
Analysis and Internals

2005-05-30 - Making WMI Queries In C
2011-01-25 - No Loitering - Exploiting Lingering Vulnerabilities in Default COM Objects
2014-12-03 - Hooking COM Objects - Intercepting Calls to COM Interfaces
2015-08-10 - Windows 10HH Symbolic Link Mitigations
2016-02-10 - The Definitive Guide on Win32 to NT Path Conversion
2017-10-03 - Windows 10 Parallel Loading Breakdown
2017-10-06 - An Introduction to Standard and Isolation Minifilters
2017-10-15 - Understanding API Set Resolution
2018-08-07 - Windows Exploitation Tricks Exploiting Arbitrary Object Directory Creation for Local Elevation of Pri
2018-08-19 - NTFS Alternate Streams What, When, and How To
2018-09-09 - Finding Interactive User COM Objects using PowerShell
2019-08-23 - How the Antimalware Scan Interface AMSI helps you defend against malware
2019-11-11 - Antimalware Scan Interface AMSI
2020-02-23 - A stealthier approach to spoofing process command line
2020-04-01 - Updating the Undocumented ESTROBJ and STROBJ Structures for Windows 10 x64
2020-04-24 - Windows DLL Hijacking Hopefully Clarified
2020-05-17 - APC Series User APC API
2020-06-03 - APC Series User APC Internals
2020-06-28 - APC Series KiUserApcDispatcher and Wow64
2020-07-10 - Fs Minifilter Hooking Part 1
2020-07-11 - Superfetch - Unknown Spy
2020-09-26 - Deep dive into user-mode Asynchronous Procedure Calls in Windows
2020-09-26 - Demystifying the SVCHOSTEXE Process and Its Command Line Options
2020-10-11 - From a C project through assembly to shellcode
2020-11-09 - WOW64Hooks WOW64 Subsystem Internals and Hooking Techniques
2021-01-12 - tagSOleTlsData and the COM concurrency model for the current thread
2022-01-04 - Exploring Token Members Part 1
2022-01-09 - Understanding Windows Structured Exception Handling Part 1 – The Basics
2022-01-12 - Red Canary - Antimalware Scan Interface (AMSI)
2022-01-16 - Notes on Windows MS-CXH and MS-CXH-FULL handlers
2022-01-16 - Understanding Windows Structured Exception Handling Part 2 – Digging Deeper
2022-01-22 - Understanding Windows Structured Exception Handling Part 3 – Under The Hood
2022-01-23 - Understanding Windows Structured Exception Handling Part 4 – Pseudo __try and __except
2022-02-16 - Exploring Token Members Part 2
2022-03-14 - Reversing Common Obfuscation Techniques
2022-05-05 - Studying Next Generation Malware - NightHawks Attempt At Obfuscate and Sleep
2022-06-08 - Inside Get-AuthenticodeSignature
2022-07-05 - WMI Internals Part 1 - Understanding the Basics
2022-07-26 - Understanding DISM - Servicing Stack Interaction
2022-08-02 - Inside Windows Defender System Guard Runtime Monitor
2022-08-05 - Exploring the Windows Search Application Cache
2022-09-05 - Inside the Windows Cache Manager
2022-09-16 - Dissecting Windows Section Objects
2022-09-28 - MS Help 2 Primer
2022-10-13 - Random Number Generation using IOCTL
2022-12-18 - Diving into Intel Killer bloatware part 1
2023-02-01 - Weird things I learned while writing an x86 emulator
2023-02-06 - Diving Deeper Into Pre-created Computer Accounts
2023-03-16 - Minimal Executables
2023-04-18 - Diving into Intel Killer bloatware part 2

