Bypassing Windows Defender and AMSI: A Practical Defense Evasion Guide for Red Team Operators

A practical, layer-by-layer walkthrough of modern Windows defense evasion for red team operators: the architecture of Microsoft Defender, three generations of AMSI bypass (classic patching, hardware breakpoints, AMSI Write Raid), ETW silencing, AppLocker bypass with built-in LOLBins, and how to stitch them into a working kill chain — plus what blue teams can still detect.

Two-Shot Kernel Shellcode: Bypassing CR4 Pinning With KProbes for Linux Kernel Control-Flow Hijack to Shellcode

A walk-through of zolutal’s revival of the 2017 Project Zero “native_write_cr4” trick on a modern Linux kernel with CR Pinning enabled. The post identifies a tiny window between the CR4 write and the fixup, uses KProbes to land inside it via a control-flow hijack, and chains two arbitrary-call primitives to register a probe and trigger it — ending in user-mode-style shellcode running in ring 0.

Kernel Karnage Part 1: Patching Windows Kernel Callbacks to Disable EDR from a Driver

A walk-through of NVISO Labs’ first Kernel Karnage post: writing a small Windows kernel driver, locating the undocumented PspCreateProcessNotifyRoutine callback array through disassembly, and patching the EDR’s registered callback out of it. Covers the User/Kernel-space architecture, PatchGuard, kernel-debugger setup, the three-byte opcode bug that caused a BSOD, and a Mimikatz demo with callbacks on and off.

Eventvwr.exe UAC Bypass via mscfile: Anatomy of a Classic HKCU Registry Hijack

A walkthrough of the well-documented Windows UAC bypass that uses “eventvwr.exe”’s auto-elevate manifest plus a writable HKCU registry handler for the “mscfile” shell verb. Writing a single REG_SZ value under “HKCU\Software\Classes\mscfile\shell\open\command” and launching “eventvwr.exe” via “ShellExecuteEx” with the “runas” verb causes Windows to silently spawn the attacker’s payload at High integrity — no consent prompt. S12 reproduces the technique in a small C++ tool, demonstrates near-universal AV evasion on Kleenscan, and discusses the detection footprint.

Visual Studio Extensions Revisited: Building, Publishing, and Hunting Malicious VSIXs

MDSec returns to the Visual Studio extension ecosystem three years after their VS Code work. A modern “VisualStudio.Extensibility” extension that fetches and runs an arbitrary .NET assembly via reflection — built from the stock template, published on the Marketplace under the “MSAzure” publisher with no security checks — takes a renamed “Microsoft” publisher around an hour to land. The second half of the post is a five-stage triage pipeline (Acquisition → Unpacking → Decompilation → LLM Triage → Agent Investigation) over the 8,566 analysable VSIX packages currently on the Marketplace, surfacing a backdoor-shaped “vs-publisher-1477920/FVsEx” extension that exfiltrates host info to “qweq.xyz” and dispatches commands to “cmd.exe”.

Reverse Engineering for Beginners: Defeating an XOR Crackme on Windows x64

A step-by-step walkthrough of reverse-engineering a Windows x64 crackme that XORs its input against a hard-coded 10-byte key before comparing it to an embedded array. Using x64dbg, we follow the password byte into RAX, find the XOR site at “0x40171E”, recover the key (“U V W X Y Z Q R S T”) from RBP-relative stack slots, then XOR the comparison array back through that key to recover the original password — “strongpass”. Source code is reproduced verbatim from the author’s GitHub.

CVE-2026-40369: Arbitrary Kernel Address Increment via NtQuerySystemInformation

CVE-2026-40369 is a Windows kernel bug in “nt!ExpGetProcessInformation” that lets any unprivileged process — including one inside Chrome’s renderer sandbox — increment three DWORDs at an attacker-chosen kernel address per syscall, with no race condition, no heap spray, and 100% determinism. This deep dive walks Ori Nimron’s full exploit chain: KASLR via the prefetch side-channel, arbitrary kernel “read” via “CmpLayerVersions” type confusion (built on the Windows UTF-8 conversion path), token-privilege bitmask increment to grant SeDebugPrivilege, code injection into a SYSTEM process, and a clean restore of “CmpLayerVersionCount” at the end. Rewritten from the canonical pwn2nimron.com writeup with all original IDA decompilations and the PoC reproduced verbatim.

Gargoyle, A Decade Later: Josh Lospinoso’s Memory-Scanning Evasion Idea, Refreshed for 2026

The 2017 Windows research demo that flipped page protections so a shellcode region was non-executable at scan time and executable only during brief work windows. The 2026 refresh keeps the original Win32/x86 proof of concept central, adds x64, ARM64, and ARM64EC sibling demonstrations, fixes a subtle “SetWaitableTimer”/“SleepEx” APC validation error, and reframes the whole exercise as a measurement problem about temporal memory state rather than a hiding trick.

CVE-2024-27398: Exploiting a Linux Bluetooth SCO Use-After-Free with SMEP Bypass

A full walkthrough of CVE-2024-27398, a race-induced use-after-free in the Linux 6.8 Bluetooth SCO subsystem. The exploit races two connect() threads on the same SCO socket to orphan a delayed-work timer, reclaims the freed sock with add_key(), forges a valid DEBUG_SPINLOCK pattern in the spray payload, and uses an xchg eax, esp ; ret gadget to pivot the kernel stack into userspace — bypassing SMEP with pure ROP and overwriting modprobe_path to get root.