{"id":24165,"date":"2025-11-05T08:00:00","date_gmt":"2025-11-05T07:00:00","guid":{"rendered":"https:\/\/cirosec.de\/?p=24165"},"modified":"2026-03-03T11:35:27","modified_gmt":"2026-03-03T10:35:27","slug":"windows-instrumentation-callbacks","status":"publish","type":"post","link":"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/","title":{"rendered":"Windows Instrumen\u00adtation Callbacks &#8211; Part 1"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"24165\" class=\"elementor elementor-24165\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-7b19215f elementor-section-full_width elementor-section-content-middle elementor-section-height-default elementor-section-height-default\" data-id=\"7b19215f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-57f685f5\" data-id=\"57f685f5\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7708c6e elementor-widget elementor-widget-template\" data-id=\"7708c6e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"template.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-template\">\n\t\t\t\t\t<header data-elementor-type=\"header\" data-elementor-id=\"6422\" class=\"elementor elementor-6422 elementor-941 elementor-941\" data-elementor-post-type=\"elementor_library\">\n\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3c20b09 elementor-section-full_width elementor-section-content-middle elementor-section-height-default elementor-section-height-default\" data-id=\"3c20b09\" data-element_type=\"section\" data-e-type=\"section\" id=\"header--sticky\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;,&quot;sticky&quot;:&quot;top&quot;,&quot;sticky_on&quot;:[&quot;desktop&quot;,&quot;tablet_extra&quot;],&quot;sticky_offset&quot;:0,&quot;sticky_effects_offset&quot;:0,&quot;sticky_anchor_link_offset&quot;:0}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-top-column elementor-element elementor-element-2c6b6ea\" data-id=\"2c6b6ea\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-920f2b0 elementor-widget elementor-widget-theme-site-logo elementor-widget-image\" data-id=\"920f2b0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"theme-site-logo.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/en\/\">\n\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"626\" height=\"188\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png\" class=\"attachment-full size-full wp-image-5868\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png 626w, https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent-300x90.png 300w\" sizes=\"(max-width: 626px) 100vw, 626px\" \/>\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-top-column elementor-element elementor-element-b85d260\" data-id=\"b85d260\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-db0098d elementor-widget__width-auto elementor-hidden-desktop elementor-widget elementor-widget-shortcode\" data-id=\"db0098d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\">\n<div role=\"navigation\" aria-label=\"Language Switcher\" class=\"wpml-ls-statics-shortcode_actions wpml-ls wpml-ls-legacy-dropdown-click js-wpml-ls-legacy-dropdown-click\">\n\t<ul>\n\n\t\t<li class=\" wpml-ls-item-legacy-dropdown-click\">\n\n\t\t\t<a href=\"#\" hreflang=\"\" lang=\"\" class=\"js-wpml-ls-item-toggle wpml-ls-item-toggle\" aria-expanded=\"false\" aria-controls=\"wpml-ls-submenu-click-default\" aria-haspopup=\"true\" aria-label=\"Language switcher, click to open then tab to navigate\" tabindex=\"0\" role=\"button\" title=\"\">\n\t\t\t\t<\/a>\n\n\t\t\t<ul id=\"wpml-ls-submenu-click-default\" class=\"js-wpml-ls-sub-menu wpml-ls-sub-menu\">\n\t\t\t\t\n\t\t\t\t\t<li class=\"wpml-ls-slot-shortcode_actions wpml-ls-item wpml-ls-item-de wpml-ls-first-item wpml-ls-last-item\">\n\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/\" hreflang=\"de\" lang=\"de\" class=\"wpml-ls-link\" aria-label=\"Switch to German\" title=\"Switch to German\">\n\t\t\t\t\t\t\t                                    <img decoding=\"async\"\n            class=\"wpml-ls-flag\"\n            src=\"https:\/\/cirosec.de\/wp-content\/plugins\/sitepress-multilingual-cms\/res\/flags\/de.svg\"\n            alt=\"German\"\n            loading=\"lazy\"\n            width=15\n            height=9\n    \/><\/a>\n\t\t\t\t\t<\/li>\n\n\t\t\t\t\t\t\t<\/ul>\n\n\t\t<\/li>\n\n\t<\/ul>\n<\/div>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-65a0be9 elementor-widget__width-initial elementor-widget-tablet__width-initial elementor-nav-menu--dropdown-mobile elementor-nav-menu--stretch elementor-nav-menu__align-start elementor-widget-mobile__width-auto elementor-hidden-tablet elementor-hidden-mobile elementor-hidden-tablet_extra elementor-hidden-mobile_extra elementor-widget-mobile_extra__width-initial elementor-nav-menu__text-align-aside elementor-nav-menu--toggle elementor-nav-menu--burger elementor-widget elementor-widget-nav-menu\" data-id=\"65a0be9\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;full_width&quot;:&quot;stretch&quot;,&quot;layout&quot;:&quot;horizontal&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;},&quot;toggle&quot;:&quot;burger&quot;}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-horizontal e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-65a0be9\" class=\"elementor-nav-menu\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-7077\"><a href=\"https:\/\/cirosec.de\/en\/\" class=\"elementor-item\">cirosec<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-16136\"><a href=\"#\" class=\"elementor-item elementor-item-anchor\">Services<\/a>\n<ul class=\"sub-menu elementor-nav-menu--dropdown\">\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-15941\"><a href=\"https:\/\/cirosec.de\/en\/services\/\" class=\"elementor-sub-item\">Overview<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9131\"><a href=\"https:\/\/cirosec.de\/en\/services\/consulting-concepts-reviews-and-analyses\/\" class=\"elementor-sub-item\">Consulting, Concepts, Reviews and Analyses<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9073\"><a href=\"https:\/\/cirosec.de\/en\/services\/penetration-tests\/\" class=\"elementor-sub-item\">Penetration Tests<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9077\"><a href=\"https:\/\/cirosec.de\/en\/services\/red-team-assessments\/\" class=\"elementor-sub-item\">Red Team Assessments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9076\"><a href=\"https:\/\/cirosec.de\/en\/services\/incident-response-and-forensics\/\" class=\"elementor-sub-item\">Incident Response and Forensics<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9075\"><a href=\"https:\/\/cirosec.de\/en\/services\/selection-implementation-of-products-and-solutions\/\" class=\"elementor-sub-item\">Implementation of Products and Solutions<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9078\"><a href=\"https:\/\/cirosec.de\/en\/services\/it-security-training-and-awareness\/\" class=\"elementor-sub-item\">Trainings and Awareness<\/a><\/li>\n<\/ul>\n<\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-16137\"><a href=\"#\" class=\"elementor-item elementor-item-anchor\">Trainings<\/a>\n<ul class=\"sub-menu elementor-nav-menu--dropdown\">\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-15940\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/\" class=\"elementor-sub-item\">Overview<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9092\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/malware-and-ransomware-background-detection-protection-and-response\/\" class=\"elementor-sub-item\">Malware and Ransomware \u2013 Background, Detection, Protection and Response<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9095\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-microsoft-office-365\/\" class=\"elementor-sub-item\">Security in Microsoft Office 365<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9083\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-and-hardening-of-windows-operating-systems\/\" class=\"elementor-sub-item\">Hacking and Hardening of Windows Operating Systems<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9082\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-and-hardening-of-windows-infrastructures\/\" class=\"elementor-sub-item\">Hacking and Hardening of Windows Infrastructures<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9084\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme\/\" class=\"elementor-sub-item\">Hacking Extreme<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9086\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme-web-applications\/\" class=\"elementor-sub-item\">Hacking Extreme Web Applications<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9080\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/crash-course-it-and-information-security\/\" class=\"elementor-sub-item\">Crash Course IT and Information Security<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-13051\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/nis2-information-security-for-chief-executive-officers\/\" class=\"elementor-sub-item\">NIS 2 Training for Management<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9087\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/incident-handling-response\/\" class=\"elementor-sub-item\">Incident Handling &amp; Response<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-26257\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/training-in-immediate-measures\/\" class=\"elementor-sub-item\">Training in Imm\u00adediate Mea\u00adsures<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-26265\"><a href=\"https:\/\/cirosec.de\/en\/?page_id=26258\" class=\"elementor-sub-item\">Inci\u00addent Res\u00adponse Readi\u00adness Work\u00adshop<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9094\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-azure-cloud-environments\/\" class=\"elementor-sub-item\">Security in Azure Cloud Environments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9089\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/iso-27001-lead-implementer\/\" class=\"elementor-sub-item\">ISO 27001 Lead Implementer<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9088\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/iso-27001-lead-auditor\/\" class=\"elementor-sub-item\">ISO 27001 Lead Auditor<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9081\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/forensics-extreme\/\" class=\"elementor-sub-item\">Forensics Extreme<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9093\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-aws-cloud-environments\/\" class=\"elementor-sub-item\">Security in AWS Cloud Environments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9091\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/it-security-for-strategists-and-managers\/\" class=\"elementor-sub-item\">IT Security for Strategists and Managers<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9090\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/it-security-for-developers\/\" class=\"elementor-sub-item\">IT Security for Developers<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9085\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme-buffer-overflows\/\" class=\"elementor-sub-item\">Hacking Extreme Buffer Overflows<\/a><\/li>\n<\/ul>\n<\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9064\"><a href=\"https:\/\/cirosec.de\/en\/about-us\/\" class=\"elementor-item\">About us<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9160\"><a href=\"https:\/\/cirosec.de\/en\/blog\/\" class=\"elementor-item\">Blog<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t<div class=\"elementor-menu-toggle\" role=\"button\" tabindex=\"0\" aria-label=\"Menu Toggle\" aria-expanded=\"false\">\n\t\t\t<i aria-hidden=\"true\" role=\"presentation\" class=\"elementor-menu-toggle__icon--open eicon-menu-bar\"><\/i><i aria-hidden=\"true\" role=\"presentation\" class=\"elementor-menu-toggle__icon--close eicon-close\"><\/i>\t\t<\/div>\n\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-65a0be9\" class=\"elementor-nav-menu\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-7077\"><a href=\"https:\/\/cirosec.de\/en\/\" class=\"elementor-item\" tabindex=\"-1\">cirosec<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-16136\"><a href=\"#\" class=\"elementor-item elementor-item-anchor\" tabindex=\"-1\">Services<\/a>\n<ul class=\"sub-menu elementor-nav-menu--dropdown\">\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-15941\"><a href=\"https:\/\/cirosec.de\/en\/services\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Overview<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9131\"><a href=\"https:\/\/cirosec.de\/en\/services\/consulting-concepts-reviews-and-analyses\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Consulting, Concepts, Reviews and Analyses<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9073\"><a href=\"https:\/\/cirosec.de\/en\/services\/penetration-tests\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Penetration Tests<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9077\"><a href=\"https:\/\/cirosec.de\/en\/services\/red-team-assessments\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Red Team Assessments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9076\"><a href=\"https:\/\/cirosec.de\/en\/services\/incident-response-and-forensics\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Incident Response and Forensics<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9075\"><a href=\"https:\/\/cirosec.de\/en\/services\/selection-implementation-of-products-and-solutions\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Implementation of Products and Solutions<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9078\"><a href=\"https:\/\/cirosec.de\/en\/services\/it-security-training-and-awareness\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Trainings