tabby — A Minimal Position-Independent Windows x64 Shellcode Framework, Built Entirely on Linux

tabby — A Minimal Position-Independent Windows x64 Shellcode Framework, Built Entirely on Linux

cocomelonc’s tabby is a tiny teaching framework for writing position-independent Windows x64 shellcode in C, with indirect NT syscalls and no IAT, no CRT, no PE header — the whole toolchain runs on Linux via mingw-w64, nasm, a custom linker script, and objcopy. The whole thing is ~500 lines of C plus ~80 of NASM and produces a flat shellcode.bin ready to inject.

Successful MessageBoxA popup launched by the proxy CRYPTDLG.dll when wab.exe loads it

Client-Side Container Attack: DLL Sideloading wab.exe via Email Archive Delivery

Walkthrough of an initial-access chain that ships a signed Microsoft binary (wab.exe / Windows Address Book) and a hidden CRYPTDLG.dll proxy in the same archive, delivered via Google Drive to dodge Gmail’s blanket 7-zip block. perfect-dll-proxy / SharpDllProxy generate the forwarder, cl.exe compiles the x64 DLL, DllMain pops a MessageBox to confirm execution — and when MotW doesn’t propagate through the extract step the operator gets clean code execution under a trusted Microsoft signer.

Cobalt Strike Beacon console showing dprintf output from the BOF Cocktails OpenProcessToken hook

BOF Cocktails in Cobalt Strike: Instrumenting BOFs with BEACON_INLINE_EXECUTE and Crystal Palace

Cobalt Strike 4.13 ships a new BEACON_INLINE_EXECUTE Aggressor hook that lets operators rewrite Beacon Object File bytes on the fly. Combined with Rasta Mouse’s Crystal Palace toolkit, the hook becomes a clean intercept point for merging tradecraft — API instrumentation, unhooking, telemetry suppression — directly into postex BOFs at runtime, no agent or loader hacks required.

Reverse-engineering Valorant's Vanguard Guarded Regions: PML4 Cloning, CR3 Swaps, and the SwapContext Hook PoC (Walk-through of Xyrem's Post)

Reverse-engineering Valorant’s Vanguard Guarded Regions: PML4 Cloning, CR3 Swaps, and the SwapContext Hook PoC (Walk-through of Xyrem’s Post)

Walk-through of Xyrem’s reversing.info analysis of Valorant’s Vanguard Guarded Regions: how Vanguard hides game state behind a private “shadow” PML4 entry that’s only swapped in when one of its own whitelisted threads is on the CPU, the SwapContext hook that drives the swap, and how a cheat can rebuild the same primitive with its own kernel driver to expose hidden game memory after thread whitelisting.

Red Team Tactics: Utilizing Syscalls in C# — Writing the Code (Walk-through of Jack Halon's Direct-Syscall PoC)

Red Team Tactics: Utilizing Syscalls in C# — Writing the Code (Walk-through of Jack Halon’s Direct-Syscall PoC)

Walk-through of Jack Halon’s “Utilizing Syscalls in C# — Part 2” post: building a direct-syscall NtCreateFile PoC in C# .NET 3.5, extracting the syscall stub from ntdll in WinDbg, mapping it as executable memory with VirtualProtect, invoking it through a P/Invoke delegate, and verifying via Process Monitor that the call goes straight to the kernel without touching ntdll’s NtCreateFile prologue.

Bypassing Windows Defender and AMSI: A Practical Defense Evasion Guide for Red Team Operators

Bypassing Windows Defender and AMSI: A Practical Defense Evasion Guide for Red Team Operators

A practical, layer-by-layer walkthrough of modern Windows defense evasion for red team operators: the architecture of Microsoft Defender, three generations of AMSI bypass (classic patching, hardware breakpoints, AMSI Write Raid), ETW silencing, AppLocker bypass with built-in LOLBins, and how to stitch them into a working kill chain — plus what blue teams can still detect.

HyperDbg kernel debugger architecture diagram, illustrating Windows kernel debugging used in red team driver development

Kernel Karnage Part 1: Patching Windows Kernel Callbacks to Disable EDR from a Driver

A walk-through of NVISO Labs’ first Kernel Karnage post: writing a small Windows kernel driver, locating the undocumented PspCreateProcessNotifyRoutine callback array through disassembly, and patching the EDR’s registered callback out of it. Covers the User/Kernel-space architecture, PatchGuard, kernel-debugger setup, the three-byte opcode bug that caused a BSOD, and a Mimikatz demo with callbacks on and off.

Visual Studio extension project template selection screen

Visual Studio Extensions Revisited: Building, Publishing, and Hunting Malicious VSIXs

MDSec returns to the Visual Studio extension ecosystem three years after their VS Code work. A modern “VisualStudio.Extensibility” extension that fetches and runs an arbitrary .NET assembly via reflection — built from the stock template, published on the Marketplace under the “MSAzure” publisher with no security checks — takes a renamed “Microsoft” publisher around an hour to land. The second half of the post is a five-stage triage pipeline (Acquisition → Unpacking → Decompilation → LLM Triage → Agent Investigation) over the 8,566 analysable VSIX packages currently on the Marketplace, surfacing a backdoor-shaped “vs-publisher-1477920/FVsEx” extension that exfiltrates host info to “qweq.xyz” and dispatches commands to “cmd.exe”.