core-jmp

core-jmp

death of core jump

  • Home
  • About
  • Privacy Policy

HomeEDR

Posts in category: EDR

EarlyBird APC Code Injection

EarlyBird APC Injection: A Deep Technical Analysis

February 13, 2026
by oxfemale APCBypassingEDRInjectionshellcodewinapiwindows

The EarlyBird APC technique creates a trusted process in a suspended state, allocates memory for shellcode, and writes the payload. It then queues the shellcode as an Asynchronous Procedure Call (APC) to the suspended thread. Resuming the thread forces immediate, stealthy execution of the malicious code.

Read More
Protected Process / PPL Control Tool

PPLControlShells — Protected Process / PPL Control shells Tool

February 9, 2026
by oxfemale AVBYOVDcppEDRkernelPrivilegeProtectionwindows

PPLControlShells (the ppexec console tool) is a native Windows PP/PPL experimentation and control utility (x64)designed to help researchers understand, test, and demonstrate how Protected Process (PP) and Protected Process Light (PPL) behave on modern Windows (10/11 + compatible Server builds).

Read More

Process Injection via Component Object Model (COM) IRundown::DoCallback() for run cmd.exe from lsass.exe or other pids

February 6, 2026
by oxfemale AdministratorBypassingCallbackscppEDREscalationInjectionLoadershellcodewinapiwindows

A PoC/demo demonstrating code injection via COM (using the IRundown::DoCallback() mechanism) to execute a payload in the context of a selected process, including lsass.exe (or any other PID).

Read More
Abusing Microsoft Warbird for Shellcode Execution

Abusing Microsoft Warbird for Shellcode Execution

February 4, 2026
by oxfemale BypassingEDRshellcodeWarbirdwindows

The article demonstrates an EDR bypass by using an undocumented Warbird interface to stealthily load shellcode.

Read More
Снимок экрана 2026-02-03 в 13.50.46

Using EDR-Redir To Break EDR Via Bind Link and Cloud Filter

February 3, 2026
by oxfemale BYOVDBypassingEDRkernelProtectionwindows

the technique of exploiting the Bind Filter driver (bindflt.sys) to redirect folders containing the executable files of EDRs to a location that I completely control.

Read More
av-edr-kill

AV EDR Killer Project

February 2, 2026
by oxfemale AVBYOVDcppEDRPPLwindows

av-edr-kill is a BYOVD (Bring Your Own Vulnerable Driver) proof-of-concept whose goal is to terminate security-product processes (AV/EDR), including Protected Process Light (PPL) targets, by abusing a legitimately signed third-party kernel driver.

Read More

Recent Posts

  • EarlyBird APC Injection: A Deep Technical Analysis
  • Bypassing Administrator Protection by Abusing UI Access
  • PPLControlShells — Protected Process / PPL Control shells Tool
  • Process Injection via Component Object Model (COM) IRundown::DoCallback() for run cmd.exe from lsass.exe or other pids
  • Abusing Microsoft Warbird for Shellcode Execution

Recent Comments

No comments to show.

Archives

  • February 2026
  • January 2026
  • November 2025
  • September 2025

Categories

  • Administrator
  • alloc
  • APC
  • ASM
  • Audio
  • AV
  • BYOVD
  • Bypassing
  • Callbacks
  • Containers
  • cpp
  • Crypt
  • Debug
  • EDR
  • Escalation
  • Gadgets
  • Injection
  • kernel
  • Library
  • Loader
  • Plugins
  • powershell
  • PPL
  • Privilege
  • Protection
  • ROP
  • shellcode
  • UAC
  • Uncategorized
  • Warbird
  • WASM
  • winapi
  • winapi
  • windows
Log in
© 2026 core-jmp. All rights reserved.
Shopping Basket