Ghost in the PPL – LSASS Memory Dump
Original text by Clément Labro
The article explores techniques for extracting memory from the LSASS (Local Security Authority Subsystem Service) process when it runs as a Protected Process Light (PPL). Modern versions of Windows use PPL to protect sensitive processes such as LSASS from tampering or credential dumping by user-mode tools.
The research initially aimed…
https://core-jmp.org/2026/03/ghost-in-the-ppl-lsass-memory-dump/
Decrypting and Abusing Predefined BIOCs in Palo Alto Cortex XDR
Original text by Manuel
Summary
The Windows Cortex XDR agent uses CLIPS rules for behavioral detections. These rules are shipped encrypted in content updates. We decrypted these rules and discovered numerous hardcoded exceptions including global whitelists that can be abused to bypass those rules. For example, if a process’s command-line arguments contain :\Windows\ccmcache, it is…
https://core-jmp.org/2026/03/decrypting-and-abusing-predefined-biocs-in-palo-alto-cortex-xdr/
Reverse Engineering the Tapo C260 and Tapo Discovery Protocol v2
Original text by Spaceraccoon
The article describes the reverse-engineering process of the TP-Link Tapo C260 smart camera and the analysis of its proprietary Tapo Discovery Protocol v2 (TDPv2). The research was conducted during the SPIRITCYBER IoT hardware hacking contest and focused on understanding the device firmware and network attack surface. The author begins with a…
https://core-jmp.org/2026/03/reverse-engineering-the-tapo-c260-and-tapo-discovery-protocol-v2/
LOLExfil: Stealthy Data Exfiltration Using Living-Off-the-Land Techniques
LOLExfil is a concept and toolset for performing data exfiltration using “Living-Off-the-Land” (LOL) techniques that rely on legitimate system utilities, trusted services, and built-in operating-system functionality rather than custom malware. The research explores how attackers can abuse standard tools already present in enterprise environments, such as scripting engines, networking utilities, cloud APIs, and legitimate web services, to covertly…
https://core-jmp.org/2026/03/lolexfil-stealthy-data-exfiltration-using-living-off-the-land-techniques/
Peeling Back the Socket Layer: Reverse Engineering Windows AFD.sys
Original text by Mateusz Lewczak
Part 1: Investigating Undocumented Interfaces
The four-part research series explores the reverse engineering of the Windows AFD.sys (Ancillary Function Driver) to understand how networking operations work beneath the Winsock API. AFD.sys is a kernel driver that acts as a bridge between user-mode socket APIs and the lower networking stack, translating…
https://core-jmp.org/2026/03/peeling-back-the-socket-layer-reverse-engineering-windows-afd-sys/
EDR Internals for macOS and Linux
Original text by Kyle Avery
The article analyzes how Endpoint Detection and Response (EDR) systems operate internally on macOS and Linux, focusing on the telemetry sources and monitoring mechanisms these agents rely on. The research notes that most public discussions about EDR internals focus on Windows, while macOS and Linux implementations remain less documented despite…
https://core-jmp.org/2026/03/edr-internals-for-macos-and-linux/
macOS cmd-obfuscation
More than 60 native macOS binaries ready for obfuscation have been added to ArgFuscator.
In the video: an EDR attempting to prevent a credential dump.
