Notes From Building One When I began building a kernel-level EDR, I assumed visibility was the hard part and privilege was the solution. Running in ring 0 should mean total awareness. What I learned instead is this: Kernel privilege gives you authority — not observability. The limitations are architectural, not technical skill issues. Below are … Read more
Endpoint Detection and Response (EDR) solutions closely monitor how processes interact with the Windows loader. One common behavioral signal used by EDRs is dynamic API resolution, which is frequently abused by malware to evade static analysis and signature-based detection. This section explains, from a custom EDR (NORM) perspective, how dynamic API resolution can be detected … Read more
If you’re new to malware development (maldev), the sheer complexity can be overwhelming. How do you even begin to understand something as advanced as in-memory execution? The answer is simple: you break it down. This post is the culmination of my first major milestone: combining five core sub-projects into a single, functional loader that downloads … Read more
Introduction In this post, I demonstrate how to write a simple in-memory shellcode loader using the Windows API. The loader reads an XOR-encrypted reverse shell payload from disk, decrypts it in memory, and executes it — avoiding detection from basic signature-based AV. Tools Used Code Sections XOR Encryption Script (Python) C Loader Code Explanation Break … Read more
“Understanding how shellcode actually resolves API addresses — not just calling functions blindly.” When I started exploring shellcode and reverse engineering, I kept running into examples that used Windows APIs without explaining how those functions were actually found or called in shellcode. I wanted to go deeper — to really understand how to write a … Read more
Introduction: Why Build a Reverse Shell in Assembly? Ever wondered how low-level code can create a powerful remote shell? In this post, we’ll dive into crafting a Linux reverse shell using x86 assembly. This shellcode connects back to an attacker’s system, spawns a shell, and redirects input/output over the network—all in a compact, efficient package. … Read more
Before you read this post, make sure to check out my blog on Native API, as I’m using the same template here. So, what is Direct Syscall? In simple terms, Direct Syscall means invoking system calls directly, without relying on Windows Native APIs like NtCreateFile or NtOpenProcess. Instead of calling these functions through ntdll.dll, we … Read more
Proof of Concept Explanation Now lets discuss the code before i forget how it works, winternl.h is used to include the Windows Native API functions and types like NTSTATUS. typedef is used to define a data type so that we don’t have to explain it to the compiler again and again. For NtAllocateVirtualMemory, you need … Read more
What is Dynamic API Resolution? Dynamic API Resolution is a technique where Windows API function addresses are resolved at runtime, instead of being imported and declared upfront when the program is compiled or loaded. In simpler terms — rather than saying: “Hey system, I’ll need VirtualProtect and WriteProcessMemory, here’s the list in advance.” You say: … Read more
Introduction AMSI (Anti-Malware Scan Interface) is a Windows feature that allows security solutions to inspect scripts and detect malicious content at runtime. In this post, we’ll explore how to bypass AMSI detection for a known malicious PowerShell command — Invoke-Mimikatz — using Frida to hook and manipulate the AmsiScanBuffer function at runtime. What is AMSI? … Read more