and Awareness<\/a><\/li>\n<\/ul>\n<\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-16137\"><a href=\"#\" class=\"elementor-item elementor-item-anchor\" tabindex=\"-1\">Trainings<\/a>\n<ul class=\"sub-menu elementor-nav-menu--dropdown\">\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-15940\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Overview<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9092\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/malware-and-ransomware-background-detection-protection-and-response\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Malware and Ransomware \u2013 Background, Detection, Protection and Response<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9095\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-microsoft-office-365\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Security in Microsoft Office 365<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9083\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-and-hardening-of-windows-operating-systems\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking and Hardening of Windows Operating Systems<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9082\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-and-hardening-of-windows-infrastructures\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking and Hardening of Windows Infrastructures<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9084\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking Extreme<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9086\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme-web-applications\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking Extreme Web Applications<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9080\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/crash-course-it-and-information-security\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Crash Course IT and Information Security<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-13051\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/nis2-information-security-for-chief-executive-officers\/\" class=\"elementor-sub-item\" tabindex=\"-1\">NIS 2 Training for Management<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9087\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/incident-handling-response\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Incident Handling &amp; Response<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-26257\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/training-in-immediate-measures\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Training in Imm\u00adediate Mea\u00adsures<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-26265\"><a href=\"https:\/\/cirosec.de\/en\/?page_id=26258\" class=\"elementor-sub-item\" tabindex=\"-1\">Inci\u00addent Res\u00adponse Readi\u00adness Work\u00adshop<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9094\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-azure-cloud-environments\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Security in Azure Cloud Environments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9089\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/iso-27001-lead-implementer\/\" class=\"elementor-sub-item\" tabindex=\"-1\">ISO 27001 Lead Implementer<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9088\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/iso-27001-lead-auditor\/\" class=\"elementor-sub-item\" tabindex=\"-1\">ISO 27001 Lead Auditor<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9081\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/forensics-extreme\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Forensics Extreme<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9093\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-aws-cloud-environments\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Security in AWS Cloud Environments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9091\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/it-security-for-strategists-and-managers\/\" class=\"elementor-sub-item\" tabindex=\"-1\">IT Security for Strategists and Managers<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9090\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/it-security-for-developers\/\" class=\"elementor-sub-item\" tabindex=\"-1\">IT Security for Developers<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9085\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme-buffer-overflows\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking Extreme Buffer Overflows<\/a><\/li>\n<\/ul>\n<\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9064\"><a href=\"https:\/\/cirosec.de\/en\/about-us\/\" class=\"elementor-item\" tabindex=\"-1\">About us<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9160\"><a href=\"https:\/\/cirosec.de\/en\/blog\/\" class=\"elementor-item\" tabindex=\"-1\">Blog<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9ee7d03 elementor-widget-mobile__width-auto elementor-hidden-desktop elementor-widget-tablet_extra__width-auto elementor-widget-tablet__width-auto elementor-widget-mobile_extra__width-auto elementor-view-default elementor-widget elementor-widget-icon\" data-id=\"9ee7d03\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"icon.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-icon-wrapper\">\n\t\t\t<a class=\"elementor-icon\" href=\"#elementor-action%3Aaction%3Dpopup%3Aopen%26settings%3DeyJpZCI6MTI1MDcsInRvZ2dsZSI6ZmFsc2V9\">\n\t\t\t<i aria-hidden=\"true\" class=\"fas fa-bars\"><\/i>\t\t\t<\/a>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-top-column elementor-element elementor-element-9aaaa68 elementor-hidden-tablet elementor-hidden-mobile elementor-hidden-tablet_extra elementor-hidden-mobile_extra\" data-id=\"9aaaa68\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-eb812f4 elementor-widget__width-auto elementor-hidden-tablet elementor-hidden-mobile elementor-widget elementor-widget-shortcode\" data-id=\"eb812f4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\">\n<div role=\"navigation\" aria-label=\"Language Switcher\" class=\"wpml-ls-statics-shortcode_actions wpml-ls wpml-ls-legacy-dropdown-click js-wpml-ls-legacy-dropdown-click\">\n\t<ul>\n\n\t\t<li class=\" wpml-ls-item-legacy-dropdown-click\">\n\n\t\t\t<a href=\"#\" hreflang=\"\" lang=\"\" class=\"js-wpml-ls-item-toggle wpml-ls-item-toggle\" aria-expanded=\"false\" aria-controls=\"wpml-ls-submenu-click-default\" aria-haspopup=\"true\" aria-label=\"Language switcher, click to open then tab to navigate\" tabindex=\"0\" role=\"button\" title=\"\">\n\t\t\t\t<\/a>\n\n\t\t\t<ul id=\"wpml-ls-submenu-click-default\" class=\"js-wpml-ls-sub-menu wpml-ls-sub-menu\">\n\t\t\t\t\n\t\t\t\t\t<li class=\"wpml-ls-slot-shortcode_actions wpml-ls-item wpml-ls-item-de wpml-ls-first-item wpml-ls-last-item\">\n\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/\" hreflang=\"de\" lang=\"de\" class=\"wpml-ls-link\" aria-label=\"Switch to German\" title=\"Switch to German\">\n\t\t\t\t\t\t\t                                    <img decoding=\"async\"\n            class=\"wpml-ls-flag\"\n            src=\"https:\/\/cirosec.de\/wp-content\/plugins\/sitepress-multilingual-cms\/res\/flags\/de.svg\"\n            alt=\"German\"\n            loading=\"lazy\"\n            width=15\n            height=9\n    \/><\/a>\n\t\t\t\t\t<\/li>\n\n\t\t\t\t\t\t\t<\/ul>\n\n\t\t<\/li>\n\n\t<\/ul>\n<\/div>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d5c65bb elementor-search-form--skin-minimal elementor-widget__width-auto elementor-hidden-tablet elementor-hidden-mobile elementor-widget elementor-widget-search-form\" data-id=\"d5c65bb\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;skin&quot;:&quot;minimal&quot;}\" data-widget_type=\"search-form.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<search role=\"search\">\n\t\t\t<form class=\"elementor-search-form\" action=\"https:\/\/cirosec.de\/en\/\" method=\"get\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"elementor-search-form__container\">\n\t\t\t\t\t<label class=\"elementor-screen-only\" for=\"elementor-search-form-d5c65bb\">Search<\/label>\n\n\t\t\t\t\t\t\t\t\t\t\t<div class=\"elementor-search-form__icon\">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-search\"><\/i>\t\t\t\t\t\t\t<span class=\"elementor-screen-only\">Search<\/span>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\n\t\t\t\t\t<input id=\"elementor-search-form-d5c65bb\" placeholder=\"Search...\" class=\"elementor-search-form__input\" type=\"search\" name=\"s\" value=\"\">\n\t\t\t\t\t<input type='hidden' name='lang' value='en' \/>\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t<\/form>\n\t\t<\/search>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-top-column elementor-element elementor-element-071bdb7 elementor-hidden-tablet elementor-hidden-mobile elementor-hidden-tablet_extra elementor-hidden-mobile_extra\" data-id=\"071bdb7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4d21fed elementor-widget elementor-widget-button\" data-id=\"4d21fed\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/cirosec.de\/en\/inquiry\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Send enquiry<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t<div class=\"elementor-element elementor-element-9865c47 e-flex e-con-boxed e-con e-parent\" data-id=\"9865c47\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4efe62d elementor-widget elementor-widget-html\" data-id=\"4efe62d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<script>\n\ndocument.addEventListener('DOMContentLoaded', function() {\njQuery(function($) {\nvar mywindow = $(window);\nvar mypos = mywindow.scrollTop();\nlet scrolling = false;\nwindow.addEventListener('scroll', function() {\nscrolling = true;\n});\nsetInterval(() => {\nif (scrolling) {\nscrolling = false;\nif (mypos > 40) {\nif (mywindow.scrollTop() > mypos) {\n$('#header--sticky').addClass('headerup');\n} else {\n$('#header--sticky').removeClass('headerup');\n}\n}\nmypos = mywindow.scrollTop();\n}\n}, 300);\n});\n});\n\n<\/script>\n<style>\n#header--sticky{\ntransition : transform 0.34s ease;\n}\n.headerup{\ntransform: translateY(-110px); \/*adjust this value to the height of your header*\/\n}\n<\/style>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/header>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-6958c7b5 elementor-reverse-mobile elementor-section-height-min-height elementor-section-items-stretch elementor-section-boxed elementor-section-height-default\" data-id=\"6958c7b5\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-no\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-52c1c0fd\" data-id=\"52c1c0fd\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6aa7a0e6 elementor-widget elementor-widget-post-info\" data-id=\"6aa7a0e6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-inline-items elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-59da575 elementor-inline-item\" itemprop=\"about\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-terms\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-post-info__terms-list\">\n\t\t\t\t<span class=\"elementor-post-info__terms-list-item\">Reverse Engineering<\/span>, <span class=\"elementor-post-info__terms-list-item\">Windows<\/span>\t\t\t\t<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-17e400f4 elementor-widget elementor-widget-heading\" data-id=\"17e400f4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\">Windows Instrumen\u00adtation Callbacks &#8211; Part 1<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-69965b78 elementor-widget elementor-widget-spacer\" data-id=\"69965b78\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-65c550b4 elementor-widget elementor-widget-text-editor\" data-id=\"65c550b4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>November 5, 2025<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-598b13e2 elementor-hidden-mobile_extra elementor-hidden-mobile\" data-id=\"598b13e2\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2ee82e67 elementor-widget elementor-widget-spacer\" data-id=\"2ee82e67\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5275f32a elementor-reverse-mobile elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5275f32a\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-c36d6fb\" data-id=\"c36d6fb\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2c734790 elementor-widget elementor-widget-menu-anchor\" data-id=\"2c734790\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"section1\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-268fe5e2 elementor-widget__width-initial elementor-widget elementor-widget-heading\" data-id=\"268fe5e2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Windows Instrumentation Callbacks\nPart 1<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4342e190 elementor-widget elementor-widget-text-editor\" data-id=\"4342e190\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Introduction<\/h2><p>This multi-part blog series will be discussing an undocumented feature of Windows: instrumentation callbacks (ICs).<\/p><p>In the first part of the blog, you will learn how ICs are implemented and how you can use them to log and spoof syscalls without setting any hooks.<\/p><p>In the second part, you will learn how to use ICs for patchless hooking without registering or executing any exception handlers.<\/p><h2>Disclaimer<\/h2><ul><li>This series is aimed towards readers familiar with x86_64 assembly, computer concepts such as the stack and Windows internals. Not every term will be explained in this series.<\/li><li>This blog post will teach you how to set ICs on Windows 10 and 11; for older Windows versions, the API for setting an IC is different.