Analysis and Internals
2005-05-30 - Making WMI Queries In C2014-12-03 - Hooking COM Objects - Intercepting Calls to COM Interfaces
2015-08-10 - Windows 10HH Symbolic Link Mitigations
2016-02-10 - The Definitive Guide on Win32 to NT Path Conversion
2017-10-03 - Windows 10 Parallel Loading Breakdown
2017-10-06 - An Introduction to Standard and Isolation Minifilters
2017-10-15 - Understanding API Set Resolution
2018-08-07 - Windows Exploitation Tricks Exploiting Arbitrary Object Directory Creation for Local Elevation of Pri
2018-08-19 - NTFS Alternate Streams What, When, and How To
2018-09-09 - Finding Interactive User COM Objects using PowerShell
2019-08-23 - How the Antimalware Scan Interface AMSI helps you defend against malware
2019-11-11 - Antimalware Scan Interface AMSI
2020-04-01 - Updating the Undocumented ESTROBJ and STROBJ Structures for Windows 10 x64
2020-04-24 - Windows DLL Hijacking Hopefully Clarified
2020-05-17 - APC Series User APC API
2020-06-03 - APC Series User APC Internals
2020-06-28 - APC Series KiUserApcDispatcher and Wow64
2020-07-10 - Fs Minifilter Hooking Part 1
2020-07-11 - Superfetch - Unknown Spy
2020-09-26 - Deep dive into user-mode Asynchronous Procedure Calls in Windows
2020-09-26 - Demystifying the SVCHOSTEXE Process and Its Command Line Options
2020-10-11 - From a C project through assembly to shellcode
2020-11-09 - WOW64Hooks WOW64 Subsystem Internals and Hooking Techniques
2021-01-12 - tagSOleTlsData and the COM concurrency model for the current thread
2022-01-04 - Exploring Token Members Part 1
2022-01-09 - Understanding Windows Structured Exception Handling Part 1 – The Basics
2022-01-12 - Red Canary - Antimalware Scan Interface (AMSI)
2022-01-16 - Notes on Windows MS-CXH and MS-CXH-FULL handlers
2022-01-16 - Understanding Windows Structured Exception Handling Part 2 – Digging Deeper
2022-01-22 - Understanding Windows Structured Exception Handling Part 3 – Under The Hood
2022-01-23 - Understanding Windows Structured Exception Handling Part 4 – Pseudo __try and __except
2022-02-16 - Exploring Token Members Part 2
2022-03-14 - Reversing Common Obfuscation Techniques
2022-05-05 - Studying Next Generation Malware - NightHawks Attempt At Obfuscate and Sleep
2022-06-08 - Inside Get-AuthenticodeSignature
2022-07-05 - WMI Internals Part 1 - Understanding the Basics
2022-07-26 - Understanding DISM - Servicing Stack Interaction
2022-08-02 - Inside Windows Defender System Guard Runtime Monitor
2022-08-05 - Exploring the Windows Search Application Cache
2022-09-05 - Inside the Windows Cache Manager
2022-09-16 - Dissecting Windows Section Objects
2022-09-28 - MS Help 2 Primer
2022-10-13 - Random Number Generation using IOCTL
2023-02-01 - Weird things I learned while writing an x86 emulator
2023-02-06 - Diving Deeper Into Pre-created Computer Accounts
2023-03-16 - Minimal Executables
Data Theft
2011-06-29 - Implementing keyloggers in Windows2021-03-10 - Exfiltrating Data from Outlook Demonstration
2021-03-25 - Demonstrating Keylogging Using NtUserGetRawInputDataKeylogger
2021-06-20 - Demonstrating How to Dump Chrome Passwords
2022-04-19 - Dumping passwords using KRShowKeyMgr
2022-05-01 - GetRawInputData Keylogger Demonstration
