Bobby Cooke

@0xBoku

Followers
10K
Following
11K
Statuses
3K

Adversary Services @ IBM X-Force Red

Joined March 2020
@0xBoku
Bobby Cooke
3 days
🔪Open-sourcing 💀StringReaper BOF! I've had great success in engagements carving credentials out of remote process memory with this BOF
7
87
285
@0xBoku
Bobby Cooke
18 minutes
RT @FuzzySec: I wrote a post about Reinforcement Learning (RL) using TensorFlow (in NodeJS). I go through building a little terminal game and…
0
6
0
@0xBoku
Bobby Cooke
3 hours
@_JohnHammond Congrats John!
0
0
1
@0xBoku
Bobby Cooke
13 hours
RT @_EthicalChaos_: Mine and @_dirkjan's @defcon talk, Abusing Windows Hello Without a Severed Hand went live yesterday. We discuss both p…
0
90
0
@0xBoku
Bobby Cooke
1 day
RT @Teach2Breach: Implemented the 1st variant of pool party remote process injection in rust today, again using Cursor AI. Recorded a video…
0
7
0
@0xBoku
Bobby Cooke
1 day
RT @_logangoins: Introducing Stifle! A super simple .NET tool I spun up these past few days for abusing explicit strong certificate mapping…
0
78
0
@0xBoku
Bobby Cooke
1 day
@0xsthlb @eversinc33 Yeah it’d be good to dodge those ones with call stack spoofing /indirect syscalls. Good point
0
0
0
@0xBoku
Bobby Cooke
1 day
@eversinc33 Perfect cause that is the part I don’t know how to do 😅
1
0
1
@0xBoku
Bobby Cooke
1 day
@eversinc33 Awesome, thanks for sharing @eversinc33 !! Gonna check it out
0
0
2
@0xBoku
Bobby Cooke
1 day
RT @eversinc33: @0xBoku Here you go:
0
7
0
@0xBoku
Bobby Cooke
1 day
@ShitSecure @eversinc33 @0xsthlb @modexpblog I’m not sure which ones are actively detected for indirect syscalls to backed memory. Usually the detections I’ve seen are for return addresses to unbacked memory. But there’d be telemetry if they are capable of getting call stacks from kernel side
1
0
2
@0xBoku
Bobby Cooke
1 day
RT @eversinc33: Yesterday I finally finished part II of my anti rootkit evasion series, where I showcase some detections for driver "stompi…
0
112
0
@0xBoku
Bobby Cooke
1 day
@eversinc33 @0xsthlb Doing an https web request like that would be willlddd! I think I’ve seen something like that in one of @x86matthew projects, saw it, was impressed and thought there’s no way I could do that 😂
1
0
3
@0xBoku
Bobby Cooke
1 day
@0xsthlb @eversinc33 I think what you’d do is allocate some memory, write the file (web response) to it, parse ntdll in memory to carve out what you want like the syscall stub, then find that same spot in ntdll memory, change mem permissions, overwrite, change mem permissions back.
2
0
1
@0xBoku
Bobby Cooke
1 day
3/ For a modern unhooking tool, I agree with @eversinc33. I'd call the initial WinAPIs directly; doing a web request with normal web APIs is not going to get detected. If executing from unbacked memory I'd do call stack spoofing. If from backed memory, like a DLL, I'd just call them directly.
0
0
7
@0xBoku
Bobby Cooke
1 day
RT @eversinc33: .@0xBoku's recent unhooking BOF reminded me of this fun trick on how to unhook any Windows DLL without opening a handle to an on…
0
33
0
@0xBoku
Bobby Cooke
2 days
@_rybaz I feel that, I'm the same. I got strong dwarf legs and orangutan arms, makes upper body a challenge, you will get 200+ for sure, persistence is key
0
0
1