CVE-2018-8611 — Exploiting the Windows Kernel Transaction Manager (Part 1/5: Introduction)

CVE-2018-8611 is a race-condition LPE in the Windows Kernel Transaction Manager (KTM), originally caught in the wild by Kaspersky’s AEP in October 2018 and patched in December 2018. This first instalment lays the KTM foundation — transaction managers, resource managers, transactions, enlistments — that the rest of the series builds on.

tabby — A Minimal Position-Independent Windows x64 Shellcode Framework, Built Entirely on Linux

cocomelonc’s tabby is a tiny teaching framework for writing position-independent Windows x64 shellcode in C, with indirect NT syscalls and no IAT, no CRT and no PE header — the whole toolchain runs on Linux via mingw-w64, nasm, a custom linker script, and objcopy. The entire framework is ~500 lines of C plus ~80 lines of NASM and produces a flat shellcode.bin ready to inject.

CuSafe — Catching Memory Corruption on Commodity NVIDIA GPUs (USENIX Security ’26)

CuSafe is a GPU memory sanitizer for off-the-shelf NVIDIA hardware. It combines pointer tagging with in-band buffer bounds via an LLVM 21 transform pass, ships in a 2,964-line implementation, catches every spatial and temporal bug in the authors’ 33-program test suite, and incurs an average 13% slowdown on 44 GPU workloads — including LLaMA2-7B and LLaMA3-8B inference — against compute-sanitizer’s 15× baseline.

Exploiting CVE-2024-1065 via the Page Cache — A Physical-Page UAF in the ARM Mali GPU Driver

CVE-2024-1065 is a physical-page use-after-free in the ARM Mali GPU kernel driver. Because the freed page lands in MIGRATE_MOVABLE, Dirty Pagetable and Dirty Cred do not apply — so this writeup uses a page-cache spray to swap the freed page into the in-memory copy of /usr/bin/passwd and gets root via execve() without touching disk.

Overcoming Space Restrictions with Egghunters in Windows Exploit Development — Savant Web Server 3.1, Syscall & SEH Egghunters, Heap Staging

When a Windows stack overflow gives you ~250 bytes of crash-buffer space but a useful Meterpreter payload is 400+ bytes, the answer is an egghunter. This walkthrough takes Savant Web Server 3.1 from initial crash to NT-level shell: partial overwrite to defeat the savant.exe null-byte module base, POP EAX RET gadget, a 7-byte conditional jump that exploits pre-zeroed memory, two independent buffers (URL path + HTTP body), then both classic egghunters — syscall-based on Windows 10 (with the NEG trick to encode 0x1C8 null-free) and the OS-agnostic SEH-based variant with a custom dispatcher handler.

Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1732): Walkthrough of the ConsoleControl Offset Confusion

CVE-2021-1732 is a Win32k local privilege escalation in win32kfull.sys. By flipping the 0x800 bit on tagWND with NtUserConsoleControl and returning a fake value from a user-mode callback inside xxxClientAllocWindowClassExtraBytes, an attacker turns the cbWndExtra length into a controllable kernel write offset and walks the token to NT AUTHORITY SYSTEM. End-to-end Metasploit PoC against Windows 10 20H2.

GreatXML: Bypassing BitLocker on Windows 11 via a Recovery-Partition unattend.xml

GreatXML is a one-file BitLocker bypass against Windows 11 24H2. Drop an attacker-controlled unattend.xml and ReAgent.xml into the root of the recovery partition; the next Defender Offline reboot honours them at the WinPE Setup pass and spawns an Administrator conhost.exe on top of the splash. The C: volume is already TPM-unsealed at that point, so the shell can cd C: and read everything. No crypto attack, no kernel exploit — just physical access plus two XML files. We reproduce the README, both XML files and both proof screenshots, explain why it works, and give a hardening checklist (TPM+PIN, reagentc /disable, recovery-partition integrity).

Covert Kernel/User Communication Channels on Windows: Rootkits, Game Cheats, and Detection

A defender-side surface map of Windows kernel/user-mode covert channels — mailslots and ALPC, firmware-table providers and WNF, dispatch tables and writable .data pointers, KernelCallbackTable, MDL-backed mailboxes, GPU/DXGK primitives, page-guard signals, EPT/MMIO, DMA cards, and visual capture. Covers the six-plane channel grammar, PatchGuard exposure classes, and a production detection program with baselines, cross-view validation, and false-positive control.