2022-06-21 - WebView2 Cookie Stealer Demonstration
2022-10-22 - WAM BAM - Recovering Web Tokens From Office
Evasion - Anti-debugging
2011-05-04 - The Ultimate Anti-Debugging Reference2020-01-02 - Exploiting Flaws in Windbg
2020-07-03 - How to obfuscate strings using CPlusPlus constexpr Or how to do it correctly at compile time
2020-08-05 - Checkpoint Research - Anti-Debug - Assembly instructions
2020-08-05 - Checkpoint Research - Anti-Debug - Debug Flags
2020-08-05 - Checkpoint Research - Anti-Debug - Direct debugger interaction
2020-08-05 - Checkpoint Research - Anti-Debug - Exceptions
2020-08-05 - Checkpoint Research - Anti-Debug - Misc
2020-08-05 - Checkpoint Research - Anti-Debug - Object Handles
2020-08-05 - Checkpoint Research - Anti-Debug - Process Memory
2020-08-05 - Checkpoint Research - Anti-Debug - Timing
2021-03-18 - Anti Debugging Protection Techniques with Examples
2021-03-24 - Excel Macro Anti-Analysis Techniques
2022-01-26 - Using SecureString to protect Malware
Evasion - EDR and AV specific
2010-01-12 - Exercising the Firewall using Cplusplus2018-06-18 - Exploring PowerShell AMSI and Logging Evasion
2019-06-03 - How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code
2020-02-03 - Bypass EDRs memory protection - an introduction to hooking
2020-02-10 - WDExtract - Extracting data from Windows Defender
2021-06-19 - Backstab - Demonstrating how to kill EDR protected processes
2021-08-23 - Another AMSI-Bypass paper
2021-10-23 - From AMSI to Reflection 0x0
2021-11-15 - Design issues of modern EDRs bypassing ETW-based solutions
2022-04-18 - A blueprint for evading industry leading endpoint protection in 2022
2022-06-22 - Extracting Whitelisted Paths from Windows Defender ASR Rules
2022-09-27 - Constrained Language Mode Bypass When __PSLockDownPolicy Is Used
Evasion - Other
2012-03-21 - Using UPX as a Security Packer2018-12-12 - VBA RunPE - Breaking Out of Highly Constrained Desktop Environments
2019-12-02 - Evading WinDefender ATP credential-theft a hit after a hit-and-miss start
2020-05-18 - How to use Trend Micro's Rootkit Remover to Install a Rootkit
2020-12-31 - Antivirus Artifacts III
2021-04-22 - Binary Data Hiding in VB6 Executables
2021-05-01 - Symantec Endpoint Protection Meets COM - Using Symantec.SSHelper As A LOLBIN
2021-05-12 - Breaking the WDAPT Rules with COM
2021-08-05 - Evil Model - Hiding Malware
2021-10-09 - Trololololobin and other lolololocoasters
2022-01-15 - Stealing Process Tokens POC
2022-01-23 - Reload Executable Files to Achieve Efficient Inline-Hook
2022-02-07 - Invisible Sandbox Evasion - Check Point Research
2022-02-16 - wlrmdr.exe LOLBIN
2022-03-24 - Manipulating LastWriteTime without leaving traces in the NTFS USN Journal
2022-04-02 - Unmanaged Code Execution with .NET Dynamic PInvoke
2022-04-18 - Token Manipulation in Rust Demonation
2022-04-18 - UACMe
2022-06-17 - Sleep Obfuscation - Ekko
2022-08-01 - DLL Hijacking Windows Defender NisSrv
2022-08-01 - DeathSleep - Demonstrating sleep obfuscation
Evasion - Process Creation and Shellcode Execution
2016-01-12 - Creating Processes By Using Undocumented COM APIs2019-10-11 - An alternate way to execute a binary - NtQueryInformationProcess and the AeDebugProtected key
