core-jmp

The epoll UAF: A Same-CPU Preemption Race in fs/eventpoll.c on Linux 6.6+

May 27, 2026

by oxfemale Exploit Development kernel-mode Linux Reverse Engineering Security

Deep-dive writeup on a Linux kernel use-after-free in “fs/eventpoll.c”. A 2023 optimisation traded a global “epmutex” for per-instance reference counting in epoll’s graph-walking code, but left the walkers running under “rcu_read_lock()” while “ep_free()” kept calling plain “kfree(ep)” with no RCU deferral — opening a same-CPU preemption race that yields a constrained write through a freed “struct eventpoll”. Fixed in commit “07712db80857″by switching to “kfree_rcu(ep, rcu)”. Affects Linux 6.6+ including Android (Pixel 10 tested).

Dirty Frag: A New Linux Page-Cache Privilege Escalation Class

May 8, 2026

by oxfemale kernel-mode Linux Privilege Escalation Security

Dirty Frag is a Linux kernel local privilege escalation class abusing zero-copy networking, skb fragments, and in-place crypto to corrupt page cache memory and gain root privileges.

How Kernel Anti-Cheats Work: A Deep Dive into Modern Game Protection

April 27, 2026

by oxfemale BYOVD Driver IOCTL kernel kernel-mode winapi winapi windows

The article explains how kernel anti-cheats monitor games from Ring 0 using callbacks, handle filtering, memory scans, driver checks, anti-debugging, VM detection, and hardware fingerprinting.

Signed to Kill: Reverse Engineering a 0-Day Used to Disable CrowdStrike EDR

April 6, 2026

by oxfemale BYOVD EDR Exploit Development exploitation IOCTL kernel kernel-mode PoC Reverse Engineering windows

The article analyzes a Microsoft-signed vulnerable driver used in a BYOVD attack to kill security processes. By sending crafted IOCTL requests with a target PID, attackers can terminate EDR services such as CrowdStrike Falcon.

Breaking Process Protection: Exploiting CVE-2026-0828 in ProcessMonitorDriver.sys

April 2, 2026

by oxfemale BYOVD Driver exploitation IOCTL kernel kernel-mode windows

The KillChain exploit leverages a vulnerability in ProcessMonitorDriver.sys (CVE-2026-0828) by abusing an exposed IOCTL that allows a user-mode application to terminate arbitrary processes — including protected system services — effectively bypassing standard Windows security checks.

MAD Bugs: Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747)

April 1, 2026

by oxfemale AI Security Research Exploit Development exploitation FreeBSD kernel-mode LLM Exploit Development RCE ROP Stack Overflow

Researchers showed that the Claude AI model could generate a working exploit for a FreeBSD kernel vulnerability (CVE-2026-4747), producing a remote root shell by building a stack overflow and ROP chain with minimal human guidance.

Bypassing Code Integrity Using BYOVD for Kernel R/W Primitives

March 27, 2026

by oxfemale BYOVD Bypassing cpp Driver IOCTL kernel kernel-mode user-mode windows

The article shows how BYOVD techniques bypass Windows Code Integrity by loading a vulnerable signed driver and exploiting its IOCTL interface to gain arbitrary kernel read/write access and manipulate protected kernel memory.

Out-of-Cancel: A New Linux Kernel Race Condition Bug Class

March 25, 2026

by oxfemale Exploit Development exploitation kernel-mode Linux Race Condition Use-After-Free

The article introduces the Out-of-Cancel vulnerability class in the Linux kernel, where workqueue cancellation APIs fail to guarantee object lifetime. This race can lead to Use-After-Free bugs, demonstrated using espintcp (CVE-2026-23239).

Ghost in LSASS: Inside the KslKatz Credential Dumping Framework

March 25, 2026

by oxfemale BYOVD Bypassing Credential Attacks kernel kernel-mode LSASS RedTeam windows

KslKatz is a Windows credential-dumping tool that reads LSASS memory using a kernel driver to bypass user-mode protections. It merges techniques from KslDump and GhostKatz to extract authentication secrets with improved stealth.

Breaking the Shield: Unpacking a VMProtected Windows Kernel Driver

March 25, 2026

by oxfemale Debug Driver kernel kernel-mode Python Reverse Engineering VMProtect WinDBG windows

A technical walkthrough showing how to unpack a VMProtected Windows kernel driver using WinDbg and dynamic analysis. The guide demonstrates restoring the hidden Import Address Table and dumping a clean driver for reverse engineering.

core-jmp

Posts in category: kernel-mode

The epoll UAF: A Same-CPU Preemption Race in fs/eventpoll.c on Linux 6.6+

Dirty Frag: A New Linux Page-Cache Privilege Escalation Class

How Kernel Anti-Cheats Work: A Deep Dive into Modern Game Protection

Signed to Kill: Reverse Engineering a 0-Day Used to Disable CrowdStrike EDR

Breaking Process Protection: Exploiting CVE-2026-0828 in ProcessMonitorDriver.sys

MAD Bugs: Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747)

Bypassing Code Integrity Using BYOVD for Kernel R/W Primitives

Out-of-Cancel: A New Linux Kernel Race Condition Bug Class

Ghost in LSASS: Inside the KslKatz Credential Dumping Framework

Breaking the Shield: Unpacking a VMProtected Windows Kernel Driver

Recent Posts

Archives

Categories