core-jmp

death of core jump

Posts in category: Winsock

NT AFD.SYS HTTP Downloader: From First Syscall to bypass the majority of usermode EDR hooks

March 18, 2026
by oxfemale. Tags: Bypassing, cpp, EDR, IOCTL, Network, PEB, Reverse Engineering, TCP/IP, user-mode, winapi, WinDBG, windows, Winsock

The article demonstrates how to bypass the Winsock layer by communicating directly with the Windows AFD driver using Native API calls. It explains how socket operations can be replicated via IOCTLs and how this reduces reliance on standard networking APIs.

Peeling Back the Socket Layer: Reverse Engineering Windows AFD.sys

March 16, 2026
by oxfemale. Tags: cpp, IOCTL, kernel, kernel-mode, Network, Reverse Engineering, TCP/IP, winapi, WinDBG, windows, Winsock

The research reverse-engineers Windows AFD.sys, showing how TCP sockets can be created, connected, and used by sending handcrafted IOCTL requests directly to the kernel driver—completely bypassing the Winsock networking API.

© 2026 core-jmp. All rights reserved.