cocomelonc’s tabby is a tiny teaching framework for writing position-independent Windows x64 shellcode in C, using indirect NT syscalls and no IAT, no CRT and no PE header. The whole toolchain runs on Linux via mingw-w64, nasm, a custom linker script and objcopy; the framework itself is ~500 lines of C plus ~80 of NASM and produces a flat shellcode.bin ready to inject.
Centurion: A Virtualized Loader and the “Bring Your Own Execution Environment” Model
Praetorian’s Centurion is a virtualized loader built around a custom x86-64-inspired ISA and a freestanding C runtime, in which the PE loader, TLS stack and HTTP client all live behind the interpretation layer. The result is a TLS bind shell running inside a custom VM, shipped in roughly a week of LLM-assisted development.
Gargoyle, A Decade Later: Josh Lospinoso’s Memory-Scanning Evasion Idea, Refreshed for 2026
The 2017 Windows research demo flipped page protections so that a shellcode region was non-executable at scan time and executable only during brief work windows. The 2026 refresh keeps the original Win32/x86 proof of concept central, adds x64, ARM64 and ARM64EC sibling demonstrations, fixes a subtle APC validation error in the SetWaitableTimer/SleepEx path, and reframes the whole exercise as a measurement problem about temporal memory state rather than a hiding trick.
Malware Development Essentials for Operators: From PEB Walking to Kernel-Mode DKOM
A long-form tutorial on Windows malware development for offensive operators. It walks from dynamic API resolution and IAT hooking through process hollowing, DLL injection (LoadLibrary, reflective, syscall-level), Early Bird APC injection with AES-encrypted shellcode (cutting VirusTotal detections from 27/72 to 5/72), and into a full Windows driver: IRP dispatch, kernel-mode DLL injection via image-load callbacks, DKOM process and driver hiding, token stealing from PsInitialSystemProcess, and kernel callbacks for blocking EDR. Hardcoded offsets for Windows 10 build 19041+ are included.