A walkthrough of klezVirus’ “Callback hell” — a technique that hides callback frames from stack inspectors by combining tail-calls, forward and backward proxy frames, and a chained thread-pool dispatcher, while still recovering the callee’s return value via a MOV [REG], RAX gadget. Published under CC BY 4.0 and republished here in full, with all original figures, assembly listings, and the POC video.
Between 2025 and 2026, BYOVD attacks completed a fundamental paradigm shift: from exploiting known-vulnerable drivers to abusing legitimately-signed drivers and certificates themselves. This English rewrite of the Ghost Wolf Lab research walks through dual-driver campaigns, single-byte signature-preserving hash flips, independent certificate abuse, and Microsoft’s March 2026 cross-signed trust removal.
A walkthrough of “APC Tandem”, a stealth Windows process-injection technique that replaces WriteProcessMemory, CreateRemoteThread and VirtualAllocEx with a chain of less-watched primitives — thread description smuggling, paired GetThreadDescription/RtlMoveMemory APCs, and a Special User APC for execution.
GhostTree abuses NTFS junctions to create recursive, near-endless valid paths. Recursive scanners and EDRs can hang in the maze while malware in the parent folder remains unchecked. Watch junction creation.
A hands-on guide to building a basic Windows EDR with a kernel driver, callbacks, static analysis, DLL injection, and hooks to detect remote shellcode injection.
The article shows a patchless AMSI bypass using Page Guard exceptions and VEH to intercept AmsiScanBuffer, force an early clean return, and avoid direct code patching.
The article presents Tenebris-Gate as a layered Windows Defender evasion framework using shellcode encryption, API hashing, anti-debugging, sandbox delays, syscall tricks, and careful memory handling.
The article tests a shellcode execution trick using a private NTDLL function as an indirect call gadget, but notes it may offer limited stealth and can still be detected by mature EDRs.
Reversing a legitimately signed Windows kernel driver to map 13 IOCTLs exposing physical memory access, MSR read/write, kernel memcpy, and more, and why this is the foundation of every BYOVD attack.