<\/li><li>This series is aimed at x64 programs. We will not be discussing setting instrumentation callbacks on WoW64 processes, i.e. processes running through the x86 compatibility layer.<\/li><\/ul><h3>Credits<\/h3><p>This blog post is based on the research of multiple people, most notably Alex Ionescu and his <a href=\"https:\/\/www.youtube.com\/watch?v=bqU0y4FzvT0\" target=\"_blank\" rel=\"noopener\">Hooking Nirvana presentation at Recon 2015<\/a>. We recommend watching that presentation as he also shows other interesting hooking techniques.<\/p><p><a href=\"https:\/\/dx9.uk\/posts\/wave-roblox-reveral\" target=\"_blank\" rel=\"noopener\">dx9\u2019s blog post<\/a> about Hyperion (an anti-cheat) and wave (a cheat), which both utilize instrumentation callbacks, was also very informative.<\/p><p>Additionally, we want to thank ph3r0x for telling us about ICs and about the differences in WoW64 processes.<\/p><h2>What are instrumentation callbacks?<\/h2><p>A callback is a function that is passed to another function which then executes the callback function at a certain event or condition.<\/p><p>Instrumentation refers to the process of modifying a program to allow analysis of it.<\/p><p>In simple terms, an instrumentation callback instruments a program so that the specified callback function is executed on kernel-to-user-mode returns. According to Alex Ionescu, instrumentation callbacks are used by Microsoft in internal tools such as iDNA, which is apparently used for time travel tracing and for TruScan. We cannot confirm that; however, there is a mention of iDNA and TruScan in <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2016\/02\/microx.pdf\" target=\"_blank\" rel=\"noopener\">this Microsoft research paper<\/a>.<\/p><p>The more thorough explanation of the inner workings of instrumentation callbacks is as follows: ICs are a process-specific user mode callback to system traps, for example syscalls or exceptions like access violations. Once a trap is triggered, a switch to kernel mode occurs to handle the trap. If an IC is set, the kernel will return to the IC instead of the original return point. This means, the IC is the first execution step back in user mode after the trap was executed. The IC is also responsible for continuing the program flow, as otherwise the program would crash or yield. For this purpose, the kernel passes the original return point in a CPU register as we will find out by reversing later.<\/p><p>For visualization, let\u2019s trace the flow of a typical Windows API call. Please note that the kernel part of this diagram is by no means complete; the diagram is meant to show the execution flow with and without an instrumentation callback; it\u2019s not meant to teach you the inner workings of the kernel. If that interests you, we recommend the explanation of the <a href=\"https:\/\/hammertux.github.io\/win-syscall-re\" target=\"_blank\" rel=\"noopener\">Windows syscall handler by hammertux<\/a>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3cb738aa elementor-widget elementor-widget-image\" data-id=\"3cb738aa\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2025\/10\/Bild1a.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Bild1a\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjQyODgsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI1XC8xMFwvQmlsZDFhLnBuZyJ9\">\n\t\t\t\t\t\t\t<img decoding=\"async\" width=\"471\" height=\"451\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2025\/10\/Bild1a.png\" class=\"attachment-medium_large size-medium_large wp-image-24288\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2025\/10\/Bild1a.png 471w, https:\/\/cirosec.de\/wp-content\/uploads\/2025\/10\/Bild1a-300x287.png 300w\" sizes=\"(max-width: 471px) 100vw, 471px\" \/>\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 1: Exemplary OpenProcess call without IC<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-5557e904\" data-id=\"5557e904\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-591dc1f elementor-position-top elementor-widget elementor-widget-image-box\" data-id=\"591dc1f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image-box-wrapper\"><figure class=\"elementor-image-box-img\"><a href=\"https:\/\/cirosec.de\/en\/news\/author\/linofacco\/\" tabindex=\"-1\"><img decoding=\"async\" width=\"640\" height=\"640\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/01\/Quadrat_Lino_-Facco.png\" class=\"attachment-full size-full wp-image-25582\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/01\/Quadrat_Lino_-Facco.png 640w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/01\/Quadrat_Lino_-Facco-300x300.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/01\/Quadrat_Lino_-Facco-150x150.png 150w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><\/figure><div class=\"elementor-image-box-content\"><div class=\"elementor-image-box-title\"><a href=\"https:\/\/cirosec.de\/en\/news\/author\/linofacco\/\">Lino Facco<\/a><\/div><p class=\"elementor-image-box-description\">Consultant<\/p><\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-61dd073f elementor-widget elementor-widget-heading\" data-id=\"61dd073f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Category<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3146e50 elementor-widget elementor-widget-post-info\" data-id=\"3146e50\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-59da575\" itemprop=\"about\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-terms\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-post-info__terms-list\">\n\t\t\t\t<span class=\"elementor-post-info__terms-list-item\">Reverse Engineering<\/span>, <span class=\"elementor-post-info__terms-list-item\">Windows<\/span>\t\t\t\t<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1c73d03 elementor-widget elementor-widget-heading\" data-id=\"1c73d03\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Date<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-53898a85 elementor-widget elementor-widget-post-info\" data-id=\"53898a85\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-59da575\" itemprop=\"datePublished\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-date\">\n\t\t\t\t\t\t\t\t\t\t<time>2025-11-05<\/time>\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-30a28930 elementor-widget elementor-widget-heading\" data-id=\"30a28930\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Navigation<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-381b0eb0 elementor-widget elementor-widget-table-of-contents\" data-id=\"381b0eb0\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;headings_by_tags&quot;:[&quot;h2&quot;,&quot;h3&quot;,&quot;h4&quot;],&quot;exclude_headings_by_selector&quot;:[],&quot;marker_view&quot;:&quot;bullets&quot;,&quot;icon&quot;:{&quot;value&quot;:&quot;fas fa-chevron-right&quot;,&quot;library&quot;:&quot;fa-solid&quot;},&quot;no_headings_message&quot;:&quot;No headings were found on this page.&quot;,&quot;hierarchical_view&quot;:&quot;yes&quot;,&quot;min_height&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_tablet_extra&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_mobile_extra&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]}}\" data-widget_type=\"table-of-contents.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div id=\"elementor-toc__381b0eb0\" class=\"elementor-toc__body\">\n\t\t\t<div class=\"elementor-toc__spinner-container\">\n\t\t\t\t<i class=\"elementor-toc__spinner eicon-animation-spin eicon-loading\" aria-hidden=\"true\"><\/i>\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-ef8006d elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"ef8006d\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-7f89fb0b\" data-id=\"7f89fb0b\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-51003a75 elementor-widget elementor-widget-menu-anchor\" data-id=\"51003a75\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"info-event\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-42df2f84 elementor-widget elementor-widget-menu-anchor\" data-id=\"42df2f84\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"section2\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3b001b7a elementor-widget elementor-widget-text-editor\" data-id=\"3b001b7a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>With an IC set, this flow would look as follows:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4c23fb6a elementor-widget elementor-widget-menu-anchor\" data-id=\"4c23fb6a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"section3\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-14ab4b07 elementor-widget elementor-widget-image\" data-id=\"14ab4b07\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2025\/10\/Bild2b.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Bild2b\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjQyOTAsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI1XC8xMFwvQmlsZDJiLnBuZyJ9\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"471\" height=\"451\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2025\/10\/Bild2b.png\" class=\"attachment-medium_large size-medium_large wp-image-24290\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2025\/10\/Bild2b.png 471w, https:\/\/cirosec.de\/wp-content\/uploads\/2025\/10\/Bild2b-300x287.png 300w\" sizes=\"(max-width: 471px) 100vw, 471px\" \/>\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 2: Exemplary OpenProcess call with IC<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9347467 elementor-widget elementor-widget-text-editor\" data-id=\"9347467\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>You might be wondering why we are jumping to r10. We will get to that in the next chapter.<\/p><p>example.exe refers to the memory region of that process; the IC does not need to be a part of the original program\u2019s binary; it can be added dynamically at runtime.<\/p><p>Looking at that diagram, it might become more obvious how powerful ICs are. The kernel returns right to our code, before even the ret instruction after the syscall is executed: our IC is the first code to be executed after the kernel returns to user mode. We will discuss what can be done with that later. Let\u2019s first check out how the IC is handled by the kernel.<\/p><h2>Reversing<\/h2><h3>KiSetupForInstrumentationReturn<\/h3><p>ntoskrnl.exe includes a function called KiSetupForInstrumentationReturn. Let\u2019s check out what this function does; as one could guess by the name, it has something to do with ICs.\u00a0<\/p><table style=\"height: 166px;\" width=\"232\"><tbody><tr><td><pre>mov rax, qword [gs:0x188]<br \/>mov rdx, qword [rax+0xb8]<br \/>mov r8, qword [rdx+0x3d8]<br \/>test r8, r8<br \/>jne 0x140482a86<br \/>retn<\/pre><\/td><\/tr><\/tbody><\/table><p>Let\u2019s go through this step by step.<\/p><p>Line 1: At the start of the gs register in the kernel, the <a href=\"https:\/\/www.geoffchappell.com\/studies\/windows\/km\/ntoskrnl\/inc\/ntos\/amd64_x\/kpcr.htm\" target=\"_blank\" rel=\"noopener\">Kernel Processor Control Region (KPCR) structure<\/a> is located. At an offset of 0x180 of that structure, a member structure called <a href=\"https:\/\/www.geoffchappell.com\/studies\/windows\/km\/ntoskrnl\/inc\/ntos\/amd64_x\/kprcb\/index.htm\" target=\"_blank\" rel=\"noopener\">Kernel Processor Control Block (KPRCB)<\/a> is located. So, by accessing gs:0x188, we access the KPRCB structure member at an offset of 8. At offset 8 of the KPRCB, the CurrentThread member of type KTHREAD* is located, which is dereferenced. So, after the first operation, the register rax holds the address of the start of the current thread\u2019s <a href=\"https:\/\/www.geoffchappell.com\/studies\/windows\/km\/ntoskrnl\/inc\/ntos\/ke\/kthread\/index.htm\" target=\"_blank\" rel=\"noopener\">KTHREAD<\/a> structure.<\/p><p>Line 2: This operation loads the base of the KPROCESS processes into rdx. This might not fit the KTHREAD structure definition before mentioned; however, if we disassemble PsGetCurrentProcess, we will see the same operations.<\/p><p>Line 3-6: At an offset of 0x3d8 of the KPROCESS structure, the InstrumentationCallback member is located, which gets moved into r8 and tested to check if it is null. If it is null, the function returns. As rax still holds the the start of the current thread\u2019s <a href=\"https:\/\/www.geoffchappell.com\/studies\/windows\/km\/ntoskrnl\/inc\/ntos\/ke\/kthread\/index.htm\" target=\"_blank\" rel=\"noopener\">KTHREAD<\/a> structure, this is what the function returns.<\/p><p>The following disassembly gets executed if an IC is set:<\/p><table><tbody><tr><td><pre>cmp word [rcx+0x170], 0x33<br \/>jne 0x14036d228<br \/>mov rax, qword [rcx+0x168]<br \/>mov qword [rcx+0x58], rax<br \/>mov qword [rcx+0x168], r8<br \/>retn<\/pre><\/td><\/tr><\/tbody><\/table><p>Now the parameter passed to KiSetupInstrumentationReturn in rcx is used: it\u2019s the address of the base of the KTRAP_FRAME structure of the trap \u2013 you will just have to believe us on that one \ud83d\ude09<\/p><p>Line 1-2: This check is done to verify that the trap didn\u2019t originate from a WoW64 program by checking the SegCs member of KTRAP_FRAME. For 64-bit programs, it should equal 0x33; for programs executed through the WoW64 compatibility layer, this is most likely 0x23. We\u2019d recommend you check out <a href=\"https:\/\/www.malwaretech.com\/2014\/02\/the-0x33-segment-selector-heavens-gate.html\" target=\"_blank\" rel=\"noopener\">this blog article by Marcus Hutchins<\/a> if you are interested in an explanation.<\/p><p>Line 3-4: TRAP_FRAME.r10 is set to KTRAP_FRAME.rip. To clarify, the trap frame\/the register members of that structure hold the values the thread had when the trap occurred in user mode. Meaning KTRAP_FRAME.rip does not hold a kernel address but one in userland.