/vx/Papers/Windows/System Components and Abuse/

0 directories 155 files
Name Size Modified
2004-06-06 - Execution redirection thru Image File Execution Options key.txt 9.4 KiB
2005-05-30 - Making WMI Queries In C.7z 293 KiB
2015-08-12 - Stealth Techniques - Hiding Files in the Registry.pdf 351 KiB
2015-08-20 - Manually Enumerating Process Modules.pdf 222 KiB
2017-08-12 - Finding handle leaks - user mode duplicate handle in C and CSharp.zip 47 KiB
2017-08-19 - The Art of Becoming TrustedInstaller.pdf 717 KiB
2018-10-25 - Playing with the Windows Notification Facility WNF.pdf 2.1 MiB
2019-04-07 - Loading and calling VB from CPlusPlus.zip 5.3 KiB
2019-07-21 - In-memory execution of VBScript, JavaScript or JScript.txt 7.2 KiB
2019-08-17 - Weaponizing Privileged File Writes with the USO Service.7z 1.1 MiB
2019-10-11 - An alternate way to execute a binary - NtQueryInformationProcess and the AeDebugProtected key.pdf 123 KiB
2019-12-02 - Evading WinDefender ATP credential-theft a hit after a hit-and-miss start.pdf 464 KiB
2020-01-23 - Starting WERSVR from a restricted users.7z 491 KiB
2020-02-10 - WDExtract - Extracting data from Windows Defender.zip 369 KiB
2020-02-23 - A stealthier approach to spoofing process command line.pdf 278 KiB
2020-04-30 - Fax Shell - Using Fax service for system.7z 13 KiB
2020-04-30 - Faxing Your Way to SYSTEM Part Two.pdf 1.5 MiB
2020-05-03 - Fax Service Bind shell abusing Ualapi.7z 13 KiB
2020-05-10 - The Fake Entry Point Trick.txt 4.2 KiB
2020-06-10 - Cmd Hijack - A Command_Argument Confustion with Path Traversal.pdf 2.2 MiB
2020-10-12 - In-Process Execute Assembly and MailSlots.pdf 372 KiB
2020-10-17 - DllBidEntryPoint Abuse.pdf 68 KiB
2020-12-02 - Weaponizing Windows Sandbox To Bypass Defender.pdf 96 KiB
2020-12-24 - The worst of the two worlds - Excel meets Outlook.pdf 242 KiB
2021-04-22 - Binary Data Hiding in VB6 Executables.pdf 418 KiB
2021-05-05 - Weird Ways to Run Unmanaged Code in NET.pdf 2.6 MiB
2021-05-13 - Reshaping Shadow Volumes with IOCTLs.txt 1.5 KiB
2021-06-19 - Backstab - Demonstrating how to kill EDR protected processes.zip 53 KiB
2021-06-20 - Demonstrating How to Dump Chrome Passwords.7z 1003 KiB
2021-07-23 - Modifying MS Office security warnings.PNG 45 KiB
2021-08-03 - Reading, Writing, and Executing A File WITHOUT A File Path - yarhLoader.c 39 KiB
2021-10-09 - Trololololobin and other lolololocoasters.pdf 79 KiB
2021-10-10 - SeManageVolumePrivilege Abuse with FSCTL_SD_GLOBAL_CHANGE.zip 2.2 KiB
2021-10-28 - Malicious ZIP Demonstration.zip 15 KiB
2021-12-07 - Demonstrating USB Propagation.7z 269 KiB
2021-12-07 - Identifying Antivirus Software by enumerating Minifilter String Names.7z 152 KiB
2021-12-07 - Programmatically Modifying Boot Configurations - BCDEdit.7z 6.7 KiB
2021-12-07 - Weaponizing Windows Virtualization.7z 219 KiB
2022-01-15 - Programmatically Stopping Windows Defender.7z 158 KiB
2022-01-15 - Stealing Process Tokens POC.7z 87 KiB
2022-01-16 - Oobe Setup ErrorHandle.cmd Hijack.pdf 70 KiB
2022-01-28 - The good the bad and the stomped function.7z 720 KiB
2022-01-30 - Retrieving the current EIP in C⁄C++.pdf 96 KiB
2022-01-31 - Abusing the MS Office protocol scheme.pdf 1.9 MiB
2022-02-04 - CallRemoteAPI - Call functions in remote processes.pdf 268 KiB
2022-02-04 - CreateSvcRpc - A custom RPC client to execute programs as the SYSTEM user.pdf 345 KiB
2022-02-04 - EmbedExeLnk - Embedding an EXE inside a LNK with automatic execution.pdf 241 KiB
2022-02-04 - JmpNoCall.pdf 1.2 MiB
2022-02-06 - HijackFileHandle - Hijack a file in a remote process without code injection.pdf 230 KiB