2020-05-27 - Shellcode - Recycling Compression Algorithms for the Z80, 8088, 6502, 8086 and 68K Architectures
2021-03-01 - Shellcode Execution via CopyFile2
2021-03-01 - Shellcode Execution via CreateTimerQueueTimer
2021-03-01 - Shellcode Execution via CreateTimerQueueTimer_Tech
2021-03-01 - Shellcode Execution via EnumChildWindows
2021-03-01 - Shellcode Execution via EnumResourceTypesW
2021-03-01 - Shellcode Execution via EnumWindows
2021-03-02 - Shellcode Execution via EnumDisplayMonitors
2021-03-02 - Shellcode Execution via EnumPropsEx
2021-03-03 - Shellcode Execution via EnumDesktopWindows
2021-03-05 - Shellcode Execution via EnumPageFilesW
2021-03-07 - Shellcode Execution via CopyFileEx
2021-03-07 - Shellcode Execution via EnumWindowStationsW
2021-03-07 - Shellcode Execution via SymEnumProcesses
2021-03-08 - Shellcode Execution via EnumerateLoadedModules
2021-03-08 - Shellcode Execution via ImageGetDigestStream
2021-03-11 - Shellcode Execution via VerifierEnumerateResource
2021-03-12 - Shellcode Execution via CertEnumSystemStore
2021-03-14 - Shellcode Execution via CertEnumSystemStoreLocation
2021-03-19 - Shellcode Execution via CreateThreadPoolWait
2021-03-19 - Shellcode Execution via EnumDesktopW
2021-03-19 - Shellcode Execution via EnumDirTreeW
2021-03-21 - Shellcode Execution via SysEnumSourceFiles
2021-03-27 - Shellcode Execution via FiberContextEdit
2021-03-27 - Shellcode Execution via InitOnceExecuteOnce
2021-03-27 - Shellcode Execution via SymFindFileInPath
2021-03-28 - Shellcode Execution via EnumPropsW
2021-03-28 - Shellcode Execution via FlsAlloc
2021-03-28 - Shellcode Execution via RtlUserFiberStart
2021-03-30 - Shellcode Execution via LdrEnumerateLoadedModules
2021-03-30 - Shellcode Execution via LdrpCallInitRoutine
2021-03-31 - Shellcode Execution via EnumLanguageGroupLocalesW
2021-04-01 - Shellcode Execution via SetTimer
2021-04-04 - Shellcode Execution via SetupCommitFileQueueW
2021-04-08 - Shellcode Execution via EnumUILanguagesW
2021-04-09 - Shellcode Execution via EnumSystemLocales
2021-04-11 - Shellcode Execution via EnumPwrSchemes
2021-04-12 - Shellcode Execution via EnumResourceTypesExW
2021-04-15 - Shellcode Execution via ImmEnumInputContext
2021-04-28 - Shellcode Execution via EnumFontsW
2021-04-30 - Shellcode Execution via EnumFontFamiliesW
2021-05-01 - Shellcode Execution via EnumFontFamiliesExW
2021-05-03 - Shellcode Execution via EnumObjects
2021-05-05 - Weird Ways to Run Unmanaged Code in NET
2021-05-06 - Shellcode Execution via CryptEnumOIDInfo
2021-05-07 - Shellcode Execution via EnumTimeFormatsEx
2021-06-12 - Shellcode Execution via EnumICMProfiles
2021-10-23 - Shellcode Execution via EnumCalendarInfoEx
2021-11-26 - Abusing Windows’ Implementation of Fork() for Stealthy Memory Operations
2021-12-05 - Shellcode Execution via EnumThreadWindows
2022-01-12 - Playing Around COM Objects Part 1 - DllGetClassObject and ShellExecute IDispatch for Process creation
2022-01-28 - The good the bad and the stomped function
2022-05-10 - Making NtCreateUserProcess Work
2022-07-13 - Bluffy the AV Slayer
2022-07-19 - Creating Processes Using System Calls
2022-09-05 - Shellcode Execution via CDefFolderMenu_Create2
