End Result

Privilege Escalation

Priv Esc

Protected Process Light



The end of June is approaching and I would like to pay my monthly blog tax.

As far as I remember, kernel land is seldomly touched by attackers (outside of kernel exploits) and I can see why. It is dangerous, undocumented, love to crash along with the steep learning curve to be able to utilize the kernel properly. However, I see it as the next frontier for both the blue and red team to gain an advantage over the other. …

This is not new, this is not novel, and definitely not my research — but I used it recently so here is my attempt at explaining some cool WOW64 concept. I also want to take a break from reading AMD/Intel manual to write this hypervisor. I also think the term “Heaven’s Gate” is quite appropriate and is the coolest thing ever, so here we have it.


I usually add some pictures here to show how I started my journey but because it was 2 months ago on a free slack (shoutout to GuidedHacking), I don’t have the log anymore. …

Skip the background if you want to keep your sanity, it is meme.


A few months ago, I teamed up with a stranger to develop the best private cheat for a certain game. The journey was tough and full of struggles but with enough determination, I thought I could do it all. That is until I received a fat ol’ ban yesterday.

As someone who just spent 7 months on this project, I was not about to abandon my amazing code base without a fight, so let’s the reversing commence.

But, where to start? Of course it is gathering information…


On a recent internal penetration engagement, I was faced against an EDR product that I will not name. This product greatly hindered my ability to access lsass’ memory and use our own custom flavor of Mimikatz to dump clear-text credentials.

For those who recommends ProcDump

The Wrong Path

So now, as an ex-malware author — I know that there are a few things you could do as a driver to accomplish this detection and block. The first thing that comes to my mind was Obregistercallback which is commonly used by many Antivirus products. Microsoft implemented this callback due to many antivirus products performing very sketchy winapi hooks that…

As a security researcher, it comes to my attention that the ability to modify and manipulate code execution is extremely crucial. Maybe you want to decrypt a browser’s HTTPS connection, or maybe you want to write a rootkit that will hide all your evil doing — all of which would benefit greatly from the technique we all know as Hooking.

What is hooking?

“The term hooking covers a range of techniques used to alter or augment the behavior of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components.” — Wikipedia


Three weeks back, I received an odd project from a pentesting team, and it was to create a malware that would be used on a phishing engagement. The environment was unknown and that applied for their Endpoint Protection product as well. This was the beginning for my new internal tool dubbed the “AlexeySpecial” named after a team member who recently left.

“AlexeySpecial” 1.0 in action

AlexeySpecial since improved by leaps and bounds, leading it up from just two output, an .exe and .dll, into .hta, .html smuggling, .xlms/vba macros and more. …

Hoang Bui

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store