I build automated systems to find security vulnerabilities in Windows kernel drivers at scale.
```
Driver Binary
      │
      ▼
┌─────────────────────────────────────────────────────┐
│             Automated Analysis Pipeline             │
├─────────────────────────────────────────────────────┤
│  Decompilation → Function Matching → Semantic Diff  │
│        ↓                 ↓                 ↓        │
│     Ghidra           Hash-LCS         Rule Engine   │
└─────────────────────────────────────────────────────┘
      │
      ▼
Security-Relevant Patches (ranked by exploitability)
```
Problem: Vendors release hundreds of driver updates yearly. Most are cosmetic. A few silently fix critical vulnerabilities without CVEs.
Solution: Automated semantic analysis that surfaces the 2% of changes that matter—use-after-free fixes, missing bounds checks, user/kernel boundary hardening.
| Project | Purpose |
|---|---|
| AutoPiff | Semantic patch diffing engine with YAML rules for detecting vulnerability fixes |
| driver_analyzer | Scalable pipeline: Karton + MWDB + Ghidra for batch driver analysis |
- Collect — Ingest driver binaries from multiple sources into MWDB
- Pair — Automatically match driver versions by product metadata
- Decompile — Headless Ghidra produces normalized C pseudocode
- Diff — Semantic rules detect security-relevant patterns in changes
- Rank — Scoring model prioritizes findings by exploitability
- Report — Actionable output for manual exploitation research
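As an added illustration of the Pair, Decompile and Diff steps and of the Hash-LCS function-matching stage in the diagram, the following Python is example code written for this page, not AutoPiff's or driver_analyzer's own implementation. It assumes headless Ghidra has already produced per-function pseudocode as lists of lines, uses constructed sample functions for two driver versions (Ghidra's address-derived `FUN_` names shift between builds, so names alone cannot pair them), and pairs functions by the longest common subsequence of normalized line hashes. The normalization choices (collapsing `FUN_`/`DAT_` names and hex literals) and the 0.6 threshold are assumptions, not the project's settings.

```python
import hashlib
import re

# Constructed decompiled pseudocode for two driver versions (not real driver output).
OLD_FUNCS = {
    "FUN_00011000": [
        "NTSTATUS FUN_00011000(PIRP Irp)",
        "{",
        "  ULONG len = *(ULONG *)(Irp + 0x18);",
        "  PVOID p = ExAllocatePoolWithTag(NonPagedPool, len, 0x41424344);",
        "  if (p == (PVOID)0x0) return 0xc000009a;",
        "  RtlCopyMemory(p, Irp + 0x30, len);",
        "  return 0;",
        "}",
    ],
    "FUN_00011200": [
        "void FUN_00011200(PDEVICE_OBJECT dev)",
        "{",
        "  IoDeleteDevice(dev);",
        "  return;",
        "}",
    ],
}
NEW_FUNCS = {
    "FUN_00011040": [  # same handler at a new address, one length check added
        "NTSTATUS FUN_00011040(PIRP Irp)",
        "{",
        "  ULONG len = *(ULONG *)(Irp + 0x18);",
        "  if (len > 0x1000) return 0xc000000d;",
        "  PVOID p = ExAllocatePoolWithTag(NonPagedPool, len, 0x41424344);",
        "  if (p == (PVOID)0x0) return 0xc000009a;",
        "  RtlCopyMemory(p, Irp + 0x30, len);",
        "  return 0;",
        "}",
    ],
    "FUN_00011260": [  # unchanged teardown routine, also relocated
        "void FUN_00011260(PDEVICE_OBJECT dev)",
        "{",
        "  IoDeleteDevice(dev);",
        "  return;",
        "}",
    ],
}


def normalize(line):
    """Strip what changes between builds without changing semantics (assumed choices):
    address-derived FUN_/DAT_/LAB_ names, hex literals, and whitespace."""
    line = re.sub(r"\b(FUN|DAT|LAB)_[0-9a-fA-F]+\b", r"\1_X", line)
    line = re.sub(r"\b0x[0-9a-fA-F]+\b", "HEX", line)
    return " ".join(line.split())


def line_hashes(lines):
    """One short hash per normalized line; the LCS then runs over hashes, not text."""
    return [hashlib.sha1(normalize(l).encode()).hexdigest()[:8] for l in lines]


def lcs_length(a, b):
    """Classic O(len(a)*len(b)) DP longest common subsequence over two hash sequences."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def similarity(a_lines, b_lines):
    """Dice-style score in [0, 1]: 2*LCS / (len(a) + len(b))."""
    ha, hb = line_hashes(a_lines), line_hashes(b_lines)
    if not ha and not hb:
        return 1.0
    return 2 * lcs_length(ha, hb) / (len(ha) + len(hb))


def match_functions(old, new, threshold=0.6):
    """Greedy one-to-one pairing: repeatedly take the highest-similarity unused pair.
    Returns {old_name: (new_name, score)}; unmatched functions are left out and would
    be reported as added/removed by a fuller pipeline."""
    candidates = sorted(
        ((similarity(ol, nl), on, nn) for on, ol in old.items() for nn, nl in new.items()),
        reverse=True,
    )
    pairs, used_old, used_new = {}, set(), set()
    for score, on, nn in candidates:
        if score < threshold:
            break
        if on in used_old or nn in used_new:
            continue
        pairs[on] = (nn, round(score, 3))
        used_old.add(on)
        used_new.add(nn)
    return pairs


if __name__ == "__main__":
    for old_name, (new_name, score) in match_functions(OLD_FUNCS, NEW_FUNCS).items():
        print(f"{old_name} -> {new_name}  similarity={score}")
```

Pairing by hashed lines keeps the LCS cheap and makes the score insensitive to relocation, while the greedy one-to-one assignment prevents one heavily duplicated helper from absorbing several matches; the pairs it emits are what the semantic-diff stage then compares.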
- Lifetime fixes: null-after-free patterns (`ExFreePool` → `ptr = NULL`)
- Bounds checks: length validation before `memcpy`/`RtlCopyMemory`
- User boundary: added `ProbeForRead`/`ProbeForWrite` calls
- Integer overflow: safe math helpers (`RtlULongAdd`, `RtlSizeTMult`)
- State hardening: interlocked reference counting
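As an added example of how a rule engine can recognise the five fix patterns listed above in a function-level diff, the following Python is written for this page and is not AutoPiff's code. The rules are embedded as an inline list (standing in for the YAML files the page describes), the regexes and scores are illustrative assumptions, and the before/after pseudocode is constructed, not decompiled from any real driver. Each rule names a pattern that must appear on an added line and, optionally, a context pattern that must appear somewhere in the new function body; the null-after-free rule additionally requires that the variable being nulled is one that was freed.

```python
import difflib
import re

# Inline rule table (constructed; the page's engine loads equivalent rules from YAML).
# 'added' must match a line present only in the new version; 'context' must match the
# new function body. Scores are illustrative: higher = ranked first for manual review.
RULES = [
    {"name": "null_after_free", "score": 90,
     "added": r"^\s*(?P<ptr>\w+)\s*=\s*(NULL|0)\s*;",
     "context": r"ExFreePool\w*\(\s*(?P<ptr>\w+)"},
    {"name": "bounds_check", "score": 80,
     "added": r"^\s*if\s*\(.*\b\w*(len|length|size)\w*\b\s*[<>]=?",
     "context": r"\b(memcpy|RtlCopyMemory|RtlMoveMemory)\s*\("},
    {"name": "user_boundary", "score": 70,
     "added": r"\bProbeFor(Read|Write)\s*\(",
     "context": None},
    {"name": "safe_math", "score": 60,
     "added": r"\bRtl(ULong|UInt|SizeT|ULongLong)(Add|Sub|Mult)\s*\(",
     "context": None},
    {"name": "state_hardening", "score": 40,
     "added": r"\bInterlocked(Increment|Decrement|CompareExchange)\w*\s*\(",
     "context": None},
]

# Constructed before/after pseudocode for one matched IOCTL handler.
OLD_PSEUDOCODE = """\
NTSTATUS DeviceIoctl(PVOID in, ULONG inLen, PVOID out)
{
    PBUF ctx = ExAllocatePoolWithTag(NonPagedPool, inLen, 'tSgR');
    RtlCopyMemory(ctx->data, in, inLen);
    ExFreePoolWithTag(ctx, 'tSgR');
    return STATUS_SUCCESS;
}
"""
NEW_PSEUDOCODE = """\
NTSTATUS DeviceIoctl(PVOID in, ULONG inLen, PVOID out)
{
    if (inLen > MAX_BUF_LEN)
        return STATUS_INVALID_PARAMETER;
    ProbeForRead(in, inLen, 1);
    PBUF ctx = ExAllocatePoolWithTag(NonPagedPool, inLen, 'tSgR');
    RtlCopyMemory(ctx->data, in, inLen);
    ExFreePoolWithTag(ctx, 'tSgR');
    ctx = NULL;
    return STATUS_SUCCESS;
}
"""


def added_lines(old, new):
    """Lines present only in the new pseudocode (the '+' side of a unified diff)."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def match_rules(old, new, rules=RULES):
    """Apply every rule to the old/new pair; return findings sorted by score, highest first."""
    added = added_lines(old, new)
    findings = []
    for rule in rules:
        hits = [m for line in added if (m := re.search(rule["added"], line, re.I))]
        if not hits:
            continue
        if rule["context"]:
            ctx = list(re.finditer(rule["context"], new))
            if not ctx:
                continue
            # When both patterns bind 'ptr', the nulled variable must be one that was freed,
            # so an unrelated "x = 0;" does not masquerade as a lifetime fix.
            if "(?P<ptr>" in rule["added"] and "(?P<ptr>" in rule["context"]:
                freed = {m.group("ptr") for m in ctx}
                hits = [m for m in hits if m.group("ptr") in freed]
                if not hits:
                    continue
        findings.append({"rule": rule["name"], "score": rule["score"],
                         "evidence": [m.string.strip() for m in hits]})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in match_rules(OLD_PSEUDOCODE, NEW_PSEUDOCODE):
        print(f"[{f['score']:3d}] {f['rule']}: {f['evidence']}")
```

Working from added lines rather than the whole new body is what keeps the signal narrow: an old function that always had a `ProbeForRead` produces no finding, only a version that gained one does. Rules with a context requirement (a new length check is only interesting near a copy; a `= NULL` only after a free) are how the engine separates hardening from cosmetic churn before anything reaches the ranking step.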
Analysis: Python, Ghidra (headless), YAML rule engine
Infrastructure: Karton, MWDB Core, Redis, MinIO, Docker
Reverse Engineering: IDA Pro, Ghidra, WinDbg, x64dbg
Blog: threatunpacked.com
Turning 4-12 hours of manual patch review into 2-5 minutes of automated triage.
