PgC: Garbage collecting Patchguard away
I have released another article about Patchguard almost 5 years ago, ByePg, which was…
Speculating the entire x86-64 Instruction Set In Seconds with This One Weird Trick
As cheesy as the title sounds, I promise it cannot beat the cheesiness of…
Writing an optimizing IL compiler, for dummies, by a dummy: 0x1 Symbolic Expressions
Before I begin this series of blog posts, I would like to add a…
ByePg: Defeating Patchguard using Exception-hooking
Now I know what you are thinking, exception hooks? …in kernel-mode? Yes, it is…
Arbitrary Code Execution at Ring 0 using CVE-2018-8897
Just a few days ago, a new vulnerability allowing an unprivileged user to run #DB handler…
Making the Perfect Injector: Abusing Windows Address Sanitization and CoW
By the end of this post, I aim to make an injector unlike any other: one…
Escaping SMEP Hell: Exploiting Capcom Driver In a Safe Manner
Trapped in a SMEP disabled payload not being able to do anything reliably? You have come…
Splitting Data from Code, Forgotten x86 Feature: Segmentation
With the introduction of sTLB with Intel Nehalem, TLB splitting — once a reliable technique — became…