CVE-2018-8611 is a race-condition LPE in the Windows Kernel Transaction Manager (KTM), originally caught in the wild by Kaspersky’s AEP in October 2018 and patched in December 2018. This first instalment lays the KTM foundation — transaction managers, resource managers, transactions, enlistments — that the rest of the series builds on.
CVE-2024-1065 is a physical-page use-after-free in the ARM Mali GPU kernel driver. Because the freed page lands in MIGRATE_MOVABLE, Dirty Pagetable and Dirty Cred do not apply — so this writeup uses a page-cache spray to swap the freed page into the in-memory copy of /usr/bin/passwd and gets root via execve() without touching disk.
A walkthrough of a classic-but-still-effective Active Directory attack: how write access to an SMB share — plus a single .lnk file — lets an attacker capture Net-NTLMv2 hashes from every user who simply browses the folder, with no clicks, no payload execution, and almost no EDR signal.
When a Windows stack overflow gives you ~250 bytes of crash-buffer space but a useful Meterpreter payload is 400+ bytes, the answer is an egghunter. This walkthrough takes Savant Web Server 3.1 from initial crash to NT-level shell: partial overwrite to defeat the savant.exe null-byte module base, POP EAX RET gadget, a 7-byte conditional jump that exploits pre-zeroed memory, two independent buffers (URL path + HTTP body), then both classic egghunters — syscall-based on Windows 10 (with the NEG trick to encode 0x1C8 null-free) and the OS-agnostic SEH-based variant with a custom dispatcher handler.
CVE-2021-1732 is a Win32k local privilege escalation in win32kfull.sys. By flipping the 0x800 bit on tagWND with NtUserConsoleControl and returning a fake value from a user-mode callback inside xxxClientAllocWindowClassExtraBytes, an attacker turns the cbWndExtra length into a controllable kernel write offset and walks the token to NT AUTHORITY SYSTEM. End-to-end Metasploit PoC against Windows 10 20H2.
GreatXML is a one-file BitLocker bypass against Windows 11 24H2. Drop an attacker-controlled unattend.xml and ReAgent.xml into the root of the recovery partition; the next Defender Offline reboot honours them at the WinPE Setup pass and spawns an Administrator conhost.exe on top of the splash. The C: volume is already TPM-unsealed at that point, so the shell can cd C: and read everything. No crypto attack, no kernel exploit — just physical access plus two XML files. We reproduce the README, both XML files and both proof screenshots, explain why it works, and give a hardening checklist (TPM+PIN, reagentc /disable, recovery-partition integrity).
A defender-side surface map of Windows kernel/user-mode covert channels — mailslots and ALPC, firmware-table providers and WNF, dispatch tables and writable .data pointers, KernelCallbackTable, MDL-backed mailboxes, GPU/DXGK primitives, page-guard signals, EPT/MMIO, DMA cards, and visual capture. Covers the six-plane channel grammar, PatchGuard exposure classes, and a production detection program with baselines, cross-view validation, and false-positive control.
Walk-through of Lukas Maar’s page-level use-after-free in the Linux kernel’s QAIC (Qualcomm AI Accelerator) DRM driver: the missing VMA boundary check in qaic_gem_object_mmap leaves stale page-table entries pointing at compound-page memory the kernel has already freed; reclaim the underlying order-3 page as a pipe_buffer slab and the dangling user mapping turns into an arbitrary kernel-physical read/write primitive, which the exploit chains via init_task lookup into a clean root.
Walk-through of Xyrem’s reversing.info analysis of Valorant’s Vanguard Guarded Regions: how Vanguard hides game state behind a private “shadow” PML4 entry that’s only swapped in when one of its own whitelisted threads is on the CPU, the SwapContext hook that drives the swap, and how a cheat can rebuild the same primitive with its own kernel driver to expose hidden game memory after thread whitelisting.
Walk-through of Jack Halon’s “Utilizing Syscalls in C# — Part 2” post: building a direct-syscall NtCreateFile PoC in C# .NET 3.5, extracting the syscall stub from ntdll in WinDbg, mapping it as executable memory with VirtualProtect, invoking it through a P/Invoke delegate, and verifying via Process Monitor that the call goes straight to the kernel without touching ntdll’s NtCreateFile prologue.
