-
Building a Scalable Windows Driver Vulnerability Analyzer (Part 2)
In [Part 1], I built a pipeline to churn through gigabytes of drivers. I started with a massive raw dataset of 58.5 GB of drivers. However, feeding this volume into a static analyzer is inefficient. I aggressively filtered the set: This left me with a curated dataset of 28,000 unique drivers and a lot of…
-
Why This Blog Exists
Most malware analysis content focuses on what a sample does. This blog focuses on why it matters during an incident. Through case studies, technical deep dives, and operational reflections, I write about: Clarity matters, assumptions are dangerous, and systems fail in ways their designers rarely expect. The goal is not to teach malware analysis from…
-
Reversing a Microsoft-Signed Rootkit: The Netfilter Driver
A detailed technical analysis of Netfilter.sys, a malicious kernel driver that was legitimately signed by Microsoft through attestation signing. This post explores how the rootkit harnesses the Windows Filtering Platform for stealthy IP redirection, the C2 communication mechanisms, and how Microsoft strengthened driver signing processes afterwards.
Why I’m Picking Apart This Driver
While digging into…