2022-09-05 - Shellcode Execution via CopyFileTransacted
2022-09-05 - Shellcode Execution via DSA_EnumCallback
2022-09-05 - Shellcode Execution via EncryptedFileRaw
2022-09-05 - Shellcode Execution via EvtSubscribe_CVEEventWrite
2022-09-05 - Shellcode Execution via MFAddPeriodicCallback
2022-09-05 - Shellcode Execution via MagSetWindowTransform
2022-09-05 - Shellcode Execution via MessageBoxIndirect
2022-09-05 - Shellcode Execution via NotifyIpInterfaceChange
2022-09-05 - Shellcode Execution via NotifyTeredoPortChange
2022-09-05 - Shellcode Execution via NotifyUnicastIpAddressChange
2022-09-05 - Shellcode Execution via PerfStartProviderEx
2022-09-05 - Shellcode Execution via RegisterWaitForSingleObject
2022-09-05 - Shellcode Execution via SHCreateThreadWithHandle
2022-09-05 - Shellcode Execution via SetWaitableTimer
2022-09-05 - Shellcode Execution via StackWalk
2022-09-05 - Shellcode Execution via SymRegisterCallback
2022-09-05 - Shellcode Execution via TaskDialogIndirect
2022-09-05 - Shellcode Execution via WinHttpSetStatus
2022-09-10 - Shellcode Execution via InternetSetStatusCallback
2022-09-11 - Shellcode Execution via CreateThreadPoolTimer
2022-09-11 - Shellcode Execution via CreateThreadPoolWork
2022-09-11 - Shellcode Execution via GetOpenFileName
2022-09-11 - Shellcode Execution via GetSaveFileName
2022-09-12 - Shellcode Execution via FindText
2022-09-12 - Shellcode Execution via OleUIBusy
2022-09-12 - Shellcode Execution via PrintDlg
2022-09-12 - Shellcode Execution via ReplaceText
2022-09-13 - Shellcode Execution via PageSetupDlg
2022-09-15 - Shellcode Execution via ChooseFont
2022-09-15 - Shellcode Execution via TrySubmitThreadpoolCallback
2022-09-18 - Shellcode Execution via ChooseColor
2022-09-18 - Shellcode Execution via LineDDA
2022-09-18 - Shellcode Execution via NotifyRouteChange2
2022-09-18 - Shellcode Execution via RegisterWaitChainCOMCallback
2022-09-18 - Shellcode Execution via acmDriverEnum
2022-09-18 - Shellcode Execution via acmFilterChoose
2022-09-19 - Shellcode Execution via PdhBrowseCounters
2022-09-20 - Shellcode Execution via CertFindChainInStore
2022-09-20 - Shellcode Execution via ClusWorkerCreate
2022-09-20 - Shellcode Execution via PowerRegisterForEffectivePowerModeNotifications
2022-09-21 - Shellcode Execution via MI_Session_Close
2022-09-21 - Shellcode Execution via MI_Session_Invoke
2022-09-21 - Shellcode Execution via NotifyNetworkConnectivityHintChange
2022-09-21 - Shellcode Execution via WinBioCaptureSampleWithCallback
2022-09-21 - Shellcode Execution via WinBioEnrollCaptureWithCallback
2022-09-21 - Shellcode Execution via WinBioVerifyWithCallback
2022-09-21 - Shellcode Execution via WindowsInspectString
2022-09-23 - Shellcode Execution via FCICreate
2022-10-15 - Shellcode Execution via EnumCalendarInfo
2022-12-18 - Shellcode Execution via GrayString
2022-12-18 - Shellcode Execution via SHBrowseForFolder
2022-12-19 - Shellcode Execution via DirectDrawEnumerateExA
2022-12-19 - Shellcode Execution via SetupIterateCabinet
2022-12-20 - Shellcode Execution via DnsStartMulticastQuery
2022-12-20 - Shellcode Execution via WriteEncryptedFileRaw
2023-01-20 - Shellcode Execution via RoInspectCapturedStackBackTrace
