dkom.dev
kernel internals · reverse engineering · detection engineering
Field notes on Windows kernel internals, driver reverse engineering, and the detection engineering that comes after. Mostly things I wish I’d found written down when I went looking.
recent posts
- Writing an x64 Inline Hook by Hand (Without Reaching for MinHook)
  How x64 inline hooks actually work, when to use a 5-byte relative jump versus a 14-byte absolute trampoline, why displaced instructions break when you copy them naively, …
- Process Injection Without the Obvious Thread: Early Bird APC and Beyond
  Why CreateRemoteThread+LoadLibraryA is immediately detectable, how Early Bird APC avoids the worst of the telemetry, and the injection techniques that push further into …
- [Hypervisor Part 3] Making Your Kernel Hook Invisible with EPT Shadow Pages
  EPT shadow page hooks split a physical page into two views: one seen by reads (original bytes), one executed (hooked bytes). Integrity scanners see clean code. The CPU …
- [Hypervisor Part 2] Hijacking Hyper-V's VM-Exit Handler from Inside the Guest
  How EPTraitor detours Hyper-V’s VM-exit handler, the CPUID-based hypercall ABI including the bitfield bug that burned me, and how we resolve arbitrary process CR3 …
- [Hypervisor Part 1] What a Hypervisor Actually Does (And Why Your Ring-0 Code Should Care)
  A ground-up explanation of what hypervisors do at the CPU level, how Windows runs under Hyper-V by default, what a VM-exit is and when it happens, and why this matters …
- BattlEye's Handle Protection: Code Caves, IAT Tricks, and the Callback You Can't Just Yank
  How BattlEye’s kernel driver uses ObRegisterCallbacks to strip process handles, how it intercepts registration via an IAT hook on MmGetSystemRoutineAddress, and a …
- Walking a Driver's IOCTL Dispatch by Hand
  Finding the IOCTL dispatch table in a stripped kernel driver, decoding CTL_CODEs from first principles, and the triage methodology I use in DriverDigger to prioritise …