Reverse engineering · Windows internals · Exploitation
Building low-level security tooling and learning pwn in public.
I write tools that take Windows and PE internals apart and put them back together — kernel callbacks, hooks, PE rewriting, system instrumentation. Most of it starts as "how does this actually work?" and ends as something runnable.

| Project | What it is | Stack |
|---|---|---|
| aegis | Windows kernel-mode EDR built from scratch — driver registers OS callbacks and streams events to a user-mode agent | C / WDK |
| apiscope | API monitoring and interception framework that maps an import-free DLL, installs trampolines across multiple target DLLs, and streams structured events through shared memory | C++ |
| peforge | C++17 library for parsing and modifying PE files — bounded views, separate read/mutate APIs, code-cave discovery | C++ |
| exe2dll | Converts Windows PE executables into DLLs by patching headers and injecting an export directory into code caves | C++ |
| goosquery | SQL-powered OS instrumentation for Windows, inspired by osquery | Go |
| CTFs | rev / pwn / malware writeups, plus challenges I've authored for local events | Python / asm |

- Building aegis into a real kernel EDR, one telemetry source at a time — and writing it up on the blog.
- Grinding pwn (heap, ROP, kernel) and posting writeups as I go.
ᓚᘏᗢ
