About me
OS security researcher with over 10 years of experience in Windows and Linux kernel security, rootkit detection, memory forensics, and bare‑metal hypervisors. My work focuses on designing protection mechanisms and studying how advanced attackers can bypass them.
I have published more than 40 research papers and a patent, and presented my work at conferences including BlackHat (USA & Europe), HITB, LABScon, ADFSL, REcon, and others.
Research interests
I am particularly interested in:
- Kernel‑mode security
- Hypervisors & VT‑x/EPT
- Memory forensics
- Rootkit detection
- EDR / AV evasion & defenses
- Security analytics for OS events
Recent highlights
- Co‑authored ALPChecker – Detecting Spoofing and Blinding Attacks, presented at HITBSecConf 2023 (Phuket) and published on arXiv.
- Presented Blasting Event‑Driven Cornucopia: WMI‑based User‑Space Attacks Blind SIEMs and EDRs at BlackHat USA, LABScon, and Ekoparty.
- Presented Veni, No Vidi, No Vici: Attacks on ETW Blind EDR Sensors at BlackHat Europe.
- Published Protected Process Light is not Protected: MemoryRanger Fills the Gap Again at the IEEE S&P Workshops (SADFE).
- Developed and presented MemoryRanger – a VT‑x/EPT‑based hypervisor that isolates Windows kernel drivers.
Selected publications
- ALPChecker – Detecting Spoofing and Blinding Attacks. HITBSecConf 2023, arXiv 2023.
- Blasting Event‑Driven Cornucopia: WMI‑based User‑Space Attacks Blind SIEMs and EDRs. BlackHat USA 2022.
- Veni, No Vidi, No Vici: Attacks on ETW Blind EDR Sensors. BlackHat Europe 2021.
- Protected Process Light is not Protected: MemoryRanger Fills the Gap Again. IEEE S&P Workshops (SADFE), 2021.
- Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations. Journal of Digital Forensics, Security and Law, 2015.
A more complete list of talks and publications is available on my research page and in the research repository.