<\/p><p>Line 5: KTRAP_FRAME.rip is set to KPROCESS.InstrumentationCallback, which was already moved into r8 before.<\/p><p>Now we know that r10 will hold the actual instruction pointer and saw how the IC is implemented. By checking the cross-references to that function, the following functions show up: KiInitializeUserApc, KiDispatchException, KeRaiseUserException, KiRaiseException. Additionally, an unnamed function shows up. This gives us hints to what we can catch with ICs.<\/p><p>We now know we somehow need to set KPROCESS<em>.<\/em>InstrumentationCallback; however, this is obviously a kernel structure, which we can\u2019t directly set from user mode.<\/p><h3>NtSetInformationProcess<\/h3><p>Of course there is a function to set KPROCESS.InstrumentationCallback from user mode, as otherwise this blog post would not exist. As mentioned before, we did not reverse ntoskrnl ourselves to find this function; that credit goes to Alex Ionescu.<\/p><p>NtSetInformationProcess is a common syscall that does multiple things; it receives the same parameters as its kernelbase counterpart SetProcessInformation. The second parameter is an enum called ProcessInformationClass that specifies the operation to execute.<\/p><p>With the knowledge of the Nirvana Hooking presentation by Alex Ionescu, finding the relevant code in NtSetInformationProcess is easy. Within the function, a switch case on the second parameter, the ProcessInformationClass enum, is performed. Case 0x28 is what is relevant for us to set an IC.<\/p><p>For brevity, we will not be going through the entirety of the function. If you are interested in looking at it yourself, you can find it in ntoskrnl.exe at NtSetInformationProcess+0x1b42.<\/p><p>Right after validating the passed handle, a call to PsGetCurrentProcess and SeSinglePrivilegeCheck with SeDebugPrivilege passed as parameter is made.<\/p><p>Then, a big if statement (NtSetInformationProcess+0x1c2b) is opened, which checks if the return value of SeSinglePrivilegeCheck is true or if an unknown variable is equal to PsGetCurrentProcess. This lets us guess we require the SeDebugPrivilege to set an IC on other processes, but we don\u2019t need it to set it on our own process.<\/p><p>At NtSetInformationProcess+0x1d09, we see a familiar looking offset: 0x3d8. This is the line where our IC gets set.<\/p><p>This logic can be represented by the following shortened pseudo code:<\/p><pre>struct PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION {<br \/>  ULONG Version;<br \/>  ULONG Reserved;<br \/>  PVOID Callback;<br \/>};<br \/>NTSTATUS NtSetInformationProcess(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, [...]) {<br \/>  \u00a0 switch (ProcessInformationClass) {<br \/>  \u00a0 \u00a0 \u00a0 \/\/ [...]<br \/>  \u00a0 \u00a0 \u00a0 case 0x28:<br \/>  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 NTSTATUS status = ObReferenceObjectByHandle(ProcessHandle, PROCESS_SET_INFORMATION, PsProcessType, [...]);<br \/>  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 if (status &lt; 0)<br \/>  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 return status;<br \/>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 KPROCESS current_process = PsGetCurrentProcess();<br \/>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 bool has_debug_priv = SeSinglePrivilegeCheck(SeDebugPrivilege, KPRCB[0x232]);<br \/>          if (!has_debug_priv &amp;&amp; requested_process != current_process)<br \/>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 return STATUS_PRIVILEGE_NOT_HELD;<br \/>  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 if (IsWow64Process(requested_process))<br \/>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 return STATUS_NOT_SUPPORTED;<br \/>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 void* ic_address = ProcessInformation.Callback;<br \/>\u00a0 \u00a0 \u00a0 \u00a0 \/\/ IC Sanity checks<br \/>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \/\/ [...]<br \/>\u00a0 \u00a0 \u00a0 \u00a0 \/\/ KPROCESS structure<br \/>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 requested_process.InstrumentationCallback = ic_address;<br \/>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \/\/ [...]<br \/>\u00a0 \u00a0 \u00a0 \u00a0 }<br \/>\u00a0 }<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4cdd3f8f elementor-widget elementor-widget-text-editor\" data-id=\"4cdd3f8f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Setting up a basic IC<\/h2><p>Now that we have partially reversed KiSetupForInstrumentationReturn and NtSetInformationProcess we know the following things:<\/p><ul><li>An IC can be set from user mode with NtSetInfomationProcess.<ul><li>ProcessInformationClass needs to be set to 0x28.<\/li><li>If we want to set an IC on another process, we need to have the SeDebugPrivilege<em>.<\/em><\/li><\/ul><\/li><li>When the IC is executed, r10 will hold the original rip.<\/li><\/ul><p>For a successful NtSetInformationProcess call, the following struct needs to be passed as ProcessInformation parameter. We will also need the type definition of NtSetInformationProcess.<\/p><table><tbody><tr><td><pre>struct PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION {<br \/>  ULONG Version;<br \/>  ULONG Reserved;<br \/>  PVOID Callback;<br \/>};<\/pre><\/td><\/tr><\/tbody><\/table><p>Only the Callback member matters to us, the other two need to be set to 0. You can try setting Callback to a function pointer; however, you will not be very successful as the stack was not set up for a function call. The Callback member should instead point to some assembly code. This assembly code, which we will call the bridge, needs to do the following:<\/p><ol><li>Save the registers<\/li><li>Set up a function call<\/li><li>Restore stack and registers after function call<\/li><li>Jump to r10 as that holds the actual address the code should resume at.<\/li><\/ol><p>Depending on what you want to use your IC for, you will most likely trigger syscalls from within the IC itself. This would cause an infinite recursion, as the IC would be called again when the syscall is triggered; thus, we will also need an option to disable the IC for the current thread.<\/p><p>Let\u2019s try setting up a very simple IC that will trigger a breakpoint on a kernel to usermode return.<\/p><h2>Setting the IC<\/h2><p>The following is our exemplary code to set an IC. You will of course need to have a function definition for NtSetInformationProcess.<\/p><table><tbody><tr><td width=\"612\"><pre>#include &lt;print&gt;<br \/>#include &lt;Windows.h&gt;<br \/>extern \"C\" void instrumentation_bridge();<br \/>extern \"C\" void instrumentation_callback() {<br \/>\u00a0 __debugbreak();<br \/>} <br \/><br \/>int main()<br \/>{\u00a0 <br \/>  PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION instrumentation_info{};<br \/>\u00a0 instrumentation_info.Callback = reinterpret_cast&lt;void*&gt;(&amp;instrumentation_adapter);<br \/>\u00a0 const auto nt_set_info_proc = reinterpret_cast&lt;NtSetInformationProcess_t&gt;(GetProcAddress(GetModuleHandle(\"ntdll.dll\"), \"NtSetInformationProcess\"));<br \/>\u00a0 if (!nt_set_info_proc) {<br \/>\u00a0\u00a0\u00a0 std::println(\"Could not resolve NtSetInformationProcess\");<br \/>\u00a0\u00a0\u00a0 return false;<br \/>\u00a0 }<br \/>\u00a0 auto status = nt_set_info_proc(GetCurrentProcess(), static_cast&lt;_PROCESS_INFORMATION_CLASS&gt;(0x28), &amp;instrumentation_info, sizeof(instrumentation_info));<br \/>\u00a0 if (status) {<br \/>\u00a0\u00a0\u00a0 std::println(\"NtSetInformationProcess returned {:x}\", status);<br \/>\u00a0 } else {<br \/>\u00a0\u00a0\u00a0 std::println(\"Successfully installed instrumentation callback\");<br \/>\u00a0 }<\/pre><\/td><\/tr><\/tbody><\/table><p>extern \u201cC\u201d is used to disable C++ name mangling and instead use C style linkage.<\/p><p>With the line extern &#8220;C&#8221; void instrumentation_bridge(); we are linking to our not-yet-written assembly bridge.<\/p><p>instrumentation_callback is the function we want to call through our assembly bridge. For now, we just set a breakpoint there, as we will not be implementing a flag to avoid recursion just yet.<\/p><h3>Writing the assembly bridge<\/h3><p>For writing the assembly bridge, we\u2019ll be using NASM. If you are using MASM or another assembler, you will of course need to adjust the assembly accordingly.<\/p><p>We will start by pushing the registers, setting up the function call, calling it and then undoing our changes. After that, we will jump to r10 to continue the execution flow. There are multiple ways you can save the current registers, either you just push them to the stack, save them to a structure or call Windows functions doing that for you. Please note that the following snippets do not save, for example, the floating-point registers.<\/p><table><tbody><tr><td><pre>extern instrumentation_callback<br \/>section .code<br \/>global instrumentation_adapter<br \/>instrumentation_adapter:<br \/>  pushfq<br \/>  push rax<br \/>  push rbx<br \/>  push rcx<br \/>  push rdx<br \/>  push rdi<br \/>  push rsi<br \/>  push r8<br \/>  push r9<br \/>  push r10<br \/>  push r11<br \/>  push r12<br \/>  push r13<br \/>  push r14<br \/>  push r15<br \/>  push rbp<br \/>  mov rbp, rsp<br \/>  sub rsp, 0x20<br \/>  call instrumentation_callback<br \/>  add rsp, 0x20<br \/>  pop rbp<br \/>  pop r15<br \/>  pop r14<br \/>  pop r13<br \/>  pop r12<br \/>  pop r11<br \/>  pop r10<br \/>  pop r9<br \/>  pop r8<br \/>  pop rsi<br \/>  pop rdi<br \/>  pop rdx<br \/>  pop rcx<br \/>  pop rbx<br \/>  pop rax<br \/>  popfq<br \/>  jmp r10<\/pre><\/td><\/tr><\/tbody><\/table><p>By running the program with an attached debugger, you should now trigger the breakpoint in the C++ code. This means, our function is correctly called. However, we obviously want to do more with our callback than trigger a breakpoint, but for that we will need to implement a check to avoid infinite recursion as the IC would be executed for every syscall, even if the syscall was made by the IC itself.<\/p><p>This flag should be thread-local, as otherwise we would not catch syscall executions in other threads while our IC in one thread is executing.<\/p><p>For this purpose, we\u2019ll be misusing the legacy member InstrumentationCallbackDisabled of the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Win32_Thread_Information_Block\" target=\"_blank\" rel=\"noopener\">Thread Environment Block<\/a> (TEB). This is, at least in x64 versions, no longer used. There are smarter ways of implementing such a check, for example with Thread Local Storage, as using the InstrumentationCallbackDisabled member is an obvious giveaway to EDRs\/ACs that something weird is going on.<\/p><p>If you look at the structure of the TEB, you will see InstrumentationCallbackDisabled is located at 0x1b8. The idea is that once the IC is triggered, InstrumentationCallbackDisabled gets set to\u00a01 (true) and then our C++ function is executed. If that functions triggers syscalls, they will not call the function again because before that our assembly bridge will check if InstrumentationCallbackDisabled is set to 1 (true). If it is, it continues execution. Once our C++ function is over and the assembly bridge restores the registers, the flag will be cleared.<\/p><p>To do this, the following assembly can be used. The first part before the dots is meant to be added right after the pushfq, and the bottom part is meant to replace everything after pop rax.<\/p><table><tbody><tr><td><pre>  mov rcx, gs:[30h] ; TEB<br \/>\u00a0 add rcx, 1b8h ; TEB-&gt;InstrumentationCallbackDisabled\u00a0 <br \/>  cmp byte [rcx], 1<br \/>\u00a0 je _ret<br \/>\u00a0 [\u2026]<br \/>\u00a0 mov rcx, qword gs:[30h] ; TEB<br \/>\u00a0 add rcx, 1b8h ; TEB-&gt;InstrumentationCallbackDisabled<br \/>\u00a0 mov byte [rcx], 0<br \/>_ret:<br \/>\u00a0 popfq<br \/>\u00a0 jmp r10<\/pre><\/td><\/tr><\/tbody><\/table><p>The careful eye might\u2019ve noticed something: with this code we are no longer backing up and restoring rcx. Why\u2019s that?<\/p><p>If you attach a debugger to a program, place a breakpoint on the instruction after a syscall and trigger it, you will see the address of the instruction after the syscall being in rcx. If you do the same with an IC, you will see that the address of the IC is in rcx. If you wanted to hide the existence of your IC, this would obviously be counterproductive. Fixing this, is not part of this article and will not be covered here<\/p><p>We would also recommend checking the value of r10 with and without an IC set.<\/p><h2>Logging and spoofing syscalls<\/h2><p>Let\u2019s recap: by now we can execute our own C\/C++ function after every exception and make syscalls from within it. This is cool; however, we can\u2019t do specific things for certain executed syscalls, as we do not have access to the executed syscalls\u2019 address in our C++ function. Let\u2019s fix this and while we are it, let\u2019s pass even more parameters that will be useful to us. In total we are planning to add three parameters giving us the address of the syscall that was executed, the return value and the original stack pointer. Why the original stack pointer is interesting will be explained shortly.<\/p><p>As mentioned before, there are different ways of saving the registers and different ways of passing information to your function. If you saved the registers in, for example, a CONTEXT structure, you could just pass that to your IC.<\/p><p>Let\u2019s first change our function definition to add the three parameters. Additionally, it would be nice to change the return value of syscalls.