Architectural Limits of Kernel-Level EDR
Notes From Building One
When I began building a kernel-level EDR, I assumed visibility was the hard part and privilege was the solution. Running in ring 0 should mean total awareness. What I learned instead is this: kernel privilege gives you authority, not observability. The limitations are architectural, not a matter of engineering skill. Below are…
How EDR Detects Dynamic API Resolution at Runtime
Endpoint Detection and Response (EDR) solutions closely monitor how processes interact with the Windows loader. One common behavioral signal is dynamic API resolution: instead of declaring the functions it needs in its import table, the code looks them up at runtime (through GetProcAddress, or by walking the PEB module list and a module's export table itself), so static analysis and import-based signatures see nothing of note. Malware uses this routinely. This section explains, from a custom EDR (NORM) perspective, how dynamic API resolution can be detected…
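As an added illustration (not NORM's code, and not taken from the post), the following shows the loader-side trick and one way an agent can flag it. Position-independent code commonly stores a hash of each API name rather than the name, then hashes the entries of a module's export table at runtime until one matches, so the binary carries neither an import entry nor a readable string. The hash scheme assumed here is the ROR13 rotate-and-add used by the Metasploit block_api stub; the export table and the scanned buffer are constructed stand-ins, not a real PE image or a captured payload. The detection side sweeps a memory region for 32-bit constants equal to the hashes of APIs the agent considers sensitive.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not NORM's code). ROR13 hashing as used by classic
 * position-independent shellcode; real loaders vary rotation, seed and case. */
static uint32_t ror13_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h = (h >> 13) | (h << 19);   /* rotate right by 13 */
        h += *p;
    }
    return h;
}

/* Constructed stand-in for a module's export name table. A real resolver walks
 * IMAGE_EXPORT_DIRECTORY of the mapped DLL located through the PEB module list. */
typedef struct { const char *name; uintptr_t address; } export_entry;

static const export_entry demo_exports[] = {
    { "VirtualAlloc",       0x1000 },
    { "VirtualProtect",     0x1010 },
    { "CreateThread",       0x1020 },
    { "LoadLibraryA",       0x1030 },
    { "GetProcAddress",     0x1040 },
    { "WriteProcessMemory", 0x1050 },
};
#define DEMO_EXPORT_COUNT (sizeof demo_exports / sizeof demo_exports[0])

/* Loader side: find the export whose hashed name equals the constant carried
 * in the payload. Returns the table index, or -1 if nothing hashes to it. */
static int resolve_by_hash(const export_entry *tbl, size_t n, uint32_t want)
{
    for (size_t i = 0; i < n; i++)
        if (ror13_hash(tbl[i].name) == want)
            return (int)i;
    return -1;
}

/* Detection side: sweep a buffer at every byte offset for little-endian 32-bit
 * words equal to the hash of a sensitive API. Returns the number of hits and
 * writes the matched API names to `hits`. */
static size_t scan_for_api_hashes(const uint8_t *buf, size_t len,
                                  const char **hits, size_t max_hits)
{
    size_t found = 0;
    for (size_t off = 0; len >= 4 && off <= len - 4 && found < max_hits; off++) {
        uint32_t w = (uint32_t)buf[off]            | (uint32_t)buf[off + 1] << 8 |
                     (uint32_t)buf[off + 2] << 16  | (uint32_t)buf[off + 3] << 24;
        for (size_t i = 0; i < DEMO_EXPORT_COUNT; i++)
            if (ror13_hash(demo_exports[i].name) == w) {
                hits[found++] = demo_exports[i].name;
                break;
            }
    }
    return found;
}

static void put_le32(uint8_t *dst, uint32_t v)
{
    dst[0] = (uint8_t)v;         dst[1] = (uint8_t)(v >> 8);
    dst[2] = (uint8_t)(v >> 16); dst[3] = (uint8_t)(v >> 24);
}

/* Constructed payload: filler bytes with two hash constants planted at
 * unaligned offsets, the way a shellcode stub carries them. */
static size_t demo_scan(const char **hits, size_t max_hits)
{
    uint8_t blob[32];
    memset(blob, 0x90, sizeof blob);
    put_le32(blob + 3,  ror13_hash("VirtualAlloc"));
    put_le32(blob + 11, ror13_hash("CreateThread"));
    return scan_for_api_hashes(blob, sizeof blob, hits, max_hits);
}

int main(void)
{
    const char *hits[8];
    size_t n = demo_scan(hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("payload carries hash of %s\n", hits[i]);
    int idx = resolve_by_hash(demo_exports, DEMO_EXPORT_COUNT,
                              ror13_hash("VirtualAlloc"));
    printf("resolved VirtualAlloc -> export index %d\n", idx);
    return 0;
}
```

A real agent would compute the reference hashes from the export tables of the modules actually loaded (kernel32, ntdll) rather than a fixed list, and would keep one table per hash family: ROR13, djb2, FNV-1a and CRC32 variants are all common, and loaders salt or XOR them to defeat exactly this kind of constant scan. Treat a hash hit as one signal to combine with behavioural ones, such as export-table reads originating from memory that is not backed by an image section.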
From URL to Execution: Assembling a Payload Entirely In-Memory
If you’re new to malware development (maldev), the sheer complexity can be overwhelming. How do you even begin to understand something as advanced as in-memory execution? The answer is simple: you break it down. This post is the culmination of my first major milestone: combining five core sub-projects into a single, functional loader that downloads…