About This Blog
This blog serves as a repository for articles and short posts on my projects in cybersecurity. The content ranges from breakdowns of malware obfuscation techniques to custom implementations of security tools, analyses of CVEs, and low-level programming experiments. I believe in understanding systems from first principles - whether that’s tracing through assembly code, unpacking obfuscated malware, or building tools that interact with cloud APIs in novel ways.
Some recurring themes you’ll find here:
- Reverse engineering of malware and software
- Vulnerability research and exploit analysis
- Low-level systems programming in C, C++, and Assembly
- Cloud security tooling and AWS penetration testing
- Windows internals and security research
These posts represent my notes from the field, structured into (mostly) coherent technical narratives. While the code samples and techniques demonstrated here have legitimate educational and professional uses, I maintain a strong emphasis on responsible disclosure and ethical application of security research.
The blog theme is currently based on The Monospace Web project, with a few tweaks, built on Hugo. I firmly believe in the power of text and simple documents for sharing ideas.
Recent Posts
- ETW Research Scripts
- Kernel Driver Debug Helper
- Review: Elastic 2024 Global Threat Report
- A Tale of a Quick Evening Malware Reversing Session
- Internals of Polymorphic Engines
- Gödel Numbering in Go: A Mathematical Quiche
- WinGadgetHunter: Finding ROP Gadgets in Windows DLLs
- Dynamic Import Obfuscation: Evading Memory Analysis
- AWS Pentesting Toolkit: Practical Tools for Cloud Security Assessment
- Analyzing CVE-2020-11492 Docker Desktop Privilege Escalation
- PEB-less GetModuleHandle
- Simplest Indirect Syscall
Latest Post: ETW Research Scripts
Another brief post sharing some quick-hack PowerShell scripts I’ve created while researching ETW on Windows 11 and following along in Matt Hand’s Evading EDR.
The Scripts
The scripts are:
- Get-PossibleEtwRefs.ps1: A dumbed-down version of FindETWProviderImage, useful for hunting potential ETW provider GUID references in files and directories.
- Get-EtwProviderAces.ps1: Attempts to obtain the ACEs associated with a provider.
Both of these scripts are quick experiments but have proved useful in my testing. Improvements could be made to increase accuracy and performance. Additionally, for Get-PossibleEtwRefs.ps1, it would likely not be too difficult to leverage the IDA/Ghidra/Binja SDKs to compute cross-references to the identified GUIDs and check whether any lie near relevant ETW functions, which would let us associate each reference with Provider / Controller / Consumer code (similar to what is demonstrated manually in Evading EDR ch. 8), or perform similar analysis.
Note: The versions here won’t see any updates. I will do that on the respective GitHub gists.
Get-PossibleEtwRefs
# Get-PossibleEtwRefs.ps1
#
# Search for GUIDs in a target file or directory and check
# if it might be an ETW provider GUID using logman.
#
# Inspired by chapter 8 of "Evading EDR" by Matt Hand.
#
# Not fast but easy to deploy and use.
param (
    [string]$Path
)
function Get-GUIDsFromFile($filePath) {
    $regex = '[{(]?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}[)}]?'
    $foundGuids = @{}
    # Process file in chunks
    $stream = [System.IO.File]::OpenRead($filePath)
    $buffer = New-Object byte[] 4MB
    ...
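An added example of the same hunt, written here and not taken from the post's script: instead of regex-extracting every GUID-looking string, it takes the provider list that logman reports and searches the file for each GUID in its compiled 16-byte binary form as well as in ASCII and UTF-16LE text, which is what a GUID constant inside a PE image usually looks like. The function names Get-RegisteredEtwProviders and Find-EtwProviderRefs are my own.

```powershell
# Find-EtwProviderRefs.ps1: added example, not the post's script.
# Looks for every ETW provider GUID known to the host (logman) inside a file,
# in three encodings: raw 16-byte GUID struct, ASCII text and UTF-16LE text.
param ([Parameter(Mandatory = $true)][string]$Path)

# Latin-1 maps each byte 0-255 to exactly one char, so String.IndexOf becomes a byte search.
$latin1 = [System.Text.Encoding]::GetEncoding(28591)

function Get-RegisteredEtwProviders {
    # Parse the "<name>   {GUID}" lines of 'logman query providers' into a GUID -> name table.
    $map = @{}
    foreach ($line in (logman query providers)) {
        if ($line -match '^(.*?)\s*\{([0-9A-Fa-f-]{36})\}') {
            $g = [guid]$Matches[2]
            $map[$g] = $Matches[1].Trim()
        }
    }
    return $map
}

function Find-EtwProviderRefs {
    param ([string]$FilePath, [hashtable]$Providers)
    $haystack = $latin1.GetString([System.IO.File]::ReadAllBytes($FilePath))
    foreach ($guid in $Providers.Keys) {
        $text = $guid.ToString()   # "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        $needles = @{
            binary  = $latin1.GetString($guid.ToByteArray())   # layout of a compiled GUID constant
            ascii   = $text
            utf16le = $latin1.GetString([System.Text.Encoding]::Unicode.GetBytes($text))
        }
        foreach ($kind in $needles.Keys) {
            # Text forms may be upper-case in the file; the binary form must match byte for byte.
            $cmp = [System.StringComparison]::OrdinalIgnoreCase
            if ($kind -eq 'binary') { $cmp = [System.StringComparison]::Ordinal }
            $off = 0
            while (($off = $haystack.IndexOf($needles[$kind], $off, $cmp)) -ge 0) {
                [pscustomobject]@{
                    File = $FilePath; Offset = '0x{0:X}' -f $off; Encoding = $kind
                    Guid = $guid; Provider = $Providers[$guid]
                }
                $off++
            }
        }
    }
}

$providers = Get-RegisteredEtwProviders
$targets = @(Get-Item -Path $Path)
if ($targets[0].PSIsContainer) { $targets = Get-ChildItem -Path $Path -Recurse -File }
foreach ($f in $targets) { Find-EtwProviderRefs -FilePath $f.FullName -Providers $providers }
```

Only providers registered on the scanning host appear in logman's output, so an unregistered provider GUID (TraceLogging providers need no registration) embedded in the file is not reported; a hit in the binary encoding is the usual sign of a GUID constant compiled into the image rather than a string.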
Previous Post: Kernel Driver Debug Helper
Brief post.
Just sharing here a script I’ve been using to assist in Windows 11 kernel driver testing.
The script provides quick and easy deployment of kernel drivers to accessible Hyper-V virtual machines.
Requirements:
- Hyper-V
- Available Windows VM with enabled guest integrations
Features:
- Automated copy and start of driver on target VM
- Default inclusion of available PDB to the target and local symbols cache
- Suitable for quick experiments.
Out!
# Deploy-DriverToVM.ps1
# Script to deploy debug drivers to Win11 Debug VM
param (
    [string]$VMName = "win-11-dbg",
    [string]$DriverPath = ".\x64\Debug\EtwResearchDriver\EtwResearchDriver.sys",
    [string]$VMDestPath = "C:\Drivers\EtwResearchDriver\",
    [string]$symbolPath = "C:\Symbols",
    [switch]$InstallDriver = $true,
    [System.Management.Automation.PSCredential]$Credential = $null
)
# Verify the driver file exists
if (-not (Test-Path $DriverPath)) {
    Write-Error "Driver file not found at: $DriverPath"
    ...
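A minimal deployment flow covering the features listed above, written here as an added example rather than the post's script: it pushes the driver and its PDB into the guest with Copy-VMFile, keeps the PDB in a flat local symbol directory for the host-side debugger, and (re)creates and starts the kernel service over PowerShell Direct. The parameter names and defaults are assumptions.

```powershell
# Deploy-DriverToVM.ps1: added example, not the post's script.
# Needs the Guest Service Interface integration service enabled on the VM (for Copy-VMFile)
# and an administrator account inside the guest (for PowerShell Direct).
param (
    [string]$VMName = "win-11-dbg",
    [Parameter(Mandatory = $true)][string]$DriverPath,       # .sys built on the host
    [string]$VMDestDir = "C:\Drivers",                        # folder inside the guest
    [string]$SymbolPath = "C:\Symbols",                       # flat local symbol directory
    [Parameter(Mandatory = $true)][pscredential]$Credential   # guest administrator
)

$driver   = Get-Item -Path $DriverPath
$svcName  = $driver.BaseName                                  # service name = file name without .sys
$pdbPath  = Join-Path $driver.DirectoryName ($svcName + ".pdb")
$guestSys = Join-Path $VMDestDir $driver.Name

# 1. Push the driver (and the PDB, when the build produced one) into the guest.
Copy-VMFile -Name $VMName -SourcePath $driver.FullName -DestinationPath $guestSys `
    -FileSource Host -CreateFullPath -Force
if (Test-Path -Path $pdbPath) {
    Copy-VMFile -Name $VMName -SourcePath $pdbPath -DestinationPath (Join-Path $VMDestDir "$svcName.pdb") `
        -FileSource Host -CreateFullPath -Force
    # 2. Keep a host-side copy where the kernel debugger's symbol path can find it.
    New-Item -ItemType Directory -Path $SymbolPath -Force | Out-Null
    Copy-Item -Path $pdbPath -Destination $SymbolPath -Force
}

# 3. Replace any instance left by an earlier run, then start the driver inside the guest.
Invoke-Command -VMName $VMName -Credential $Credential -ArgumentList $svcName, $guestSys -ScriptBlock {
    param ($name, $path)
    sc.exe query $name | Out-Null
    if ($LASTEXITCODE -eq 0) {              # service already exists
        sc.exe stop $name   | Out-Null      # unload; fails harmlessly if it is not running
        sc.exe delete $name | Out-Null
    }
    sc.exe create $name type= kernel binPath= $path start= demand | Out-Null
    sc.exe start $name
    if ($LASTEXITCODE -ne 0) { throw "sc start $name failed with exit code $LASTEXITCODE" }
}
```

A test-signed driver still needs test signing enabled in the guest (bcdedit /set testsigning on) before sc start will load it.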
All Posts
- ETW Research Scripts
- Kernel Driver Debug Helper
- Review: Elastic 2024 Global Threat Report
- A Tale of a Quick Evening Malware Reversing Session
- Internals of Polymorphic Engines
- Gödel Numbering in Go: A Mathematical Quiche
- WinGadgetHunter: Finding ROP Gadgets in Windows DLLs
- Dynamic Import Obfuscation: Evading Memory Analysis
- AWS Pentesting Toolkit: Practical Tools for Cloud Security Assessment
- Analyzing CVE-2020-11492 Docker Desktop Privilege Escalation
- PEB-less GetModuleHandle
- Simplest Indirect Syscall
- Game Hacking - Writing a Radar in Go
- MASM64 Peb Walking and Export Resolution
- Dumping Syscall Numbers and Offsets
- Changelog