Evasion - Process Creation and Shellcode Execution

2016-01-12 - Creating Processes By Using Undocumented COM APIs
2019-10-11 - An alternate way to execute a binary - NtQueryInformationProcess and the AeDebugProtected key
2020-05-27 - Shellcode - Recycling Compression Algorithms for the Z80, 8088, 6502, 8086 and 68K Architectures
2021-03-01 - Shellcode Execution via CopyFile2
2021-03-01 - Shellcode Execution via CreateTimerQueueTimer
2021-03-01 - Shellcode Execution via CreateTimerQueueTimer_Tech
2021-03-01 - Shellcode Execution via EnumChildWindows
2021-03-01 - Shellcode Execution via EnumResourceTypesW
2021-03-01 - Shellcode Execution via EnumWindows
2021-03-02 - Shellcode Execution via EnumDisplayMonitors
2021-03-02 - Shellcode Execution via EnumPropsEx
2021-03-03 - Shellcode Execution via EnumDesktopWindows
2021-03-05 - Shellcode Execution via EnumPageFilesW
2021-03-07 - Shellcode Execution via CopyFileEx
2021-03-07 - Shellcode Execution via EnumWindowStationsW
2021-03-07 - Shellcode Execution via SymEnumProcesses
2021-03-08 - Shellcode Execution via EnumerateLoadedModules
2021-03-08 - Shellcode Execution via ImageGetDigestStream
2021-03-11 - Shellcode Execution via VerifierEnumerateResource
2021-03-12 - Shellcode Execution via CertEnumSystemStore
2021-03-14 - Shellcode Execution via CertEnumSystemStoreLocation
2021-03-19 - Shellcode Execution via CreateThreadPoolWait
2021-03-19 - Shellcode Execution via EnumDesktopW
2021-03-19 - Shellcode Execution via EnumDirTreeW
2021-03-21 - Shellcode Execution via SysEnumSourceFiles
2021-03-27 - Shellcode Execution via FiberContextEdit
2021-03-27 - Shellcode Execution via InitOnceExecuteOnce
2021-03-27 - Shellcode Execution via SymFindFileInPath
2021-03-28 - Shellcode Execution via EnumPropsW
2021-03-28 - Shellcode Execution via FlsAlloc
2021-03-28 - Shellcode Execution via RtlUserFiberStart
2021-03-30 - Shellcode Execution via LdrEnumerateLoadedModules
2021-03-30 - Shellcode Execution via LdrpCallInitRoutine
2021-03-31 - Shellcode Execution via EnumLanguageGroupLocalesW
2021-04-01 - Shellcode Execution via SetTimer
2021-04-04 - Shellcode Execution via SetupCommitFileQueueW
2021-04-08 - Shellcode Execution via EnumUILanguagesW
2021-04-09 - Shellcode Execution via EnumSystemLocales
2021-04-11 - Shellcode Execution via EnumPwrSchemes
2021-04-12 - Shellcode Execution via EnumResourceTypesExW
2021-04-15 - Shellcode Execution via ImmEnumInputContext
2021-04-28 - Shellcode Execution via EnumFontsW
2021-04-30 - Shellcode Execution via EnumFontFamiliesW
2021-05-01 - Shellcode Execution via EnumFontFamiliesExW
2021-05-03 - Shellcode Execution via EnumObjects
2021-05-05 - Weird Ways to Run Unmanaged Code in NET
2021-05-06 - Shellcode Execution via CryptEnumOIDInfo
2021-05-07 - Shellcode Execution via EnumTimeFormatsEx
2021-06-12 - Shellcode Execution via EnumICMProfiles
2021-10-23 - Shellcode Execution via EnumCalendarInfoEx
2021-11-26 - Abusing Windows’ Implementation of Fork() for Stealthy Memory Operations
2021-12-05 - Shellcode Execution via EnumThreadWindows
2022-01-12 - Playing Around COM Objects Part 1 - DllGetClassObject and ShellExecute IDispatch for Process creation
2022-01-28 - The good the bad and the stomped function
2022-05-10 - Making NtCreateUserProcess Work
2022-07-13 - Bluffy the AV Slayer
2022-07-19 - Creating Processes Using System Calls
2022-09-05 - Shellcode Execution via CDefFolderMenu_Create2
2022-09-05 - Shellcode Execution via CopyFileTransacted
2022-09-05 - Shellcode Execution via DSA_EnumCallback
2022-09-05 - Shellcode Execution via EncryptedFileRaw
2022-09-05 - Shellcode Execution via EvtSubscribe_CVEEventWrite
2022-09-05 - Shellcode Execution via MFAddPeriodicCallback
2022-09-05 - Shellcode Execution via MagSetWindowTransform