<\/p><p>Like specified in the <a href=\"https:\/\/learn.microsoft.com\/en-us\/cpp\/build\/x64-calling-convention?view=msvc-170#return-values\" target=\"_blank\" rel=\"noopener\">windows x64 calling convention<\/a>, return values are passed in the rax register. When a syscall is made and the IC is triggered, rax will hold the return value of the syscall. By changing the return type of the instrumentation_callback function from void to uint64_t we can easily overwrite the return value of the syscall by returning another value from our C++ code as rax is overwritten by that.<\/p><p>After implementing those changes, the instrumentation_callback function looks as follows:<\/p><table><tbody><tr><td><pre>uint64_t instrumentation_callback(uint64_t original_rsp, uint64_t <br \/>return_addr, uint64_t return_val) {<br \/>__debugbreak();<br \/>}<\/pre><\/td><\/tr><\/tbody><\/table><p>Now we need to adjust the assembly bridge. We can use rcx to store the original stack pointer, as we do not need to back up rcx because of the reasons mentioned before.<\/p><table><tbody><tr><td><pre>extern instrumentation_callback<br \/>section .code<br \/>global instrumentation_adapter<br \/>instrumentation_adapter:<br \/>\u00a0 mov rcx, rsp<br \/>\u00a0 pushfq<br \/>  push rcx<br \/>\u00a0 mov rcx, gs:[30h] ; TEB<br \/>\u00a0 add rcx, 1b8h ; TEB-&gt;InstrumentationCallbackDisabled\u00a0 <br \/>  cmp byte [rcx], 1<br \/>\u00a0 pop rcx<br \/>\u00a0 je _ret<br \/>\u00a0 [\u2026]<br \/>\u00a0 push rbp<br \/>\u00a0 mov rbp, rsp<br \/>\u00a0 sub rsp, 0x20<br \/>\u00a0 ; rcx already contains the stack pointer<br \/>\u00a0 mov rdx, r10<br \/>\u00a0 mov r8, rax<br \/>\u00a0 call instrumentation_callback<br \/>\u00a0 add rsp, 0x20<br \/>\u00a0 pop rbp<br \/>\u00a0 [\u2026]<\/pre><\/td><\/tr><\/tbody><\/table><p>This should trigger the placed breakpoint in our C++ code and shows that the parameters contain the correct values.<\/p><h3>Logging syscalls<\/h3><p>To log syscalls with their function name, we will use the dbghelp library, which you need to link against.<\/p><p>Additionally, the following code needs to get added to the start of main to allocate a console and initialize the symbol handler.<\/p><table><tbody><tr><td><pre>[\u2026]\u00a0<br \/>if (!AllocConsole())<br \/>\u00a0\u00a0\u00a0 return -1;<br \/><br \/>FILE* fp;<br \/>freopen_s(&amp;fp, \"CONOUT$\", \"w\", stdout);<br \/>freopen_s(&amp;fp, \"CONIN$\", \"r\", stdin);<br \/>freopen_s(&amp;fp, \"CONERR$\", \"w\", stderr);<br \/>SymSetOptions(SYMOPT_UNDNAME);<br \/>if (!SymInitialize(reinterpret_cast&lt;HANDLE&gt;(-1), nullptr, TRUE)) {\u00a0\u00a0\u00a0 <br \/>  std::println(\"SymInitialize failed\");<br \/> \u00a0return -1;<br \/>\u00a0 }<br \/>[\u2026]<\/pre><\/td><\/tr><\/tbody><\/table><p>The following instrumentation_callback function then prints out all the called function names, their address, the displacement from the function start and the return value.<\/p><table><tbody><tr><td><pre>extern \"C\" uint64_t instrumentation_callback(uint64_t original_rsp, uint64_t return_addr, uint64_t return_val) {<br \/>  std::array&lt;byte, sizeof(SYMBOL_INFO) + MAX_SYM_NAME&gt; buffer{ 0 };<br \/>  const auto symbol_info = reinterpret_cast&lt;SYMBOL_INFO*&gt;(buffer.data());<br \/>  symbol_info-&gt;SizeOfStruct = sizeof(SYMBOL_INFO);<br \/>  symbol_info-&gt;MaxNameLen = MAX_SYM_NAME;<br \/>  uint64_t displacement = 0;<br \/>  if (!SymFromAddr(reinterpret_cast&lt;HANDLE&gt;(-1), return_addr, &amp;displacement, symbol_info)) {<br \/> \u00a0\u00a0 printf(\"[-] SymFromAddr failed: %lu\", GetLastError());<br \/>\u00a0\u00a0\u00a0 return return_val;<br \/>  }<br \/>\u00a0 if (symbol_info-&gt;Name)<br \/> \u00a0\u00a0 printf(\"[+] %s+%llu \\n\\t- Returns: %llu\\n\\t- Return address: %llu\\n\", symbol_info-&gt;Name, displacement, return_val, return_addr);<br \/>\u00a0 return return_val;<br \/>}<\/pre><\/td><\/tr><\/tbody><\/table><p>This functionality is obviously the most useful if the project is a DLL and not an EXE, as it can then be injected into a process to see which syscalls the program triggers.<\/p><h2>Spoofing syscalls<\/h2><p>Let\u2019s now start doing cool stuff with our IC: as ICs are the first code being executed in user mode after a syscall, we can spoof its return values from our IC.<\/p><p>For this example, our test program will be using OpenProcess to open a handle to another process. Our IC will then retrieve the opened handle from the stack, close it and then return ACCESS_DENIED.<\/p><p>Our IC only gets a callback to NtOpenProcess, which is called by OpenProcess, not to OpenProcess itself. Let\u2019s look at the function definitions for both functions:<\/p><table><tbody><tr><td><pre>HANDLE OpenProcess(<br \/>  [in] DWORD dwDesiredAccess,<br \/>  [in] BOOL\u00a0 bInheritHandle,<br \/>\u00a0 [in] DWORD dwProcessId<br \/>);<br \/>NTSTATUS NtOpenProcess(<br \/>  [out]\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PHANDLE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ProcessHandle,<br \/>  [in]\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ACCESS_MASK\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 DesiredAccess,<br \/>  [in]\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 POBJECT_ATTRIBUTES ObjectAttributes,<br \/>  [in, optional] PCLIENT_ID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ClientId<br \/>);<\/pre><\/td><\/tr><\/tbody><\/table><p>As we can see, rax, the register containing the return value of the syscall, will hold a NTSTATUS value and not the handle. First, we need to check if NtOpenProcess was executed without an error and then we need to retrieve the handle from the stack for which we need a stack offset.<\/p><p>As OpenProcess returns a HANDLE, we know the required logic to retrieve the handle is already implemented in OpenProcess after the NtOpenProcess function call.<\/p><p>Let\u2019s reverse OpenProcess in kernelbase to retrieve the offset:<\/p><table><tbody><tr><td><pre>[\u2026]<br \/>call qword [rel NtOpenProcess]<br \/>nop dword [rax+rax]<br \/>test eax, eax<br \/>js 0x1800338c5<br \/>mov rax, qword [rsp+0x88]<br \/>add rsp, 0x68<br \/>retn<\/pre><\/td><\/tr><\/tbody><\/table><p>Most of the function is not important for us; we just need to check how the handle gets loaded into rax. This is done through the operation mov rax, qword [rsp+0x88], so we know that if we have the stack pointer of the OpenProcess function, the handle is at an offset of 0x88. Our original_rsp parameter holds the stack pointer of NtOpenProcess, not OpenProcess. This means that the top of the stack holds the address NtOpenProcess should return to in OpenProcess. Therefore, we need to add eight to that value of 0x88 to access the handle.<\/p><p>You might understand now why we added an original_rsp parameter to our C++ function. We could still access the handle from the function with inline assembly; however, every time we add, for example, a local variable in our C++ function, we would need to recalculate our offset to the handle, as a bigger stack frame would be allocated for our function.<\/p><p>Let\u2019s recap what we require to spoof the handle access:<\/p><ol><li>We need to calculate the return address of the NtOpenProcess<\/li><li>We need to check if the return address is that of the ret operation of NtOpenProcess.<\/li><li>We should check the value of rax. If it contains a non-zero value NtOpenProcess<\/li><li>We need to change the handle at the offset of 0x90 of the original stack pointer to INVALID_HANDLE_VALUE.<\/li><li>We need to change the return value to STATUS_ACCESS_DENIED (0xC0000022).<\/li><\/ol><p>As we can now do this in C++, this is very easy and can be done with the following code:<\/p><table><tbody><tr><td><pre>extern \"C\" uint64_t instrumentation_callback(uint64_t original_rsp, uint64_t return_addr, uint64_t return_val) {<br \/>  static uint64_t nt_open_proc;<br \/>\u00a0 if (!nt_open_proc) {<br \/> \u00a0\u00a0 nt_open_proc = <br \/>reinterpret_cast&lt;uint64_t&gt;(GetProcAddress(GetModuleHandleA(\"ntdll.dll\"), \"NtOpenProcess\"));<br \/> \u00a0\u00a0 if (!nt_open_proc)<br \/> \u00a0\u00a0\u00a0\u00a0 return return_val;<br \/>\u00a0\u00a0\u00a0 nt_open_proc += 20;<br \/>  }<br \/>  if (return_addr != nt_open_proc)<br \/> \u00a0\u00a0 return return_val;<br \/>  if (return_val != 0)<br \/> \u00a0\u00a0 return return_val;<br \/>  auto handle_ptr = reinterpret_cast&lt;HANDLE*&gt;(original_rsp +\u00a0 0x90);<br \/>   if (*handle_ptr == INVALID_HANDLE_VALUE)<br \/> \u00a0\u00a0 return return_val;<br \/>\u00a0 std::println(\"[+] IC: Detected program NtOpenProcess call: {}\", *handle_ptr);<br \/>  CloseHandle(*handle_ptr);<br \/>\u00a0 std::println(\"[+] IC: Closed opened handle and spoofing Access denied\");<br \/>\u00a0 *handle_ptr = INVALID_HANDLE_VALUE;<br \/>\u00a0 return 0xC0000022; \/\/ Access denied NTSTATUS value<br \/>}<\/pre><\/td><\/tr><\/tbody><\/table><p>To test this, let\u2019s open a handle to a process with and without an IC set. For this example, we\u2019ll be using notepad.exe as a test program. As OpenProcess requires a process ID, we have also added a basic process ID enumeration function.<\/p><table><tbody><tr><td><pre>#include &lt;tlhelp32.h&gt;<br \/>[\u2026]<br \/>uint32_t get_process_id(const std::string_view&amp; process_name) {<br \/>  PROCESSENTRY32 proc_entry{ .dwSize = sizeof(PROCESSENTRY32) };<br \/>  HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);<br \/>\u00a0 if (snapshot == INVALID_HANDLE_VALUE)<br \/> \u00a0\u00a0 return 0;<br \/>  if (!Process32First(snapshot, &amp;proc_entry))<br \/> \u00a0\u00a0 return 0;<br \/>\u00a0 do {<br \/> \u00a0\u00a0 if (std::string{ proc_entry.szExeFile } != process_name)<br \/> \u00a0\u00a0\u00a0\u00a0 continue;<br \/> \u00a0\u00a0 CloseHandle(snapshot);<br \/> \u00a0\u00a0 return proc_entry.th32ProcessID;<br \/>  } while (Process32Next(snapshot, &amp;proc_entry));\u00a0 CloseHandle(snapshot);<br \/>  return 0;<br \/>}<br \/>int main()<br \/>{<br \/>  PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION instrumentation_info{};<br \/>  instrumentation_info.Callback = reinterpret_cast&lt;void*&gt;(&amp;instrumentation_adapter);<br \/>\u00a0 const auto nt_set_info_proc = reinterpret_cast&lt;NtSetInformationProcess_t&gt;(GetProcAddress(GetModuleHandle(\"ntdll.dll\"), \"NtSetInformationProcess\"));<br \/>  if (!nt_set_info_proc) {<br \/> \u00a0\u00a0 std::println(\"Could not resolve NtSetInformationProcess\");<br \/> \u00a0\u00a0 return -1;<br \/>  }<br \/>\u00a0 const auto pid = get_process_id(\"notepad.exe\");<br \/>   if (pid == 0) {<br \/> \u00a0\u00a0 std::println(\"Could not find notepad.exe\");<br \/> \u00a0\u00a0 return -1;<br \/>  }<br \/>\u00a0 auto handle = OpenProcess(GENERIC_ALL, 0, pid);<br \/>\u00a0 if (handle != INVALID_HANDLE_VALUE)<br \/> \u00a0\u00a0 std::println(\"Successfully opened process handle: {}\", handle);<br \/>  else<br \/> \u00a0\u00a0 std::println(\"Failed opening process handle: {}\", handle);<br \/>  CloseHandle(handle);<br \/>\u00a0 auto status = nt_set_info_proc(GetCurrentProcess(), static_cast&lt;_PROCESS_INFORMATION_CLASS&gt;(0x28), &amp;instrumentation_info, sizeof(instrumentation_info));<br \/>  if (status) {<br \/> \u00a0\u00a0 std::println(\"NtSetInformationProcess returned {:x}\", status);<br \/>  } else {<br \/> \u00a0\u00a0 std::println(\"Successfully installed instrumentation callback\");<br \/>  }<br \/>\u00a0 handle = OpenProcess(GENERIC_ALL, 0, pid);<br \/>\u00a0 if (handle != INVALID_HANDLE_VALUE)<br \/> \u00a0\u00a0 std::println(\"Successfully opened process handle: {}\", handle);<br \/>  else<br \/> \u00a0\u00a0 std::println(\"Failed opening process handle: {}\", handle);<br \/>  CloseHandle(handle);<br \/>}<\/pre><\/td><\/tr><\/tbody><\/table><p>Executing the code with a working IC should result in one successful and one failed OpenProcess call if notepad.exe is running.<\/p><p>Of course, OpenProcess was just used as an example. This can be done with every syscall.<\/p><h2>Closing words<\/h2><p>In this blog you learnt how ICs work and how they can be used to log and spoof syscalls from user mode. ICs can be utilized for much more; in the upcoming blogs you will learn how to inject shellcode into other processes and how you can hook function calls with ICs to, for example, prevent users from overwriting your own IC. In a more theoretical part of the series we will discuss other use cases of ICs and possible counter measures.