The research reverse-engineers Windows AFD.sys, showing how TCP sockets can be created, connected, and used by sending handcrafted IOCTL requests directly to the kernel driver—completely bypassing the Winsock networking API.
Physical Network Sniffing: Capturing Ethernet Traffic with Simple Alligator Clips
The article demonstrates how Ethernet traffic can be passively intercepted at the physical layer using simple tools like alligator clips attached to network cables. It highlights risks of exposed wiring and shows how attackers can capture unencrypted traffic.
Windows Kernel Debugging
The article explains how to set up Windows kernel debugging over a network using WinDBG and a host/target configuration. It covers enabling debug mode, connecting WinDBG to a remote VM, and using kernel debug infrastructure for low-level inspection and manipulation.
EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows (CVE-2025-29969)
SafeBreach Labs disclosed a critical RCE in the MS-EVEN RPC service (CVE-2025-29969) that lets low-privilege users write arbitrary files remotely on Windows 11/Server 2025, bypassing share limits. Patched May 2025.