I build low-level security tools from scratch in C/C++ - the kind that sit between the OS kernel and user-mode defenses, where most of the interesting things happen.
My work spans both sides of the detection game: writing tools that break signatures and tools that understand why they broke. I reverse-engineer AV/EDR internals, build emulators and binary rewriters at the instruction level, and explore under-monitored OS surfaces that defenders haven't caught up to yet.
If it touches PE internals, x86-64 machine code, Win32/WinRT undocumented behavior, or the gap between what EDR hooks and what actually runs - I'm probably building something around it.
- Polymorphic PE rewriter for Windows x64. Rewrites machine code into semantically identical but byte-different variants using YAML-defined equivalence rules, EFLAGS liveness analysis, and Unicorn-backed semantic verification. Includes data-section morphing with an anti-emulation gate that defeats Defender's mpengine emulator.
- Windows malware analysis toolkit with a Unicorn-powered PE emulator. 90+ hooked Win32 APIs, runtime IOC extraction, and one-shot reports auto-mapped to MITRE ATT&CK (59 techniques) and capa (803 rules). Analyze malware behavior without executing it on a real system.
- WinRT-only screen capture + OCR research tool. Captures any window (including hidden/minimized) using
| Area | Details |
|---|---|
| Binary Analysis | PE format, x86-64 disassembly, control-flow recovery, instruction-level semantics |
| Detection Engineering | YARA rules, Defender internals, signature durability, ETW |
| Windows Internals | Win32 API, WinRT activation surface, DWM, DXGI, Direct3D interop |
| Offensive Research | Polymorphic code generation, anti-emulation, API surface evasion |
| Emulation | Unicorn Engine for semantic verification and malware behavior analysis |

