About

I’ve been living, breathing, and training in operating systems and cybersecurity technology for almost two decades, and there’s nothing I love more. In part thanks to my ground-breaking research and wealth of Windows Internals knowledge, I am honored to have been recently recognized by the United States Government as an Alien of Extraordinary Ability, “demonstrating internationally recognized extraordinary abilities in the sciences through sustained national or international acclaim.”

As a developer, I started my career as one of the key lead kernel developers on the open source ReactOS project, and re-implemented from scratch, based on reverse engineering and black box testing, large parts of the Windows XP/2003 kernel (which was, at the time, current). Throughout that work, I uncovered dozens of vulnerabilities and just plain old bugs in the kernel and its many associated subsystems and drivers, both in user-mode and kernel-mode. I then moved on to work at Apple, Inc. where I was an intern and then part-time remote software engineer while completing my studies, and worked on the Core Platform team, where I helped port both iOS and iBoot, as well as related drivers, to exciting new platforms, ARM architectures, and SOCs, as well as worked on interesting and varied user-mode infrastructure such as SpringBoard, Mach RPC, and CoreAnimation. Finally, I joined CrowdStrike, Inc., as part of its launch team over five years ago, where I initially started as its Chief Architect, responsible for the overall vision and design of its endpoint security product, and have recently taken on a new role as the Vice President of EDR Strategy, to help cement its lead in the market and unparalleled visibility into operating system behaviors.

As a reverse engineer, I began tearing apart Windows long before my involvement with ReactOS. While now having joined the relics of GeoCities, Planet Source Code was a popular coding website where developers compete against one another to win the coveted “Superior Code Award”. Each of my 8 submissions gathered exclusively five-star reviews, and I had won the award three times by the time I moved on. My submissions, most dating from 2001-2003, introduced the following concepts (which have since then become extensively researched and no longer exciting) for the first time outside of secretive hacker forums or the intelligence community, especially by leveraging the relative ease of the Visual Basic language (which is now seeing a resurgence with VBA-based Word/Excel Macro attacks).

• Code Injection
• Self-Deleting Executables
• NTFS Alternate Data Streams (ADS)
• Undocumented Native API/NTDLL
• Mixing C and x86 Assembly code with Visual Basic and COM

Based, in part, on my work at the site, I began contracting for Rent-a-Coder while still in high school. I eventually became a key consultant for a number of now-defunct/resold security products, and more importantly, for the SpamFighter Outlook Express Plugin, whom I initially was the sole developer for. The company continues to successfully exist today, and was a novelty for its time, by leveraging what we now call “The Cloud” and “Machine Learning” to perform server-side adaptive Bayesian filtering and reputation lookups. My ongoing reverse engineering work and research led me to first publish at Recon in 2006 and BlackHat in 2008, followed by many more security conferences, where I have now participated in for over a decade.

Finally, as a teacher and technical writer, I first began by publishing an 125-page paper on Windows Internals on Planet Source Code, which covered key windows structures in the NT kernel, and was one of the first to leverage the use of Microsoft’s Public Symbol Files (PDB) to extract type data from the kernel. I later followed-up with an entire reverse engineering overview of the Visual Basic 6 File Format, which was used by many decompilers at the time (as well as some contracting work on the side). Finally, I eventually published a similar guide on the NTFS File Format, which greatly helped the ntfs-3g Linux Project achieve a more consistent understanding of the various data structures involved. I began giving small presentations on ReactOS and NT internals at various locations, including a presentation at Waterloo University in Canada, which eventually led to my contracting with David Solomon Expert Seminars, Inc., a real titan in the Windows Internals training world. Just as Winternals and Mark Russinovich had been acquired by Microsoft, I was contracted to “fill his shoes” (an impossible task) and began giving regular trainings at Microsoft for David, followed by a growing list of additional customers and organizations. After David’s retirement, I eventually build a complete portfolio of training and consulting courses for Windows Internals and beyond. On the writing side, I was also engaged to update the seminal Windows Internals book series, and was responsible for the 5th and 6th Edition updates as a co-author. Now working with the new co-author of the 7th Edition, I am once again involved in many parts of the update for Windows 10 and beyond.

Simply put, if you are looking for someone who both has the programming chops to help your developers make the right decisions in their projects, as well as the security and reverse-engineering knowledge to help your enterprise avoid costly mistakes by learning how to both defend and exploit others’ (both in a forensic, malware analysis, and offensive development context), you’ve come to the right place. With a solid mastery of the English and French languages, and a command of the audience’s attention through years of experience from public speaking engagements and personal coaching, there simply is no substitute.

Please visit our training offerings on the site to see if our topics are of interest, or feel free to shoot us an e-mail if you have something custom in mind.

What Clients Say About Me