Cyber Security Consultant | Security Researcher
Joined December 2019
- Tweets 274
- Following 510
- Followers 1,998
- Likes 1,197
27 Photos and videos
Pinned Tweet
8 Jan 2025
And since it's an arbitrary file deletion, we can easily use it to exploit the MSI installer rollback to achieve privilege escalation :)
github.com/ZeroMemoryEx/IObi…
7 Jan 2025
Shoutout to the homies at "IObit Malware Fighter".
Their IMFForceDelete driver is so wildly vulnerable, and poorly written, you can have their driver arbitrarily delete any file on the machine with 0 privileges and literally 1 line of code
Thanks @_mmpte_software for sharing
6
78
329
32,987
Jan 21
I published a blog post explaining the features of Chaos-Rootkit and how each one works internally.
hackandhide.com/chaos-rootki…
11
43
2,597
Jan 12
I’ve released a PoC and a technical write-up for a local privilege escalation vulnerability I discovered last year and reported to Lenovo PSIRT, affecting many gaming laptop brands, including Lenovo, MSI, Thunderobot, and others.
github.com/ZeroMemoryEx/CVE-…
3
35
125
8,898
25 Mar 2025
Published a blog on my previous exploit.
I've also discovered a privilege escalation vulnerability affecting MSI, Lenovo, ASUS, Alienware, Huawei laptops, and more. The vulnerability has been confirmed, stay tuned for the write-up once it's patched!
hackandhide.com/from-dos-to-…
2
33
148
9,313
11 Oct 2024
It’s been a while since I posted any updates here, so here’s a recap. I’ve fixed errors and memory leaks, improved error handling, added file restriction and integrity bypass features, and implemented a driver swap for disk and memory for more detail,check
github.com/ZeroMemoryEx/Chao…
4
26
134
10,769
5 Jun 2023
Reproducing Spyboy technique to terminate all EDR/XDR/AVs processes
github.com/ZeroMemoryEx/Term…
4
154
474
53,769
26 May 2023
Tired by EDRs and AVs continuously flagging your executables? This program terminates protected anti-malware processes by exploiting the GMER driver
github.com/ZeroMemoryEx/Blac…
7
166
514
150,218
In this week’s red team tip. I will show how to use @ZeroMemoryEx AMSI Killer to patch AMSI and allow Invoke-Mimikatz to run. This attack does get detected by Windows Defender, but it’s too late as memory is already patched. #hacking #redteam
youtu.be/QFp3ybRKr7Q
1
6
1,897
Anas retweeted
27 Feb 2023
Lazarus-Tactic: program based on APT38 North Korea-backed hackers tactic that used in targeting security researchers using a malicious Visual Studio project file (vcxproj) to steal their 0days.
github.com/ZeroMemoryEx/APT3…
28
66
7,806
26 Feb 2023
New AMSI lifetime bypass, it works by searching for the first byte of each instruction to prevent updates from affecting it, Check it out.
#amsi #redteam #cybersecurity
github.com/ZeroMemoryEx/Amsi…
6
180
491
59,155
Anas retweeted
8 Dec 2022
Just published new blog post tinyurl.com/4ua23wzv! How can you hook systemcalls in kernel on Windows 11 22H2, how does Avast Free Antivirus use it and how you can bypass Avast’s self-defense in 10 lines of PowerShell code right now? All answers are provided in the article
3
114
266
22 Sep 2022
it can be very annoying for analysts to wait for the malware to do its true malicious behavior,That's why i made this program that patch the Sleep function and speed up the execution ,check it out.
github.com/ZeroMemoryEx/Slee…
#malwareanalysis #cybersecurity #malwaredetection #redteam
2
27
72
Anas retweeted
17 Sep 2022
The world of Ransomware is full of surprises: LockBit allegedly paid out their first “bug bounty” to someone who highlighted decryption flaws in the LB3 ESXi variant. The flaw made it possible to bypass having to pay the ransom for a key
15
187
605
Presenting D-Generate , syscall tracing as its supposed to be!
raw.githubusercontent.com/jo…
usage:
dg cmd.exe - displays all syscalls done by process with cmd.exe as imagefile.
dg 4736 - by pid 4736
dg - just everything
example of recording:
raw.githubusercontent.com/jo…
17
237
791
Anas retweeted
9 May 2022
Arbitrary read/write -> arbitrary kernel-mode API calls with HVCI and Kernel CFG enabled :) - in this case a POC to invoke ZwOpenProcess on the System process in VTL 0. I will blog on this soon!
6
75
326
Anas retweeted
25 Apr 2022
👀 "This is essentially a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)." github.com/Dec0ne/KrbRelayUp
8
107
315
Anas retweeted
19 Apr 2022
Unable to extract credentials via DPAPI or Mimikatz? Don't worry. Microsoft got your back. Just use 'rundll32 keymgr.dll, KRShowKeyMgr' to extract all the stored passwords on the host, be it a target server, FTP or chrome's HTTP creds, microsoft has you covered. #redteam
48
802
2,663