2022-02-08 - StackScraper - Capturing sensitive data using real-time stack scanning against a remote.pdf 338 KiB
2022-02-14 - Abusing Exceptions for Code Execution Part 1.pdf 210 KiB
2022-02-16 - wlrmdr.exe LOLBIN.7z 151 KiB
2022-03-30 - EventPipe - An IPC method to transfer binary data between processes using event objects.pdf 170 KiB
2022-04-02 - CreateSvcRpc - A custom RPC client to execute programs as the SYSTEM user.pdf 164 KiB
2022-04-02 - Unmanaged Code Execution with .NET Dynamic PInvoke.pdf 851 KiB
2022-04-03 - FveApiDLL Abuse Demonstration.7z 287 KiB
2022-04-03 - NtdllPipe - Using cmd.exe to retrieve a clean version of ntdll.dll.pdf 117 KiB
2022-04-18 - Token Manipulation in Rust Demonation.zip 4.8 KiB
2022-04-18 - UACMe.zip 380 KiB
2022-04-19 - Dumping passwords using KRShowKeyMgr.PNG 179 KiB
2022-04-19 - Resolving System Service Numbers using the Exception Directory.pdf 116 KiB
2022-04-30 - Programmatically Hiding Windows Snapshots.7z 255 KiB
2022-05-05 - A very simple and alternative PID finder.pdf 212 KiB
2022-05-09 - Spawning IE on Windows 11.PNG 97 KiB
2022-05-10 - Making NtCreateUserProcess Work.pdf 388 KiB
2022-05-27 - Nls Code Injection Through The Registry.zip 71 KiB
2022-05-31 - Crashing Windows by Abusing NtRaiseHardError.PNG 168 KiB
2022-06-22 - Extracting Whitelisted Paths from Windows Defender ASR Rules.pdf 927 KiB
2022-07-13 - Bluffy the AV Slayer.pdf 806 KiB
2022-07-29 - Running Exploit As Protected Process Light From Userland.pdf 240 KiB
2022-08-04 - API Resolving Obfuscation via Veh.zip 11 KiB
2022-08-05 - Backdooring Office Structures Part 1 The Oldschool.pdf 916 KiB
2022-08-08 - Backdooring Office Structures Part 2 Payload Crumbs In Custom Parts.pdf 551 KiB
2022-08-08 - Manual Implementation of BlockDLLs and ACG.cpp 4.2 KiB
2022-08-19 - Bypassing AppLocker by abusing HashInfo.pdf 968 KiB
2022-09-27 - Constrained Language Mode Bypass When __PSLockDownPolicy Is Used.pdf 929 KiB
2022-10-07 - Short term snapshot deletion via ExecuteScheduledSPPCreation.7z 218 KiB
2022-10-11 - Abusing the Windows Power Management API.7z 155 KiB
2022-10-13 - Random Number Generation using IOCTL.txt 2.0 KiB
2022-10-18 - Changing memory protection using APC.pdf 186 KiB
2022-10-31 - Heavens Gate in CSharp.7z 12 KiB
2022-12-07 - Programmatically Deleting Shadow Volumes - Xaoc.7z 10 KiB
2022-12-23 - Simple PE Loader.7z 63 KiB
2023-02-03 - Windows Domain Controller NTDSUTIL activate instance abuse.PNG 177 KiB
2023-02-07 - Demonstrating Unhooking NTDLL from Disk.7z 5.0 KiB
2023-02-07 - Demonstrating Unhooking NTDLL from KnownDlls.7z 9.0 KiB
2023-02-07 - Demonstrating Unhooking NTDLL from Remote Server.7z 6.7 KiB
2023-02-07 - Demonstrating Unhooking NTDLL from Suspended Process.7z 5.4 KiB
2023-03-19 - Different ways to create a process.html 80 KiB
2023-05-02 - Preventing application creation by IFEO keys.png 94 KiB
2023-05-17 - VBA resolving exports in runtime without NtQueryInformationProcess or GetProcAddress.pdf 996 KiB
2023-06-05 - Abusing undocumented features to spoof PE section headers.pdf 225 KiB
2023-06-09 - Finding and exploiting process killer drivers with LOL for 3000 dollars.pdf 850 KiB
2023-07-19 - Escalating Privileges via Third-Party Windows Installers.pdf 3.3 MiB
2023-07-21 - Dumping UEFI Variables.7z 138 KiB
2023-07-23 - Malware via VHD Files, an Excellent Choice.pdf 322 KiB
2023-07-26 - WSPCoerce - PoC to allow authentication from Windows hosts using MS-WSP.zip 59 KiB
2023-07-27 - Kerberos UAC Bypass - Abusing Kerberos Tickets for UAC Bypasses.zip 3.0 MiB
2023-08-17 - Abusing Windows Filtering Platform for Privilege Escalation.pdf 4.1 MiB