2023-01-20 - Shellcode Execution via RoInspectThreadErrorInfo
2023-01-21 - Shellcode Execution via NPAddConnection3
2023-01-21 - Shellcode Execution via WscRegisterForChanges
2023-01-28 - Shellcode Execution via DrawState
2023-01-28 - Shellcode Execution via WriteEncryptedFileRaw
2023-01-28 - Shellcode Execution via acmFormatTagEnum
2023-01-29 - Indirect Syscall is Dead Long Live Custom Call Stacks
2023-01-29 - Shellcode Execution via BindImageEx
2023-01-29 - Shellcode Execution via CertCreateContext
2023-01-29 - Shellcode Execution via CertEnumPhysicalStore
2023-01-29 - Shellcode Execution via DdeInitialize
2023-01-29 - Shellcode Execution via DnsServiceBrowse
2023-01-29 - Shellcode Execution via SetupInstallFile
2023-01-29 - Shellcode Execution via waveOutOpen
2023-01-30 - Shellcode Execution via MiniDumpWriteDump
2023-02-14 - Adopting Position Independent Shellcodes from Object Files in Memory for Threadless Injection
Evasion - Systems Call and Memory Evasion
2020-05-10 - The Fake Entry Point Trick2020-12-31 - Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams
2021-01-09 - Heresys Gate Kernel ZwNTDLL Scraping and Work Out Ring 0 to Ring 3 via Worker Factories
2021-01-10 - Offensive Windows IPC Internals 1 Named Pipes
2021-02-12 - Offensive Windows IPC Internals 2 RPC
2021-03-28 - Executing a PE File in Memory
2021-12-07 - Dynamically Retrieving SYSCALLs - Hells Gate
2021-12-07 - Identifying Antivirus Software by enumerating Minifilter String Names
2022-02-04 - AppLocker bypass by hash caching misuse
2022-02-04 - JmpNoCall
2022-04-03 - NtdllPipe - Using cmd.exe to retrieve a clean version of ntdll.dll
2022-04-09 - Demonstrating API Hooking in Rust
2022-04-11 - Demonstrating Copying Data To A GPU - GpuMemoryAbuse
2022-04-19 - Resolving System Service Numbers using the Exception Directory
2022-04-22 - Bypassing LSA Protection in Userland
2022-04-23 - Bypassing PESieve and Moneta The easy way
2022-05-05 - A very simple and alternative PID finder
2022-05-24 - Gargoyle x64 - DeepSleep
2022-06-14 - Demonstrating inline syscalls in Cplusplus
2022-06-17 - Demonstrating Thread Stack Spoofing
2022-06-26 - Protecting the Heap - Encryption and Hooks
2022-06-30 - CallStack Spoofer Demonstration
2022-06-30 - Spoofing Call Stacks To Confuse EDRs
2022-07-05 - Vulpes - Obfuscating Memory Regions with Timers
2022-08-02 - Fourteen Ways to Read the PID for the Local Security Authority Subsystem Service LSASS
2022-08-04 - API Resolving Obfuscation via Veh
2022-08-07 - Tampering With Windows Syscalls
2022-08-08 - Manual Implementation of BlockDLLs and ACG
2022-08-16 - Demonstrating inline function importing in Cplusplus
2022-09-26 - Sacrificing Suspended Processes
2022-10-18 - Changing memory protection using APC
2022-10-31 - Heavens Gate in CSharp
2022-10-31 - Resolving syscalls in CSharp
2022-11-22 - x64 return address spoofing
2022-12-08 - Hooking System Calls in Windows 11 22H2 like Avast Antivirus. Research, analysis and bypass
2023-02-07 - Demonstrating Unhooking NTDLL from Disk
2023-02-07 - Demonstrating Unhooking NTDLL from KnownDlls
2023-02-07 - Demonstrating Unhooking NTDLL from Remote Server
