About Me

I’m a red teamer/penetration tester by craft. I got my start in AD penetration testing, did a brief stint as a red teamer, and now I do all manner of consulting work.

This is where I post the random stuff that I research. None of it is particularly good but hopefully some of it is useful. I mainly focus on Windows/Active Directory.


Hiding your syscalls
This post looks at bypassing the direct syscall detections that I wrote in a previous post.

Dynamic payload compilation with mingw
This post looks at creating a basic server, implant, and shellcode stager that we will compile on Linux using mingw to target Windows.

Detecting direct syscalls with Frida
This post looks at detecting direct syscalls with Frida by using Frida’s code tracing engine to find syscalls from outside NTDLL.

Checking NTDLL hook integrity with Frida
This post looks at installing a hook into NTDLL with Frida, bypassing that hook, detecting the unhooking in Frida by checking the hook integrity, and finally bypassing that detection.

Blocking remote memory forensics through API hooking
This post walks through how kernel driver loads, often used by forensics tools for memory captures, can be blocked by userland processes and kernel drivers.

Muting Prefetch
This post discusses using API hooking to prevent the Windows Prefetch service from writing files to disk that forensic investigators could later use.