Alex Ionescu & Yarden Shafir

Alex Ionescu, Vice President of Endpoint Engineering and Founding Chief Architect at CrowdStrike Inc. Yarden Shafir, Software Engineer at CrowdStrike.

Alex Ionescu

Alex Ionescu is the Vice President of Endpoint Engineering and Founding Chief Architect at CrowdStrike, Inc.

Alex is a world-class security architect and consultant, expert in low-level system software, kernel development, security training, and reverse engineering.
He is coauthor of the last three editions of the Windows Internals series, along with Andrea Allievi, Mark Russinovich, and David Solomon. His work has led to the fixing of many critical kernel vulnerabilities, as well as dozens of non-security bugs.

Previously, Alex was the lead kernel developer for ReactOS, an open source Windows clone written from scratch, for which he wrote most of the Windows NT-based subsystems. During his studies in Computer Science, Alex worked at Apple on the iOS kernel, boot loader, and drivers on the original core platform team behind the iPhone, iPad and AppleTV.

Alex is also the founder of Winsider Seminars & Solutions Inc., a company that specializes in low-level system software, reverse engineering and security trainings for various institutions.
In the last three years, he has also contributed to patches and development in two major commercially used operating system kernels.

Yarden Shafir

Yarden Shafir started dancing at the age of 7, and later joined a rhythmic gymnastics team and competed during her teenage years. 

After her military service, she practiced pole dancing and fell in love with acrobatics.
Today she performs aerial arts for the circus, trains whenever possible, and teaches lyra and silks in Israel. She also has a rich background in Windows Internals research, originally at SentinelOne, followed by her current role as a Software Engineer at CrowdStrike, working on various EDR capabilities and EPP features.

BYOD (Bring Your Own Defender) - Turning Windows Defender into your own rootkit

Writing a rootkit is becoming a difficult task - with PatchGuard, HyperGuard, OS mitigations and various security products, rootkit authors must work harder than ever to avoid detection. But there is a convenient "rootkit helper" that was under our noses the whole time - Windows Defender.

With capabilities such as process and file system monitoring, user<->kernel communications and process exclusions, Windows Defender can be a rootkit's best friend. A capable attacker can use all these private data structures and methods to get all the functionality they need -- while remaining entirely invisible to the system and monitoring services, including Defender itself.

This talk will introduce some of the lesser-known OS mechanisms used by Defender and the ways the multiple Defender drivers can be used by Windows rootkits in a "live off the land" style.