Windows internals.
Reverse engineering.
Ironclad defense.
$ dt nt!_EPROCESS
ImageFileName: "explorer.exe"
DirectoryTableBase: 0x1a2b3c...
Kernel loaded at 0xfffff807`00000000
ntoskrnl.exe • May 2026 build
ntos.rest is your no-nonsense hub for Windows security research. We break down the NT kernel, reverse real-world binaries, and teach you how to defend against modern threats.
Kernel modules dissected
EDR techniques covered
Whether you're a red-teamer hunting for kernel callbacks, a blue-teamer building detection logic, or a student trying to understand why ObRegisterCallbacks matters — this is the place.
No fluff. Just deep technical truth about Windows NT.
Process creation, thread scheduling, object manager, executive services, and the HAL.
Virtual address spaces, paging structures, pool allocations, and modern mitigations (CET, HVCI).
KMDF, WDF, filter drivers, IRP handling, and how modern rootkits hide inside the kernel.
IDA Pro, Ghidra, x64dbg, WinDbg Preview, Binary Ninja, and custom kernel debuggers.
Static + dynamic analysis, unpacking, anti-anti-debug, symbolic execution, and kernel RE workflows.
Dissecting recent malware, analyzing signed driver abuse, and mapping undocumented NT APIs.
ASLR, CFG, CET, HVCI, Kernel Data Protection, and how attackers still bypass them.
Callback monitoring, ETW, Sysmon, AMSI, and writing your own behavioral rules.
Memory dumping, Volatility, kernel live forensics, and incident response playbooks.
We reverse-engineered 14 new telemetry providers and show you how defenders can abuse them for better visibility.
Step-by-step analysis of a new Bring-Your-Own-Vulnerable-Driver attack chain.
What changed in ObpCreateObject and why it matters for rootkit developers and defenders.
Monthly deep dives, new research drops, and early access to tools. No spam — just signal.