#Windows
Build Your Own EDR - Part 3: More Eyes (Threads & Image Loads)
In Part 2, our driver gained the ability to capture process creation and exit events, storing them in a spinlock-protected queue, while our agent pulls a packed stream over the IOCTL channel. By the end of this post, the …
Build Your Own EDR - Part 2: Watching Process Creation
In Part 1, we built a “hello world” driver: it creates a device, sets up a dispatch table to route IRPs, and exposes an IOCTL the agent calls to pull a fixed greeting: "hello from kernel". Now, we …
Build Your Own EDR - Part 1: Talking to the Kernel
EDR (Endpoint Detection and Response) is a cybersecurity solution that monitors endpoints - such as desktops, laptops, and servers - and responds to threats targeting them. EDR solutions provide real-time visibility into …
How to Convert EXEs to DLLs: PE Internals and Practical Steps
If you’ve worked with Windows applications, you’re likely familiar with EXE (executable) and DLL (dynamic link library) files. While these file types serve different purposes, they share a common underlying structure …
Low-Level Interception: A Guide to Windows NT API Hooking
The Windows NT API is the lowest level of user-mode interaction with the operating system. While most developers use the Win32 API (CreateFile, ReadFile), these functions are ultimately wrappers around the underlying NT …