2023-02-07 - Demonstrating Unhooking NTDLL from Suspended Process
Infection
2008-12-27 - Detailed Guide to PE Infection2015-03-06 - PE Infection - Add a PE section - with code
2015-03-30 - Another detailed guide to PE infection
Initial Access Malcode
2017-07-31 - Malicious XLL Demonstration2020-12-24 - The worst of the two worlds - Excel meets Outlook
2021-10-28 - Malicious ZIP Demonstration
2021-12-09 - Create Microsoft-Signed Phishing Documents
2022-04-15 - Make phishing great again VSTO office files are the new macro nightmare
2022-05-14 - About XLL Phishing
2022-06-28 - Weaponizing and Abusing Hidden Functionalities Contained in Office Document Properties
2022-08-05 - Backdooring Office Structures Part 1 The Oldschool
2022-08-08 - Backdooring Office Structures Part 2 Payload Crumbs In Custom Parts
2023-02-07 - Home Grown Red Team - Lets Make Some OneNote Phishing Attachments
Kernel Mode
2014-02-06 - Hide process with DKOM without hard coded offsets2015-04-06 - Hiding loaded driver with DKOM
2019-11-06 - Bypassing Kernel Function Pointer Integrity Checks
2021-03-30 - KeDll Injector
2022-01-11 - Signed Kernal Drivers - Unguarded Gateway to Windows Core
2022-01-15 - Demonstrating EAT hooking from Kernel space
2022-01-15 - Modifying the EPROCESS structure
2022-05-02 - g_CiOptions in a Virtualized World
2022-07-14 - Lord Of The Ring0 - Part 1 Introduction
2022-08-04 - Lord Of The Ring0 - Part 2 A tale of routines IOCTLs and IRPs
2022-08-19 - Warbird Hook - Demonstrating shellcode injection and application hijacking
2022-10-30 - Lord Of The Ring0 - Part 3 Sailing to the land of the user and debugging the ship
2022-12-29 - Bootkitting Windows Sandbox
2023-02-09 - Transitioning from User Mode to Kernel mode - Extravagant Prick
2023-02-24 - Lord Of The Ring0 - Part 4 The call back home
Network Communications
2006-05-22 - Windows Network Services Internals2017-12-07 - Ares - Demonstrating A Python C2
2018-10-20 - Using DropBox As A C2
2021-06-18 - Knock Knock The postman is here (abusing Mailslots and PortKnocking for connectionless shells)
2021-09-30 - Azure Outlook C2
2021-10-25 - C3 - Demonstrating C2s from MatterMost - GitHub - OneDrive and more
2022-01-03 - NTSockets - Downloading a file via HTTP using the NtCreateFile
2022-04-04 - AtlasC2 - Demonstrating A C2 in CSharp
2022-04-27 - Alternate Method Of Contacting IPV4
2022-05-01 - Ipv4Fuscation Demonstration
2022-05-09 - Spawning IE on Windows 11
2022-09-28 - Demonstrating the VirusTotal C2
2022-10-01 - Manual ICMP implementation using NtDeviceIoControlFile
2022-10-09 - Windows Server LDIF File Abuse for Silently Downloading Files
2023-01-23 - Exfiltrating data using Powershell and WAV files
Persistence
2019-06-29 - Persistence with Windows Services2019-08-16 - IBM Java Control Panel for persistence
2019-08-22 - Common Language Runtime Hook for Persistence
2019-09-07 - AutoPlay Handlers for persistence
2019-09-20 - Exotic persistence - Windows Error Reporting Debugger key
2019-10-23 - SPReview Phantom DLLs
2019-10-24 - SPReview Permanent Persistence
2019-11-18 - Abusing Intel VTune Amplifier for Persistence
2020-03-18 - ShimBad the Sailor
2020-06-09 - Abusing Windows Telemetry for Persistence
