About This Blog

This blog serves as a repository for articles and short posts on my projects in cybersecurity. The content ranges from breakdowns of malware obfuscation techniques to custom implementations of security tools, analyses of CVEs, and low-level programming experiments. I believe in understanding systems from first principles - whether that’s tracing through assembly code, unpacking obfuscated malware, or building tools that interact with cloud APIs in novel ways.

Some recurring themes you’ll find here:

These posts represent my notes from the field, structured into (mostly) coherent technical narratives. While the code samples and techniques demonstrated here have legitimate educational and professional uses, I maintain a strong emphasis on responsible disclosure and ethical application of security research.

The blog theme is currently based on The Monospace Web project, with a few tweaks, built on Hugo. I firmly believe in the power of text and simple documents for sharing ideas.

Recent Posts

Latest Post: ETW Research Scripts

Another brief post sharing some quick-hack PowerShell scripts I’ve created while researching ETW on Windows 11 and following along in Matt Hand’s Evading EDR.

The Scripts

The scripts are:

Both of these scripts are quick experiments but have proved useful in my testing. Improvements could be made to increase accuracy and performance. Additionally, for Get-PossibleEtwRefs.ps1, it would likely not be difficult to use the IDA/Ghidra/Binja SDKs to compute cross-references to the identified GUIDs and check whether any sit near relevant ETW functions, which would let us associate each reference with Provider / Controller / Consumer code (similar to what is demonstrated manually in Evading EDR ch. 8), or perform similar analysis.

Note: The versions here won’t see any updates. I will do that on the respective GitHub gists.

Get-PossibleEtwRefs

# Get-PossibleEtwRefs.ps1
#
# Search for GUIDs in a target file or directory and check
# if it might be an ETW provider GUID using logman.
#
# Inspired by chapter 8 of "Evading EDR" by Matt Hand.
#
# Not fast but easy to deploy and use.

param (
    [string]$Path
)

function Get-GUIDsFromFile($filePath) {
    $regex = '[{(]?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}[)}]?'
    $foundGuids = @{}
    
    # Process file in chunks
    $stream = [System.IO.File]::OpenRead($filePath)
    $buffer = New-Object byte[] 4MB

...


Previous Post: Kernel Driver Debug Helper

Brief post.

Just sharing here a script I’ve been using to assist in Windows 11 kernel driver testing.

The script provides quick and easy deployment of kernel drivers to accessible Hyper-V virtual machines.

Requirements:

  • Hyper-V
  • Available Windows VM with enabled guest integrations

Features:

  • Automated copy and start of driver on target VM
  • Default inclusion of available PDB to the target and local symbols cache
  • Suitable for quick experiments

Out!

# Deploy-DriverToVM.ps1
# Script to deploy debug drivers to Win11 Debug VM

param (
    [string]$VMName = "win-11-dbg",
    [string]$DriverPath = ".\x64\Debug\EtwResearchDriver\EtwResearchDriver.sys",
    [string]$VMDestPath = "C:\Drivers\EtwResearchDriver\",
    [string]$symbolPath = "C:\Symbols",
    [switch]$InstallDriver = $true,
    [System.Management.Automation.PSCredential]$Credential = $null
)

# Verify the driver file exists
if (-not (Test-Path $DriverPath)) {
    Write-Error "Driver file not found at: $DriverPath"

...

