R6) → R6 was right. 100% of callsites live in MSVC CRT boilerplate (R13 I27). Eidolon itself never calls stack-walk APIs (R13 I35 full VEH decompile).
32. "Rolling checksum dword_7FF927C21FE0 is an integrity check" (R11 I21 + R12 I25 hypothesis) → CFF opaque predicate; safe to corrupt (R13 I30).
33. "SuspendThread + SetThreadContext arms DRx" (implicit since R6) → Uses CONTEXT_FULL (0x10000B), not CONTEXT_DEBUG_REGISTERS (0x10010). Purpose is RIP hijacking / stack poisoning (R13 I33).
34. "No module enumeration at all" (R6 I5) → Partial reversal: sub_7FF926DF20B0 DOES walk Toolhelp at init; but feeds passive VM state, not a kill-switch (R13 I28). PEB-unlink defense still sufficient.

15. Phantom-Debunk Index by Round

16. the analysis process Defense Plan (Consolidated R10 + R13)

16.1 Tier 1 — Required (8 defenses)

16.2 Tier 2 — Hygiene

Don't touch:

• Aegis slot 0x7FF9224F8CC0, Warden slot 0x7FF9224F8CC8 (host tokens)
• d2r_loader.dll .text (no integrity check today, but VirtualProtect delta is cheap server-side addition)
• Synthetic IAT thunk table 0x7FF923E1E190 (corrupts Eidolon's imports)
• Trampoline arena 0x2049BCF0000 (PEB.Ldr-bound)
• qword_7FF927CDE8A0 (Eidolon worker thread handle)
• qword_7FF927CDE840 (saved old UEH — for chain call)
• dword_7FF927C3EE94..EEAC (PVA anti-debug cluster)
• dword_7FF927C5FF38, dword_7FF927C5FF88 (CFF seeds)
• dword_7FF927C92FAC..FD4 (fingerprint state — triggers kill-path B)
• Eidolon's 3 named exports (eidolon_run, g_warden_aegis_crash_callback_export, g_warden_telemetry_callback_export)

Safe to touch (R13 confirmations):

• dword_7FF927C21FE0 (rolling CFF predicate, not integrity — R13 I30)
• Thunk +0x598 VirtualProtect (R13 I31)
• Thunk +0x610 ZwQIP (R13 I29)
• Panic stub sub_7FF9268F1140 (zero callers — R9 I15, R13 I34/I35)
• 0x7FF927D34F98 (.pdata metadata, nothing dispatches through it — R7 I9)

Do:

• Install hooks AFTER Eidolon's VEH install completes
• Stay below gadget rate-guard threshold (unknown exact value)
• Leave DR0..DR3 at zero (reads without clears)
• Avoid rapid RDTSC in callbacks under Eidolon scrutiny
• Don't call IsDebuggerPresent if debugger-attached

Eject path:

• permanent_restore PE headers
• relink_module into all 3 PEB.Ldr lists
• RemoveVectoredExceptionHandler for our head VEH
• SetUnhandledExceptionFilter(nullptr) then restore Eidolon's saved UEH
• Restore inline hooks
• FreeLibraryAndExitThread

16.3 Tier 3 — Optional / speculative

• ExitProcess thunk swap — conditional single-shot disarm of all 4 kill paths via *((void**)0x7FF927BFE240) = eidolon_ret_stub. Caveat: legitimate CRT shutdown uses the same slot; gate on "game still healthy"
• Offline IDD decrypt — the Python decryptor in §5 is the full layer-1 pipeline
• Dynamic trampoline emitter hunt — DR0 write-trap on arena page (only way; R13 I34 definitive)

16.4 Coverage matrix

17. Open Questions (Ranked by Importance)

18. Dynamic Probe Roadmap (R14)

R14 probes being developed to answer §17:

1. probe_r14_arena_writewatch.lua — set DR0 write-trap on arena first page, catch the emitter instruction address, dump the containing .eid decrypted page. Answers §17 Q1.
2. probe_r14_handle_scan.lua — walk NtQuerySystemInformation(SystemHandleInformation), filter to PROCESS_VM_READ handles into D2R's PID, identify the broker. Answers §17 Q2.
3. probe_r14_createprocess_watch.lua — detour thunk +0x60, log lpApplicationName + lpCommandLine. Answers §17 Q3.
4. probe_r14_fiber_trace.lua — breakpoint 0x7FF927038110 entry, capture register state + first 256 bytes of fiber stack. Answers §17 Q4.
5. probe_r14_fold_emulator_v2.py — flexible fold matcher that accepts arithmetic between fold anchors. Answers §17 Q5.
6. probe_r14_ctxflags_watch.lua — DR1 on sub_7FF926629CF0's mov [rax], 0x10000B site, alert on any non-0x10000B write. Answers §17 Q6.

19. Credits

Per-round contributors to the final truth:

End of dossier. For corrections or new findings, supersede this document with v5 rather than editing in place; preserve the round-round chain so future agents can trace the correctness history.