2023-08-23 - Demonstrating how IIS decrypts AppPool credentials.7z 4.1 KiB
2023-08-28 - Uac bypass via UIPI or Windows Task Manager.txt 7.5 KiB
2023-09-14 - Bypassing UAC with SSPI Datagram Contexts.pdf 1.3 MiB
2023-09-23 - Demonstrating Projected Filesystems.7z 73 KiB
2023-10-01 - RemoteRegistry service by abusing winreg named pipe.png 19 KiB
2023-10-03 - LPE with MSI Installers.pdf 6.0 MiB
2023-11-06 - Running PEs Inline Without a Console.pdf 765 KiB
2023-12-15 - Intercepting console commands with ConDrv.7z 57 KiB
2023-12-19 - SignToolEx - code signing with leaked certs and abusing MS detours.zip 458 KiB
2023-12-24 - Arbitrary Command Execution Via Windows Kit's StandaloneRunner.pdf 386 KiB
2023-12-29 - Usermode encryption but only LOCALSYSTEM can decrypt.7z 172 KiB
2023-12-31 - Compression using undocumented RDP APIs.7z 3.1 KiB
2024-01-23 - Windows Event Log service DoS.zip 1.6 MiB
2024-02-01 - Unmanaged .NET Patching.pdf 164 KiB
2024-02-02 - GetProcAddress usage via ordinal.7z 62 KiB
2024-02-08 - Bypassing ApplyOnce limitation in GPO with key removal.7z 227 KiB
2024-02-08 - Disabling System Event Logs with IDataCollectorSet.7z 79 KiB
2024-02-08 - Executing CSharp Assemblies from C code.pdf 431 KiB
2024-02-16 - InflativeLoading.7z 1.8 MiB
2024-02-24 - iExpress LOLBINS and Diamond seds.7z 273 KiB
2024-03-03 - Explorer.exe LOLBIN and persistence.pdf 56 KiB
2024-03-08- Manipulating Token Attribute structures.7z 186 KiB
2024-03-15 - Capping process CPU usage.7z 122 KiB
2024-03-18 - Abusing SeTrustedCredmanAccessPrivilege to dump user creds.zip 10 KiB
2024-05-30 - Abusing the SeRelabelPrivilege.pdf 1.7 MiB
2024-08-04 - Abusing the search-ms URI protocol handler.pdf 4.5 MiB
2024-08-08 - Abusing Windows Hello without a severed hand.7z 2.8 MiB
2024-08-13 - Abusing AVEDR Exclusions to Evade Detections.pdf 3.5 MiB
2024-08-15 - Offline SAM Editing.pdf 301 KiB
2024-08-19 - DRMBIN - Prevent binaries from running on other machines.zip 15 KiB
2024-08-31 - Finding open file handles in PS.7z 95 KiB
2024-09-03 - Rundll32 and Phantom DLL lolbins.7z 107 KiB
2024-09-04 - Rundll32 and Phantom DLL lolbins, 32-bit version.7z 64 KiB
2024-10-04 - Notes on xWizard.exe and xWizards.dll.png 88 KiB
2024-10-22 - Offensive Groovy programming.pdf 408 KiB
2024-10-22 - Reading BitLocker numerical passwords via API.zip 81 KiB
2024-10-24 - EmbedPayloadInPng.zip 49 KiB
2024-10-27 - ExecutePeFromPngViaLNK.zip 52 KiB
2024-10-30 - EV code signing with pfx in 2024.pdf 2.2 MiB
2024-11-09 - Using VBS enclaves for anti-cheat purposes.pdf 2.3 MiB
2024-12-13 - Disabling EDRs by File Rename Junctions.zip 6.0 KiB
2024-12-20 - Weaponizing WDAC Killing the Dreams of EDR.pdf 672 KiB
2025-01-23 - Operating Inside the Interpreted - Python Malware.pdf 2.1 MiB
2025-04-03 - CreateFileMapping to replace ReadFile.7z 93 KiB
2025-04-16 - Control Flow Hijacking via Data Pointers.pdf 1.0 MiB
2025-04-17 - Notes on RtlGetUnloadEventTraceEx.png 234 KiB
2025-07-26 - Ghosting the Sensor Disrupting Defender for Identity Without Detection.pdf 2.4 MiB
2025-08-07 - Delete Shadow Copies Using The IOCTL_VOLSNAP_DELETE_SNAPSHOT IOCTL.zip 7.4 KiB
2025-08-10 - Known issues with TaskList display names.7z 310 KiB
2025-08-12 - Out-of-Bound SYSTEMTIME in Windows Explorer.png 44 KiB
2025-08-13 - LowNtReadFile proxy function.txt 3.5 KiB
2025-08-26 - Alternatives to NtAllocateMemoryEx.txt 4.1 KiB
2025-08-31 - Fetch PEB Using Verifier DLL.txt 4.1 KiB
2025-09-07 - Break The Protective Shell Of Windows Defender With The Folder Redirect Technique.pdf 441 KiB
2025-09-18 - More Fun With WMI.pdf 250 KiB
Thumbs.db 114 KiB