evasion
- Process Injection Without the Obvious Thread: Early Bird APC and Beyond
  Why CreateRemoteThread+LoadLibraryA is immediately detectable, how Early Bird APC avoids the worst of the telemetry, and the injection techniques that push further into …
- [Hypervisor Part 3] Making Your Kernel Hook Invisible with EPT Shadow Pages
  EPT shadow page hooks split a physical page into two views — one seen by reads (original bytes), one executed (hooked bytes). Integrity scanners see clean code. The CPU …
- [Hypervisor Part 2] Hijacking Hyper-V's VM-Exit Handler from Inside the Guest
  How EPTraitor detours Hyper-V’s VM-exit handler, the CPUID-based hypercall ABI including the bitfield bug that burned me, and how we resolve arbitrary process CR3 …