~/posts
Build Your Own EDR - Part 3: More Eyes (Threads & Image Loads)
Cash in the architecture from Part 2. Two new notify callbacks (PsSetCreateThreadNotifyRoutine, PsSetLoadImageNotifyRoutine) become two new driver modules and two new event types - and the queue, IOCTL, and build script don't move an inch. Threads get a security punchline: a thread created by a different process than the one it runs in is the shape of remote-thread injection.
Build Your Own EDR - Part 2: Watching Process Creation
Turn the kernel channel into a real sensor: a PsSetCreateProcessNotifyRoutineEx callback captures process create/exit, an event queue bridges the kernel-to-user gap, and the agent pulls a packed event stream. We also compare the requested parent with the process that owns the creating thread to detect PPID spoofing.
Build Your Own EDR - Part 1: Talking to the Kernel
Learn how to build a basic Windows kernel driver and a user-mode agent, establishing the foundation of an EDR's communication channel via IOCTLs.
Reconstructing the Puzzle: Automating Malware String and IAT Recovery
Restored malware readability by automating string recovery through emulation and reconstructing a full IAT from dynamic API hashes.
Yet Another Case of Money Lost to the Fake "Public Services App" Scam
A fake public-services APK packed with dpt-shell. The post analyzes the packing mechanism, how to unpack it to recover the original DEX, and the malware's malicious behaviors.