A defender-side surface map of Windows kernel/user-mode covert channels — mailslots and ALPC, firmware-table providers and WNF, dispatch tables and writable .data pointers, KernelCallbackTable, MDL-backed mailboxes, GPU/DXGK primitives, page-guard signals, EPT/MMIO, DMA cards, and visual capture. Covers the six-plane channel grammar, PatchGuard exposure classes, and a production detection program with baselines, cross-view validation, and false-positive control. core-jmp.org/2026/06/covert-… #ALPC #AntiCheat #AntiCheatResearch #byovd #CovertChannels #DMA #DMACheats #EDR #EDREvasion #ETW #HVCI #HypervisorSecurity #IPC #KernelAntiCheat #KernelCallbacks #KernelDMAProtection #KernelDriver #MalwareAnalysis #PatchGuard #Rootkit #RootkitResearch #WindowsDriverExploitation #WindowsFilteringPlatform #WindowsInternals #WindowsKernel #Windowssecurity
7 Apr 2024
If you want repeatable results, you need a very deep understanding of how AV and EDR work, ranging from kernel callbacks to ETW to userland hooks and stack/thread telemetry. You can learn these things by reading, yes, but I learn a lot more by getting my own hands dirty.