zer0matt’s Milan0day 2026 talk walks through a clean BYOVD chain: ThrottleStop.sys (CVE-2025-7771) gives arbitrary physical-memory R/W via MmMapIoSpace, used to inline-patch NtAddAtom into a temporary trampoline. Phase 1 redirects to PsLookupProcessByProcessId to lift the target’s EPROCESS pointer; phase 2 redirects to PsTerminateProcess to kill the AV/EDR from kernel mode. Original bytes are restored after each shot to dodge PatchGuard. PoC: github.com/zer0matt/Milan0day2026
Client-Side Container Attack: DLL Sideloading wab.exe via Email Archive Delivery
Walkthrough of an initial-access chain that ships a signed Microsoft binary (wab.exe / Windows Address Book) and a hidden CRYPTDLG.dll proxy in the same archive, delivered via Google Drive to dodge Gmail’s blanket 7-zip block. perfect-dll-proxy / SharpDllProxy generate the forwarder, cl.exe compiles the x64 DLL, DllMain pops a MessageBox to confirm execution — and when MotW doesn’t propagate through the extract step the operator gets clean code execution under a trusted Microsoft signer.
Microsoft Defender Now Monitors Remote RPC Activity: What It Catches and How to Hunt
Microsoft Defender now audits inbound remote RPC calls at OpNum-level granularity through a Windows Filtering Platform integration, surfacing telemetry in Advanced Hunting and feeding detections like Impacket-style hands-on-keyboard, suspicious remote service creation, LSA secrets theft, RPC user / session discovery, and authentication coercion — with sample KQL queries for Remote Registry abuse, remote service creation, and NetrSessionEnum-based session discovery.
OOBdump: Single-Shot Heap-OOB Exploitation of objdump -g via FR30 Relocations
A missing bounds check in binutils’ FR30 relocation handler lets a single crafted object file turn objdump -g into a one-shot exploit chain — defeating ASLR, PIE and modern heap hardening with no information leak. The Calif team’s writeup walks through wrapping a 64-bit arelent offset, swapping endianness via a 2-byte partial overwrite of an xvec pointer, borrowing i386’s partial_inplace relocation as an OOB increment, and finally pivoting to code execution through a House of Apple 2 FILE-struct hijack.
BusyWork: Replacing Sleep with Real Work to Break Behavioral Detection
BusyWork is a Rust library that swaps every sleep() call for a randomized cocktail of real work across seven categories — compute, memory, filesystem, registry, Win32 API, network and crypto — so EDR and anti-cheat sensors see a CPU- and I/O-active thread instead of the periodic sleep/wake cadence they hunt for. No timing primitives in the binary, ~5 jittered tasks out of 76 per call, ±30% parameter randomization, function-pointer dispatch.
BOF Cocktails in Cobalt Strike: Instrumenting BOFs with BEACON_INLINE_EXECUTE and Crystal Palace
Cobalt Strike 4.13 ships a new BEACON_INLINE_EXECUTE Aggressor hook that lets operators rewrite Beacon Object File bytes on the fly. Combined with Rasta Mouse’s Crystal Palace toolkit, the hook becomes a clean intercept point for merging tradecraft — API instrumentation, unhooking, telemetry suppression — directly into postex BOFs at runtime, no agent or loader hacks required.
Qualcomm QAIC Kernel Driver Page Use-After-Free: From Stale Mmap to Pipe-Buffer-Backed Kernel R/W (Walk-through of Lukas Maar’s Linux v6.18 Exploit)
Walk-through of Lukas Maar’s page-level use-after-free in the Linux kernel’s QAIC (Qualcomm AI Accelerator) DRM driver: a missing VMA boundary check in qaic_gem_object_mmap leaves stale page-table entries pointing at compound-page memory the kernel has already freed; reclaiming the underlying order-3 page as a pipe_buffer slab turns the dangling user mapping into an arbitrary kernel physical read/write primitive, which the exploit chains, via an init_task lookup, into a clean root.
Social Engineering: Attacking Networks with a BadUSB-ETH, Part 2
A BadUSB-ETH device can silently create a rogue network interface on locked PCs, capture NetNTLM hashes, expose real-time logs over Wi-Fi, and enable remote access, showing why USB whitelisting and strict physical security controls matter.
Reverse-engineering Valorant’s Vanguard Guarded Regions: PML4 Cloning, CR3 Swaps, and the SwapContext Hook PoC (Walk-through of Xyrem’s Post)
Walk-through of Xyrem’s reversing.info analysis of Valorant’s Vanguard Guarded Regions: how Vanguard hides game state behind a private “shadow” PML4 entry that’s only swapped in when one of its own whitelisted threads is on the CPU, the SwapContext hook that drives the swap, and how a cheat can rebuild the same primitive with its own kernel driver to expose hidden game memory after thread whitelisting.
Red Team Tactics: Utilizing Syscalls in C# — Writing the Code (Walk-through of Jack Halon’s Direct-Syscall PoC)
Walk-through of Jack Halon’s “Utilizing Syscalls in C# — Part 2” post: building a direct-syscall NtCreateFile PoC in C# .NET 3.5, extracting the syscall stub from ntdll in WinDbg, mapping it as executable memory with VirtualProtect, invoking it through a P/Invoke delegate, and verifying via Process Monitor that the call goes straight to the kernel without touching ntdll’s NtCreateFile prologue.