Nik Zerof

Defending Windows: DIY Security Without Antivirus Software

Date: 19/07/2025

If you want to protect yourself from viruses, you need antivirus software, right? Not necessarily. Antivirus programs have several drawbacks, so if you’re willing to think and act wisely, you can minimize the risk of infection on your own. All it takes is following some digital hygiene practices and making a few important system adjustments. That’s exactly what we’ll discuss.

Read full article →

Essential Tools for Software Reverse Engineering and Cracking

Date: 10/07/2025

Author: Nik Zerof

Every reverse engineer, malware analyst, and researcher eventually develops a personal toolkit of utilities they regularly use for analysis, unpacking, or cracking. In this review, I will share my own version. This will be useful for anyone who hasn’t yet compiled their own set and is just beginning to explore this field. However, even seasoned reverse engineers might find it interesting to see what tools their peers are using.

Read full article →

Partying by the pool. Mastering PoolParty process injection techniques

Date: 26/06/2025

Author: Nik Zerof

PoolParty is a new type of injections into legitimate processes that abuses Windows Thread Pools, a sophisticated thread management mechanism. Let’s dissect Windows Thread Pools to find out how it can be used for pentesting purposes.

Read full article →

Bring Your Own Vulnerable Driver! Meet BYOVD – one of the most dangerous attacks targeting Windows systems

Date: 27/05/2025

Author: Nik Zerof

Many notorious hacker groups (e.g. North Korea’s Lazarus) use the BYOVD attack to gain access to kernel space and implement complex advanced persistent threats (APTs). The same technique is employed by the creators of the Terminator tool and various encryptor operators. This paper discusses BYOVD operating principles and why this attack has become so popular nowadays.

Read full article →

Agent Tesla: Reversing combat malware in Ghidra

Date: 15/05/2025

Author: Nik Zerof

Recently I encountered an interesting piece of malware called Agent Tesla. It’s still widespread and actively used by cybercriminals (the analyzed sample was dated 2023). Let’s dissect this remote access trojan and find out what’s hidden inside it.

Read full article →

Threadless Injection. Injecting shellcode into third-party processes to circumvent EDR

Date: 07/05/2025

Author: Nik Zerof

This article discusses Threadless Injection: a technique making it possible to make injections into third-party processes. At the time of writing, it effectively worked on Windows 11 23H2 x64 running on a virtual machine isolated from the network with OS security features enabled.

Read full article →

Process Ghosting. Circumvent antiviruses in the most dangerous way

Date: 28/04/2025

Author: Nik Zerof

One of the main priorities for hackers is to hide the execution of their malicious code. This article explains how to start processes using the Process Ghosting technique and discusses operation principles of malware detection systems.

Read full article →