>_dkom.dev

# internals

  • 2026.06.05 Writing an x64 Inline Hook by Hand (Without Reaching for MinHook)

    How x64 inline hooks actually work, when to use a 5-byte relative jump versus a 14-byte absolute trampoline, why displaced instructions break when you copy them naively, …

    windows, reversing, hooking, internals, malware
  • 2026.04.26 Process Injection Without the Obvious Thread: Early Bird APC and Beyond

    Why CreateRemoteThread+LoadLibraryA is immediately detectable, how Early Bird APC avoids the worst of the telemetry, and the injection techniques that push further into …

    windows, malware, injection, evasion, internals
  • 2026.02.15 [Hypervisor Part 2] Hijacking Hyper-V's VM-Exit Handler from Inside the Guest

    How EPTraitor detours Hyper-V’s VM-exit handler, the CPUID-based hypercall ABI including the bitfield bug that burned me, and how we resolve arbitrary process CR3 …

    windows, kernel, hypervisor, internals, evasion
  • 2026.01.10 [Hypervisor Part 1] What a Hypervisor Actually Does (And Why Your Ring-0 Code Should Care)

    A ground-up explanation of what hypervisors do at the CPU level, how Windows runs under Hyper-V by default, what a VM-exit is and when it happens, and why this matters …

    windows, kernel, hypervisor, internals
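The inline-hook post above contrasts a 5-byte relative jump with a 14-byte absolute one. The choice comes down to a single check: whether the hook function lies within a signed 32-bit displacement of the hooked prologue. The C below is an added example written for this index, not code from the post or from MinHook; the addresses it feeds `build_hook_jump` are constructed for illustration, and it only encodes the jump (it does not patch memory or relocate the displaced prologue bytes, which the post covers separately).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Encoded x64 jump to be written over a function prologue. */
typedef struct {
    uint8_t bytes[14];
    size_t  len;   /* 5 for jmp rel32, 14 for the absolute form */
} hook_jump_t;

/* A 5-byte E9 rel32 jump can reach `target` from the instruction at `from`
 * only if the displacement, measured from the END of the 5-byte instruction
 * (from + 5), fits in a signed 32-bit value, i.e. roughly +/- 2 GiB. */
int rel32_reachable(uint64_t from, uint64_t target)
{
    int64_t disp = (int64_t)target - (int64_t)(from + 5);
    return disp >= INT32_MIN && disp <= INT32_MAX;
}

/* jmp rel32: E9 <disp32>. Caller must have checked rel32_reachable(). */
hook_jump_t encode_jmp_rel32(uint64_t from, uint64_t target)
{
    hook_jump_t j = {0};
    int32_t disp = (int32_t)((int64_t)target - (int64_t)(from + 5));
    j.bytes[0] = 0xE9;
    memcpy(&j.bytes[1], &disp, sizeof disp);   /* x86 is little-endian */
    j.len = 5;
    return j;
}

/* Absolute form: FF 25 00 00 00 00 <imm64>, i.e. jmp qword ptr [rip+0]
 * with the 8-byte target stored immediately after the instruction.
 * Position-independent, reaches anywhere, but needs 14 bytes of prologue. */
hook_jump_t encode_jmp_abs64(uint64_t target)
{
    hook_jump_t j = {0};
    static const uint8_t opcode[6] = {0xFF, 0x25, 0x00, 0x00, 0x00, 0x00};
    memcpy(j.bytes, opcode, sizeof opcode);
    memcpy(&j.bytes[6], &target, sizeof target);
    j.len = 14;
    return j;
}

/* Prefer the short form when the hook is within rel32 range, so fewer
 * prologue instructions have to be displaced into the trampoline. */
hook_jump_t build_hook_jump(uint64_t from, uint64_t target)
{
    if (rel32_reachable(from, target))
        return encode_jmp_rel32(from, target);
    return encode_jmp_abs64(target);
}

static void dump(const char *label, hook_jump_t j)
{
    printf("%-24s (%zu bytes):", label, j.len);
    for (size_t i = 0; i < j.len; i++)
        printf(" %02X", j.bytes[i]);
    printf("\n");
}

int main(void)
{
    /* Constructed addresses: a hooked function and two candidate hooks. */
    uint64_t hooked   = 0x00007FF600011000ULL;
    uint64_t near_hook = 0x00007FF600020000ULL; /* same module, in range */
    uint64_t far_hook  = 0x00007FFA00000000ULL; /* ~16 GiB away, out of range */

    dump("near hook -> jmp rel32", build_hook_jump(hooked, near_hook));
    dump("far hook  -> jmp abs64", build_hook_jump(hooked, far_hook));
    return 0;
}
```

A real hook additionally has to disassemble the prologue so that whole instructions, not a bare 5 or 14 bytes, are copied to the trampoline; that is where relative instructions (RIP-relative loads, short branches) break when copied naively, as the post describes.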
© 2026 Emil Sorbroden / built with Hugo