Andre Lima's (@0x4ndr3) Twitter Profile
Andre Lima

@0x4ndr3

Exploit dev (windows) + Windows Internals + RE + Fuzzing

ID: 25764742

Website: https://andrelima.info
Joined: 22-03-2009 02:07:27

1.1K Tweets

986 Followers

755 Following

Yarden Shafir (@yarden_shafir)

Ever wanted to debug the secure kernel but couldn't figure out how? Me too. It's awful. But I eventually got it working and managed to do some cool stuff, so I documented my solutions here in case it helps anyone else: windows-internals.com/secure-kernel-…

Andrew Case (@attrc)

I spoke at BSidesPhilly last year on how kernel rootkits operate on Windows 10+ systems and how to detect and defend against them. My closing argument was to enable HVCI everywhere possible or it’s hopeless. Full talk is online: youtu.be/Ow7Az1tcKeU?si…

BSidesCanberra (@bsidescbr)

The BSides Canberra 2024 keynote is now available to watch! "The Exploit Development Life Cycle: From Concept to Compromise" – chompie breaks down the art of exploit dev, from that first spark to full pwnage. Missed it live? Watch it now: youtu.be/ce0bXORSMX4

Satoshi Tanda (@standa_t)

My talk about the recent SMM architecture and security at TheSAS2025: youtube.com/watch?v=AIGj6Q… The conference was well organized and had plenty of networking opportunities. Though, the best thing was the venue :) It is at a beautiful resort again this year, so you will love it.

Satoshi Tanda (@standa_t)

It is amazing to see someone taking a class and then making stellar output by extending what they learned in the class. Obviously, Jael Koh's dedication was the key, but also, Cedric Halbronn must have done a fabulous job helping his students learn and get started. Very cool.

herrcore (@herrcore)

The original video that got a DMCA takedown from VMPSoft had 48K views, let's try and match that number... (p.s. you can pinch to zoom on the video if the text is too small on your phone, or pop open a viewer on your desktop)

Uriel Kosayev (@malfuzzer)

Brand new 😍 40-hour EDR Internals: Research & Development live workshop with my friend Pavel Yosifovich Starts 23 Oct 2025 🚀🔥 Early-bird $1,450 ends 30 Sep; Details: trainsec.net/courses/edr-in… #EDRInternals #KernelDevelopment #ReverseEngineering #CyberSecurityTraining #MalwareAnalysis

Stephen Sims (@steph3nsims)

The heavily updated version of the Advanced Exploit Dev course "SEC760" with my coauthor Alexandre Becholey was just recorded and is available at sans.org/sec760 Updates include Linux Chrome V8 Exploitation, IDA 9.1, Kernel Debugging Windows Mitigations, 2025 patch diffs, etc...

Connor McGarr (@33y0re)

You can trace calls to VslpEnterIumSecureMode ("enter/exit" into VTL 1) through the (the value is undocumented?) PERF_VTL1_ENTER ETW perf info mask value and get information about the type of secure call which occurred (and PID/TID info). The event data is also undocumented.

Andre Lima (@0x4ndr3)

Today at Sikkerhetsfestivalen, I attended Yarden Shafir and Greg’s presentation. Yarden has been a huge inspiration to me and my work as a rootkit dev and anything to do with windows internals. Huge highlight for me this year 😊

Connor McGarr (@33y0re)

Stack tracing and symbol resolution now working side-by-side with the secure call data itself! Going to clean this up a bit more and publish soon.

Connor McGarr (@33y0re)

I cleaned up the code I have been working on for the last few days into a tool I'm calling "Vtl1Mon"! Vtl1Mon traces VTL 1 enter ("secure call") operations via ETW and also enhances the events with call stack/symbol information! github.com/connormcgarr/V…

Connor McGarr (@33y0re)

Today I am releasing a new blog post on VSM "secure calls" + the SkBridge project to manually issue them!! This blog talks about how VTL 0 requests the services of VTL 1 and outlines common secure call patterns!!! Blog: connormcgarr.github.io/secure-calls-a… SkBridge: github.com/connormcgarr/S…

Connor McGarr (@33y0re)

Today I am releasing a new blog on Windows on ARM! It comes from the perspective of one, like myself, who comes from an x86 background and is new to, but interested in, Windows on ARM! ELs, OS & hypervisor behavior (with VBS), virtual memory, paging, & more! connormcgarr.github.io/arm64-windows-…