2020-07-30 - Terminal Server Utilities LOLBIN and Persistence
2020-08-16 - QT Framework QT_DEBUG_PLUGINS Persistence
2020-09-16 - Silent Runners - Exploring Persistence Methods
2020-09-18 - Covert Data Persistence with Windows Registry Keys
2020-09-18 - More Windows 10 Phantom DLLs
2020-10-08 - Cryogenically Frozen Malware
2020-10-11 - Masquerading the HKCU Run Key
2020-10-17 - DllBidEntryPoint Abuse
2020-10-18 - Commandeering Context Menu Entries
2020-10-19 - SERVICE_FAILURE_ACTIONSW Exception for Persistence
2020-11-23 - A Fresh Outlook on Mail Based Persistence
2021-02-06 - Microsoft Office HTML Editor for Persistence
2021-03-05 - Persistence via Java Environment Variables
2021-10-21 - Life is Pane - Persistence via Preview Handlers
2021-11-18 - Persistence via Recycle Bin
2022-01-16 - Oobe Setup ErrorHandle.cmd Hijack
2022-01-18 - O365 HKCU WwlibDll Sideloading
2022-01-22 - WinINET InternetErrorDlgEx Registry Lookup persistence
2022-01-23 - Persistence via P2P_PEER_DIST_API LoadPeerDist
2022-07-17 - 30 second execution persistence with Winlogon
2022-09-14 - Abusing Notepad Plugins for Evasion and Persistence
2022-10-11 - Custom Keyboard Layout Persistence
2023-01-24 - Persistence via VSCode Profile Abuse
Process Injection
2004-04-06 - Remote Library Injection2014-02-03 - PE Injection Demonstration 1
2014-04-13 - PE Injection Explained Advanced memory code injection technique
2018-03-26 - Ghostwrite Demonstration
2018-06-14 - PE Injection Demonstration 2
2018-10-16 - Injecting Code into Windows Protected Processes using COM - Part 1
2018-11-01 - Process Injection Techniques and Detection using the Volatility Framework
2018-11-30 - Injecting Code into Windows Protected Processes using COM - Part 2
2019-02-25 - Notes on RtlCloneUserProcess
2019-04-26 - Hunting for Ghosts in Fileless Attacks
2019-08-08 - Demonstating Various Process Injection Techniques - Pinjecta
2019-08-08 - Process Injection Techniques - Gotta Catch Them All
2019-08-13 - The state of advanced code injections
2020-01-06 - NtCreateSection and NtMapViewOfSection for Code Injection
2020-02-10 - From Process Injection to Function Hijacking
2020-05-28 - GetEnvironmentVariable As Alternative to WriteProccessMemory in Process Injections
2020-06-06 - NINA - x64 Process Injection
2020-06-14 - Process Injection Techniques
2020-06-24 - Process Injection Techniques used by Malware
2020-07-10 - Masking Malicious Memory Artifacts Part 1 – Phantom DLL Hollowing
2020-07-16 - Weaponizing Mapping Injection With instrumentation Callback
2020-11-29 - Weaponize GhostWriting Injection Code Injection Series Part 5
2021-02-28 - PE Injection_ Executing PEs inside Remote Processes
2022-01-15 - CreateRemoteThread Process Injection
2022-01-15 - Demonstrating ATOM Bombing
2022-01-15 - Process Doppelgänging POC
2022-01-15 - Process HerpaDerping
2022-01-15 - ReflectiveDLLInjection Example
2022-01-15 - SetThreadContextInjection Example
2022-01-15 - SetWindowsHookExInjection Example
2022-01-15 - The ExtraWindowInject Process Injection Technique
2022-01-15 - UserApcInject Example
2022-02-04 - KCTHIJACK - KernelCallbackTable Hijack
2022-03-17 - Process Overwriting - yet another variant
2022-03-17 - Process-Hollowing Example
