core-jmp

Overcoming Space Restrictions with Egghunters in Windows Exploit Development — Savant Web Server 3.1, Syscall & SEH Egghunters, Heap Staging

June 12, 2026

by oxfemale buffer overflow Exploit Development shellcode Vulnerability Analysis windows

When a Windows stack overflow gives you ~250 bytes of crash-buffer space but a useful Meterpreter payload is 400+ bytes, the answer is an egghunter. This walkthrough takes Savant Web Server 3.1 from initial crash to NT-level shell: partial overwrite to defeat the savant.exe null-byte module base, POP EAX RET gadget, a 7-byte conditional jump that exploits pre-zeroed memory, two independent buffers (URL path + HTTP body), then both classic egghunters — syscall-based on Windows 10 (with the NEG trick to encode 0x1C8 null-free) and the OS-agnostic SEH-based variant with a custom dispatcher handler.

Building a DIY EDR from Scratch: Windows Kernel Callbacks, User-Mode Hooks, and Shellcode Injection Detection

May 13, 2026

by oxfemale Bypassing EDR Injection kernel shellcode windows

A hands-on guide to building a basic Windows EDR with a kernel driver, callbacks, static analysis, DLL injection, and hooks to detect remote shellcode injection.

Patchless AMSI Bypass via Page Guard Exceptions

May 5, 2026

by oxfemale AMSI Bypassing EDR powershell RedTeam shellcode winapi windows

The article shows a patchless AMSI bypass using Page Guard exceptions and VEH to intercept AmsiScanBuffer, force an early clean return, and avoid direct code patching.

Evading Antivirus: Bypassing Windows Defender with Tenebris-Gate

May 4, 2026

by oxfemale .NET Antivirus Bypassing EDR powershell RedTeam shellcode winapi windows

The article presents Tenebris-Gate as a layered Windows Defender evasion framework using shellcode encryption, API hashing, anti-debugging, sandbox delays, syscall tricks, and careful memory handling.

Internal NTDLL Functions for Shellcode Execution

May 4, 2026

by oxfemale EDR shellcode winapi windows

The article tests a shellcode execution trick using a private NTDLL function as an indirect call gadget, but notes it may offer limited stealth and can still be detected by mature EDRs.

From MessageBox to Rootkit: A Practical Journey Through Windows Malware Internals

April 27, 2026

by oxfemale APC Driver Hooking Injection IOCTL IRP kernel PEB shellcode winapi winapi windows

The article walks through Windows malware development from dynamic API resolution and PEB walking to injection, APC execution, driver basics, DKOM process hiding, and kernel callback abuse.

Abusing WinML for In-Memory Staging and EDR Evasion

April 14, 2026

by oxfemale Bypassing cpp Machine Learning shellcode windows WML

The research shows how attackers can embed payloads inside ONNX ML models and load them via Windows WinML APIs, staging malware entirely in memory while blending into legitimate machine-learning application behavior.

Tutorial: Adaptix C2 with ShellcodePack and MacroPack

April 9, 2026

by oxfemale EDR Malware shellcode

This tutorial shows how to weaponize Adaptix C2 agents using ShellcodePack and MacroPack, converting payloads into shellcode and packaging them in evasive loaders to improve stealth and bypass EDR during red-team operations.

Inside the Payload: Manual Shellcode Analysis with Ghidra

March 31, 2026

by oxfemale Debug Ghidra Malware Reverse Engineering shellcode winapi winapi windows

The article demonstrates how to analyze Windows shellcode in Ghidra by identifying API-hashing routines, resolving hidden Windows API calls, and extracting C2 infrastructure without relying on automated emulation tools.

Malware and cryptography 44 – encrypt/decrypt payload via Discrete Fourier Transform. Simple C example.

March 10, 2026

by oxfemale cpp Cryptography Encryption Malware powershell powershell shellcode windows

Demonstration how malware can encrypt and decrypt payloads using the Discrete Fourier Transform (DFT). It provides a simple C example showing how mathematical transforms can hide shellcode and help evade static signature-based detection.