Recently, I’ve been working on a task at work which required debugging a malicious Windows driver. To be able to do so, I had to set up a kernel-debugging environment — attach a debugger on my host to a target machine’s kernel. This took a lot of time, many Google searches and probably some headache for my team leader, but I finally made this beautiful screen appear:

kd.exe attached to the target machine’s kernel

I am not writing this blog post to provide readers with an answer to how to setup KDNET. This has already been (very well) done by Microsoft. I wish to clarify why every…

How to group entire MongoDB documents based on a certain field

This post serves as a note-to-self; it details a technical problem I had and which took me forever to overcome, or so it felt. Frustration level was high and Twitter is my witness.

Once solved, I couldn’t let the solution be forgotten and so I decided to carve it in stone, AKA write it in a blog post.

The Query I Needed

As part of my work in Guardicore Labs, I needed to query a Mongo database. I wanted to do the following:

  1. fetch documents that match certain criteria;
  2. group them together based on another field.

I didn’t want to sum numbers, calculate…

What For?

If you’ve ever written, read or reversed a Windows application you probably know that many Windows API functions have both an ANSI version (SomeFunctionA) as well as a Unicode version (SomeFunctionW).

Not too long ago, I read that many Windows “A” functions end up calling their corresponding “W” versions, after converting the function’s textual parameters from ANSI to Unicode. Namely, CopyFileA ends up calling CopyFileW, CreateNamedPipeA calls CreateNamedPipeW, etc.

I turned curious and wanted to see this process under the hood. I decided to dive into it and ended up (as I usually do — ) writing about it. …

I have never managed to memorize all of x86 Assembly’s string instructions — so I wrote a cheat sheet for myself. Then I thought other people may find it useful too, and so this cheat sheet is now a blog post.

This is what you’ll find here:

  1. The logic behind x86 string instructions.
  2. All the information from (1) squeezed into a table.
  3. A real-life example.

Let’s go.

Note: in order to understand this post, basic knowledge in x86 Assembly is required. I do not explain what registers are, how a string is represented in memory, etc.

The Logic

The Prefix + Instruction Combo

First, let’s make the…

Two months ago, my dear friend Carine-Belle sent me a tweet by Women In Tech Fund. The organization was giving five tickets to REcon — an annual reverse engineering conference held in Montreal — to five women whom they would find most suitable.

I decided to give it a shot and apply. So I sent the fund an email telling them about how I had started reverse engineering and why I thought this conference and I would make a good match.

About a month later I received a very exciting email. I was going to REcon.

This blog-post is…


Two weeks from today, the first Low Level & Security Celebration will take place. This event is organized by Baot and its goal is to attract more women into the low level and security fields.

I was given the amazing yet terrifying task of teaching the Reverse Engineering workshop. When I started planning the workshop’s last session — I had no idea what to do. I was looking for an interesting challenge that I could use in my workshop.

A dear friend of mine, Aviad Carmel, is a super-skilled reverser and my reverse engineering mentor. …

In short: How to install and setup a network camera that is reachable from outside your private network.


I was never the one to handle connections, cables and routers, until I decided to start watching my two cats while at work (hopefully my boss isn’t reading this).

The two monsters, Xor and Malloc

My boyfriend insisted that I did the whole setup and configuration by myself, which resulted in me leaving behind my hardwareophobia. In this post I intend to write on how I made the cameras start capturing video and enabled remote access to the video with an easy-to-remember domain name.

A Minimal Setup

There are many vendors…

Ophir Harpaz

@ophirharpaz on Twitter. Security researcher at Guardicore. Reverse engineering enthusiast. Author of

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store