cocomelonc’s tabby is a tiny teaching framework for writing position-independent Windows x64 shellcode in C, with indirect NT syscalls and no IAT, no CRT, no PE header — the whole toolchain runs on Linux via mingw-w64, nasm, a custom linker script, and objcopy. The entire framework is ~500 lines of C plus ~80 of NASM and produces a flat shellcode.bin ready to inject.
Centurion: A Virtualized Loader and the “Bring Your Own Execution Environment” Model
Praetorian’s Centurion is a virtualized loader built around a custom x86-64-inspired ISA and freestanding C runtime, where the PE loader, TLS stack and HTTP client all live behind the interpretation layer. The result is a TLS bind shell running inside a custom VM, shipped in roughly a week of LLM-assisted development.
BusyWork: Replacing Sleep with Real Work to Break Behavioral Detection
BusyWork is a Rust library that swaps every sleep() call for a randomized cocktail of real work across seven categories — compute, memory, filesystem, registry, Win32 API, network and crypto — so EDR and anti-cheat sensors see a CPU- and I/O-active thread instead of the periodic sleep/wake cadence they hunt for. No timing primitives in the binary, ~5 jittered tasks out of 76 per call, ±30% parameter randomization, function-pointer dispatch.
Gargoyle, A Decade Later: Josh Lospinoso’s Memory-Scanning Evasion Idea, Refreshed for 2026
Revisits the 2017 Windows research demo that flipped page protections so a shellcode region was non-executable at scan time and executable only during brief work windows. The 2026 refresh keeps the original Win32/x86 proof of concept central, adds x64, ARM64, and ARM64EC sibling demonstrations, fixes a subtle SetWaitableTimer/SleepEx APC validation error, and reframes the whole exercise as a measurement problem about temporal memory state rather than a hiding trick.
Callback Hell: Abusing Callbacks, Tail Calls, and Proxy Frames to Obfuscate the Stack
A walkthrough of klezVirus’ “Callback hell” — a technique that hides callback frames from stack inspectors by combining tail-calls, forward and backward proxy frames, and a chained thread-pool dispatcher, while still recovering the callee’s return value via a MOV [REG], RAX gadget. Published under CC BY 4.0 and republished here in full, with all original figures, assembly listings, and the POC video.
APC Tandem: A Primitive-Chaining Process Injection That Slips Past Common EDR Triggers
A walkthrough of “APC Tandem”, a stealth Windows process-injection technique that replaces WriteProcessMemory, CreateRemoteThread and VirtualAllocEx with a chain of less-watched primitives — thread description smuggling, paired GetThreadDescription/RtlMoveMemory APCs, and a Special User APC for execution.