Govind Singh

Windows OS internals —

Explored
• Researched Windows kernel/syscall architecture (Windows 11 24H2 — ~980 syscalls; Windows 10 22H2 — ~966 syscalls) and documented syscall differences across versions.

• Studied syscall semantics and lifecycle — how user-mode requests transition to kernel-mode and why syscalls are fundamental for process/kernel trust boundaries.

• Analyzed how malware leverages syscalls for stealthy operations (process/file/memory manipulation) and catalogued common syscall-based techniques used in real-world samples.

• Implemented direct syscall proof-of-concepts for core file operations: open, close, delete, read, write, create — including memory allocation and permission/modification flows.

• Built and tested syscall-based file I/O and memory primitives across x64 Windows environments to verify behavior and edge cases.

• Researched EDR/monitoring vendor approaches to syscall monitoring and detection signals (hooking, user-kernel transition anomalies, syscall argument inspection).

• Used and extended tooling during research: SysWhispers I/II/III, x64dbg, Procmon , Process Hacker — for instrumentation, reverse engineering, and runtime validation.

• Demonstrated defensive use-cases of syscall knowledge — developed syscall-driven scanners to detect hidden/obfuscated files and artifacts that evade higher-level APIs.

• Produced technical notes and reproducible examples showing syscall usage patterns and recommended telemetry points for defenders.

Next-step areas
• Deep-dive mapping of all version-delta syscalls and undocumented syscall behaviors across insider/beta builds.

• Full emulation of syscall dispatcher internals to simulate evasion/detection at scale.

• End-to-end exercises integrating direct-syscall bypass techniques with modern EDRs to evaluate real-world impact and mitigations.

Key achievements / impact
• Implemented direct-syscall file and memory primitives (proof-of-concept) to validate theoretical bypass techniques against syscall-based EDR detection.

• Identified detection telemetry gaps and proposed syscall-level instrumentation points to improve EDR coverage for hidden-file and memory-manipulation detection.

• Applied toolchain (SysWhispers I–III, x64dbg, Procmon, Process Hacker) to validate syscall implementations and produce reproducible technical artifacts.

• Supported staff members in their daily tasks, reducing workload burden and allowing for increased focus on higher-priority assignments.
• Gained valuable experience working within a specific industry, applying learned concepts directly into relevant work situations.
• Analyzed problems and worked with teams to develop solutions.
• Contributed to a positive team environment by collaborating with fellow interns on group projects and presentations.
• Participated in on-the-job training, working closely with supervisors and coworkers and asking appropriate questions.