Exploit Development21 IDT Table Hijacking under VBS/HVCI/kCET in Windows 11
A data-only technique that hijacks the x64 Interrupt Descriptor Table (IDT) to achieve kernel code execution on a fully hardened Windows 11…
Exploit Development21 A data-only technique that hijacks the x64 Interrupt Descriptor Table (IDT) to achieve kernel code execution on a fully hardened Windows 11…
Linux17 Pack2TheRoot (CVE-2026-41651) is a high-severity local privilege escalation flaw in PackageKit that lets any unprivileged user win a race condition during InstallFiles…
Exploit Development20 DirtyClone (CVE-2026-43503) is a high-severity Linux LPE in the DirtyFrag family. A dropped SKBFL_SHARED_FRAG flag during __pskb_copy_fclone() skb cloning lets in-place IPsec…
Apple Silicon18 Apple Silicon's chain of trust hands the XNU kernel an SMMU/IOMMU configuration that iBoot builds once and the OS never re-verifies. An…
Reverse Engineering14 A walkthrough of a recurring type-confusion pattern in Windows RPC servers: when an interface accepts an FC_BINDING_CONTEXT handle without checking its object…
Containers13 A deep technical walkthrough of ipv6_frag_escape, a public proof-of-concept exploit that converts a Linux kernel IPv6 fragmentation linear overflow into a reliable…
ALPC8 CVE-2020-1027 is a heap buffer overflow in the Windows CSRSS SxS assembly component. A missing bounds check on UNICODE_STRING.MaximumLength in an ALPC…
Hardware13 Quarkslab's black-box teardown of Xiaomi's undocumented MJA1 secure chip: I2C sniffing, SPI NAND flash dumping, MIPS firmware reverse engineering, full command protocol…
Debug12 This post tackles CFG and CET/Shadow Stack bypasses for sleep obfuscation. It registers ROP gadgets via NtSetInformationVirtualMemory, swaps TIB stack bounds instead…
Malware13 This post details the journey of hardening Adaptix C2's default agent DLL using Crystal Palace's Reflective DLL loader. It implements IAT hooking,…
Deep dive into Windows PE file format—headers, sections, and loader mechanics. Explains how security products (AV/EDR) detect malware via static analysis: entropy,…
RPC8 Many Windows RPC servers expose several context-handle types under one interface. When the IDL marks a handle as FC_BIND_CONTEXT (0x70) instead of…