diversenok

A screenshot of DiaSymbolView inspecting combase.pdb

I wanted to understand what information is available in .pdb files, so I made a tool for it 🔎🐛

Welcome DiaSymbolView - a debug symbol hierarchy and properties viewer based on MSDIA: github.com/diversenok/D...

10.11.2025 21:04 — 👍 10    🔁 4    💬 1    📌 0

Attacking Assumptions Behind the Image Load Callback :: RomHack 2025

Here are my RomHack slides about low-privileged attack vectors against PsSetLoadImageNotifyRoutine and drivers that rely on it. Enjoy!
diversenok.github.io/slides/RomHa...

29.09.2025 23:29 — 👍 2    🔁 1    💬 0    📌 0

Improving AFD Socket Visibility for Windows Forensics & Troubleshooting This blog post explains the basics of Ancillary Function Driver API and how it can help explore networking activity on Windows systems.

My new blog post 🥳

Improving AFD Socket Visibility for Windows Forensics & Troubleshooting

It discusses the low-level API under Winsock (IOCTLs on \Device\Afd handles) and explores the workings of the new socket inspection feature in System Informer 🔥

www.huntandhackett.com/blog/improvi...

15.05.2025 09:38 — 👍 2    🔁 1    💬 0    📌 0

I think the list of unloaded modules (aka. RtlGetUnloadEventTraceEx) is underappreciated. Ntdll records metadata about DLLs that unloaded from the process and even includes modules that attempted to load but failed their DllMain.

learn.microsoft.com/en-us/window...

18.04.2025 18:34 — 👍 1    🔁 0    💬 0    📌 0

The feature is live in the latest Canary builds and displays even more properties than initially planned 😍

Also, a blog post that explains the basics of AFD API and its forensic potential is coming soon.😉

07.04.2025 12:29 — 👍 1    🔁 0    💬 0    📌 0

Better socket handle visibility coming soon to System Informer! 🔥

When viewing a process handle table, SI will recognize files under \Device\Afd and retrieve information about their state, protocol, addresses, and more. Also works on Bluetooth and Hyper-V sockets 🤩

25.03.2025 13:30 — 👍 1    🔁 0    💬 0    📌 1