2022-09-05 - Shellcode Execution via MessageBoxIndirect
2022-09-05 - Shellcode Execution via NotifyIpInterfaceChange
2022-09-05 - Shellcode Execution via NotifyTeredoPortChange
2022-09-05 - Shellcode Execution via NotifyUnicastIpAddressChange
2022-09-05 - Shellcode Execution via PerfStartProviderEx
2022-09-05 - Shellcode Execution via RegisterWaitForSingleObject
2022-09-05 - Shellcode Execution via SHCreateThreadWithHandle
2022-09-05 - Shellcode Execution via SetWaitableTimer
2022-09-05 - Shellcode Execution via StackWalk
2022-09-05 - Shellcode Execution via SymRegisterCallback
2022-09-05 - Shellcode Execution via TaskDialogIndirect
2022-09-05 - Shellcode Execution via WinHttpSetStatus
2022-09-10 - Shellcode Execution via InternetSetStatusCallback
2022-09-11 - Shellcode Execution via CreateThreadPoolTimer
2022-09-11 - Shellcode Execution via CreateThreadPoolWork
2022-09-11 - Shellcode Execution via GetOpenFileName
2022-09-11 - Shellcode Execution via GetSaveFileName
2022-09-12 - Shellcode Execution via FindText
2022-09-12 - Shellcode Execution via OleUIBusy
2022-09-12 - Shellcode Execution via PrintDlg
2022-09-12 - Shellcode Execution via ReplaceText
2022-09-13 - Shellcode Execution via PageSetupDlg
2022-09-15 - Shellcode Execution via ChooseFont
2022-09-15 - Shellcode Execution via TrySubmitThreadpoolCallback
2022-09-18 - Shellcode Execution via ChooseColor
2022-09-18 - Shellcode Execution via LineDDA
2022-09-18 - Shellcode Execution via NotifyRouteChange2
2022-09-18 - Shellcode Execution via RegisterWaitChainCOMCallback
2022-09-18 - Shellcode Execution via acmDriverEnum
2022-09-18 - Shellcode Execution via acmFilterChoose
2022-09-19 - Shellcode Execution via PdhBrowseCounters
2022-09-20 - Shellcode Execution via CertFindChainInStore
2022-09-20 - Shellcode Execution via ClusWorkerCreate
2022-09-20 - Shellcode Execution via PowerRegisterForEffectivePowerModeNotifications
2022-09-21 - Shellcode Execution via MI_Session_Close
2022-09-21 - Shellcode Execution via MI_Session_Invoke
2022-09-21 - Shellcode Execution via NotifyNetworkConnectivityHintChange
2022-09-21 - Shellcode Execution via WinBioCaptureSampleWithCallback
2022-09-21 - Shellcode Execution via WinBioEnrollCaptureWithCallback
2022-09-21 - Shellcode Execution via WinBioVerifyWithCallback
2022-09-21 - Shellcode Execution via WindowsInspectString
2022-09-23 - Shellcode Execution via FCICreate
2022-10-15 - Shellcode Execution via EnumCalendarInfo
2022-12-18 - Shellcode Execution via GrayString
2022-12-18 - Shellcode Execution via SHBrowseForFolder
2022-12-19 - Shellcode Execution via DirectDrawEnumerateExA
2022-12-19 - Shellcode Execution via SetupIterateCabinet
2022-12-20 - Shellcode Execution via DnsStartMulticastQuery
2022-12-20 - Shellcode Execution via WriteEncryptedFileRaw
2023-01-20 - Shellcode Execution via RoInspectCapturedStackBackTrace
2023-01-20 - Shellcode Execution via RoInspectThreadErrorInfo
2023-01-21 - Shellcode Execution via NPAddConnection3
2023-01-21 - Shellcode Execution via WscRegisterForChanges
2023-01-28 - Shellcode Execution via DrawState
2023-01-28 - Shellcode Execution via WriteEncryptedFileRaw
2023-01-28 - Shellcode Execution via acmFormatTagEnum
2023-01-29 - Indirect Syscall is Dead Long Live Custom Call Stacks
2023-01-29 - Shellcode Execution via BindImageEx
2023-01-29 - Shellcode Execution via CertCreateContext
2023-01-29 - Shellcode Execution via CertEnumPhysicalStore
2023-01-29 - Shellcode Execution via DdeInitialize
2023-01-29 - Shellcode Execution via DnsServiceBrowse
2023-01-29 - Shellcode Execution via SetupInstallFile
2023-01-29 - Shellcode Execution via waveOutOpen
2023-01-30 - Shellcode Execution via MiniDumpWriteDump
2023-02-14 - Adopting Position Independent Shellcodes from Object Files in Memory for Threadless Injection

