core-jmp

EarlyBird APC Injection: A Deep Technical Analysis

February 13, 2026

by oxfemale APC Bypassing EDR Injection shellcode winapi windows

The EarlyBird APC technique creates a trusted process in a suspended state, allocates memory for shellcode, and writes the payload. It then queues the shellcode as an Asynchronous Procedure Call (APC) to the suspended thread. Resuming the thread forces immediate, stealthy execution of the malicious code.

PPLControlShells — Protected Process / PPL Control shells Tool

February 9, 2026

by oxfemale AV BYOVD cpp EDR kernel Privilege Protection windows

PPLControlShells (the ppexec console tool) is a native Windows PP/PPL experimentation and control utility (x64)designed to help researchers understand, test, and demonstrate how Protected Process (PP) and Protected Process Light (PPL) behave on modern Windows (10/11 + compatible Server builds).

Using EDR-Redir To Break EDR Via Bind Link and Cloud Filter

February 3, 2026

by oxfemale BYOVD Bypassing EDR kernel Protection windows

the technique of exploiting the Bind Filter driver (bindflt.sys) to redirect folders containing the executable files of EDRs to a location that I completely control.

AV EDR Killer Project

February 2, 2026

by oxfemale AV BYOVD cpp EDR PPL windows

av-edr-kill is a BYOVD (Bring Your Own Vulnerable Driver) proof-of-concept whose goal is to terminate security-product processes (AV/EDR), including Protected Process Light (PPL) targets, by abusing a legitimately signed third-party kernel driver.

core-jmp

Posts tagged: EDR

EarlyBird APC Injection: A Deep Technical Analysis

PPLControlShells — Protected Process / PPL Control shells Tool

Using EDR-Redir To Break EDR Via Bind Link and Cloud Filter

AV EDR Killer Project

Recent Posts

Recent Comments

Archives

Categories