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-542c6223\" data-id=\"542c6223\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3c13f0aa elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"3c13f0aa\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-243969e1\" data-id=\"243969e1\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7b54edb4 elementor-widget__width-initial elementor-widget elementor-widget-heading\" data-id=\"7b54edb4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Further blog articles<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-7709756a\" data-id=\"7709756a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-576f1594 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"576f1594\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6d258978\" data-id=\"6d258978\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-329d2563 elementor-grid-3 elementor-grid-tablet-2 elementor-grid-mobile-1 elementor-posts--thumbnail-top elementor-card-shadow-yes elementor-posts__hover-gradient load-more-align-center elementor-widget elementor-widget-posts\" data-id=\"329d2563\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;pagination_type&quot;:&quot;load_more_on_click&quot;,&quot;cards_columns&quot;:&quot;3&quot;,&quot;cards_columns_tablet&quot;:&quot;2&quot;,&quot;cards_columns_mobile&quot;:&quot;1&quot;,&quot;cards_row_gap&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:35,&quot;sizes&quot;:[]},&quot;cards_row_gap_tablet_extra&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;cards_row_gap_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;cards_row_gap_mobile_extra&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;cards_row_gap_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;load_more_spinner&quot;:{&quot;value&quot;:&quot;fas fa-spinner&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"posts.cards\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-posts-container elementor-posts elementor-posts--skin-cards elementor-grid\" role=\"list\">\n\t\t\t\t<article class=\"elementor-post elementor-grid-item post-25513 post type-post status-publish format-standard has-post-thumbnail hentry category-red-teaming category-reverse-engineering category-windows tag-redteaming tag-windows\" role=\"listitem\">\n\t\t\t<div class=\"elementor-post__card\">\n\t\t\t\t<a class=\"elementor-post__thumbnail__link\" href=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks-part-4\/\" tabindex=\"-1\" ><div class=\"elementor-post__thumbnail\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"200\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/chittima-stanmore-fLCrjOp4BIA-unsplash-300x200.jpg\" class=\"attachment-medium size-medium wp-image-18585\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/chittima-stanmore-fLCrjOp4BIA-unsplash-300x200.jpg 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/chittima-stanmore-fLCrjOp4BIA-unsplash-1024x683.jpg 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/chittima-stanmore-fLCrjOp4BIA-unsplash-768x512.jpg 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/chittima-stanmore-fLCrjOp4BIA-unsplash-1536x1024.jpg 1536w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/chittima-stanmore-fLCrjOp4BIA-unsplash-2048x1365.jpg 2048w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/div><\/a>\n\t\t\t\t<div class=\"elementor-post__badge\">Red Teaming<\/div>\n\t\t\t\t<div class=\"elementor-post__text\">\n\t\t\t\t<h3 class=\"elementor-post__title\">\n\t\t\t<a href=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks-part-4\/\" >\n\t\t\t\tWindows Instrumen\u00adtation Call\u00adbacks \u2013 Part 4\t\t\t<\/a>\n\t\t<\/h3>\n\t\t\t\t<div class=\"elementor-post__excerpt\">\n\t\t\t<p>February 10, 2026 &#8211; In this blog post we will cover ICs from a more theoretical standpoint. Mainly restrictions on unsetting them, how set ICs can be detected and how new ones can be prevented from being set. Spoiler: this is not entirely possible.<br \/>\n<br \/>\nAuthor: Lino Facco<\/p>\n\t\t<\/div>\n\t\t\n\t\t<a class=\"elementor-post__read-more\" href=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks-part-4\/\" aria-label=\"Read more about Windows Instrumen\u00adtation Call\u00adbacks \u2013 Part 4\" tabindex=\"-1\" >\n\t\t\tMehr Infos \u00bb\t\t<\/a>\n\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/article>\n\t\t\t\t<article class=\"elementor-post elementor-grid-item post-25507 post type-post status-publish format-standard has-post-thumbnail hentry category-reverse-engineering category-windows tag-redteaming tag-windows\" role=\"listitem\">\n\t\t\t<div class=\"elementor-post__card\">\n\t\t\t\t<a class=\"elementor-post__thumbnail__link\" href=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks-injections\/\" tabindex=\"-1\" ><div class=\"elementor-post__thumbnail\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"199\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/kaffeebart-KrPulSdUetk-unsplash-300x199.jpg\" class=\"attachment-medium size-medium wp-image-18526\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/kaffeebart-KrPulSdUetk-unsplash-300x199.jpg 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/kaffeebart-KrPulSdUetk-unsplash-1024x678.jpg 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/kaffeebart-KrPulSdUetk-unsplash-768x509.jpg 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/kaffeebart-KrPulSdUetk-unsplash-1536x1018.jpg 1536w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/kaffeebart-KrPulSdUetk-unsplash-2048x1357.jpg 2048w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/div><\/a>\n\t\t\t\t<div class=\"elementor-post__badge\">Reverse Engineering<\/div>\n\t\t\t\t<div class=\"elementor-post__text\">\n\t\t\t\t<h3 class=\"elementor-post__title\">\n\t\t\t<a href=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks-injections\/\" >\n\t\t\t\tWindows Instrumen\u00adtation Call\u00adbacks \u2013 Part 3\t\t\t<\/a>\n\t\t<\/h3>\n\t\t\t\t<div class=\"elementor-post__excerpt\">\n\t\t\t<p>January 28, 2026 &#8211; In this third part of the blog series, you will learn how to inject shellcode into processes with ICs as an execution mechanism without creating any new threads for your payload and without installing a vectored exception handler.<br \/>\n<br \/>\nAuthor: Lino Facco<\/p>\n\t\t<\/div>\n\t\t\n\t\t<a class=\"elementor-post__read-more\" href=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks-injections\/\" aria-label=\"Read more about Windows Instrumen\u00adtation Call\u00adbacks \u2013 Part 3\" tabindex=\"-1\" >\n\t\t\tMehr Infos \u00bb\t\t<\/a>\n\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/article>\n\t\t\t\t<article class=\"elementor-post elementor-grid-item post-24504 post type-post status-publish format-standard has-post-thumbnail hentry category-command-and-control tag-command-control tag-compromise tag-redteaming\" role=\"listitem\">\n\t\t\t<div class=\"elementor-post__card\">\n\t\t\t\t<a class=\"elementor-post__thumbnail__link\" href=\"https:\/\/cirosec.de\/en\/news\/beacon-object-files-for-mythic-part-3\/\" tabindex=\"-1\" ><div class=\"elementor-post__thumbnail\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/shubham-dhage-qn6LgQnxXAI-unsplash-300x169.jpg\" class=\"attachment-medium size-medium wp-image-18536\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/shubham-dhage-qn6LgQnxXAI-unsplash-300x169.jpg 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/shubham-dhage-qn6LgQnxXAI-unsplash-1024x576.jpg 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/shubham-dhage-qn6LgQnxXAI-unsplash-768x432.jpg 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/shubham-dhage-qn6LgQnxXAI-unsplash-1536x864.jpg 1536w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/shubham-dhage-qn6LgQnxXAI-unsplash-2048x1152.jpg 2048w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/div><\/a>\n\t\t\t\t<div class=\"elementor-post__badge\">Command-and-Control<\/div>\n\t\t\t\t<div class=\"elementor-post__text\">\n\t\t\t\t<h3 class=\"elementor-post__title\">\n\t\t\t<a href=\"https:\/\/cirosec.de\/en\/news\/beacon-object-files-for-mythic-part-3\/\" >\n\t\t\t\tBeacon Object Files for Mythic &#8211; Part 3\t\t\t<\/a>\n\t\t<\/h3>\n\t\t\t\t<div class=\"elementor-post__excerpt\">\n\t\t\t<p>December 4, 2025 &#8211; This is the third post in a series of blog posts on how we implemented support for Beacon Object Files (BOFs) into our own command and control (C2) beacon using the Mythic framework. In this final post, we will provide insights into the development of our BOF loader as implemented in our Mythic beacon. We will demonstrate how we used the experimental Mythic Forge to circumvent the dependency on Aggressor Script \u2013 a challenge that other C2 frameworks were unable to resolve this easily.<br \/>\n<br \/>\nAuthor: Leon Schmidt<\/p>\n\t\t<\/div>\n\t\t\n\t\t<a class=\"elementor-post__read-more\" href=\"https:\/\/cirosec.de\/en\/news\/beacon-object-files-for-mythic-part-3\/\" aria-label=\"Read more about Beacon Object Files for Mythic &#8211; Part 3\" tabindex=\"-1\" >\n\t\t\tMehr Infos \u00bb\t\t<\/a>\n\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/article>\n\t\t\t\t<article class=\"elementor-post elementor-grid-item post-24479 post type-post status-publish format-standard has-post-thumbnail hentry category-command-and-control tag-command-control tag-compromise tag-redteaming\" role=\"listitem\">\n\t\t\t<div class=\"elementor-post__card\">\n\t\t\t\t<a class=\"elementor-post__thumbnail__link\" href=\"https:\/\/cirosec.de\/en\/news\/beacon-object-files-for-mythic-part-2\/\" tabindex=\"-1\" ><div class=\"elementor-post__thumbnail\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/shubham-dhage-v0VjjYYFjOg-unsplash-300x169.jpg\" class=\"attachment-medium size-medium wp-image-18538\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/shubham-dhage-v0VjjYYFjOg-unsplash-300x169.jpg 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/shubham-dhage-v0VjjYYFjOg-unsplash-1024x576.jpg 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/shubham-dhage-v0VjjYYFjOg-unsplash-768x432.jpg 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/shubham-dhage-v0VjjYYFjOg-unsplash-1536x864.jpg 1536w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/shubham-dhage-v0VjjYYFjOg-unsplash-2048x1152.jpg 2048w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/div><\/a>\n\t\t\t\t<div class=\"elementor-post__badge\">Command-and-Control<\/div>\n\t\t\t\t<div class=\"elementor-post__text\">\n\t\t\t\t<h3 class=\"elementor-post__title\">\n\t\t\t<a href=\"https:\/\/cirosec.de\/en\/news\/beacon-object-files-for-mythic-part-2\/\" >\n\t\t\t\tBeacon Object Files for Mythic &#8211; Part 2\t\t\t<\/a>\n\t\t<\/h3>\n\t\t\t\t<div class=\"elementor-post__excerpt\">\n\t\t\t<p>November 27, 2025 &#8211; This is the second post in a series of blog posts on how we implemented support for Beacon Object Files (BOFs) into our own command and control (C2) beacon using the Mythic framework. In this second post, we will present some concrete BOF implementations to show how they are used in the wild and how powerful they can be.<br \/>\n<br \/>\nAuthor: Leon Schmidt<\/p>\n\t\t<\/div>\n\t\t\n\t\t<a class=\"elementor-post__read-more\" href=\"https:\/\/cirosec.de\/en\/news\/beacon-object-files-for-mythic-part-2\/\" aria-label=\"Read more about Beacon Object Files for Mythic &#8211; Part 2\" tabindex=\"-1\" >\n\t\t\tMehr Infos \u00bb\t\t<\/a>\n\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/article>\n\t\t\t\t<article class=\"elementor-post elementor-grid-item post-24367 post type-post status-publish format-standard has-post-thumbnail hentry category-command-and-control tag-command-control tag-compromise tag-redteaming\" role=\"listitem\">\n\t\t\t<div class=\"elementor-post__card\">\n\t\t\t\t<a class=\"elementor-post__thumbnail__link\" href=\"https:\/\/cirosec.de\/en\/news\/beacon-object-files-for-mythic-part-1\/\" tabindex=\"-1\" ><div class=\"elementor-post__thumbnail\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/olli-kilpi-_m9ubHS7PVU-unsplash-300x300.jpg\" class=\"attachment-medium size-medium wp-image-18569\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/olli-kilpi-_m9ubHS7PVU-unsplash-300x300.jpg 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/olli-kilpi-_m9ubHS7PVU-unsplash-1024x1024.jpg 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/olli-kilpi-_m9ubHS7PVU-unsplash-150x150.jpg 150w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/olli-kilpi-_m9ubHS7PVU-unsplash-768x768.jpg 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/olli-kilpi-_m9ubHS7PVU-unsplash-1536x1536.jpg 1536w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/olli-kilpi-_m9ubHS7PVU-unsplash-2048x2048.jpg 2048w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/div><\/a>\n\t\t\t\t<div class=\"elementor-post__badge\">Command-and-Control<\/div>\n\t\t\t\t<div class=\"elementor-post__text\">\n\t\t\t\t<h3 class=\"elementor-post__title\">\n\t\t\t<a href=\"https:\/\/cirosec.de\/en\/news\/beacon-object-files-for-mythic-part-1\/\" >\n\t\t\t\tBeacon Object Files for Mythic &#8211; Part 1\t\t\t<\/a>\n\t\t<\/h3>\n\t\t\t\t<div class=\"elementor-post__excerpt\">\n\t\t\t<p>November 19, 2025 &#8211; This is the first post in a series of blog posts on how we implemented support for Beacon Object Files into our own command and control (C2) beacon using the Mythic framework. In this first post, we will take a look at what Beacon Object Files are, how they work and why they are valuable to us.<br \/>\n<br \/>\nAuthor: Leon Schmidt<\/p>\n\t\t<\/div>\n\t\t\n\t\t<a class=\"elementor-post__read-more\" href=\"https:\/\/cirosec.de\/en\/news\/beacon-object-files-for-mythic-part-1\/\" aria-label=\"Read more about Beacon Object Files for Mythic &#8211; Part 1\" tabindex=\"-1\" >\n\t\t\tMehr Infos \u00bb\t\t<\/a>\n\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/article>\n\t\t\t\t<article class=\"elementor-post elementor-grid-item post-24234 post type-post status-publish format-standard has-post-thumbnail hentry category-reverse-engineering category-windows tag-redteaming tag-windows\" role=\"listitem\">\n\t\t\t<div class=\"elementor-post__card\">\n\t\t\t\t<a class=\"elementor-post__thumbnail__link\" href=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks-hooks\/\" tabindex=\"-1\" ><div class=\"elementor-post__thumbnail\"><img loading=\"lazy\" decoding=\"async\" width=\"200\" height=\"300\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-ymx8g15pxD4-unsplash-200x300.jpg\" class=\"attachment-medium size-medium wp-image-18581\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-ymx8g15pxD4-unsplash-200x300.jpg 200w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-ymx8g15pxD4-unsplash-683x1024.jpg 683w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-ymx8g15pxD4-unsplash-768x1152.jpg 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-ymx8g15pxD4-unsplash-1024x1536.jpg 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-ymx8g15pxD4-unsplash-1365x2048.jpg 1365w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/krzysztof-hepner-ymx8g15pxD4-unsplash-scaled.jpg 1707w\" sizes=\"(max-width: 200px) 100vw, 200px\" \/><\/div><\/a>\n\t\t\t\t<div class=\"elementor-post__badge\">Reverse Engineering<\/div>\n\t\t\t\t<div class=\"elementor-post__text\">\n\t\t\t\t<h3 class=\"elementor-post__title\">\n\t\t\t<a href=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks-hooks\/\" >\n\t\t\t\tWindows Instrumen\u00adtation Callbacks \u2013 Part 2\t\t\t<\/a>\n\t\t<\/h3>\n\t\t\t\t<div class=\"elementor-post__excerpt\">\n\t\t\t<p>November 12, 2025 &#8211; In this blog post you will learn how to do patchless hooking using ICs without registering or executing any user mode exception handlers.