THREAT UNPACKED
Operational Malware Analysis
-
Building a Scalable Windows Driver Vulnerability Analyzer (Part 2)
In [Part 1], I built a pipeline to churn through gigabytes of drivers. I started with a massive raw dataset of 58.5 GB of drivers. However, feeding this volume into a static analyzer is inefficient. I aggressively filtered the set: This left me with a curated dataset of 28,000 unique drivers and a lot of…
-
Building a Scalable Windows Driver Vulnerability Analyzer (Part 1)
Background As I spent more time looking at kernel drivers, that interest gradually grew. Finding my first CVE in a Windows driver pushed me to pay closer attention to this area. Around the same time, I started reading more practical write-ups on driver work, including a post by eversinc33 on unpacking a VMProtected kernel driver.…
-
Why This Blog Exists
Most malware analysis content focuses on what a sample does. This blog focuses on why it matters during an incident. Through case studies, technical deep dives, and operational reflections, I write about: Clarity matters, assumptions are dangerous, and systems fail in ways their designers rarely expect. The goal is not to teach malware analysis from…
-
Reversing a Microsoft-Signed Rootkit: The Netfilter Driver
A detailed technical analysis of Netfilter.sys, a malicious kernel driver that was legitimately signed by Microsoft through attestation signing. This post explores how the rootkit harnesses the Windows Filtering Platform for stealthy IP redirection, the C2 communication mechanisms, and how Microsoft strengthened driver signing processes afterwards. Why I’m Picking Apart This Driver While digging into…
Threat Unpacked 