Evasion - Systems Call and Memory Evasion

2020-05-10 - The Fake Entry Point Trick
2020-12-31 - Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams
2021-01-09 - Heresys Gate Kernel ZwNTDLL Scraping and Work Out Ring 0 to Ring 3 via Worker Factories
2021-01-10 - Offensive Windows IPC Internals 1 Named Pipes
2021-02-12 - Offensive Windows IPC Internals 2 RPC
2021-03-28 - Executing a PE File in Memory
2021-12-07 - Dynamically Retrieving SYSCALLs - Hells Gate
2021-12-07 - Identifying Antivirus Software by enumerating Minifilter String Names
2022-02-04 - AppLocker bypass by hash caching misuse
2022-02-04 - JmpNoCall
2022-04-03 - NtdllPipe - Using cmd.exe to retrieve a clean version of ntdll.dll
2022-04-09 - Demonstrating API Hooking in Rust
2022-04-11 - Demonstrating Copying Data To A GPU - GpuMemoryAbuse
2022-04-19 - Resolving System Service Numbers using the Exception Directory
2022-04-22 - Bypassing LSA Protection in Userland
2022-04-23 - Bypassing PESieve and Moneta The easy way
2022-05-05 - A very simple and alternative PID finder
2022-05-24 - Gargoyle x64 - DeepSleep
2022-06-14 - Demonstrating inline syscalls in Cplusplus
2022-06-17 - Demonstrating Thread Stack Spoofing
2022-06-26 - Protecting the Heap - Encryption and Hooks
2022-06-30 - CallStack Spoofer Demonstration
2022-06-30 - Spoofing Call Stacks To Confuse EDRs
2022-07-05 - Vulpes - Obfuscating Memory Regions with Timers
2022-08-02 - Fourteen Ways to Read the PID for the Local Security Authority Subsystem Service LSASS
2022-08-04 - API Resolving Obfuscation via Veh
2022-08-07 - Tampering With Windows Syscalls
2022-08-08 - Manual Implementation of BlockDLLs and ACG
2022-08-16 - Demonstrating inline function importing in Cplusplus
2022-09-26 - Sacrificing Suspended Processes
2022-10-18 - Changing memory protection using APC
2022-10-31 - Heavens Gate in CSharp
2022-10-31 - Resolving syscalls in CSharp
2022-11-22 - x64 return address spoofing
2022-12-08 - Hooking System Calls in Windows 11 22H2 like Avast Antivirus. Research, analysis and bypass
2023-02-07 - Demonstrating Unhooking NTDLL from Disk
2023-02-07 - Demonstrating Unhooking NTDLL from KnownDlls
2023-02-07 - Demonstrating Unhooking NTDLL from Remote Server
2023-02-07 - Demonstrating Unhooking NTDLL from Suspended Process
2023-04-17 - An in-depth look at the Golang Windows calls

