A practical, layer-by-layer walkthrough of modern Windows defense evasion for red team operators: the architecture of Microsoft Defender, three generations of AMSI bypass (classic patching, hardware breakpoints, AMSI Write Raid), ETW silencing, AppLocker bypass with built-in LOLBins, and how to stitch them into a working kill chain — plus what blue teams can still detect.
Two-Shot Kernel Shellcode: Bypassing CR4 Pinning With KProbes for Linux Kernel Control-Flow Hijack to Shellcode
A walk-through of zolutal’s revival of the 2017 Project Zero “native_write_cr4” trick on a modern Linux kernel with CR Pinning enabled. The post identifies a tiny window between the CR4 write and the fixup, uses KProbes to land inside it via a control-flow hijack, and chains two arbitrary-call primitives to register a probe and trigger it — ending in user-mode-style shellcode running in ring 0.
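The window the summary refers to comes from the order of operations inside the kernel's CR4 writer: the new value is moved into CR4 first, and only afterwards are the pinned bits (SMEP, SMAP, UMIP) compared and written back if missing. The user-space model below is an added example, not zolutal's or the kernel's code: it re-implements that write-then-check shape with a plain variable standing in for the register and a function pointer standing in for a probe that fires on the instruction after the write. The constructed initial value, the `post_write_probe` hook and the helper names are assumptions made for the model; the real kernel does the write with inline assembly and gates the check on a static key.

```c
#include <stdio.h>

/* CR4 bits that CR pinning protects on x86-64. */
#define X86_CR4_UMIP (1UL << 11)
#define X86_CR4_SMEP (1UL << 20)
#define X86_CR4_SMAP (1UL << 21)

static unsigned long cr4_pinned_bits = X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_UMIP;

/* Constructed starting value: includes SMEP, SMAP and UMIP plus typical feature bits. */
static unsigned long sim_cr4 = 0x370ef0UL;

/* Hypothetical probe hook: models a KProbe landing on the instruction after mov %cr4. */
typedef void (*probe_fn)(unsigned long cr4_now);
static probe_fn post_write_probe = NULL;

static unsigned long observed[4];
static int n_observed = 0;
static unsigned long fixups = 0;

/* Model of native_write_cr4 with CR pinning: write first, verify pinned bits afterwards. */
static void model_native_write_cr4(unsigned long val)
{
    unsigned long bits_changed = 0;
set_register:
    sim_cr4 = val;                 /* the mov %0,%%cr4 */
    if (post_write_probe)          /* the window: a probe here sees CR4 before the fixup */
        post_write_probe(sim_cr4);
    if ((val & cr4_pinned_bits) != cr4_pinned_bits) {
        bits_changed = (val & cr4_pinned_bits) ^ cr4_pinned_bits;
        val |= bits_changed;       /* restore the pinned bits and write again */
        fixups++;
        goto set_register;
    }
    if (bits_changed)
        fprintf(stderr, "pinned CR4 bits changed: 0x%lx!?\n", bits_changed);
}

static void record_probe(unsigned long cr4_now)
{
    if (n_observed < 4)
        observed[n_observed++] = cr4_now;
}

/* Attempt to clear SMEP and return the CR4 value the probe saw the first time it fired. */
unsigned long attack_window_value(void)
{
    n_observed = 0;
    fixups = 0;
    post_write_probe = record_probe;
    model_native_write_cr4(sim_cr4 & ~X86_CR4_SMEP);
    return observed[0];
}

/* CR4 as it stands once the writer has returned, i.e. after the fixup. */
unsigned long final_cr4(void)
{
    return sim_cr4;
}

int main(void)
{
    unsigned long in_window = attack_window_value();
    printf("probe saw CR4=0x%lx (SMEP %s), after fixup CR4=0x%lx, fixups=%lu\n",
           in_window, (in_window & X86_CR4_SMEP) ? "set" : "clear", final_cr4(), fixups);
    return 0;
}
```

The point of the model is the ordering, not the values: the check is sound for any caller that simply returns, because the pinned bits are back before control leaves the function, but code that executes between the write and the comparison runs with SMEP cleared. That is why the post needs a probe placed exactly there rather than just a call to the writer.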
Kernel Karnage Part 1: Patching Windows Kernel Callbacks to Disable EDR from a Driver
A walk-through of NVISO Labs’ first Kernel Karnage post: writing a small Windows kernel driver, locating the undocumented PspCreateProcessNotifyRoutine callback array through disassembly, and patching the EDR’s registered callback out of it. Covers the User/Kernel-space architecture, PatchGuard, kernel-debugger setup, the three-byte opcode bug that caused a BSOD, and a Mimikatz demo with callbacks on and off.