EDR Internals for macOS and Linux
Original text by Kyle Avery
The article analyzes how Endpoint Detection and Response (EDR) systems operate internally on macOS and Linux, focusing on the telemetry sources and monitoring mechanisms these agents rely on. The research notes that most public discussions about EDR internals focus on Windows, while macOS and Linux implementations remain less documented despite…
https://core-jmp.org/2026/03/edr-internals-for-macos-and-linux/
macOS cmd-obfuscation
*
More than 60 native macOS binaries ready for obfuscation have been added to ArgFuscator.
The video shows an EDR trying to prevent credential dumping.
WSL, COM Hooking, & RTTI
Original text by Jonathan Johnson
The article explores a technique for hooking COM methods inside Windows Subsystem for Linux (WSL) by leveraging C++ Runtime Type Information (RTTI). The research begins with the author’s attempt to instrument and log activity within WSL components that interact with Windows through COM interfaces. Instead of relying on traditional API-level…
https://core-jmp.org/2026/03/wsl-com-hooking-rtti/
Windows 0day (BSOD)
*
Won’t Fix: Kernel DoS in clfs.sys via NULL FastMutex Dereference
Original text by Baptiste Crépin
The article analyzes a Windows kernel vulnerability involving a NULL pointer dereference in the CLFS (Common Log File System) driver caused by misuse of a FAST_MUTEX structure. The research explains how Windows kernel synchronization primitives such as fast mutexes are used to enforce mutual exclusion in driver code. A fast…
https://core-jmp.org/2026/03/wont-fix-kernel-dos-in-clfs-sys-via-null-fastmutex-dereference/
0x00 – Introduction to Windows Kernel Exploitation
Original text by wetw0rk
The article serves as the introductory part of a tutorial series on Windows kernel exploitation and focuses on preparing researchers for practical vulnerability research in the Windows kernel. The author explains the fundamental concepts required before attempting kernel exploitation, including the differences between user-mode and kernel-mode execution, privilege levels, and why…
https://core-jmp.org/2026/03/0x00-introduction-to-windows-kernel-exploitation/
A Deep Dive into the GetProcessHandleFromHwnd API
Original text by James Forshaw
The article provides a deep technical analysis of the Windows API GetProcessHandleFromHwnd, examining its historical evolution and the security implications of its implementation. The API is intended to return a handle to the process that owns a specified window handle (HWND), simplifying interactions with GUI processes. The research begins by…
https://core-jmp.org/2026/03/a-deep-dive-into-the-getprocesshandlefromhwnd-api/
Vulnerabilities in Broadcom VMware Aria Operations: Privilege Escalation (CVE-2025-41245 / CVE-2026-22721)
Original text by Lorin Lehawany
The article analyzes two security vulnerabilities discovered in Broadcom VMware Aria Operations, focusing on how weaknesses in privilege handling and credential management can lead to privilege escalation within virtualized infrastructure environments. The research examines CVE-2025-41245 and CVE-2026-22721, demonstrating how attackers with limited privileges can escalate their access and gain control…
https://core-jmp.org/2026/03/vulnerabilities-in-broadcom-vmware-aria-operations-privilege-escalation-cve-2025-41245-cve-2026-22721/
NT AFD.SYS HTTP Downloader: From First Syscall to bypass the majority of usermode EDR hooks
Text and code by Eleven Red Pandas https://github.com/oxfemale · https://x.com/bytecodevm
The article explores a low-level networking technique on Windows that bypasses the traditional Winsock API layer by communicating directly with the kernel networking driver AFD (Ancillary Function Driver) through Native API calls such as NtCreateFile and NtDeviceIoControlFile. Instead of using standard functions from ws2_32.dll, the…
https://core-jmp.org/2026/03/nt-afd-sys-http-downloader-from-first-syscall-to-bypass-the-majority-of-usermode-edr-hooks/
ODR: Internals of Microsoft’s New Native MCP Registration
Original text by originhq
The article analyzes Microsoft’s new ODR mechanism related to MCP registration and explains how it integrates with the emerging Model Context Protocol (MCP) ecosystem. MCP is an open protocol designed to standardize how AI agents and applications interact with external tools, data sources, and services. Instead of building custom integrations for…
https://core-jmp.org/2026/03/odr-internals-of-microsofts-new-native-mcp-registration/
Well, first of all, it's beautiful!