WSL, COM Hooking, & RTTI
Original text by Jonathan Johnson
The article explores a technique for hooking COM methods inside Windows Subsystem for Linux (WSL) by leveraging C++ Runtime Type Information (RTTI). The research begins with the author’s attempt to instrument and log activity within WSL components that interact with Windows through COM interfaces. Instead of relying on traditional API-level…
https://core-jmp.org/2026/03/wsl-com-hooking-rtti/
Original text by Jonathan Johnson
The article explores a technique for hooking COM methods inside Windows Subsystem for Linux (WSL) by leveraging C++ Runtime Type Information (RTTI). The research begins with the author’s attempt to instrument and log activity within WSL components that interact with Windows through COM interfaces. Instead of relying on traditional API-level…
https://core-jmp.org/2026/03/wsl-com-hooking-rtti/
🔥7
Windows 0day (BSOD)
Won’t Fix: Kernel DoS in clfs.sys via NULL FastMutex Dereference
Original text by Baptiste Crépin
The article analyzes a Windows kernel vulnerability involving a NULL pointer dereference in the CLFS (Common Log File System) driver caused by misuse of a FAST_MUTEX structure. The research explains how Windows kernel synchronization primitives such as fast mutexes are used to enforce mutual exclusion in driver code. A fast…
https://core-jmp.org/2026/03/wont-fix-kernel-dos-in-clfs-sys-via-null-fastmutex-dereference/
0x00 – Introduction to Windows Kernel Exploitation
Original text by wetw0rk
The article serves as the introductory part of a tutorial series on Windows kernel exploitation and focuses on preparing researchers for practical vulnerability research in the Windows kernel. The author explains the fundamental concepts required before attempting kernel exploitation, including the differences between user-mode and kernel-mode execution, privilege levels, and why…
https://core-jmp.org/2026/03/0x00-introduction-to-windows-kernel-exploitation/
A Deep Dive into the GetProcessHandleFromHwnd API
Original text by James Forshaw
The article provides a deep technical analysis of the Windows API GetProcessHandleFromHwnd, examining its historical evolution and the security implications of its implementation. The API is intended to return a handle to the process that owns a specified window handle (HWND), simplifying interactions with GUI processes. The research begins by…
https://core-jmp.org/2026/03/a-deep-dive-into-the-getprocesshandlefromhwnd-api/
Vulnerabilities in Broadcom VMware Aria Operations: Privilege Escalation (CVE-2025-41245 / CVE-2026-22721)
Original text by Lorin Lehawany
The article analyzes two security vulnerabilities discovered in Broadcom VMware Aria Operations, focusing on how weaknesses in privilege handling and credential management can lead to privilege escalation within virtualized infrastructure environments. The research examines CVE-2025-41245 and CVE-2026-22721, demonstrating how attackers with limited privileges can escalate their access and gain control…
https://core-jmp.org/2026/03/vulnerabilities-in-broadcom-vmware-aria-operations-privilege-escalation-cve-2025-41245-cve-2026-22721/
NT AFD.SYS HTTP Downloader: From First Syscall to bypass the majority of usermode EDR hooks
Text and code by Eleven Red Pandas https://github.com/oxfemale · https://x.com/bytecodevm
The article explores a low-level networking technique on Windows that bypasses the traditional Winsock API layer by communicating directly with the kernel networking driver AFD (Ancillary Function Driver) through Native API calls such as NtCreateFile and NtDeviceIoControlFile. Instead of using standard functions from ws2_32.dll, the…
https://core-jmp.org/2026/03/nt-afd-sys-http-downloader-from-first-syscall-to-bypass-the-majority-of-usermode-edr-hooks/
ODR: Internals of Microsoft’s New Native MCP Registration
Original text by originhq
The article analyzes Microsoft’s new ODR mechanism related to MCP registration and explains how it integrates with the emerging Model Context Protocol (MCP) ecosystem. MCP is an open protocol designed to standardize how AI agents and applications interact with external tools, data sources, and services. Instead of building custom integrations for…
https://core-jmp.org/2026/03/odr-internals-of-microsofts-new-native-mcp-registration/
Well, first of all, it's beautiful!
snap-confine + systemd-tmpfiles = root (CVE-2026-3888)
The hole appears when two fools (snap-confine and systemd-tmpfiles) shake hands. But that's fine; it gets better.
As a compromised local user, you have to wait 10 DAYS (on Ubuntu 24.04.x) or 30 DAYS (on Ubuntu 24.10.x) until systemd-tmpfiles deletes the required subdirectory in /tmp, and then also win a race at the moment the sandbox is rebuilt.