A Windows kernel research technique that uses Microsoft PDB symbols to resolve offsets dynamically, avoiding hardcoded values and manual WinDBG work across builds.
Building a DIY EDR from Scratch: Windows Kernel Callbacks, User-Mode Hooks, and Shellcode Injection Detection
A hands-on guide to building a basic Windows EDR with a kernel driver, callbacks, static analysis, DLL injection, and hooks to detect remote shellcode injection.
Process Injection Without the Usual Red Flags: Abusing Windows Primitives to Outsmart Classic EDR Telemetry
A Windows injection technique that builds remote read/write/allocation primitives with limited process rights, reducing classic RPM/WPM telemetry and noisy access flags.
Dirty Frag: A New Linux Page-Cache Privilege Escalation Class
Dirty Frag is a Linux kernel local privilege escalation class abusing zero-copy networking, skb fragments, and in-place crypto to corrupt page cache memory and gain root privileges.
Shadow SSDT Hijacking: Achieving Kernel Code Execution via Read-Write Primitives
The article shows how Shadow SSDT hijacking can turn kernel read/write primitives into transient kernel code execution by redirecting a GUI syscall path through win32k and restoring it afterward.
Patchless AMSI Bypass via Page Guard Exceptions
The article shows a patchless AMSI bypass using Page Guard exceptions and VEH to intercept AmsiScanBuffer, force an early clean return, and avoid direct code patching.
Recursively fuzzing MS-RPC structures and monitoring using ETW
The article updates MS-RPC-Fuzzer with recursive structure fuzzing, union support, ETW-based syscall monitoring, canary tracking, crash replay, and a Spooler case where SYSTEM loads a DLL.
Silencing the EDR Silencers
The article shows how attackers silence EDRs with firewall/WFP rules that block cloud communication, and how defenders can prevent or rapidly remove those rules via registry callbacks and APIs.
Evading Antivirus: Bypassing Windows Defender with Tenebris-Gate
The article presents Tenebris-Gate as a layered Windows Defender evasion framework using shellcode encryption, API hashing, anti-debugging, sandbox delays, syscall tricks, and careful memory handling.
Internal NTDLL Functions for Shellcode Execution
The article tests a shellcode execution trick using a private NTDLL function as an indirect call gadget, but notes it may offer limited stealth and can still be detected by mature EDRs.