diversenok
diversenok.bsky.social
Aspiring Windows security researcher & system programmer; student.
GitHub: https://github.com/diversenok
I wanted to understand what information is available in .pdb files, so I made a tool for it 🔎🐛

Welcome DiaSymbolView - a debug symbol hierarchy and properties viewer based on MSDIA: github.com/diversenok/D...
November 10, 2025 at 9:04 PM
Here are my RomHack slides about low-privileged attack vectors against PsSetLoadImageNotifyRoutine and drivers that rely on it. Enjoy!
diversenok.github.io/slides/RomHa...
September 29, 2025 at 11:29 PM
My new blog post 🥳

Improving AFD Socket Visibility for Windows Forensics & Troubleshooting

It discusses the low-level API under Winsock (IOCTLs on \Device\Afd handles) and explores the workings of the new socket inspection feature in System Informer 🔥

www.huntandhackett.com/blog/improvi...
This blog post explains the basics of Ancillary Function Driver API and how it can help explore networking activity on Windows systems.
May 15, 2025 at 9:38 AM
I think the list of unloaded modules (aka. RtlGetUnloadEventTraceEx) is underappreciated. Ntdll records metadata about DLLs that unloaded from the process and even includes modules that attempted to load but failed their DllMain.

learn.microsoft.com/en-us/window...
April 18, 2025 at 6:34 PM
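As an added example (not the author's code), this PowerShell script walks that per-process ring buffer through RtlGetUnloadEventTraceEx via P/Invoke. The struct layout follows the public RTL_UNLOAD_EVENT_TRACE definition, the stride comes from ElementSize rather than sizeof so builds that append fields are still walked correctly, and reading TimeInserted as a time_t is an assumption.

```powershell
# Added example, not from the post: enumerate ntdll's unload event trace for the
# current process. Struct layout from the public RTL_UNLOAD_EVENT_TRACE docs.
$src = @'
using System;
using System.Runtime.InteropServices;
public static class NtdllUnloadTrace {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct RTL_UNLOAD_EVENT_TRACE {
        public IntPtr  BaseAddress;   // NULL marks an unused ring-buffer slot
        public UIntPtr SizeOfImage;
        public uint    Sequence;      // increasing counter across unload events
        public uint    TimeInserted;  // assumed to be seconds since 1970
        public uint    CheckSum;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 32)]
        public string  ImageName;     // file name only, truncated to fit
    }
    [DllImport("ntdll.dll")]
    public static extern void RtlGetUnloadEventTraceEx(
        out IntPtr ElementSize, out IntPtr ElementCount, out IntPtr EventTrace);
}
'@
Add-Type -TypeDefinition $src

function Get-UnloadedModuleTrace {
    $sizePtr = [IntPtr]::Zero; $countPtr = [IntPtr]::Zero; $trace = [IntPtr]::Zero
    # All three out-parameters point into ntdll's own globals (PULONG* / PVOID*).
    [NtdllUnloadTrace]::RtlGetUnloadEventTraceEx([ref]$sizePtr, [ref]$countPtr, [ref]$trace)
    $elemSize = [Runtime.InteropServices.Marshal]::ReadInt32($sizePtr)
    $count    = [Runtime.InteropServices.Marshal]::ReadInt32($countPtr)
    $type     = [NtdllUnloadTrace+RTL_UNLOAD_EVENT_TRACE]
    for ($i = 0; $i -lt $count; $i++) {
        # Step by the size ntdll reports, not by sizeof(), to stay layout-tolerant.
        $p = [IntPtr]($trace.ToInt64() + $i * $elemSize)
        $e = [Runtime.InteropServices.Marshal]::PtrToStructure($p, $type)
        if ($e.BaseAddress -eq [IntPtr]::Zero) { continue }   # slot never used
        [pscustomobject]@{
            Sequence  = $e.Sequence
            Unloaded  = [DateTimeOffset]::FromUnixTimeSeconds($e.TimeInserted).LocalDateTime
            Base      = '0x{0:X}' -f $e.BaseAddress.ToInt64()
            Size      = '0x{0:X}' -f $e.SizeOfImage.ToUInt64()
            CheckSum  = '0x{0:X8}' -f $e.CheckSum
            ImageName = $e.ImageName
        }
    }
}

# Entries with a low sequence number can be overwritten once the ring wraps.
Get-UnloadedModuleTrace | Sort-Object Sequence | Format-Table -AutoSize
```

Run it from the process you are inspecting (here, the PowerShell host itself); a DLL whose DllMain failed shows up here even though it never appeared in the loader's module list.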
The feature is live in the latest Canary builds and displays even more properties than initially planned 😍

Also, a blog post that explains the basics of AFD API and its forensic potential is coming soon 😉
April 7, 2025 at 12:29 PM
Better socket handle visibility coming soon to System Informer! 🔥

When viewing a process handle table, SI will recognize files under \Device\Afd and retrieve information about their state, protocol, addresses, and more. Also works on Bluetooth and Hyper-V sockets 🤩
March 25, 2025 at 1:30 PM