core-jmp

GreatXML: Bypassing BitLocker on Windows 11 via a Recovery-Partition unattend.xml

June 11, 2026

by oxfemale BitLocker Bypassing Defender exploitation Recovery mode

GreatXML is a one-file BitLocker bypass against Windows 11 24H2. Drop an attacker-controlled unattend.xml and ReAgent.xml into the root of the recovery partition; the next Defender Offline reboot honours them at the WinPE Setup pass and spawns an Administrator conhost.exe on top of the splash. The C: volume is already TPM-unsealed at that point, so the shell can cd C: and read everything. No crypto attack, no kernel exploit — just physical access plus two XML files. We reproduce the README, both XML files and both proof screenshots, explain why it works, and give a hardening checklist (TPM+PIN, reagentc /disable, recovery-partition integrity).

eventvwr.exe UAC bypass via mscfile registry hijack methodology diagram

Eventvwr.exe UAC Bypass via mscfile: Anatomy of a Classic HKCU Registry Hijack

May 31, 2026

by oxfemale Bypassing Exploit Development Privilege Escalation windows

A walkthrough of the well-documented Windows UAC bypass that uses “eventvwr.exe”’s auto-elevate manifest plus a writable HKCU registry handler for the “mscfile” shell verb. Writing a single REG_SZ value under “HKCUSoftwareClassesmscfileshellopencommand and launching “eventvwr.exe” via “ShellExecuteEx” with the “runas” verb causes Windows to silently spawn the attacker’s payload at High integrity — no consent prompt. S12 reproduces the technique in a small C++ tool, demonstrates near-universal AV evasion on Kleenscan, and discusses the detection footprint.

Normal Callback call stack showing callback address visible in inspector

Callback Hell: Abusing Callbacks, Tail Calls, and Proxy Frames to Obfuscate the Stack

May 24, 2026

by oxfemale Bypassing EDR EDR Evasion Exploit Development RedTeam Reverse Engineering

A walkthrough of klezVirus’ “Callback hell” — a technique that hides callback frames from stack inspectors by combining tail-calls, forward and backward proxy frames, and a chained thread-pool dispatcher, while still recovering the callee’s return value via a MOV [REG], RAX gadget. Published under CC BY 4.0 and republished here in full, with all original figures, assembly listings, and the POC video.

Building a DIY EDR from Scratch: Windows Kernel Callbacks, User-Mode Hooks, and Shellcode Injection Detection

May 13, 2026

by oxfemale Bypassing EDR Injection kernel shellcode windows

A hands-on guide to building a basic Windows EDR with a kernel driver, callbacks, static analysis, DLL injection, and hooks to detect remote shellcode injection.

Patchless AMSI Bypass via Page Guard Exceptions

May 5, 2026

by oxfemale AMSI Bypassing EDR powershell RedTeam shellcode winapi windows

The article shows a patchless AMSI bypass using Page Guard exceptions and VEH to intercept AmsiScanBuffer, force an early clean return, and avoid direct code patching.

Silencing the EDR Silencers

May 5, 2026

by oxfemale Bypassing EDR Firewall RedTeam winapi windows

The article shows how attackers silence EDRs with firewall/WFP rules that block cloud communication, and how defenders can prevent or rapidly remove those rules via registry callbacks and APIs.

Evading Antivirus: Bypassing Windows Defender with Tenebris-Gate

May 4, 2026

by oxfemale .NET Antivirus Bypassing EDR powershell RedTeam shellcode winapi windows

The article presents Tenebris-Gate as a layered Windows Defender evasion framework using shellcode encryption, API hashing, anti-debugging, sandbox delays, syscall tricks, and careful memory handling.

gdrv3.sys – Reverse Engineering a Signed Kernel Driver with 13 Hardware Access Primitives

May 4, 2026

by oxfemale BYOVD Bypassing EDR IOCTL IRP kernel PPL windows

Reversing a legitimately signed Windows kernel driver to map 13 IOCTLs exposing physical memory access, MSR read/write, kernel memcpy, and more, and why this is the foundation of every BYOVD attack.

Patchless AMSI Bypass via Page Guard Exceptions

April 29, 2026

by oxfemale AMSI Bypassing windows

The article shows a patchless AMSI bypass using Page Guard exceptions and VEH to intercept AmsiScanBuffer, force an early clean return, and avoid direct code patching.

Abusing WinML for In-Memory Staging and EDR Evasion

April 14, 2026

by oxfemale Bypassing cpp Machine Learning shellcode windows WML

The research shows how attackers can embed payloads inside ONNX ML models and load them via Windows WinML APIs, staging malware entirely in memory while blending into legitimate machine-learning application behavior.

core-jmp

Posts in category: Bypassing

GreatXML: Bypassing BitLocker on Windows 11 via a Recovery-Partition unattend.xml

Eventvwr.exe UAC Bypass via mscfile: Anatomy of a Classic HKCU Registry Hijack

Callback Hell: Abusing Callbacks, Tail Calls, and Proxy Frames to Obfuscate the Stack

Building a DIY EDR from Scratch: Windows Kernel Callbacks, User-Mode Hooks, and Shellcode Injection Detection

Patchless AMSI Bypass via Page Guard Exceptions

Silencing the EDR Silencers

Evading Antivirus: Bypassing Windows Defender with Tenebris-Gate

gdrv3.sys – Reverse Engineering a Signed Kernel Driver with 13 Hardware Access Primitives

Patchless AMSI Bypass via Page Guard Exceptions

Abusing WinML for In-Memory Staging and EDR Evasion

Recent Posts

Archives

Categories