Viking

109 posts

@Vikingfr

https://t.co/O3Tr3MbBAF

Joined May 2013
1.1K Following, 574 Followers
Viking retweeted
Alexandre Borges (@ale_sp_brazil)
Exploiting Reversing (ER) series: article 09 | Exploitation Techniques: CVE-2024-30085 (part 03)

Today I am releasing the ninth article in the Exploiting Reversing Series (ERS). In “Exploitation Techniques | CVE-2024-30085 (Part 09)” I provide a 106-page deep dive and a comprehensive roadmap for vulnerability exploitation: exploitreversing.com/2026/04/28/exp…

Key features of this edition:
[+] Dual Exploit Strategies: Two distinct exploit editions built on the cldflt.sys heap overflow.
[+] PreviousMode Edition: Exploit cldflt.sys via WNF OOB + Pipe Attributes + ALPC + _KTHREAD.PreviousMode flip: elevation of privilege of a regular user to SYSTEM.
[+] PPL Bypass Edition: Exploit cldflt.sys via WNF OOB + PreviousMode flip + _EPROCESS.Protection strip + MiniDumpWriteDump: elevation of regular user to SYSTEM.
[+] Solid Reliability: Two complete, stable exploits, including a multi-step cleanup phase that restores the corrupted pipe attribute Flink and _KTHREAD.PreviousMode before process exit, preventing crash on cleanup.

This article guides you through two additional techniques for exploiting the CVE-2024-30085 Heap Buffer Overflow. While demonstrated here, these methods can be adapted as exploitation techniques for many other kernel targets. I hope this serves as a definitive resource for your research. If you find it helpful, please feel free to share it or reach out with your feedback!

I would like to thank Ilfak Guilfanov (@ilfak) and Hex-Rays SA (@HexRaysSA) for their constant and uninterrupted support, which has been vital in helping me produce this series. The following articles will continue the miniseries about iOS and Chrome, which are my areas of research. Enjoy the reading and have an excellent day.

#exploit #exploitdevelopment #windows #exploitation #vulnerability #minifilterdriver #kernel #heapoverflow
Viking retweeted
Yarden Shafir (@yarden_shafir)
I checked and it's been 2 years since my last blog post??? So anyway, here's a quick blog post about KDP pool - the latest KDP feature that will replace the secure pool in future Windows versions: windows-internals.com/goodbye-secure…
Viking retweeted
TrendAI Zero Day Initiative
CVE-2026-33824: Remote Code Execution in Windows IKEv2 - the folks from TrendAI Research break down this wormable bug that was patched last week. They show the root cause & offer detection guidance. Read the details at zerodayinitiative.com/blog/2026/4/22…
Viking retweeted
Alexandre Borges (@ale_sp_brazil)
The Exploiting Reversing Series (ERS) currently features 945 pages of exploit development based on real-world targets:
[+] ERS 08: exploitreversing.com/2026/03/31/exp…
[+] ERS 07: exploitreversing.com/2026/03/04/exp…
[+] ERS 06: exploitreversing.com/2026/02/11/exp…
[+] ERS 05: exploitreversing.com/2025/03/12/exp…
[+] ERS 04: exploitreversing.com/2025/02/04/exp…
[+] ERS 03: exploitreversing.com/2025/01/22/exp…
[+] ERS 02: exploitreversing.com/2024/01/03/exp…
[+] ERS 01: exploitreversing.com/2023/04/11/exp…

In the coming weeks, I will publish new articles covering exploration in areas such as Windows, Chrome, iOS/macOS, and hypervisors. Have a great day and enjoy reading.

#exploit #exploitation #windows #chrome #macOS #iOS #hypervisors #vulnerabilityresearch
Viking retweeted
Aurélien Chalot (@Defte_)
In this blogpost I tried to sum up everything I know, walking you from the "I have an EDR, I'm secure" mindset to "let's build a resilient tiering model". Let me know what you think about it :)! sensepost.com/blog/2026/from…
Viking retweeted
Nextron Research ⚡️ (@nextronresearch)
RegPhantom: a signed Windows kernel rootkit that turns the registry into a covert execution channel. Gives an unprivileged usermode process the ability to reflectively load an arbitrary PE into kernel memory, invisible to PsLoadedModuleList and standard driver enumeration tools.

The implant includes several stealth techniques:
- Post-execution memory wipe
- XOR-encoded hook pointers in-memory obfuscation
- Valid code-signing certificates
- CFG obfuscation with opaque predicates
- 28+ samples tracked (June–August 2025), signed with certificates from two Chinese companies.