<br \/>\n<br \/> <br \/>\nAuthor: Lino Facco<\/p>\n\t\t<\/div>\n\t\t\n\t\t<a class=\"elementor-post__read-more\" href=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks-hooks\/\" aria-label=\"Read more about Windows Instrumen\u00adtation Callbacks \u2013 Part 2\" tabindex=\"-1\" >\n\t\t\tMehr Infos \u00bb\t\t<\/a>\n\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/article>\n\t\t\t\t<article class=\"elementor-post elementor-grid-item post-24165 post type-post status-publish format-standard has-post-thumbnail hentry category-reverse-engineering category-windows tag-redteaming tag-windows\" role=\"listitem\">\n\t\t\t<div class=\"elementor-post__card\">\n\t\t\t\t<a class=\"elementor-post__thumbnail__link\" href=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/\" tabindex=\"-1\" ><div class=\"elementor-post__thumbnail\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/thom-milkovic-kYlYwQze5vI-unsplash-300x169.jpg\" class=\"attachment-medium size-medium wp-image-18579\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/thom-milkovic-kYlYwQze5vI-unsplash-300x169.jpg 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/thom-milkovic-kYlYwQze5vI-unsplash-1024x576.jpg 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/thom-milkovic-kYlYwQze5vI-unsplash-768x432.jpg 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/thom-milkovic-kYlYwQze5vI-unsplash-1536x864.jpg 1536w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/thom-milkovic-kYlYwQze5vI-unsplash-2048x1152.jpg 2048w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/div><\/a>\n\t\t\t\t<div class=\"elementor-post__badge\">Reverse Engineering<\/div>\n\t\t\t\t<div class=\"elementor-post__text\">\n\t\t\t\t<h3 class=\"elementor-post__title\">\n\t\t\t<a href=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/\" >\n\t\t\t\tWindows Instrumen\u00adtation Callbacks &#8211; Part 1\t\t\t<\/a>\n\t\t<\/h3>\n\t\t\t\t<div class=\"elementor-post__excerpt\">\n\t\t\t<p>November 5, 2025 &#8211; This multi-part blog series will be discussing an undocumented feature of Windows: instrumentation callbacks (ICs).<br \/>\n<br \/>\nAuthor: Lino Facco<\/p>\n\t\t<\/div>\n\t\t\n\t\t<a class=\"elementor-post__read-more\" href=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/\" aria-label=\"Read more about Windows Instrumen\u00adtation Callbacks &#8211; Part 1\" tabindex=\"-1\" >\n\t\t\tMehr Infos \u00bb\t\t<\/a>\n\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/article>\n\t\t\t\t<article class=\"elementor-post elementor-grid-item post-21505 post type-post status-publish format-standard has-post-thumbnail hentry category-red-teaming-en tag-compromise\" role=\"listitem\">\n\t\t\t<div class=\"elementor-post__card\">\n\t\t\t\t<a class=\"elementor-post__thumbnail__link\" href=\"https:\/\/cirosec.de\/en\/news\/the-key-to-compromise-part-2\/\" tabindex=\"-1\" ><div class=\"elementor-post__thumbnail\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2025\/01\/anonym_cirosec_Mitarbeiter-300x300.png\" class=\"attachment-medium size-medium wp-image-21417\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2025\/01\/anonym_cirosec_Mitarbeiter-300x300.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2025\/01\/anonym_cirosec_Mitarbeiter-1024x1024.png 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2025\/01\/anonym_cirosec_Mitarbeiter-150x150.png 150w, https:\/\/cirosec.de\/wp-content\/uploads\/2025\/01\/anonym_cirosec_Mitarbeiter-768x768.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2025\/01\/anonym_cirosec_Mitarbeiter.png 1080w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/div><\/a>\n\t\t\t\t<div class=\"elementor-post__badge\">Red Teaming<\/div>\n\t\t\t\t<div class=\"elementor-post__text\">\n\t\t\t\t<h3 class=\"elementor-post__title\">\n\t\t\t<a href=\"https:\/\/cirosec.de\/en\/news\/the-key-to-compromise-part-2\/\" >\n\t\t\t\tThe Key to COMpromise &#8211; Part 2\t\t\t<\/a>\n\t\t<\/h3>\n\t\t\t\t<div class=\"elementor-post__excerpt\">\n\t\t\t<p>January 29, 2025 &#8211; In this post, we will delve into how we exploited trust in AVG Internet Security (CVE-2024-6510) to gain elevated privileges.<br \/>\nBut before that, the next section will detail how we overcame an allow-listing mechanism that initially disrupted our COM hijacking attempts.<br \/>\n<br \/>\nAuthor: Alain R\u00f6del and Kolja Grassmann<\/p>\n\t\t<\/div>\n\t\t\n\t\t<a class=\"elementor-post__read-more\" href=\"https:\/\/cirosec.de\/en\/news\/the-key-to-compromise-part-2\/\" aria-label=\"Read more about The Key to COMpromise &#8211; Part 2\" tabindex=\"-1\" >\n\t\t\tMehr Infos \u00bb\t\t<\/a>\n\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/article>\n\t\t\t\t<article class=\"elementor-post elementor-grid-item post-21239 post type-post status-publish format-standard has-post-thumbnail hentry category-red-teaming category-red-teaming-en tag-compromise\" role=\"listitem\">\n\t\t\t<div class=\"elementor-post__card\">\n\t\t\t\t<a class=\"elementor-post__thumbnail__link\" href=\"https:\/\/cirosec.de\/en\/news\/the-key-to-compromise\/\" tabindex=\"-1\" ><div class=\"elementor-post__thumbnail\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"200\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/towfiqu-barbhuiya-em5w9_xj3uU-unsplash-300x200.jpg\" class=\"attachment-medium size-medium wp-image-18542\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/towfiqu-barbhuiya-em5w9_xj3uU-unsplash-300x200.jpg 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/towfiqu-barbhuiya-em5w9_xj3uU-unsplash-1024x683.jpg 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/towfiqu-barbhuiya-em5w9_xj3uU-unsplash-768x512.jpg 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/towfiqu-barbhuiya-em5w9_xj3uU-unsplash-1536x1024.jpg 1536w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/towfiqu-barbhuiya-em5w9_xj3uU-unsplash-2048x1365.jpg 2048w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/div><\/a>\n\t\t\t\t<div class=\"elementor-post__badge\">Red Teaming<\/div>\n\t\t\t\t<div class=\"elementor-post__text\">\n\t\t\t\t<h3 class=\"elementor-post__title\">\n\t\t\t<a href=\"https:\/\/cirosec.de\/en\/news\/the-key-to-compromise\/\" >\n\t\t\t\tThe Key to COMpromise &#8211; Part 1\t\t\t<\/a>\n\t\t<\/h3>\n\t\t\t\t<div class=\"elementor-post__excerpt\">\n\t\t\t<p>January 15, 2025 &#8211; In this series of blog posts, we cover how we could exploit five reputable security products to gain SYSTEM privileges with COM hijacking. If you&#8217;ve never heard of this, no worries. We introduce all relevant background information, describe our approach to reverse engineering the products&#8217; internals, and explain how we finally exploited the vulnerabilities. We hope to shed some light on this undervalued attack surface.<br \/>\n<br \/>\nAuthor: Alain R\u00f6del and Kolja Grassmann<\/p>\n\t\t<\/div>\n\t\t\n\t\t<a class=\"elementor-post__read-more\" href=\"https:\/\/cirosec.de\/en\/news\/the-key-to-compromise\/\" aria-label=\"Read more about The Key to COMpromise &#8211; Part 1\" tabindex=\"-1\" >\n\t\t\tMehr Infos \u00bb\t\t<\/a>\n\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/article>\n\t\t\t\t<\/div>\n\t\t\t\t\t<span class=\"e-load-more-spinner\">\n\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-spinner\"><\/i>\t\t\t<\/span>\n\t\t\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t<div class=\"elementor-element elementor-element-6820ea6f e-con-full e-flex e-con e-parent\" data-id=\"6820ea6f\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-1c0c1fa elementor-widget elementor-widget-template\" data-id=\"1c0c1fa\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"template.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-template\">\n\t\t\t\t\t<div data-elementor-type=\"section\" data-elementor-id=\"6023\" class=\"elementor elementor-6023 elementor-2968 elementor-2968\" data-elementor-post-type=\"elementor_library\">\n\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3920b242 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"3920b242\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-61cde52c\" data-id=\"61cde52c\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7eba007 elementor-widget elementor-widget-spacer\" data-id=\"7eba007\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7346d88 elementor-widget elementor-widget-heading\" data-id=\"7346d88\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Do you want to protect your systems? Feel free to get in touch with us.<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1b0432b elementor-widget elementor-widget-spacer\" data-id=\"1b0432b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-5cdf3c58 elementor-section-content-middle elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5cdf3c58\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-40c99187\" data-id=\"40c99187\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4a1d7b6a elementor-align-right elementor-widget elementor-widget-button\" data-id=\"4a1d7b6a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/cirosec.de\/en\/inquiry\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Send Enquiry<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-3b9d9ea6\" data-id=\"3b9d9ea6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7e7c4d9b elementor-widget elementor-widget-button\" data-id=\"7e7c4d9b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/cirosec.de\/en\/contact-us\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Contact Details<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-7019a1b4 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"7019a1b4\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-4f503c7\" data-id=\"4f503c7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8473ac0 elementor-widget elementor-widget-template\" data-id=\"8473ac0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"template.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-template\">\n\t\t\t\t\t<footer data-elementor-type=\"footer\" data-elementor-id=\"6025\" class=\"elementor elementor-6025 elementor-945 elementor-945\" data-elementor-post-type=\"elementor_library\">\n\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-1e44cc2 elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"1e44cc2\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e9b41ce\" data-id=\"e9b41ce\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-51c0c74 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"51c0c74\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-8ac5cc6\" data-id=\"8ac5cc6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-af371ae elementor-widget elementor-widget-theme-site-logo elementor-widget-image\" data-id=\"af371ae\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"theme-site-logo.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/en\/\">\n\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"626\" height=\"188\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png\" class=\"attachment-full size-full wp-image-5868\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png 626w, https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent-300x90.png 300w\" sizes=\"(max-width: 626px) 100vw, 626px\" \/>\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-85f2a11 elementor-widget__width-initial elementor-widget elementor-widget-text-editor\" data-id=\"85f2a11\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Competent IT security consulting, pentests, incident response and training<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5731ee0 elementor-widget__width-initial elementor-widget elementor-widget-text-editor\" data-id=\"5731ee0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>cirosec GmbH<br \/>Ferdinand-Braun-Stra\u00dfe 4<br \/>74074 Heilbronn, Germany<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-c7c447f\" data-id=\"c7c447f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4826023 elementor-widget elementor-widget-heading\" data-id=\"4826023\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h6 class=\"elementor-heading-title elementor-size-default\">Quicklinks<\/h6>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f26d479 elementor-nav-menu__align-start elementor-nav-menu--dropdown-none elementor-widget elementor-widget-nav-menu\" data-id=\"f26d479\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;layout&quot;:&quot;vertical&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-vertical e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-f26d479\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9132\"><a href=\"https:\/\/cirosec.de\/en\/about-us\/\" class=\"elementor-item\">About us<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9133\"><a href=\"https:\/\/cirosec.de\/en\/services\/\" class=\"elementor-item\">Services<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9134\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/\" class=\"elementor-item\">Trainings<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9139\"><a href=\"https:\/\/cirosec.de\/en\/secure-email-communication-with-cirosec\/\" class=\"elementor-item\">Secure Email Communication with cirosec<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-f26d479\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9132\"><a href=\"https:\/\/cirosec.de\/en\/about-us\/\" class=\"elementor-item\" tabindex=\"-1\">About us<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9133\"><a href=\"https:\/\/cirosec.de\/en\/services\/\" class=\"elementor-item\" tabindex=\"-1\">Services<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9134\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/\" class=\"elementor-item\" tabindex=\"-1\">Trainings<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9139\"><a