Blogs
Detecting SSDT Hook with User Mode Program via BYOVD
Introduction GitHub Link: github.com/0xbekoo/SSDT-Hook-Detector Welcome to my blog! Today we will dive into a little adventure… Recently, I developed malware related to SSDT Hooking, but it’s not the kind of software that causes damage. The main goal of the malware is detecting hooked routines. However, my real goal was to develop malware that performs SSDT Unhooking in the first place. But after a few problems, I developed this project.
September 18, 2025
PatchGuard Analysis - Part 4
Verification Routines This phase is the heart of PatchGuard’s self-defense mechanism. Once PatchGuard is triggered—either by a timer, a DPC, a system thread, or other dispatch mechanisms—it enters the validation routine. The validation code decrypts and inspects internal PatchGuard state and memory-resident kernel structures. There are several checking routines involved, with the main one called FsRtlMdlReadCompleteDevEx. Other routines include: TVCallBack Routine: The routine looks very much like FsRtlMdlReadCompleteDevEx. We showed previously that it was called from a global variable set up from KiFilterFiberContext. CcBcbProfiler We saw that this function is used to check a randomly chosen routine from ntoskrnl. In this section, we will focus mainly on FsRtlMdlReadCompleteDevEx. This function is really long and can be broken down into multiple parts:
August 9, 2025
PatchGuard Analysis - Part 3
Triggering a check As we have seen before, several methods are used to set up contexts. In this section, we will see how these contexts are triggered. DPC Execution The most frequent way to trigger a check is to use a DPC. The routine set as DeferredRoutine is picked among the following: 0 CmpEnableLazyFlushDpcRoutine 1 ExpCenturyDpcRoutine 2 ExpTimeZoneDpcRoutine 3 ExpTimeRefreshDpcRoutine 4 CmpLazyFlushDpcRoutine 5 ExpTimerDpcRoutine 6 IopTimerDispatch 7 IopIrpStackProfilerDpcRoutine 8 KiBalanceSetManagerDeferredRoutine 9 PopThermalZoneDpc 10 KiTimerDispatch OR KiDpcDispatch 11 KiTimerDispatch OR KiDpcDispatch 12 KiTimerDispatch OR KiDpcDispatch Among indices 0 to 9, the functions use an exception handler to fire the check. KiTimerDispatch and KiDpcDispatch call the DPC directly without any exception handler. In other words, these functions do their job while PatchGuard hijacks them to hide itself.
August 8, 2025
PatchGuard Analysis - Part 2
Arguments of KiInitPatchGuardContext Now we can look at the other arguments of the function. Argument 1: DPC Routine Pointer As we have seen before, several methods use a DPC structure to hide PatchGuard and queue it. This DPC actually contains a pointer to a function that is known to dequeue a DPC, and that will perform a specific operation when the DPC is actually a PatchGuard one. The first argument is an index used to choose a routine randomly; this routine will be set to one of the following:
August 7, 2025
PatchGuard Analysis - Part 1
This article is dedicated to B., the dark shadow. Thanks for all your help, the dark shadow B. Introduction Most of us have probably come across PatchGuard (Kernel Patch Protection) at some point. Developed by Microsoft, it plays a critical role in 64-bit Windows operating systems. Its mission is simple yet vital: preventing unauthorized modifications to kernel-level structures in order to preserve system integrity. Today, it still stands as one of the core components of modern Windows security architecture.
August 6, 2025
Loading Driver from User-Mode Program via SSDT Hooking
Welcome to my blog. In this blog, I will demonstrate the SSDT Hooking technique. In this article, we will examine how SSDT Hooking works, why it is used, and how it can be implemented. We will begin by understanding the System Service Descriptor Table (SSDT) and its role in managing system calls within the Windows kernel. Next, we will take a closer look at this technique through a project I have prepared for SSDT Hooking. We will walk through the process of dynamically locating the SSDT, identifying a target system call (such as NtLoadDriver), and modifying its entry to redirect execution flow to a custom function.
February 22, 2025
Reversing System Call Mechanism in Windows Kernel
Hi everyone! Today we will dive into syscalls in the Windows kernel. The information I had about the SSDT seemed insufficient to me, so I decided to dive into the Windows kernel. In this blog, we will examine how the Windows kernel handles a syscall. I will not cover what NTAPI, syscalls or the SSDT are in this blog, because I have written many documents on these topics; if you are a beginner in these topics, you can start with the documents mentioned.
December 31, 2024
ARM Firmware Reverse Engineering
Hello everyone. In this blog we continue with Firmware Reverse Engineering. We will dive into Bare Metal Reversing. If you remember, in our previous topic, we analyzed the firmware of the TP-LINK Archer AX 21 V4.6 in 2024. Here, we will take things a little further. I have a Nucleo F030R8 board (with an ARM Cortex-M0 processor) and I wanted to use it for Firmware Reverse Engineering. What we will do in this blog is simply program the board, then reverse the firmware and flash it back onto the board. Think of it as a typical IoT board hacking scenario, but simpler:
December 4, 2024
Router Firmware Reverse Engineering
Hello there. Welcome to my first blog for Firmware Reverse Engineering. In this post we will reverse the firmware of TP-Link’s Archer AX 21 V4.6 modem. You can check TP-Link’s original page to download the firmware. Warning
December 3, 2024
Is Valorant Spyware?
Understanding How Anti-Cheat Software Works To begin our exploration, we first need to understand how anti-cheat software works. In general, anti-cheat software is developed for two main purposes: to prevent cheating within a game and to detect those who do. We can categorize how this software operates into two main methods: server-side and client-side[1]. Server-side anti-cheat software typically monitors and analyzes the data a player sends to the game server. This data can include how the player is playing, what commands they are sending, and how quickly they react. Its goal is to detect discrepancies between normal gameplay behavior and potential cheat usage.
April 17, 2024