The Engineer You Call When the Problem Has No Stack Overflow Answer
Ring −1 to Ring 3. Hypervisor, kernel, UEFI/EFI, reverse engineering, security bypass — 30 years.
Contact: marek@kvc.pl · WhatsApp/Signal: +48 607-440-283 · Telegram: @wesmar · github.com/wesmar
I have been in the industry since the early '90s – I remember when operating system vulnerabilities stemmed from architecture, not from cloud API implementation flaws. For 30 years, I have evolved from low-level Assembly to firmware engineering (UEFI/EFI) and kernel-mode development.
I am not looking for "team synergy", "Scrum", "workflows", or corporate fluff. I am an introvert and a craftsman. I operate alone, from binary analysis (A) to deployment and testing (Z). If you expect PowerPoint presentations and weekly status updates – you have the wrong address. If you have a hard engineering problem, rigorous requirements, and expect deterministic code and concrete tests – read on.
Who do I work with?
I cooperate exclusively with technical decision-makers, security architects, and R&D leaders. Middlemen, recruitment agencies, and "Scrum Masters" need not apply.
Core Capabilities
1. Security Bypass & Evasion Architecture
Instead of playing hide-and-seek with EDRs at the User-Mode (Ring-3) level, I operate where modern defense systems lack visibility or lose integrity. When Ring-3 is the right instrument — API-level AV/EDR manipulation, COM elevation chains, XAML UI Automation tree traversal to control Defender RTP state without kernel access or process injection — I use it with the same precision. The attack surface is wherever the defense model assumes it isn't.
Kernel & Boot Integrity: DSE (Driver Signature Enforcement) Bypass — three independent vectors: (a) direct SeCiCallbacks+0x20 patch — targets CiValidateImageHeader, the callback that validates PE code integrity before loading; the patch window is minimized to a single atomic load sequence (patch → load unsigned driver → restore) to remain below Kernel Patch Protection (KPP/PatchGuard) detection on Windows 11 26H1+, (b) CI PAGECONS trust store poisoning: in-memory replacement of a Microsoft root CA public key in ci.dll's PAGECONS section via kernel arbitrary R/W, loading a custom-signed driver without touching the UEFI Secure Boot database or any on-disk file, (c) Windows cert store trust injection — a kernel-primitive-free vector: a custom root CA installed into the system trust store, driver PE signed via undocumented mssign32.dll signing API with embedded full chain, then loaded through standard SCM/NtLoadDriver — CI validates against the system store and accepts the signature without BYOVD, without any kernel write. This vector is not published. TOCTOU (Time-of-Check to Time-of-Use) vulnerabilities at the kernel-driver boundary.
PPL & Token Manipulation: Surgical bypassing of Protected Process Light (PPL). Process Signature Spoofing: SignatureLevel/SectionSignatureLevel fields in EPROCESS — processes become indistinguishable from legitimate PP-Antimalware binaries under kernel debugger inspection. Security token and privilege manipulation at the kernel level.
HVCI Environments: Loading unsigned kernel drivers under Memory Integrity — SeCiCallbacks-based bypass with HVCI visual camouflage (HvciShutdownSvc — HVCI flag restoration on regular boots, windowsdefender://devicesecurity shows no warnings). EPT-protected PAGECONS constraint documented separately. EFI-layer HVCI bypass: a UEFI application (HvciBypass.efi) that hooks EFI_FREE_PAGES in UEFI boot services to intercept winload.efi loading. Detection uses PE debug directory scan — locates the RSDS CodeView record and scans the embedded PDB path for the winl pattern, with no reliance on file names or fixed addresses. Once winload.efi is identified, it patches the UTF-16LE string HypervisorEnforcedCodeIntegrity in-memory — replacing a single character at index 22 (I → l) via CR0.WP bypass — so the Windows boot loader silently fails to find the HVCI registry key and HVCI never activates. Optional: self-enrolls an embedded root CA directly into the UEFI Secure Boot db variable via EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS (requires Setup Mode), making the machine trust custom-signed drivers at firmware level. The result is a fully hardened-looking system — Secure Boot on, HVCI visually on — that loads unsigned kernel code without a single Windows-level API call.
Firmware & UEFI: Analysis, reverse engineering, and modification of firmware (UEFI/EFI), inspecting the Trust Chain during early boot stages (Bootkits, SecureBoot bypass). EFI undervolting (MSR 0x150, CFG Lock, Plundervolt-class techniques).
BYOVD (Bring Your Own Vulnerable Driver): Designing attack vectors and research tools (PoCs) leveraging signed but vulnerable drivers to gain unprivileged access to Ring-0. I maintain a private collection of 37 independently researched vulnerable drivers — never published, never shared. Each is a working Ring-0 primitive with documented IOCTL attack surface, privilege escalation path, and tested exploitation code.
Kernel Primitive Driver (OmniDriver/kvcstrm): A purpose-built NT/KMDF control driver exposing a buffered IOCTL interface covering the full surface of kernel-level operations. The crown primitive is MmCopyVirtualMemory-based virtual memory read/write — including bulk batch operations up to 64 sub-requests per call — the exact capability Microsoft has been actively blocking in third-party kernel drivers for years. It is this primitive that drives the CI PAGECONS poisoning: the in-memory modulus replacement in ci.dll that allows sc start to load a custom-signed driver without touching the UEFI Secure Boot database or any on-disk file. Beyond virtual R/W: physical memory read/write with MmGetPhysicalMemoryRanges validation, protected memory write via CR0.WP bypass, process termination by PID or image name prefix, EPROCESS protection byte write (for PPL manipulation), primary token replacement with the SYSTEM token, kernel memory allocation (non-paged executable or non-paged non-executable), handle force-close in remote process handle tables. Access restricted via SDDL to SYSTEM and local Administrators. The full deployment wrapper — the toolchain that packages this driver for delivery against any AV/EDR stack and makes the entire operation undetectable from the moment of driver load to the moment the payload completes — is not public. The reason is straightforward: such a tool would trivially bypass every anti-cheat system currently deployed in commercial games, and the financial exposure for game publishers would be substantial. If you read the public repositories, the primitives are there and you can build excellent tooling for yourself. If you need special-purpose, fully undetectable tooling built for a specific target environment — that is exactly the kind of work I take on for clients.
Credential Extraction: DPAPI and App-Bound Encryption (APPB) key extraction. Live browser credential extraction (Chrome, Edge, Brave) via COM elevation chain (IEdgeElevatorFinal, IOriginalBaseElevator) without process termination. LSASS minidump credential parsing (KvcForensic) — supports all Windows 10/11 builds including build 28000.
Data-Only Attacks & Dispatch Table Corruption: In environments hardened by HVCI, CET Shadow Stacks, and CFG/XFG, classic code injection is obsolete — non-executable non-paged pools and control flow enforcement make shellcode and ROP chains unviable without a detectable signature. The alternative: corrupt data structures so that legitimate, signed Windows code executes the attacker's logic. Ring-0 vectors: HAL Dispatch Table — overwriting HalDispatchTable+0x8 (HalQuerySystemInformation) with a pointer to a kernel export, then triggering via NtQuerySystemInformation to obtain an arbitrary kernel R/W primitive without executing a single unsigned byte; WDF/FltMgr callback table hijacking — corrupting WDFQUEUE dispatch tables or FLT_OPERATION_REGISTRATION PreOperation pointers in registered minifilters (including WdFilter.sys — Windows Defender's own filter), triggered by legitimate IRP flow; ObRegisterCallbacks / CmRegisterCallback structure corruption — overwriting the Callback field in registered callback contexts in non-paged pool, triggered by standard object or registry operations. Ring-3 vectors: COM VTable hijacking — redirecting vtable method pointers in live COM objects (complements COM elevation chain RE); TLS callback table — overwriting _tls_used callback slots, triggered on thread creation or exit.
IFEO & Transient Process Redirection: Writing to Image File Execution Options directly is blocked under Tamper Protection. Bypass via offline hive cycle: RegSaveKeyEx dumps the live IFEO key, RegLoadKey mounts it under a temporary root, the Debugger value is written offline, then RegRestoreKey(REG_FORCE_RESTORE) force-replaces the live key — this API operates below the Tamper Protection filter. Transient IFEO: the entry exists only for the duration of the target operation, then is removed with no registry trace. Applied to session escalation: sethc.exe (Sticky Keys) IFEO redirect at the login screen — 5x Shift opens a TrustedInstaller command prompt. Beyond the registry approach: in-memory sethc session attack — monitoring sethc.exe process birth at 1ms intervals via NtQuerySystemInformation(SystemProcessInformation), reaching its handle in the initialization window before the security context is fully established; triggerable programmatically by switching a thread to WinSta0\Winlogon desktop and firing 5× VK_SHIFT via keybd_event — no physical keyboard, no user interaction required.
2. Advanced Reverse Engineering & Binary Analysis
Reversing undocumented operating system behaviors, malware analysis, DRM mechanisms, and commercial software without source code access.
Tools & Environments: IDA Pro, Ghidra, WinDbg/cdb, x64dbg, proprietary research frameworks (KernelResearchKit).
Memory Analysis & Data Structures: DKOM (Direct Kernel Object Manipulation), NT Kernel structures, IRP Filtering, Syscalls and Trampoline Hooks. Live memory differential analysis methodology: targeted snapshot/diff isolation of undocumented in-memory state — e.g., pinpointing Windows Defender RTP control flag at MpSvc.dll+0x602F18 under active Tamper Protection without symbol server access.
Microarchitectural Side-Channel Research: KASLR bypass via cache timing side-channel — pure userspace, no privileges, no kernel access required. prefetchnta/rdtscp timing isolates the difference between mapped and unmapped kernel pages at the MMU level (TLB hit vs. page table walk latency). Intel and AMD exhibit inverted signatures: on Intel, mapped kernel pages are faster (prefetch speculation succeeds); on AMD, mapped pages are slower (Spectre-era speculative bounds-check penalty). 100% success rate on Intel i7-9750H across 50 consecutive runs. Statistical methodology: O(N) mode calculation to separate bimodal distributions, majority voting (4-of-7 consensus), invalid syscall as a lightweight CPU pipeline flush between measurements, thread affinity pinning to eliminate scheduler-induced cache pollution. Architecture-specific timing thresholds handle the Intel/AMD inversion cleanly at the analysis layer.
Undocumented COM RE: Full interface reconstruction from binary — elevation chains (IEdgeElevatorFinal, IOriginalBaseElevator), vtable layout, calling conventions, error paths.
Authenticode & Code Integrity Chain: PKCS7 structure, SPKI public key extraction, root cert embedding in WIN_CERTIFICATE, CI validation flow at runtime. FSFilter minifilter IOCTL protocol reconstruction without source (driver binary → full request/response protocol).
Steganography & Data Concealment: Embedding and extracting structured payloads in carrier formats — images, archives, firmware blobs. Covert storage and covert channel analysis.
Cryptography: DPAPI internals, BCrypt API primitives, NT/SHA1 LSA hash derivation, AES key extraction from live process memory. Custom crypto implementations in pure C/C++ and MASM. When the platform API falls short, I implement what is missing: the Windows BCrypt API exposes CFB only in 8-bit feedback mode (CFB8). CFB128 is not available natively. For forensic LSA credential parsing, CFB128 is required to match the exact encryption behavior of the LSA subsystem — so I implemented it manually on top of BCryptEncrypt in ECB mode: the counter block is encrypted to produce a 16-byte keystream, XOR-ed with 16 bytes of ciphertext, then the counter is updated with those ciphertext bytes before the next block. This matches LSA behavior precisely and avoids any third-party crypto dependency.
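The CFB128-over-ECB construction described above, as an added illustration that is not the author's code or part of KvcForensic. CFB only ever uses the block cipher's forward direction, so the single AES-ECB call (BCryptEncrypt in ECB mode on Windows) is stood in for here by a constructed keyed PRF; the mode is written generically so the CFB8 variant can be produced beside it, and a helper shows the CFB error-propagation pattern a parser sees on a damaged buffer.

```python
import hmac
import hashlib

BLOCK = 16  # AES block size; CFB128 shifts a full 16-byte block back in


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Forward (ECB) direction of the block cipher for one 16-byte block.
    Constructed stand-in: HMAC-SHA256 truncated to 16 bytes, NOT AES. In a
    real implementation this is one BCryptEncrypt call in ECB mode."""
    if len(block) != BLOCK:
        raise ValueError("block_encrypt expects exactly one 16-byte block")
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb_crypt(key: bytes, iv: bytes, data: bytes, seg: int, decrypt: bool) -> bytes:
    """CFB with an s-byte segment: seg=16 is CFB128, seg=1 is CFB8.

    The shift register starts as the IV. Each step encrypts the register,
    XORs the first `seg` keystream bytes with the input segment, and shifts
    the CIPHERTEXT segment into the register. On decryption the input is
    already ciphertext, so the register is fed from the input rather than
    from the XOR output; that is the only asymmetry between directions.
    A trailing partial segment just consumes a keystream prefix (no padding).
    """
    if len(iv) != BLOCK:
        raise ValueError("IV must be exactly one block")
    reg = iv
    out = bytearray()
    for i in range(0, len(data), seg):
        chunk = data[i:i + seg]
        keystream = block_encrypt(key, reg)[:len(chunk)]
        result = bytes(a ^ b for a, b in zip(chunk, keystream))
        cipher_seg = chunk if decrypt else result
        reg = reg[len(cipher_seg):] + cipher_seg  # shift ciphertext in
        out += result
    return bytes(out)


def cfb128_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return cfb_crypt(key, iv, plaintext, 16, False)


def cfb128_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    return cfb_crypt(key, iv, ciphertext, 16, True)


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Same key/IV/plaintext, 1-byte feedback: agrees with CFB128 only on
    the first byte, which is why a CFB8-only API cannot stand in for CFB128."""
    return cfb_crypt(key, iv, plaintext, 1, False)


def corrupted_positions(key: bytes, iv: bytes, plaintext: bytes, flip_index: int) -> list:
    """Flip one ciphertext byte, decrypt, and return the plaintext offsets that
    differ. In CFB128 the damage is confined to byte flip_index itself plus the
    following block (whose register now holds the bad byte), after which the
    stream resynchronises; a parser can use this to bound what is trustworthy."""
    ct = bytearray(cfb128_encrypt(key, iv, plaintext))
    ct[flip_index] ^= 0x01
    pt2 = cfb128_decrypt(key, iv, bytes(ct))
    return [i for i, (a, b) in enumerate(zip(plaintext, pt2)) if a != b]
```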
Forensic Tooling Without the Crutches: KvcForensic parses LSASS minidumps across all Windows 10/11 build variants — MSV1_0 NT/LM/SHA1/DPAPI, WDigest cleartext, Kerberos tickets, CredMan, DPAPI master key cache — using pure Win32 API only. No DbgHelp, no third-party libraries, no symbol server. Structure offsets for each Windows build are encoded in a JSON template database resolved at runtime, making the tool immune to build-to-build layout changes and operational in air-gapped environments where symbol access is impossible.
3. Injection, Hooking & Code Loading Engineering
I don't care about stock GitHub libraries. I write my own highly specialized tools for memory and control flow manipulation that bypass heuristics and signatures.
Hooking: IAT/EAT, Inline (Detours-style), Trampoline Hooks, native function hooking. Delay-import table (INT) scanning for ordinal hooks — including high-bit ordinal encoding (DataDirectory[13], bit-63 set: 0x800000000000007E). COM CLSID proxy injection.
Code Loading: Reflective DLL Injection, Manual Mapping, Memory Execution. Loading unsigned kernel binaries via SeCiCallbacks patch or PAGECONS trust store replacement. Boot-phase unsigned driver loading via /SUBSYSTEM:NATIVE application deployed through BootExecute — executing before any antivirus or EDR user-mode thread initializes, before Win32 subsystem exists, entry via NtProcessStartup with no CRT dependency.
Kernel offset discovery without PDB or symbol server: SeCiCallbacks is an unexported, undocumented kernel global — not in any public symbol, not reachable by name. The scanner locates it in the ntoskrnl.exe that will actually boot through a three-phase probability-weighted algorithm developed from scratch in IDA Pro and Python before a single line of C was written. Phase 1 (Fast): LEA r64,[RIP+rel32] targeting a writable section at SeCiCallbacks+4. Phase 2 (Structural exhaustive): scans all executable sections for the C7 05 <rel32> <imm32> DWORD store in SepInitializeCodeIntegrity — each candidate is scored across multiple independent signals: base candidate weight (+80), 0x108 flags value match (+12), nearby QWORD store proximity and gap penalty (+8 to +38), struct size alignment match (+18–+20), zeroing window pattern, .pdata RUNTIME_FUNCTION bounds to constrain the backwards search to the containing function's prologue. Minimum acceptance threshold: 110 points. Observed scores on correct candidates: 120–185 points. Phase 3 (Legacy anchor): the 0x108 flags constant alone — covers all builds from Windows 10 1607 (RS1) onward where the zeroing pattern is absent.
HVCI raw hive patching without registry API: when Memory Integrity is detected, the SYSTEM hive is opened directly with SeBackupPrivilege + SeRestorePrivilege and walked at binary level — no RegOpenKey, no NtOpenKey. The NK cell for HypervisorEnforcedCodeIntegrity is located by signature (nk at −0x4C from the key name), the values-list is resolved by raw ULONG hive offsets, and the VK cell for Enabled is patched in-place via NtWriteFile with immediate read-back verification. Win10 and Win11 require different handling: on Win11 the NK and VK cells are close; on Win10 registry compaction places the VK megabytes away in the hive file — handled by chunked 1 MB reads with 256-byte overlap for boundary safety plus random-access NtReadFile for distant VK resolution. HVCI visual camouflage (HvciShutdownSvc) restores Enabled=1 + WasEnabledBy=2 + ChangedInBootCycle=KeBootTime where KeBootTime is read via NtQuerySystemInformation(SystemTimeOfDayInformation) — not the Win32 LastBootUpTime, which drifts after VMICTimeSync correction on Hyper-V — so DeviceGuard considers the protection state complete and Windows Security Center shows the Memory Integrity slider active.
Kernel R/W Primitives: MmCopyVirtualMemory + CR0.WP bypass, physical-address read/write, page table manipulation.
4. Mobile & Cross-Platform
Android + KernelPatch: Kernel-level work on Android — KernelPatch-based root primitives, kernel patching, APK analysis and modification.
Linux: Kernel module development, ELF binary analysis, LSM hooks. Cross-platform forensic tooling — same hash and offset logic, byte-for-byte identical output to Windows builds (documented in KvcForensic Linux build).
OSX: Binary analysis, sandbox inspection, codesign bypass research.
5. Critical Systems & Performance
Low-level software does not forgive mistakes. I build drivers and utilities for real-time systems, including critical infrastructure (e.g., reactor controllers).
Mathematical and algorithmic optimization. Memory management, leak avoidance, and race-condition elimination at the kernel level. Code that just works. Always.
The same algorithmic discipline that applies to kernel primitives applies everywhere I work. My chess engine (C++20, pure WinAPI, zero external dependencies, ~200 KB binary that runs even in Windows Recovery Environment) implements the full competitive search stack: minimax with alpha-beta pruning, Principal Variation Search, iterative deepening with aspiration windows, quiescence search, null move pruning (disabled in endgame to avoid zugzwang), Late Move Reduction and Late Move Pruning, futility pruning, razoring, delta pruning in quiescence, mate distance pruning, and Zobrist-keyed transposition tables. The architecture is Data-Oriented Design throughout — cache-line-aware board representation, branch-minimized move generation, no heap allocation in the hot path. This is not a side project; it demonstrates that the precision I apply to kernel structures I apply equally to algorithms at any level of the stack.
Rules of Engagement
Facts, not visions: You approach me with a problem, an environment specification, and a clearly defined goal (e.g., "we need a PoC bypassing mechanism X in system Y to verify mitigations").
Full autonomy: I deliver results, source code, test frameworks, and technical documentation. I do not need micro-management. I define the milestones and the research path myself.
Ethics & Law: Security bypass, reverse engineering, and evasion work are performed strictly within authorized research (Security Research), Red Teaming, vulnerability analysis tool development (PoC), or compatibility engineering (e.g., watermarks, DRM, legacy hardware).
Speed & Quality: Thanks to 30 years of experience and zero knowledge gaps (from Windows NT to the latest x86/x64 and ARM instruction sets), the time required for research is cut to the absolute minimum. You pay for the result and know-how, not for hours spent reading documentation.
Direct Contact
Have a specific topic? Write directly.
Make sure the first email contains a technical description of the problem (no NDA at this stage, engineering facts only).
| Email | marek@kvc.pl / marek@wesolowski.eu.org |
| WhatsApp / Signal | +48 607-440-283 |
| Telegram | @wesmar |