A screenshot of DiaSymbolView inspecting combase.pdb
I wanted to understand what information is available in .pdb files, so I made a tool for it.
Welcome DiaSymbolView - a debug symbol hierarchy and properties viewer based on MSDIA: github.com/diversenok/D...
10.11.2025 21:04
Attacking Assumptions Behind the Image Load Callback :: RomHack 2025
Here are my RomHack slides about low-privileged attack vectors against PsSetLoadImageNotifyRoutine and drivers that rely on it. Enjoy!
diversenok.github.io/slides/RomHa...
29.09.2025 23:29
Improving AFD Socket Visibility for Windows Forensics & Troubleshooting
This blog post explains the basics of Ancillary Function Driver API and how it can help explore networking activity on Windows systems.
My new blog post:
Improving AFD Socket Visibility for Windows Forensics & Troubleshooting
It discusses the low-level API under Winsock (IOCTLs on \Device\Afd handles) and explores the workings of the new socket inspection feature in System Informer.
www.huntandhackett.com/blog/improvi...
15.05.2025 09:38
I think the list of unloaded modules (a.k.a. RtlGetUnloadEventTraceEx) is underappreciated. Ntdll records metadata about DLLs that unloaded from the process and even includes modules that attempted to load but failed their DllMain.
learn.microsoft.com/en-us/window...
18.04.2025 18:34
The feature is live in the latest Canary builds and displays even more properties than initially planned.
Also, a blog post that explains the basics of AFD API and its forensic potential is coming soon.
07.04.2025 12:29
Better socket handle visibility coming soon to System Informer!
When viewing a process handle table, SI will recognize files under \Device\Afd and retrieve information about their state, protocol, addresses, and more. Also works on Bluetooth and Hyper-V sockets.
25.03.2025 13:30