...and now, introducing Part 6 of j00ru//vx's work on the Windows Registry: googleprojectzero.blogspot.com/2025/04/the-wi… 📖👀

Stumbled over this new AMSI bypass. It works by manipulating the COM RPC communication used by AMSI to talk to AV engines. By hooking NdrClientCall3 which handles the RPC calls we can intercept AMSI scan requests before they reach the AV engine. I wrote a simplified version that

Vibe debugging via MCP for WinDBG crash analysis: github.com/svnscha/mcp-wi… Relevant blog: svnscha.de/posts/ai-meets…

New blog post! 🚀 Learn how to leverage a Ghidra AI assisted workflow by integrating local LLMs using GhidraMCP, Ollama, and OpenWebUI. Read more here: medium.com/@clearbluejar/…

Heard of #ContextJail? It's a nasty new technique: puts target thread into ⓪ deadloop, for as long as you can afford. Requires THREAD_GET_CONTEXT right. The gist? Just spam NtGetContextThread(tgt).😸 Target will be jailed, running nt!PspGetSetContextSpecialApc 🔁. Usecases: ⤵️

Wrote a blog about developing a tiny regex engine from scratch in C++. It provides an in-depth explanation and implementation of Non-Deterministic Finite Automata (NFA) and the McNaughton–Yamada–Thompson algorithm. sh4dy.com/2025/05/01/reg…

Microsoft once made t-shirts and posters of this 👇

[Windows COM 버그 헌팅, 그 여정을 공개합니다] 📔 원문보기: enki.co.kr/media-center/b… 📢 저희 엔키화이트햇은 2024년부터 2025년 최근까지 윈도우에서 권한 상승 취약점을 찾기 위한 연구를 진행하였는데요. 그 결과, StartLabs 보안 컨퍼런스에서 총 10건 이상의 Microsoft CVE를 발표했습니다.

Check out our blog post from IOActive Senior Security Consultant George Koumettou, & explore two EDR techniques that break traditional patterns: 1.) Self-Injection & 2.) Indirect DLL Path Injection. ioactive.com/breaking-patte…

My new blog post 🥳 Improving AFD Socket Visibility for Windows Forensics & Troubleshooting It discusses the low-level API under Winsock (IOCTLs on \Device\Afd handles) and explores the workings of the new socket inspection feature in System Informer 🔥 huntandhackett.com/blog/improving…

CONTEXT-only injection No VirtualAllocEx. No WriteProcessMemory. We show how pure register-/stack manipulation can: Load a DLL with a pointer-only LoadLibrary call Spin up a remote thread via NtCreateThread that self-allocates & self-writes inside the target Chain APC-safe

What if you skipped VirtualAlloc, skipped WriteProcessMemory and still got code execution? We explored process injection using nothing but thread context. Full write-up + PoCs: blog.fndsec.net/2025/05/16/the…

#OffensiveCon25 videos are now up! youtube.com/playlist?list=…

I wrote-up how I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation. Link to the blog post below 👇

Have you ever wondered if there was a way to deploy a "Remote EDR"? Today I'm excited to share research I've been working on for the past couple months. This dives into DCOM Interfaces that enable remote ETW trace sessions without dropping an agent to disk. Includes a detailed

Code execution inside PID 0 - Archie archie-osu.github.io/2025/04/13/pow…

Which Windows kernel subsystem has the largest size? Each of them consists of a set of functions whose names start with predefined prefixes. By writing the necessary scripts for Ghidra or IDA, we can calculate the size of each of them and find out. aibaranov.github.io/kernlsubsys/

My second blog post of the month is up. Nothing too crazy, this time I’m looking at the upcoming Windows Administrator Protection feature… How it works, what continues to work, and some reversing. Check it out (or not I’m not your mum!) specterops.io/blog/2025/06/1…

Today we released write up about vulnerability that I found and which was patched recently in NTFS.sys CVE-2025-49689. Enjoy! swarm.ptsecurity.com/buried-in-the-…