We're releasing:
- Full technical writeup
- Extensive deobfuscation scripts
- YARA detection rule

Full analysis: nextron-systems.com/2026/03/20/reg…

#MalwareAnalysis #Rootkit #ThreatIntel #DFIR #Windows #KernelDriver
Viking retweeted
BruCON (@brucon)
You don’t attend Corelan Stack to return home with a script 🗒️You attend to obtain a deeper understanding💪! Evidence-based training 🚀 Precise 🎯 Repeatable.🔁 ➡️ Check out Corelan Stack training at #BruCON0x12 Spring training (April 22-24, 2026) brucon.org/training-detai…
Viking retweeted
Mayfly (@M4yFly)
🔥🐉 New GOAD Lab: DRACARYS I’ve just released a new free lab environment on GOAD: DRACARYS. The challenge includes 3 VMs and the objective is simple: Start with no authentication and work your way up to Domain Admin. Have fun exploiting it! 🔥🐉 mayfly277.github.io/posts/Dracarys…
Viking retweeted
Alexandre Borges (@ale_sp_brazil)
I am excited to release the seventh article in the Exploiting Reversing Series (ERS). Titled “Exploitation Techniques | CVE-2024-30085 (part 01)” this 119-page technical guide offers a comprehensive roadmap for vulnerability exploitation: exploitreversing.com/2026/03/04/exp…

Key features of this edition:
[+] Dual Exploit Strategies: Two distinct exploit versions using Token Stealing and I/O Ring techniques.
[+] Exploit ALPC + PreviousMode Flip + Token Stealing: elevation of privilege of a regular user to SYSTEM.
[+] Exploit ALPC + Pipes + I/O Ring: elevation of privilege of a regular user to SYSTEM.
[+] Solid Reliability: Two complete working and stable exploits, including an improved cleanup stage.
[+] Optimized Exploit Logic: Significant refinements to the codebase and technical execution for better stability and predictability.

The article guides you through the two distinct techniques for exploiting the CVE-2024-30085 Heap Buffer Overflow vulnerability.

I would like to thank Ilfak Guilfanov (@ilfak on X) and Hex-Rays SA (@HexRaysSA on X) for their constant and uninterrupted support, which has helped me write these articles over time. I hope this serves as a definitive resource for your research. If you find it helpful, please feel free to share it or reach out with your feedback! Enjoy your reading and have an excellent day.
Viking retweeted
Alexandre Borges (@ale_sp_brazil)
I am pleased to announce the publication of the sixth article in the Exploiting Reversing Series (ERS). Titled "A Deep Dive Into Exploiting a Minifilter Driver (N-day)", this 251-page article provides a comprehensive look at a past vulnerability in a mini-filter driver: exploitreversing.com/2026/02/11/exp… It guides readers through the entire investigation process—beginning with binary diffing and moving through reverse engineering, deep analysis and proof-of-concept stages into full exploit development. I hope this serves as a valuable resource for your research. If you enjoy the content, please feel free to share it or reach out with feedback. Have an excellent day!
RussianPanda 🐼 🇺🇦 (@RussianPanda9xx)
NEW BLOG: The Great VM Escape 💕 We caught threat actors deploying a VMware ESXi exploit toolkit in the wild - potentially was a zero-day developed over a year before VMware's disclosure 👀 If anyone has thoughts on it let me know, but I needed almost a full case of beer to wrap my head around this one 🍺 Full technical breakdown 👇 huntress.com/blog/esxi-vm-e…
Viking (@Vikingfr)
@RussianPanda9xx 🔥 Probably one of the most interesting and comprehensive blog posts I've read on this subject. Thank you.
Viking retweeted
Orange Cyberdefense France (@OrangeCyberFR)
🎤 This Friday, 28 November, @Defte_, pentester at Orange Cyberdefense, will present his talk: “Channel Binding with MSSQL: A Deep Dive into TDS, NTLM & STARTTLS Madness” 📅 @GrehackConf: 28-29 November 2025 📍 Grenoble Programme 👉 ow.ly/C66N50XyKFk
Viking retweeted
Mayfly (@M4yFly)
🚀 Introducing MoxPack: A template builder for Proxmox using Packer. Generate Windows & Linux VM templates with cloud-init support and sysprep. Ideal for lab automation and infra-as-code. github.com/Orange-Cyberde…