>_dkom.dev

# kernel

  • 2026.03.22 [Hypervisor Part 3] Making Your Kernel Hook Invisible with EPT Shadow Pages

    EPT shadow page hooks split a physical page into two views — one seen by reads (original bytes), one executed (hooked bytes). Integrity scanners see clean code. The CPU …

    windows · kernel · hypervisor · evasion · hooking
  • 2026.02.15 [Hypervisor Part 2] Hijacking Hyper-V's VM-Exit Handler from Inside the Guest

    How EPTraitor detours Hyper-V’s VM-exit handler, the CPUID-based hypercall ABI including the bitfield bug that burned me, and how we resolve arbitrary process CR3 …

    windows · kernel · hypervisor · internals · evasion
  • 2026.01.10 [Hypervisor Part 1] What a Hypervisor Actually Does (And Why Your Ring-0 Code Should Care)

    A ground-up explanation of what hypervisors do at the CPU level, how Windows runs under Hyper-V by default, what a VM-exit is and when it happens, and why this matters …

    windows · kernel · hypervisor · internals
  • 2025.11.25 BattlEye's Handle Protection: Code Caves, IAT Tricks, and the Callback You Can't Just Yank

    How BattlEye’s kernel driver uses ObRegisterCallbacks to strip process handles, how it intercepts registration via an IAT hook on MmGetSystemRoutineAddress, and a …

    windows · kernel · anticheat · reversing · gamedev
  • 2025.10.20 Walking a Driver's IOCTL Dispatch by Hand

    Finding the IOCTL dispatch table in a stripped kernel driver, decoding CTL_CODEs from first principles, and the triage methodology I use in DriverDigger to prioritise …

    windows · kernel · reversing · ioctl · drivers
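
The split-view mechanism summarised in the Part 3 entry, as an added illustration for this index (not EPTraitor's code and not from the post): one guest-physical page backed by two frames, an EPTE that grants either data access or execute but never both, and a violation handler that flips between them. The struct, function names and the NOP-filled target page are constructed for the example; a real EPTE holds a host-physical frame number, not a C pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an EPT shadow-page hook. Illustration code, not
 * EPTraitor's: struct and function names are invented for this example. */

#define PAGE_SIZE 4096

enum { EPT_R = 1u, EPT_W = 2u, EPT_X = 4u };          /* EPTE bits 0..2 */
enum access_kind { ACCESS_READ, ACCESS_WRITE, ACCESS_EXEC };

struct ept_hooked_page {
    uint8_t  orig[PAGE_SIZE];    /* frame mapped for data access: clean bytes */
    uint8_t  hooked[PAGE_SIZE];  /* frame mapped for instruction fetch: patched bytes */
    uint8_t *mapped;             /* frame the guest-physical page currently resolves to */
    uint32_t perms;              /* permissions on that single EPTE */
    unsigned violations;         /* view flips, i.e. EPT-violation VM-exits taken */
};

/* Install: duplicate the page, patch only the execute copy, and start in the
 * read/write view so a scanner's first touch does not even cause a violation. */
static void ept_hook_install(struct ept_hooked_page *p, const uint8_t *page,
                             size_t off, const uint8_t *patch, size_t n)
{
    memcpy(p->orig, page, PAGE_SIZE);
    memcpy(p->hooked, page, PAGE_SIZE);
    memcpy(p->hooked + off, patch, n);
    p->mapped = p->orig;
    p->perms = EPT_R | EPT_W;
    p->violations = 0;
}

/* What the hypervisor's EPT-violation handler does for a split page: point the
 * EPTE at the frame matching the access type, grant only that type, and let the
 * guest retry the faulting instruction. */
static void ept_violation_handler(struct ept_hooked_page *p, enum access_kind k)
{
    p->violations++;
    if (k == ACCESS_EXEC) { p->mapped = p->hooked; p->perms = EPT_X; }
    else                  { p->mapped = p->orig;   p->perms = EPT_R | EPT_W; }
}

/* One guest access to offset `off`. Returns the byte the guest observes. */
static uint8_t guest_access(struct ept_hooked_page *p, enum access_kind k,
                            size_t off, uint8_t write_val)
{
    uint32_t need = (k == ACCESS_EXEC) ? EPT_X : (k == ACCESS_WRITE) ? EPT_W : EPT_R;
    if (!(p->perms & need))
        ept_violation_handler(p, k);       /* VM-exit, flip view, re-execute */
    if (k == ACCESS_WRITE)
        p->mapped[off] = write_val;        /* lands in orig only: the exec copy diverges */
    return p->mapped[off];
}

/* Scanner read, CPU fetch, scanner read again at the hook site.
 * Returns 1 when the split view behaved as described, 0 otherwise. */
static int ept_demo(void)
{
    static uint8_t page[PAGE_SIZE];
    static struct ept_hooked_page hp;
    const uint8_t patch[1] = { 0xCC };     /* int3 at the hook site */
    const size_t hook_off = 0x10;

    memset(page, 0x90, PAGE_SIZE);         /* constructed target: a page of NOPs */
    ept_hook_install(&hp, page, hook_off, patch, sizeof patch);

    uint8_t scanner = guest_access(&hp, ACCESS_READ, hook_off, 0);   /* 0x90: clean */
    uint8_t cpu     = guest_access(&hp, ACCESS_EXEC, hook_off, 0);   /* 0xCC: hooked */
    uint8_t rescan  = guest_access(&hp, ACCESS_READ, hook_off, 0);   /* 0x90 again */

    printf("read=%02x exec=%02x read=%02x violations=%u\n",
           scanner, cpu, rescan, hp.violations);
    return scanner == 0x90 && cpu == 0xCC && rescan == 0x90 && hp.violations == 2;
}

int main(void) { return ept_demo() ? 0 : 1; }
```

Two things the model makes visible that the one-line summary does not: every read/execute alternation on the page costs a VM-exit, which is the timing signal a detector can look for, and a guest write goes into the data frame only, so code that patches itself after the hook is installed silently desynchronises the two copies.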
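
The handle-stripping half of the BattlEye entry, as an added plain-C model (not BattlEye's driver code and not from the post): a pre-operation callback of the kind ObRegisterCallbacks registers, which lets a handle open succeed but clears the rights that matter. The structs are stand-ins for OB_PRE_OPERATION_INFORMATION, the PIDs and the "trusted service" policy are constructed for the example; the access-right values are the ones the Windows SDK defines.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of an object-callback pre-operation routine that strips process
 * handle rights. Not BattlEye's code: structs and policy are assumptions. */

/* Process access rights, values as defined in the Windows SDK. */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define PROCESS_ALL_ACCESS                0x1FFFFFu

#define OB_PREOP_SUCCESS 0

/* Rights the callback refuses to hand out on the protected process. */
#define STRIPPED_RIGHTS (PROCESS_VM_READ | PROCESS_VM_WRITE | \
                         PROCESS_VM_OPERATION | PROCESS_TERMINATE)

enum ob_operation { OB_OPERATION_HANDLE_CREATE = 1, OB_OPERATION_HANDLE_DUPLICATE = 2 };

struct pre_op_info {                /* subset of OB_PRE_OPERATION_INFORMATION */
    enum ob_operation operation;
    uint32_t target_pid;            /* process the new handle would refer to */
    uint32_t caller_pid;            /* process opening or duplicating it */
    uint32_t desired_access;        /* in/out: a pre-op callback may only clear bits */
};

struct protect_ctx {                /* what RegistrationContext would point at */
    uint32_t protected_pid;         /* the game */
    uint32_t trusted_pid;           /* the anti-cheat's own user-mode service */
};

static int protect_pre_callback(const struct protect_ctx *ctx, struct pre_op_info *info)
{
    if (info->target_pid != ctx->protected_pid)
        return OB_PREOP_SUCCESS;                 /* not our process: leave it alone */
    if (info->caller_pid == ctx->protected_pid || info->caller_pid == ctx->trusted_pid)
        return OB_PREOP_SUCCESS;                 /* self and the service keep full access */
    /* Everyone else still gets a handle, just not one that can read, write or kill. */
    info->desired_access &= ~STRIPPED_RIGHTS;
    return OB_PREOP_SUCCESS;
}

/* Run the callback for one open/duplicate and return the access that survives. */
static uint32_t granted_access(const struct protect_ctx *ctx, enum ob_operation op,
                               uint32_t caller, uint32_t target, uint32_t requested)
{
    struct pre_op_info info = { op, target, caller, requested };
    protect_pre_callback(ctx, &info);
    return info.desired_access;
}

int main(void)
{
    struct protect_ctx ctx = { 4242, 1111 };     /* constructed PIDs */
    uint32_t cheat = granted_access(&ctx, OB_OPERATION_HANDLE_CREATE, 9999, 4242, PROCESS_ALL_ACCESS);
    uint32_t self  = granted_access(&ctx, OB_OPERATION_HANDLE_CREATE, 4242, 4242, PROCESS_ALL_ACCESS);
    printf("cheat gets 0x%06x, game itself keeps 0x%06x\n", cheat, self);
    printf("cheat can read memory: %s\n", (cheat & PROCESS_VM_READ) ? "yes" : "no");
    return 0;
}
```

Two caveats worth keeping in mind when reversing this: the callback only sees opens and duplicates that happen after registration, so handles taken before the driver armed itself are untouched, and ObRegisterCallbacks refuses drivers whose image is not linked with /INTEGRITYCHECK, which is why the IAT trick in the post around MmGetSystemRoutineAddress is interesting at all.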
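
The "decoding CTL_CODEs from first principles" part of the IOCTL entry, as an added example written for this page (not DriverDigger's code): a decoder and encoder for the bit layout the SDK's CTL_CODE macro produces, plus a triage score. The score is my own heuristic, not the post's methodology; the sample codes are constructed, the first being the classic CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS).

```c
#include <stdint.h>
#include <stdio.h>

/* IOCTL control-code decoder, illustration code for this page (not DriverDigger's).
 * Bit layout produced by the SDK's CTL_CODE macro:
 *   31..16 DeviceType   15..14 RequiredAccess   13..2 FunctionCode   1..0 TransferType */

enum transfer_method { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1,
                       METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };
enum required_access { FILE_ANY_ACCESS = 0, FILE_READ_ACCESS = 1,
                       FILE_WRITE_ACCESS = 2 };

#define FILE_DEVICE_UNKNOWN 0x22u

struct ioctl_fields {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
};

static struct ioctl_fields ctl_decode(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Same arithmetic as CTL_CODE(DeviceType, Function, Method, Access). */
static uint32_t ctl_encode(uint32_t device_type, uint32_t function,
                           uint32_t method, uint32_t access)
{
    return (device_type << 16) | (access << 14) | (function << 2) | method;
}

static const char *method_name(uint32_t m)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 3];
}

/* Triage heuristic (an assumption, not the post's): higher means look first.
 * METHOD_NEITHER hands the dispatch routine raw user pointers that the I/O
 * manager never validated; FILE_ANY_ACCESS means no access check on the handle;
 * functions from 0x800 up are the vendor-defined range where custom logic lives. */
static int ctl_triage_score(uint32_t code)
{
    struct ioctl_fields f = ctl_decode(code);
    int score = 0;
    if (f.method == METHOD_NEITHER) score += 3;
    else if (f.method != METHOD_BUFFERED) score += 1;  /* direct I/O: MDL-backed, still attacker-sized */
    if (f.access == FILE_ANY_ACCESS) score += 1;
    if (f.function >= 0x800) score += 1;
    return score;
}

int main(void)
{
    /* Constructed sample: the kind of values read out of a dispatch table.
     * 0x2D1400 happens to be IOCTL_STORAGE_QUERY_PROPERTY, shown for contrast. */
    const uint32_t codes[] = { 0x222003u, 0x222000u, 0x2D1400u };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        struct ioctl_fields f = ctl_decode(codes[i]);
        printf("0x%06X  dev=0x%02X func=0x%03X %-17s access=%u  score=%d\n",
               codes[i], f.device_type, f.function, method_name(f.method),
               f.access, ctl_triage_score(codes[i]));
    }
    return 0;
}
```

Decoding before reading the handler pays off because the method field tells you what the dispatch routine receives: with METHOD_NEITHER, Irp->UserBuffer and Type3InputBuffer are the caller's pointers as-is, so the handler itself has to probe them, and that missing check is usually what you are hunting for.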
© 2026 Emil Sorbroden / built with Hugo