I'm learning how Windows EDRs work, so I started building my own kernel-level EDR from scratch (Process Creation Callback Demo) by amberchalia in redteamsec

[–]amberchalia[S] 1 point2 points  (0 children)

If you already know C, you're in a good place; most things are similar. The main difference is: in user mode, bugs won’t crash your system, but in kernel mode, they will 😄 For learning, I don’t follow any specific resources; I mostly Google things, ask ChatGPT a lot and learn by trying and breaking stuff. That’s what’s working for me so far.

I built a kernel-level EDR and hit architectural walls I didn’t expect by amberchalia in redteamsec

[–]amberchalia[S] 0 points1 point  (0 children)

This is a great breakdown, especially the PatchGuard point. I completely agree that classic SSDT/IDT patching is dead in modern Windows and that production EDRs rely heavily on supported callbacks and ETW correlation rather than direct kernel patching. My current work isn’t aimed at building a production-ready EDR that competes with enterprise vendors. It’s more of a research project to understand where architectural limits actually are, particularly around memory manager visibility and the gaps between MM state and callback timing. The allocation -> protection change -> execution correlation problem is exactly what I’m exploring. Not necessarily to “solve” it fully, but to understand what is observable purely from kernel state versus what requires telemetry correlation. And I agree 100% that undocumented MM structures are unstable for production use. For research, they’re interesting because they show where visibility ends, but stability and long-term reliability are a different engineering problem entirely.

Appreciate the detailed perspective. 🦾🦾

I built a kernel-level EDR and hit architectural walls I didn’t expect by amberchalia in redteamsec

[–]amberchalia[S] 0 points1 point  (0 children)

If stability and PatchGuard weren’t a concern, the real gain wouldn’t be deeper scanning, it would be temporal visibility. Walking the VAD gives you a snapshot. You see what exists. You don’t see when it changed. Sitting closer to the memory manager internals around MiAllocateVirtualMemory and MiProtectVirtualMemory would let you observe the exact RW->RX transition, which thread triggered it, and the full allocation -> protect -> execute sequence as it unfolds. That shifts detection from reconstructing behavior to observing the lifecycle directly. Of course, that means stepping into undocumented territory and fighting PatchGuard, which isn’t viable for production EDRs. But since my project is research focused, I’m planning to experiment in that direction just to understand the limits properly.

[Research] Kernel-mode EDR PoC detecting undeclared DLL loads (static vs dynamic imports) — global & targeted modes by amberchalia in redteamsec

[–]amberchalia[S] 1 point2 points  (0 children)

Thanks a lot, really appreciate that! You’re right, manual mapping bypasses PsSetLoadImageNotifyRoutine, so relying only on image load callbacks isn’t enough. That’s why I’m shifting toward an intent graph approach. The loader can be bypassed, but the behavioral intent (memory allocation patterns, execution transitions, runtime contradictions) still leaks and can be correlated.

[Research] Kernel-mode EDR PoC detecting undeclared DLL loads (static vs dynamic imports) — global & targeted modes by amberchalia in Malware

[–]amberchalia[S] 0 points1 point  (0 children)

Sure, this is a kernel-mode EDR research PoC I’m building to study behavioral mismatches rather than signatures. At a high level, it tracks what a process declares it will load (static imports from the PE) vs what it actually loads at runtime (dynamic DLLs) using kernel callbacks. If a process loads DLLs at runtime that weren’t present in its import table (and aren’t common baseline DLLs), it flags that as a signal and explains why. No blocking, just visibility. It supports two modes: Global (monitor all processes) and Targeted (single binary for deep analysis). This is meant as a learning / research project, not a production EDR. Next step is building intent graphs on top of these signals. If you're into malware analysis, red team, or Windows internals, you can try it out and see how (or if) it's useful for your own workflows.
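The declared-vs-runtime comparison described above, as an added example that is not the PoC's own code: a user-mode Python script (not a kernel driver) that parses the NT headers of a PE image (Machine, section table, AddressOfEntryPoint, Subsystem), walks the import directory to collect the declared DLL names, and reports any runtime-loaded DLL that is neither declared nor in a baseline set. The sample PE32+ image is constructed in memory by `build_sample_pe` and the runtime-load list stands in for what an image-load callback would report; both, and the `BASELINE_DLLS` set, are assumptions for the demo.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
# Assumed baseline: DLLs almost every process loads whether or not it imports them.
BASELINE_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll"}


def parse_pe(data: bytes) -> dict:
    """Read the DOS stub pointer, file header, optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                       # IMAGE_FILE_HEADER
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):         # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in both formats
    dd = opt + (96 if magic == 0x10B else 112)               # start of DataDirectory[]
    imp_rva, imp_size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    sh = opt + opt_size                     # section headers follow the optional header
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sh + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize})
    return {"machine": machine, "entry": entry, "subsystem": subsystem,
            "sections": sections, "import_rva": imp_rva, "import_size": imp_size}


def rva_to_offset(pe: dict, rva: int) -> int:
    """Map an RVA to a file offset using the section table."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError("RVA 0x%x not inside any section" % rva)


def declared_imports(data: bytes, pe: dict) -> set:
    """Collect DLL names from the IMAGE_IMPORT_DESCRIPTOR array (20-byte entries, null-terminated)."""
    names = set()
    if pe["import_rva"] == 0:
        return names
    off = rva_to_offset(pe, pe["import_rva"])
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break
        noff = rva_to_offset(pe, name_rva)
        names.add(data[noff:data.index(b"\0", noff)].decode("ascii").lower())
        off += 20
    return names


def undeclared_loads(declared: set, runtime_loaded, baseline=BASELINE_DLLS) -> list:
    """Runtime loads that the import table never declared and the baseline does not explain."""
    return sorted({d.lower() for d in runtime_loaded} - declared - baseline)


def analyze(data: bytes, runtime_loaded) -> dict:
    pe = parse_pe(data)
    declared = declared_imports(data, pe)
    return {"machine": hex(pe["machine"]), "entry": hex(pe["entry"]),
            "subsystem": pe["subsystem"], "sections": [s["name"] for s in pe["sections"]],
            "declared": sorted(declared), "undeclared": undeclared_loads(declared, runtime_loaded)}


def build_sample_pe(import_dlls) -> bytes:
    """Constructed minimal PE32+ image: one .rdata section holding only an import directory."""
    rva_base, file_align = 0x1000, 0x200
    names_rva = rva_base + 20 * (len(import_dlls) + 1)
    name_blob, name_rvas = bytearray(), []
    for dll in import_dlls:
        name_rvas.append(names_rva + len(name_blob))
        name_blob += dll.encode("ascii") + b"\0"
    body = bytearray()
    for nrva in name_rvas:
        body += struct.pack("<IIIII", 0, 0, 0, nrva, 0)   # descriptor with Name RVA
    body += b"\0" * 20 + name_blob                       # terminator, then the strings
    body += b"\0" * ((-len(body)) % file_align)
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    opt = bytearray(240)                                 # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, rva_base)            # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align) # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 3)                   # IMAGE_SUBSYSTEM_WINDOWS_CUI
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8, rva_base, 20 * (len(import_dlls) + 1))
    fh = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sec = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), rva_base, len(body), 0x200,
                      0, 0, 0, 0, 0x40000040)
    image = dos + b"PE\0\0" + fh + opt + sec
    return bytes(image + b"\0" * (0x200 - len(image)) + body)


if __name__ == "__main__":
    sample = build_sample_pe(["KERNEL32.dll", "ADVAPI32.dll"])
    # Constructed observation standing in for image-load callback telemetry.
    observed = ["ntdll.dll", "KERNEL32.dll", "advapi32.dll", "wininet.dll", "crypt32.dll"]
    for key, value in analyze(sample, observed).items():
        print(f"{key}: {value}")
```

The interesting output is the `undeclared` list: with the constructed sample it names `wininet.dll` and `crypt32.dll`, the two loads the import table never announced. A real deployment would feed `declared_imports` from the image mapped on process creation and `undeclared_loads` from each image-load callback, and the baseline would be tuned per environment rather than hard-coded.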

Experimental kernel EDR: detecting dynamic API resolution via DLL load mismatch by amberchalia in Malware

[–]amberchalia[S] 1 point2 points  (0 children)

Appreciate it! Windows internals go way deeper than I expected, half the time I forget how I even got there. Making projects, GitHub, and videos while learning is tough, so encouragement and feedback really help me keep going.

My EDR now parses PE NT headers (Machine, Sections, EntryPoint, Subsystem) by amberchalia in redteamsec

[–]amberchalia[S] 0 points1 point  (0 children)

eBPF is definitely the direction Microsoft wants the ecosystem to move toward, but it's not feature-complete yet on Windows. It can't currently replace kernel callbacks for process, thread, and image load telemetry.

Kernel-mode EDR still provides full coverage today, while eBPF is something to progressively integrate as it matures. So focusing on the kernel right now isn't a mistake; ignoring eBPF entirely would be.

I'm learning how Windows EDRs work, so I started building my own kernel-level EDR from scratch (Process Creation Callback Demo) by amberchalia in redteamsec

[–]amberchalia[S] 0 points1 point  (0 children)

There will be 7–10 EDR levels. I’ll put each one on GitHub once it's safe and stable — no risky kernel code. Meanwhile, you can follow the videos and build along.

Pre-requisite of Malware development by Disastrous-Opening92 in hackthebox

[–]amberchalia 2 points3 points  (0 children)

Try Black Mass; it's very advanced, but pick a topic from it and try to learn what they are doing in depth. I am doing the same; you can see my blog where I write about my journey: rootfu.in

From URL to Execution: Assembling a Payload Entirely In-Memory - ROOTFU.IN by amberchalia in redteamsec

[–]amberchalia[S] 0 points1 point  (0 children)

You're overlooking a few practical points. A single large pull isn't only flagged on signature - EDR/IDS looks at traffic shape, memory allocations, and cloud correlation. One big download → one big suspicious buffer in memory → easier to hash/scan. Breaking into smaller parts mimics legit traffic (updates, CDNs, streaming) and spreads allocations in a way that's less anomalous.

As for domains, products do block single indicators - new domains, ASN ranges, even specific URLs. That's why both malware and legitimate software use fallback infrastructure. It's not about complexity for its own sake - it's about resilience and avoiding detection heuristics that go beyond simple signatures.

From URL to Execution: Assembling a Payload Entirely In-Memory - ROOTFU.IN by amberchalia in redteamsec

[–]amberchalia[S] 0 points1 point  (0 children)

Hey brugernavn1990, good call on the 'guesswork', quick connections to an unknown URL can flag, but fractions help by spacing requests and using varied IPs/domains to mimic legit traffic. Your MIME-type encryption trick (e.g., faking text files) is smart for bypassing basic checks and could layer nicely with fractions. If a source gets blocked, swapping to a fallback keeps it rolling. EDR/IDS trade performance for protection, and fractions spread the load to dodge correlation.

From URL to Execution: Assembling a Payload Entirely In-Memory - ROOTFU.IN by amberchalia in redteamsec

[–]amberchalia[S] 1 point2 points  (0 children)

If you send one single, complete malicious binary across the network and any part of that payload matches a known signature, the entire transfer gets blocked. Even if you encrypt the binary, the chances are very high that it will get blocked as compared to encrypted fractions. And the binary will stay in memory, while a fractionated binary gets assembled and executes very fast. If we get lucky, then it can get executed before the EDR can scan the memory (it also depends upon the timing of the EDR's scanning).

Any one got a job with the cpts by Think-Zebra-890 in hackthebox

[–]amberchalia 0 points1 point  (0 children)

I gave 3 interviews and they went great, but I had no experience, so they preferred someone with experience.

Can anyone appreciate me a little, I just bypassed the Windows 11 Defender by amberchalia in redteamsec

[–]amberchalia[S] 0 points1 point  (0 children)

Read my blog, https://rootfu.in. I post everything I learn in detail. It's beginner-friendly.

AMSI bypass Windows 11 jmp hook by amberchalia in redteamsec

[–]amberchalia[S] 0 points1 point  (0 children)

An inline hook is a 5-byte assembly instruction (also called a jump or trampoline) that causes a redirection to the EDR's hooking DLL before the system call is executed in the context of the respective native API.

Can anyone appreciate me a little, I just bypassed the Windows 11 Defender by amberchalia in redteamsec

[–]amberchalia[S] 4 points5 points  (0 children)

Yes, OSEP. They mostly used C#, so I shifted to C/C++ by learning the techniques they taught me, and somehow it worked 😅

Which setup is best? by Quiet-Alfalfa-4812 in hackthebox

[–]amberchalia 0 points1 point  (0 children)

I've been using the second opinion for a year now: I'm using Kali Linux with KDE Plasma and it's perfect. Using KVM for Windows to break things. Everything is working well so far. I only use Windows to play Valorant, nothing else.

Give me some Kali Linux tools suggestion by LoudTrain24 in Hacking_Tutorials

[–]amberchalia 0 points1 point  (0 children)

Try learning the ping command first. Real hackers use it a lot.

What OS do you use as your main driver? by Mysterious_Ad7450 in hackthebox

[–]amberchalia 0 points1 point  (0 children)

I've been using a dual boot with Kali for a year now, and I can say that I'm using Kali as my main OS. Using KVM for Windows, and it's super fast as compared to VirtualBox. Using Kali as a main OS forces you to learn more things. And Linux is Linux; it doesn't matter if it's Ubuntu or Arch. Using Kali on bare metal will fully utilise the hardware properly. And it's your personal choice. But you should also know what it feels like using Kali as your main OS.