href=\"https:\/\/cirosec.de\/en\/secure-email-communication-with-cirosec\/\" class=\"elementor-item\" tabindex=\"-1\">Secure Email Communication with cirosec<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-29e8304\" data-id=\"29e8304\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-14232af elementor-widget elementor-widget-heading\" data-id=\"14232af\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h6 class=\"elementor-heading-title elementor-size-default\">Social Media<\/h6>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c23ea92 elementor-nav-menu__align-start elementor-nav-menu--dropdown-none elementor-widget elementor-widget-nav-menu\" data-id=\"c23ea92\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;layout&quot;:&quot;vertical&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-vertical e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-c23ea92\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-13039\"><a target=\"_blank\" href=\"https:\/\/www.instagram.com\/cirosecgmbh\" class=\"elementor-item\">Instagram<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9136\"><a target=\"_blank\" href=\"https:\/\/www.xing.com\/pages\/cirosecgmbh\" class=\"elementor-item\">Xing<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9137\"><a target=\"_blank\" href=\"https:\/\/www.linkedin.com\/company\/cirosec-gmbh\/\" class=\"elementor-item\">LinkedIn<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9138\"><a target=\"_blank\" href=\"https:\/\/twitter.com\/cirosec\" class=\"elementor-item\">X (Twitter)<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-21563\"><a href=\"https:\/\/infosec.exchange\/@cirosec\" class=\"elementor-item\">Mastodon<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-c23ea92\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-13039\"><a target=\"_blank\" href=\"https:\/\/www.instagram.com\/cirosecgmbh\" class=\"elementor-item\" tabindex=\"-1\">Instagram<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9136\"><a target=\"_blank\" href=\"https:\/\/www.xing.com\/pages\/cirosecgmbh\" class=\"elementor-item\" tabindex=\"-1\">Xing<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9137\"><a target=\"_blank\" href=\"https:\/\/www.linkedin.com\/company\/cirosec-gmbh\/\" class=\"elementor-item\" tabindex=\"-1\">LinkedIn<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9138\"><a target=\"_blank\" href=\"https:\/\/twitter.com\/cirosec\" class=\"elementor-item\" tabindex=\"-1\">X (Twitter)<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-21563\"><a href=\"https:\/\/infosec.exchange\/@cirosec\" class=\"elementor-item\" tabindex=\"-1\">Mastodon<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-871a164\" data-id=\"871a164\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a46aa52 elementor-widget elementor-widget-heading\" data-id=\"a46aa52\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h6 class=\"elementor-heading-title elementor-size-default\">Legal<\/h6>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-50e6031 elementor-nav-menu__align-start elementor-nav-menu--dropdown-none elementor-widget elementor-widget-nav-menu\" data-id=\"50e6031\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;layout&quot;:&quot;vertical&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-vertical e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-50e6031\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9146\"><a href=\"https:\/\/cirosec.de\/en\/imprint\/\" class=\"elementor-item\">Imprint<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9147\"><a href=\"https:\/\/cirosec.de\/en\/privacy-policy\/\" class=\"elementor-item\">Privacy Policy<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9148\"><a href=\"https:\/\/cirosec.de\/en\/cirosec-responsible-disclosure-policy\/\" class=\"elementor-item\">cirosec Responsible Disclosure Policy<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-50e6031\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9146\"><a href=\"https:\/\/cirosec.de\/en\/imprint\/\" class=\"elementor-item\" tabindex=\"-1\">Imprint<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9147\"><a href=\"https:\/\/cirosec.de\/en\/privacy-policy\/\" class=\"elementor-item\" tabindex=\"-1\">Privacy Policy<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9148\"><a href=\"https:\/\/cirosec.de\/en\/cirosec-responsible-disclosure-policy\/\" class=\"elementor-item\" tabindex=\"-1\">cirosec Responsible Disclosure Policy<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/footer>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>November 5, 2025 &#8211; This multi-part blog series will be discussing an undocumented feature of Windows: instrumentation callbacks (ICs).<br \/>\n<br \/>\nAuthor: Lino Facco<\/p>\n","protected":false},"author":43,"featured_media":18579,"comment_status":"closed","ping_status":"open","sticky":false,"template":"elementor_canvas","format":"standard","meta":{"footnotes":""},"categories":[57,56],"tags":[68,66],"class_list":["post-24165","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-reverse-engineering","category-windows","tag-redteaming","tag-windows"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Windows Instrumen\u00adtation Callbacks - Part 1 - cirosec<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Windows Instrumen\u00adtation Callbacks - Part 1 - cirosec\" \/>\n<meta property=\"og:description\" content=\"November 5, 2025 - This multi-part blog series will be discussing an undocumented feature of Windows: instrumentation callbacks (ICs). Author: Lino Facco\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/\" \/>\n<meta property=\"og:site_name\" content=\"cirosec\" \/>\n<meta property=\"article:published_time\" content=\"2025-11-05T07:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-03T10:35:27+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/thom-milkovic-kYlYwQze5vI-unsplash-scaled.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1440\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"ne@cirosec.de\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ne@cirosec.de\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"26 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/windows-instrumentation-callbacks\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/windows-instrumentation-callbacks\\\/\"},\"author\":{\"name\":\"ne@cirosec.de\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/person\\\/a502baf6d9f9698b9b9236805b52fe73\"},\"headline\":\"Windows Instrumen\u00adtation Callbacks &#8211; Part 1\",\"datePublished\":\"2025-11-05T07:00:00+00:00\",\"dateModified\":\"2026-03-03T10:35:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/windows-instrumentation-callbacks\\\/\"},\"wordCount\":3303,\"publisher\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/windows-instrumentation-callbacks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/thom-milkovic-kYlYwQze5vI-unsplash-scaled.jpg\",\"keywords\":[\"redteaming\",\"Windows\"],\"articleSection\":[\"Reverse Engineering\",\"Windows\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/windows-instrumentation-callbacks\\\/\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/windows-instrumentation-callbacks\\\/\",\"name\":\"Windows Instrumen\u00adtation Callbacks - Part 1 - cirosec\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/windows-instrumentation-callbacks\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/windows-instrumentation-callbacks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/thom-milkovic-kYlYwQze5vI-unsplash-scaled.jpg\",\"datePublished\":\"2025-11-05T07:00:00+00:00\",\"dateModified\":\"2026-03-03T10:35:27+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/windows-instrumentation-callbacks\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/windows-instrumentation-callbacks\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/windows-instrumentation-callbacks\\\/#primaryimage\",\"url\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/thom-milkovic-kYlYwQze5vI-unsplash-scaled.jpg\",\"contentUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/thom-milkovic-kYlYwQze5vI-unsplash-scaled.jpg\",\"width\":2560,\"height\":1440},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/windows-instrumentation-callbacks\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Startseite\",\"item\":\"https:\\\/\\\/cirosec.de\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Windows Instrumen\u00adtation Callbacks &#8211; Part 1\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/\",\"name\":\"cirosec\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cirosec.de\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#organization\",\"name\":\"cirosec\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/Logo_Cirosec_rgb_53x16mm-transparent.png\",\"contentUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/Logo_Cirosec_rgb_53x16mm-transparent.png\",\"width\":626,\"height\":188,\"caption\":\"cirosec\"},\"image\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/person\\\/a502baf6d9f9698b9b9236805b52fe73\",\"name\":\"ne@cirosec.de\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/author\\\/necirosec-de\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Windows Instrumen\u00adtation Callbacks - Part 1 - cirosec","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/","og_locale":"en_US","og_type":"article","og_title":"Windows Instrumen\u00adtation Callbacks - Part 1 - cirosec","og_description":"November 5, 2025 - This multi-part blog series will be discussing an undocumented feature of Windows: instrumentation callbacks (ICs). Author: Lino Facco","og_url":"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/","og_site_name":"cirosec","article_published_time":"2025-11-05T07:00:00+00:00","article_modified_time":"2026-03-03T10:35:27+00:00","og_image":[{"width":2560,"height":1440,"url":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/thom-milkovic-kYlYwQze5vI-unsplash-scaled.jpg","type":"image\/jpeg"}],"author":"ne@cirosec.de","twitter_card":"summary_large_image","twitter_misc":{"Written by":"ne@cirosec.de","Est. reading time":"26 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/#article","isPartOf":{"@id":"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/"},"author":{"name":"ne@cirosec.de","@id":"https:\/\/cirosec.de\/en\/#\/schema\/person\/a502baf6d9f9698b9b9236805b52fe73"},"headline":"Windows Instrumen\u00adtation Callbacks &#8211; Part 1","datePublished":"2025-11-05T07:00:00+00:00","dateModified":"2026-03-03T10:35:27+00:00","mainEntityOfPage":{"@id":"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/"},"wordCount":3303,"publisher":{"@id":"https:\/\/cirosec.de\/en\/#organization"},"image":{"@id":"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/#primaryimage"},"thumbnailUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/thom-milkovic-kYlYwQze5vI-unsplash-scaled.jpg","keywords":["redteaming","Windows"],"articleSection":["Reverse Engineering","Windows"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/","url":"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/","name":"Windows Instrumen\u00adtation Callbacks - Part 1 - cirosec","isPartOf":{"@id":"https:\/\/cirosec.de\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/#primaryimage"},"image":{"@id":"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/#primaryimage"},"thumbnailUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/thom-milkovic-kYlYwQze5vI-unsplash-scaled.jpg","datePublished":"2025-11-05T07:00:00+00:00","dateModified":"2026-03-03T10:35:27+00:00","breadcrumb":{"@id":"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/#primaryimage","url":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/thom-milkovic-kYlYwQze5vI-unsplash-scaled.jpg","contentUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/thom-milkovic-kYlYwQze5vI-unsplash-scaled.jpg","width":2560,"height":1440},{"@type":"BreadcrumbList","@id":"https:\/\/cirosec.de\/en\/news\/windows-instrumentation-callbacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/cirosec.de\/"},{"@type":"ListItem","position":2,"name":"Windows Instrumen\u00adtation Callbacks &#8211; Part 1"}]},{"@type":"WebSite","@id":"https:\/\/cirosec.de\/en\/#website","url":"https:\/\/cirosec.de\/en\/","name":"cirosec","description":"","publisher":{"@id":"https:\/\/cirosec.de\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cirosec.de\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/cirosec.de\/en\/#organization","name":"cirosec","url":"https:\/\/cirosec.de\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cirosec.de\/en\/#\/schema\/logo\/image\/","url":"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png","contentUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png","width":626,"height":188,"caption":"cirosec"},"image":{"@id":"https:\/\/cirosec.de\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/cirosec.de\/en\/#\/schema\/person\/a502baf6d9f9698b9b9236805b52fe73","name":"ne@cirosec.de","url":"https:\/\/cirosec.de\/en\/news\/author\/necirosec-de\/"}]}},"_links":{"self":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts\/24165","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/users\/43"}],"replies":[{"embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/comments?post=24165"}],"version-history":[{"count":3,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts\/24165\/revisions"}],"predecessor-version":[{"id":26085,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts\/24165\/revisions\/26085"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/media\/18579"}],"wp:attachment":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/media?parent=24165"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/categories?post=24165"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/tags?post=24165"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}