Persistence

2019-06-29 - Persistence with Windows Services
2019-08-16 - IBM Java Control Panel for persistence
2019-08-22 - Common Language Runtime Hook for Persistence
2019-09-07 - AutoPlay Handlers for persistence
2019-09-20 - Exotic persistence - Windows Error Reporting Debugger key
2019-10-23 - SPReview Phantom DLLs
2019-10-24 - SPReview Permanent Persistence
2019-11-18 - Abusing Intel VTune Amplifier for Persistence
2020-03-18 - ShimBad the Sailor
2020-06-09 - Abusing Windows Telemetry for Persistence
2020-07-30 - Terminal Server Utilities LOLBIN and Persistence
2020-08-16 - QT Framework QT_DEBUG_PLUGINS Persistence
2020-09-16 - Silent Runners - Exploring Persistence Methods
2020-09-18 - Covert Data Persistence with Windows Registry Keys
2020-09-18 - More Windows 10 Phantom DLLs
2020-10-08 - Cryogenically Frozen Malware
2020-10-11 - Masquerading the HKCU Run Key
2020-10-17 - DllBidEntryPoint Abuse
2020-10-18 - Commandeering Context Menu Entries
2020-10-19 - SERVICE_FAILURE_ACTIONSW Exception for Persistence
2020-11-23 - A Fresh Outlook on Mail Based Persistence
2021-02-06 - Microsoft Office HTML Editor for Persistence
2021-03-05 - Persistence via Java Environment Variables
2021-10-21 - Life is Pane - Persistence via Preview Handlers
2021-11-18 - Persistence via Recycle Bin
2021-12-14 - COM Hijacking for Persistence
2022-01-16 - Oobe Setup ErrorHandle.cmd Hijack
2022-01-18 - O365 HKCU WwlibDll Sideloading
2022-01-22 - WinINET InternetErrorDlgEx Registry Lookup persistence
2022-01-23 - Persistence via P2P_PEER_DIST_API LoadPeerDist
2022-07-17 - 30 second execution persistence with Winlogon
2022-09-14 - Abusing Notepad Plugins for Evasion and Persistence
2022-10-11 - Custom Keyboard Layout Persistence
2023-01-24 - Persistence via VSCode Profile Abuse

Process Injection

2004-04-06 - Remote Library Injection
2014-02-03 - PE Injection Demonstration 1
2014-04-13 - PE Injection Explained Advanced memory code injection technique
2017-09-19 - Abusing Delay Load DLLs for Remote Code Injection
2018-03-26 - Ghostwrite Demonstration
2018-06-14 - PE Injection Demonstration 2
2018-10-16 - Injecting Code into Windows Protected Processes using COM - Part 1
2018-11-01 - Process Injection Techniques and Detection using the Volatility Framework
2018-11-30 - Injecting Code into Windows Protected Processes using COM - Part 2
2019-02-25 - Notes on RtlCloneUserProcess
2019-04-08 - Early Bird Injection - APC Abuse
2019-04-26 - Hunting for Ghosts in Fileless Attacks
2019-08-08 - Demonstrating Various Process Injection Techniques - Pinjecta
2019-08-08 - Process Injection Techniques - Gotta Catch Them All
2019-08-13 - The state of advanced code injections
2020-01-06 - NtCreateSection and NtMapViewOfSection for Code Injection
2020-02-10 - From Process Injection to Function Hijacking
2020-05-28 - GetEnvironmentVariable As Alternative to WriteProcessMemory in Process Injections
2020-06-06 - NINA - x64 Process Injection
2020-06-14 - Process Injection Techniques
2020-06-24 - Process Injection Techniques used by Malware
2020-07-10 - Masking Malicious Memory Artifacts Part 1 – Phantom DLL Hollowing
2020-07-16 - Weaponizing Mapping Injection With instrumentation Callback
2020-11-29 - Weaponize GhostWriting Injection Code Injection Series Part 5
2021-02-28 - PE Injection_ Executing PEs inside Remote Processes
2022-01-15 - CreateRemoteThread Process Injection
2022-01-15 - Demonstrating ATOM Bombing
2022-01-15 - Process Doppelgänging POC
2022-01-15 - Process HerpaDerping
2022-01-15 - ReflectiveDLLInjection Example
2022-01-15 - SetThreadContextInjection Example
2022-01-15 - SetWindowsHookExInjection Example
2022-01-15 - The ExtraWindowInject Process Injection Technique
2022-01-15 - UserApcInject Example
2022-02-04 - KCTHIJACK - KernelCallbackTable Hijack
2022-03-17 - Process Overwriting - yet another variant
2022-03-17 - Process-Hollowing Example
2022-04-18 - Implementing Global Injection and Hooking in Windows
2022-05-05 - Process Injection via Component Object Model (COM) IRundown-DoCallback()
2022-05-08 - Demonstrating Process Injection in Rust - Rusty Memory LoadLibrary
2022-05-16 - Demonstrating Reflective DLL Loading - KaynLdr
2022-05-27 - Nls Code Injection Through The Registry
2022-06-25 - PE Resource section for Process Injection
2022-12-23 - Ctrl Injection Collection