*
snap-confine + systemd-tmpfiles = root (CVE-2026-3888)
*
The hole appears when two fools (snap-confine and systemd-tmpfiles) shake hands. But fine, there's more.
A compromised local user needs to wait 10 DAYS (on Ubuntu 24.04.x) and 30 DAYS (on Ubuntu 24.10.x) until systemd-tmpfiles deletes the required subdirectory in /tmp, and then also win a race at the moment the sandbox is rebuilt.
Invisible Execution: Hiding Malware with Unwind Metadata Manipulation
Original text by klezVirus
The article introduces BYOUD (Bring Your Own Unwind Data), a novel stack-evasion technique designed to bypass modern endpoint detection and response (EDR) systems that rely on call-stack inspection to identify malicious execution. Traditional stack-spoofing techniques modify return addresses or construct synthetic stack frames to disguise the origin of a call. However,…
https://core-jmp.org/2026/03/invisible-execution-hiding-malware-with-unwind-metadata-manipulation/
Booting into Trust: Reverse Engineering macOS Secure Boot Internals
Original text by int
The article provides a deep reverse-engineering oriented analysis of the macOS secure boot chain on Apple Silicon, explaining how Apple constructs a hardware-anchored security architecture that protects the system from the moment power is applied until userland starts. The security model begins with the Boot ROM (SecureROM) embedded directly into the SoC.…
https://core-jmp.org/2026/03/booting-into-trust-reverse-engineering-macos-secure-boot-internals/
TP-Link Tapo C200: Hardcoded Keys, Buffer Overflows and Privacy in the Era of AI Assisted Reverse Engineering
Original text by Simone Margaritelli
The article describes a security research project analyzing the firmware of the TP-Link Tapo C200 IP camera, demonstrating how modern AI-assisted reverse engineering can significantly accelerate vulnerability discovery in IoT devices. The author extracts and studies the camera firmware, using tools such as binwalk, Android app decompilation, and AI assistance to…
https://core-jmp.org/2026/03/tp-link-tapo-c200-hardcoded-keys-buffer-overflows-and-privacy-in-the-era-of-ai-assisted-reverse-engineering/
Exploiting a PHP Object Injection in Profile Builder Pro in the era of AI
Original text by Mattia (0xbro) Brollo
The article analyzes a vulnerability in the WordPress plugin Profile Builder Pro that allows unauthenticated PHP Object Injection, demonstrating how modern AI-assisted reverse engineering and code analysis can help identify and exploit complex vulnerabilities faster. The research explains how a vulnerable AJAX endpoint in the plugin processes user-controlled input…
https://core-jmp.org/2026/03/exploiting-a-php-object-injection-in-profile-builder-pro-in-the-era-of-ai/
When Local AI Becomes an Attack Vector: A Deep Dive into LLM Infrastructure Security
Original text by Charles Senges
The article “Deep dive into the deployment of an on-premise low-privileged LLM server” by Synacktiv examines how organizations deploy internal Large Language Model (LLM) servers and analyzes the security implications of running such systems inside corporate infrastructure. The researchers study a real deployment where an open-source LLM is hosted on-premise…
https://core-jmp.org/2026/03/when-local-ai-becomes-an-attack-vector-a-deep-dive-into-llm-infrastructure-security/
A 32-Year-Old Bug Walks Into A Telnet Server (GNU inetutils Telnetd CVE-2026-32746 Pre-Auth RCE)
Original text by watchTowr Labs
The article emphasizes the historical aspect of the bug: the vulnerable code path originates from legacy Telnet implementations and remained unnoticed for over three decades, illustrating how long-standing protocol features and old code can persist in modern software. The researchers walk through the debugging process, protocol analysis, and memory-corruption behavior, showing…
https://core-jmp.org/2026/03/a-32-year-old-bug-walks-into-a-telnet-server-gnu-inetutils-telnetd-cve-2026-32746-pre-auth-rce/