Calling all experts in Windows internals and low-level systems architecture! 'The Root of DllMain Problems' (or 'DllMain Rules Rewritten') is now in preparation for its final publication! Feedback and sign-offs from the community are greatly appreciated. github.com/ElliotKillick/…

Introducing a new Windows vulnerability class: False File Immutability. 👉 Bonus: a kernel exploit to load unsigned drivers. elastic.co/security-labs/…

In my new blog for Check Point Research I propose a new injection technique, using the Thread Name API - check it out! 💙

At #VB2024 Daniel Jary will dig into techniques used to maliciously load Shared Objects & describe ways to detect them. He'll present a tool that identifies SO injection, shellcode injection, process hollowing &entry point manipulation of running processes virusbulletin.com/conference/vb2…

My talk from earlier in the year Black Hat #BlackHatAsia just got posted. Immoral Fiber: Unlocking & Discovering New Offensive Capabilities of Fibers youtu.be/LdrqX5Nhe94?fe…

Watch the blog for part 2! secret.club/2023/12/24/ris…

obfus.h is the powerfull compile-time obfuscator for C (win32/64). Supports virtualization, anti-debugging, control flow obfuscation and other code mutation techniques to prevent disassembly or decompilation. #CodeSecurity #Obfuscation #infosec github.com/DosX-dev/obfus…

Excited to share my latest blog post: "Breaking Control Flow Flattening: A Deep Technical Analysis" I showcase usage of formal proofs and graph theory to automate CFF deobfuscation, among other things ! Might make it a talk...? 👀 zerotistic.blog/posts/cff-remo…

[BLOG] This post summarises how to tie Cobalt Strike's UDRL, SleepMask, and BeaconGate together for your syscall and call stack spoofing needs. rastamouse.me/udrl-sleepmask…

Virus Bulletin (VB) just released my talk & white paper on Shared Object injection & detection on Linux. Pleasure to be invited & attend. Great conference guys! Virus Bulletin #VB #VirusBulletin #Linux virusbulletin.com/conference/vb2… youtube.com/watch?v=x6pHvr…

Windows Sockets: From Registered I/O to SYSTEM Privileges by Luca Ginex blog.exodusintel.com/2024/12/02/

I created a hypervisor-based emulator for Windows x64 binaries. This project uses Windows Hypervisor Platform to build a virtualized user-mode environment, allowing syscalls and memory accesses to be logged or intercepted. elastic.co/security-labs/… Project: github.com/x86matthew/Win…

ReSym: Harnessing LLMs to Recover Variable and Data Structure Symbols from Stripped Binaries cs.purdue.edu/homes/lintan/p…

Bypass AMSI in 2025, my newest blog post is published 🥳! A review on what changed over the last years and what's still efficient today. en.r-tec.net/r-tec-blog-byp…

🚀 New Blog & PoC: Abusing IDispatch for COM Object Access & PPL Injection Leveraging STDFONT via IDispatch to inject into PPL processes & access LSASS. Inspired by James Forshaw's research! 🔍 Blog: mohamed-fakroud.gitbook.io/red-teamings-d… 💻 Code: github.com/T3nb3w/ComDotN…

Thread Execution Hijacking is one of the well-known methods that can be used to run implanted code. In this blog we introduce a new injection method, that is based on this classic technique, but much stealthier - Waiting Thread Hijacking. Read More : research.checkpoint.com/2025/waiting-t…

Hypervisors for Memory Introspection and Reverse Engineering by memN0ps secret.club/2025/06/02/hyp…

Here's our new blog on hiding your implant in VTL1, where even an EDR's kernel sensor can't see it.🧑‍🦯 Post includes full operational details. Plus our OST offering has been updated with a Cobalt Strike sleep mask exploiting secure enclaves. Full read ➡️ outflank.nl/blog/2025/06/1…

PatchGuard internals (KPP, Kernel Patch Protection) r0keb.github.io/posts/PatchGua… Credits ö #infosec

Tickling VMProtect with LLVM: Part 1 secret.club/2021/09/08/vmp…