Lê Văn Hùng (@iam_hscorpion)'s Twitter Profile
Lê Văn Hùng

@iam_hscorpion

Security Researcher 🇻🇳

ID: 976413630026588160

21-03-2018 11:02:05

104 Tweets

38 Followers

486 Following

Yarden Shafir (@yarden_shafir)

Ever wanted to debug the secure kernel but couldn't figure out how? Me too. It's awful. But I eventually got it working and managed to do some cool stuff, so I documented my solutions here in case it helps anyone else: windows-internals.com/secure-kernel-…

ESET Research (@esetresearch)

#ESETresearch has discovered a zero day exploit abusing #CVE-2025-24983 vulnerability in Windows Kernel to elevate privileges (#LPE). First seen in the wild in March 2023, the exploit was deployed through #PipeMagic backdoor on the compromised machines. 1/4

starlabs (@starlabs_sg)

CimFS: Crashing in memory, Finding SYSTEM! chiefpie dug into Microsoft CimFS, found a sneaky 0-day, and guess what? The fix by Microsoft was just locking the door 🔐 on unprivileged users. 😂 Dive into the adventure with us: starlabs.sg/blog/2025/03-c…

Nathan Blondel (@slowerzs)

Think HVCI and kCET mean the end of kernel code execution? I wrote a blogpost exploring an alternative way to execute a kernel payload! :) blog.slowerzs.net/posts/keyjumpe…

Satoshi Tanda (@standa_t)

The new blog post on supervisor shadow stack restrictions / supervisor shadow-stack control tandasat.github.io/blog/2025/04/0…

Alex Plaskett (@alexjplaskett)

One Bug to Rule Them All: Stably Exploiting a Preauth RCE Vulnerability on Windows Server 2025 by zhiniang peng @ver0759 Zishan Lin i.blackhat.com/Asia-25/Asia-2…

PatchPoint.Official (@_patchpoint_)

🚀 We released a demo video for the CVE-2025-26666 Windows Media RCE Vulnerability, patched by Microsoft in Apr 2025. Watch the video and subscribe to our private vulnerability PoC and detailed report service at Patchpoint.io. youtu.be/tss6bYCIMkQ

William R. Messmer (@wmessmer)

If you update WinDbg today (1.2504.15001.0), you might notice another icon in the View tab of the ribbon, one called "Parallel Stacks". While incredibly useful in its own right, this isn't just a parallel stacks view. It's the introduction of graph visualization for extensions!

ö (@r0keb)

Just dropped a blog post on NtQuerySystemInformation changes that killed an old kASLR bypass. Added some internals research too, pre & post 24H2. Check it out! r0keb.github.io/posts/kASLR-In…

Kristal (@gal_kristal)

A cool project on an undocumented feature in the Windows kernel. I partially researched it some time ago, but unfortunately, it seems that it's locked for Microsoft usage only. My reversing notes: gist.github.com/Kristal-g/eec0…

DEVCORE (@d3vc0r3)

Our latest deep dive explores research on Windows Kernel Streaming. Check out Angelboy’s (Angelboy) write-up for key insights and analysis. Read more here: devco.re/blog/2025/05/1… #VulnerabilityResearch #Cybersecurity #WindowsKernel #OffensiveCon

David Hendrickson (@teksedge)

Many are asking why Microsoft's announcement of MCP for Windows OS is significant. Windows OS is now AI-agent accessible. Take a look at this ex. AI-OS. Replace LLM System Call Interface with Microsoft's new Windows OS MCP. The world's most used OS is now AI agent accessible.

ö (@r0keb)

Good morning! Just published a blog post diving into Windows Kernel Pool internals: basics, memory allocation functions, internal structures, and how Segment Heap, LFH, and VS work. r0keb.github.io/posts/Windows-…

hackyboiz (@hackyboiz)

[Research] CVE-2025-24985: Windows Fast FAT Driver RCE Vulnerability hackyboiz.github.io/2025/07/17/ogu… The vulnerability was caused by the ability to control five variables within the VHD file that determine the number of clusters.

nafiez (@zeifan)

Same stuff, different week. I did an analysis of the ampa.sys driver and wrote a PoC exploiting the driver. You can find the analysis and PoC here: zeifan.my/Ampa-Driver-An…

Andrea Allievi (@aall86)

I have been out of the exploitation world for 8 years now, but exploits.forsale/pwn2own-2024/ is a very nice read. Well done emma! Kudos!

Crowdfense (@crowdfense)

Technical deep-dive into CVE-2025-53149, a heap-based buffer overflow in the Windows Kernel Streaming WOW Thunk Service driver (ksthunk.sys). crowdfense.com/cve-2025-53149…

Yazidou (@xacone_)

On Windows 11 24H2, process & thread kernel objects can still be retrieved via a driver with physical memory R/W: extract CR3, get kernel VA/PA, locate nt!PsActiveProcessHead via an exported routine, then walk the list to grab each process’s kernel object. #driverexploitation

sixtyvividtails (@sixtyvividtails)

EZ heads:
modsHead = GetProcAddress(ntosk, "PsLoadedModuleList")
EZ #yolo (just call ntoskrnl func from ➂):
dump = malloc(2*256_KB)
try:
  KeCapturePersistentThreadState(
    pContext=dump,
    pThread=dump,  //whatev
    pvDump=dump)
except: pass
modsHead, procsHead = dump[0x20:...]