System Components and Abuse

2017-08-12 - Finding handle leaks - user mode duplicate handle in C and CSharp
2018-03-17 - Abusing Exported Functions and Exposed DCOM Interfaces
2019-04-07 - Loading and calling VB from CPlusPlus
2019-07-03 - Dumping LSASS - MiniDumpWriteDump to Disk
2019-07-03 - MiniDumpWriteDump and PssCaptureSnapshot
2019-07-07 - Dumping LSASS - MiniDumpWriteDump to Memory using MiniDump Callbacks
2019-07-21 - In-memory execution of VBScript, JavaScript or JScript
2019-08-17 - Weaponizing Privileged File Writes with the USO Service
2020-06-10 - Cmd Hijack - A Command_Argument Confusion with Path Traversal
2020-10-10 - A Deep Dive Into RUNDLL32EXE
2021-01-24 - LSASS Memory Dumps are Stealthier than Ever Before - Part 1
2021-02-16 - LSASS Memory Dumps are Stealthier than Ever Before - Part 2
2021-05-13 - Reshaping Shadow Volumes with IOCTLs
2021-08-03 - Reading, Writing, and Executing A File WITHOUT A File Path - yarhLoader
2021-10-10 - SeManageVolumePrivilege Abuse with FSCTL_SD_GLOBAL_CHANGE
2021-12-07 - Demonstrating USB Propagation
2021-12-07 - Programmatically Modifying Boot Configurations - BCDEdit
2021-12-07 - The hidden side of Seclogon part 2 - Abusing leaked handles to dump LSASS memory
2021-12-07 - Weaponizing Windows Virtualization
2022-01-15 - Programmatically Stopping Windows Defender
2022-02-09 - Hooks-On Hoot-Off Vitaminizing MiniDump
2022-02-17 - The magic behind wlrmdrexe
2022-02-25 - LogNT32 - Part 2 - Return-address hijacking implemented to improve efficiency
2022-03-26 - Digging into PssCaptureSnapshot for LSASS Dumping
2022-04-03 - FveApiDLL Abuse Demonstration
2022-04-30 - Programmatically Hiding Windows Snapshots
2022-05-31 - Crashing Windows by Abusing NtRaiseHardError
2022-06-28 - The hidden side of Seclogon part 3 - Racing for LSASS dumps
2022-08-19 - Bypassing AppLocker by abusing HashInfo
2022-08-29 - DLL Sideloading ShellChromeAPI
2022-10-07 - Short term snapshot deletion via ExecuteScheduledSPPCreation
2022-10-11 - Abusing the Windows Power Management API
2022-10-28 - Using Windows IUIAutomation for spyware and other malicious purposes
2022-11-02 - IIS Pool Credential Dumping via undocumented command line arguments
2022-12-07 - Programmatically Deleting Shadow Volumes - Xaoc
2023-02-03 - Windows Domain Controller NTDSUTIL activate instance abuse
2023-03-19 - Different ways to create a process
2023-05-02 - Preventing application creation by IFEO keys
