Windy Bug (@0xwindybug)'s Twitter Profile
Windy Bug

@0xwindybug

ID: 1157207928790818816

Link: https://github.com/0mWindyBug
Joined: 02-08-2019 08:34:04

6.6K Tweets

333 Followers

1.1K Following

Gabriel Landau (@gabriellandau)

Elastic's Endpoint Protections team is hiring! If you're passionate about malware tradecraft and OS internals, check us out! 100% remote. The reqs are a bit flexible. Don't worry if you're not an exact match. EMEA: grnh.se/0c04df331us Canada: grnh.se/6aee6e8a1us

sixtyvividtails (@sixtyvividtails)

You know IMAGE_SCN_MEM_NOT_PAGED attribute for PE section? The one which supposedly makes your driver section non-pageable? Shocking truth: this attribute is totally ignored! Decisions for what parts of image should be locked are based on... substrings in section names. 🤣😂🤣

Can Bölük (@_can1357)

Excited to share my latest article: PgC - a novel approach to disable Patchguard during runtime using basic memory management principles. It has worked against every version of Patchguard for the last 7 years, without needing any updates! blog.can.ac/2024/06/28/pgc…

namazso (@namazso)

安坂星海 Azaka || VTuber There is a grain of truth to the kernel thing: You really shouldn’t be writing custom file format parsers in your C kernel driver. Just look at the font mess Windows had until they moved that stuff into a usermode service.

chompie (@chompie1337)

Writing about low-level Windows concepts is more challenging than writing about Linux. Each term requires defining three other terms and a history lesson, making it hard to convey the "big picture" without getting bogged down in the minutiae to ensure complete accuracy

William R. Messmer (@wmessmer)

If you've updated WinDbg in the last week or so and open a kernel dump, you may have noticed that there's an "Extensions" tab on the ribbon and a few icons in that tab. On the latest debuggers -- extensions can add icons to the ribbon that invoke data model visualizations!

Mark Ermolov (@_markel___)

Intel HW is too complex to be absolutely secure! After years of research we finally extracted Intel SGX Fuse Key0, AKA Root Provisioning Key. Together with FK1 or Root Sealing Key (also compromised), it represents Root of Trust for SGX. Here's the key from a genuine Intel CPU😀

Windy Bug (@0xwindybug)

Introducing RansomGuard, an anti-ransom filter driver, capable of dealing with challenges posed by memory mapped I/O, understanding how file-systems handle file deletions and more! Shoutout Mattiwatti & Jonas L for their respective contributions🙂 0mwindybug.github.io/RansomGuard/

Daax (@daaximus)

Yarden Shafir A function of leadership is to produce more leaders, not more followers. That’s how you ensure (hopefully) continued success within a team.

Daax (@daaximus)

If you want an entertaining and educational read about a missed optimization in one of the core components of LLVM (author doesn't Twitter, he's a mastodon enjoyer): secret.club/2024/10/21/unn…

x86matthew (@x86matthew)

I created a hypervisor-based emulator for Windows x64 binaries. This project uses Windows Hypervisor Platform to build a virtualized user-mode environment, allowing syscalls and memory accesses to be logged or intercepted. elastic.co/security-labs/… Project: github.com/x86matthew/Win…

Daax (@daaximus)

Given all the Claude+IDA MCP hype, I present to you the Anti-Clida:
.rept 200001
pushq %rax
addq $8, %rsp
.endr
Duncan Ogilvie 🍍 must be stopped.

Adam Chester 🏴‍☠️ (@_xpn_)

Love this article. It’s something that I’ve tried to follow throughout my career, having a line of sight to business profit centres. Even more important in the days of tech layoffs seangoedecke.com/where-the-mone…

Archie (@archie_1997)

Getting code execution in a process that cannot be located using traditional kernel APIs and is untouchable from usermode? All while staying PatchGuard-friendly? Sign me up: archie-osu.github.io/2025/04/13/pow…

DebugPrivilege (@debugprivilege)

I often get asked what to do after running !analyze -v on a kernel memory dump. If you're wondering what steps you could take next to explore it further, check out this section: github.com/DebugPrivilege…

DebugPrivilege (@debugprivilege)

Unpopular opinion? I think we have too many people within InfoSec who want to play the “coordinator” role rather than actually doing hands-on work?

diversenok (@diversenok_zero)

My new blog post 🥳 Improving AFD Socket Visibility for Windows Forensics & Troubleshooting It discusses the low-level API under Winsock (IOCTLs on \Device\Afd handles) and explores the workings of the new socket inspection feature in System Informer 🔥 huntandhackett.com/blog/improving…