Kernel
:)
📄️ VAD Unlinking
In this blog we will dive a little deeper and understand how memory regions are represented in the OS and how we can tamper with these kernel structures to hide a memory region in a process. This technique is used in my project YetAnotherReflectiveLoader; I have intentionally not uploaded this specific code for security reasons, but we will talk about the logic here in this blog.
📄️ Fake DriverObject
A manually mapped driver without a DRIVER_OBJECT is deaf and mute. It can run internal threads and manipulate memory, but it cannot safely interact with the standard Windows I/O subsystems. Crafting a structurally correct fake driver object is the bridge that allows a ghost module to use standard, powerful Windows APIs without crashing the system or triggering immediate detection. This technique is used in my project YetAnotherReflectiveLoader; I have intentionally not uploaded this specific code for security reasons, but we will talk about the logic here in this blog.
📄️ Kernel Callback Integrity Bypass
When attempting to register a callback via PsSetCreateProcessNotifyRoutine from a manually mapped driver, the kernel will typically block the request and return STATUS_ACCESS_DENIED. This happens because the API internally calls MmVerifyCallbackFunctionCheckFlags to validate the caller. In this blog, we will explore how these checks work and how a callback can nonetheless be registered from our unbacked driver.
