Ido Veltzman
Ido Veltzman is a senior security researcher specialising in reverse engineering, operating system internals, vulnerability research, and exploit development. His work spans UEFI, hypervisors, the kernel, and user mode, where he has developed advanced evasion, persistence, and injection techniques. Ido is known for translating deep technical research into practical offensive tradecraft, and regularly publishes papers and presents to the global cybersecurity community.
You can view my public work on my GitHub account.
Expertise
Courses
- Windows Kernel: Offensive, Defensive & Reverse Engineering (Xintra)
Learn Windows kernel internals by building both offensive and defensive tooling from scratch. In this hands-on course, you will create a functional rootkit and a custom endpoint protection platform while gaining a practical understanding of kernel initialization, object management, callbacks, ETW, threads, APCs, kernel APIs, and user-to-kernel transitions. Designed for security researchers, red teamers, blue teamers, and low-level engineers, this course focuses on how and why Windows internals work, not just surface-level techniques.
Notable Publications
- Lord Of The Ring0 Series
An introductory series to Windows kernel development covering callbacks, IRP hooks, kernel-to-user communication, and more.
- Kernel Games: The Ballad of Offense & Defense [X33fCon 2024]
A talk in Poland about creating stealthy rootkits to help red teams remain persistent, evade EDRs, and integrate with existing C2 environments.
- (Lady|)Lord Of The Ring [BSidesTLV 2023]
A talk at BSidesTLV covering the functionality of Nidhogg alongside an explanation of the Windows kernel world.
- DigitalWhisper Publications
Articles in one of Israel's oldest active security zines, covering a persistence method, an injection method, and evasive communication.
Notable Projects
- Nidhogg
Windows rootkit for Intel x64 with 25+ features, demonstrating rootkit techniques compatible with all Windows 10 and Windows 11 versions.
- NovaHypervisor
Defensive host hypervisor for Windows on Intel x64, designed to mitigate kernel-level attacks including BYOVD, and compatible with VMware and Hyper-V.
- Jormungandr
A kernel implementation of a COFF loader, allowing kernel developers to load and execute their COFFs in the kernel.
- Cronos
A PoC for a sleep obfuscation technique leveraging waitable timers to evade memory scanners (PE-Sieve, Moneta, etc.).
- Venom
A library performing evasive communication using a stolen browser socket.
- Sandman
An NTP-based backdoor for operations in hardened networks.
Get In Touch
Feel free to reach out via X (Twitter), Telegram, or email regarding any of my projects or publications. Enjoy the blog!