2022-04-18 - Implementing Global Injection and Hooking in Windows
2022-05-05 - Process Injection via Component Object Model (COM) IRundown-DoCallback()
2022-05-08 - Demonstrating Process Injection in Rust - Rusty Memory LoadLibrary
2022-05-16 - Demonstrating Reflective DLL Loading - KaynLdr
2022-05-27 - Nls Code Injection Through The Registry
2022-06-25 - PE Resource section for Process Injection
2022-12-23 - Ctrl Injection Collection
System Components and Abuse
2017-08-12 - Finding handle leaks - user mode duplicate handle in C and CSharp2018-03-17 - Abusing Exported Functions and Exposed DCOM Interfaces
2019-07-03 - Dumping LSASS - MiniDumpWriteDump to Disk
2019-07-03 - MiniDumpWriteDump and PssCaptureSnapshot
2019-07-07 - Dumping LSASS - MiniDumpWriteDump to Memory using MiniDump Callbacks
2019-08-17 - Weaponizing Privileged File Writes with the USO Service
2020-06-10 - Cmd Hijack - A Command_Argument Confustion with Path Traversal
2020-10-10 - A Deep Dive Into RUNDLL32EXE
2021-05-13 - Reshaping Shadow Volumes with IOCTLs
2021-08-03 - Reading, Writing, and Executing A File WITHOUT A File Path - yarhLoader
2021-10-10 - SeManageVolumePrivilege Abuse with FSCTL_SD_GLOBAL_CHANGE
2021-12-07 - Demonstrating USB Propagation
2021-12-07 - Programmatically Modifying Boot Configurations - BCDEdit
2021-12-07 - The hidden side of Seclogon part 2 - Abusing leaked handles to dump LSASS memory
2021-12-07 - Weaponizing Windows Virtualization
2022-01-15 - Programmatically Stopping Windows Defender
2022-02-09 - Hooks-On Hoot-Off Vitaminizing MiniDump
2022-02-17 - The magic behind wlrmdrexe
2022-02-25 - LogNT32 - Part 2 - Return-address hijacking implemented to improve efficiency
2022-03-26 - Digging into PssCaptureSnapshot for LSASS Dumping
2022-04-03 - FveApiDLL Abuse Demonstration
2022-04-30 - Programmatically Hiding Windows Snapshots
2022-05-31 - Crashing Windows by Abusing NtRaiseHardError
2022-06-28 - The hidden side of Seclogon part 3 - Racing for LSASS dumps
2022-08-19 - Bypassing AppLocker by abusing HashInfo
2022-08-29 - DLL Sideloading ShellChromeAPI
2022-10-07 - Short term snapshot deletion via ExecuteScheduledSPPCreation
2022-10-11 - Abusing the Windows Power Management API
2022-10-28 - Using Windows IUIAutomation for spyware and other malicious purposes
2022-11-02 - IIS Pool Credential Dumping via undocumented command line arguments
2022-12-07 - Programmatically Deleting Shadow Volumes - Xaoc
2023-02-03 - Windows Domain Controller NTDSUTIL activate instance abuse
2023-03-19 - Different ways to create a process
Other VXUG Links
Official vx-underground Twitter
Official vx-underground Threat Intelligence feed
Support vx-underground monthly
Contents
Analysis and InternalsData Theft
Evasion - Anti-debugging
Evasion - EDR and AV specific
Evasion - Other
Evasion - Process Creation and Shellcode Execution
Evasion - Systems Call and Memory Evasion
Infection
Initial Access Malcode
Kernel Mode
Network Communications
Persistence
Process Injection
System Components and Abuse
Sponsor
World's Best Penis Enhancement PillsSponsor
Execute your malware here
Sponsor
Phantom Overlay, the best COD cheat available!Want to sponsor vx-underground?
Your information could go here