@_winterknife_ profile picture
winterknife 🌻 @_winterknife_

low-level developer with a focus on 𝙸𝚗𝚝𝚎𝚕 𝚡𝟾𝟼 ISA devices running 𝚆𝚒𝚗𝚍𝚘𝚠𝚜 | R&D @BHinfoSecurity | infosec.exchange/@winterknif…

Joined June 2017
  • Tweets 1,002
  • Following 5,077
  • Followers 5,198
41 Photos and videos
Pinned Tweet
winterknife 🌻@_winterknife_
14 Nov 2025
Releasing SILVERPICK, a Windows shellcode development framework using C/C . github.com/winterknife/SILVE…

GitHub - winterknife/SILVERPICK: Windows User-Mode Shellcode Development Framework (WUMSDF)

Windows User-Mode Shellcode Development Framework (WUMSDF) - winterknife/SILVERPICK

github.com
3
53
239
17,682
winterknife 🌻 retweeted
Dataflow Forensics
@df_forensics
Jun 9
Apple open-sourced Darwin's #XZone allocator in libmalloc-792 late last year. #DFF Co-Founder & CTO Jonathan Levin (@Morpheus______) breaks it all down, expanded from his book Disarming Code: type isolation, the xzm_malloc() path, and walking the heap with memento(j). df-f.com/blog/darwin-libsyst… #DFFenders Blog

Darwin: libsystem_malloc .dylib and XZone

Darwin’s new allocator, XZone, is now part of libmalloc and in open source. In this post, we are providing an analysis of XZone that is an expanded version of an excerpt from Jonathan Levin’s book...

df-f.com
28
132
7,755
winterknife 🌻 retweeted
clayton@netadr_t
Jun 12
after a three year hiatus, I decided to finally start posting again‼️ in which I look at "ND3WY.sys", also known as SleepySheriff - a malicious NDIS driver used by Equation Group starting in the early 2000s. straitbizarre.com/blog/disse…

Dissecting nd3wy.sys, a/k/a SleepySheriff

Sketching out an incomplete fossil from the malware bones.

straitbizarre.com
1
28
79
7,136
winterknife 🌻 retweeted
Cobalt Strike@_CobaltStrike
Jun 10
Cobalt Strike 4.13 is live! Say "Hello World" to our Beacon Interpreter for native C scripting - plus an LLVM Beacon, smoother docking UX, sharper payload management and more. Read about all the new features in the release blog! cobaltstrike.com/blog/cobalt…
3
35
94
11,156
Updated my project to bypass write protection via PFN remapping, including a demo against KDP (one of the few techniques that still work against VBS features). Note that Intel VT-rp HLAT (vPro Enterprise chipsets only) will prevent this class of attack. github.com/winterknife/EVENS…
winterknife 🌻@_winterknife_
May 23
Updated my project to bypass write protection via PTE manipulation. HVCI / KDP will prevent this technique by marking the code / data page as read-only in the SLAT entry. Do note that the Dirty bit is clear in the PxE despite the page being written to. github.com/winterknife/EVENS…
2
16
99
6,225
Even without HLAT, HyperGuard runs checks at random intervals and will detect the swap, unless it is restored afterward.
2
694
winterknife 🌻 retweeted
guyru@guyru_
Jun 4
We're mostly an IDA shop at @CellebriteLabs, but I decided to play around with Ghidra. My main motivation was to experiment with agentic reverse engineering techniques. The result is an agent skill for Ghidra, which we are releasing publicly: github.com/cellebrite-labs/g… >>

GitHub - cellebrite-labs/ghidra-rpc: A Ghidra agentic reverse engineering skill.

A Ghidra agentic reverse engineering skill. Contribute to cellebrite-labs/ghidra-rpc development by creating an account on GitHub.

github.com
7
103
422
59,185
winterknife 🌻 retweeted
Michael Weber@BouncyHat
Jun 4
We think of WASM as a mechanism to run compiled code in your browser, but what if we shimmed in all the host APIs necessary to run full implants with ALL logic entirely in the WASM VM? This post walks through what that looks like. praetorian.com/blog/wasmforg… #wasm #malware #sliver

Enter the WasmForge: Compiling Sliver into WebAssembly

Expose how compiling Sliver into WebAssembly beats EDR: WasmForge produces opsec-safe binaries with zero changes to the tool source.

praetorian.com
3
24
72
8,734
winterknife 🌻 retweeted
Yarden Shafir@yarden_shafir
Jun 3
This gets even dumber. Microsoft built a VBS enclave into msedge! It protects data even from kernel drivers! That would've been the perfect place to store passwords! And they are using it to store... a bit of static configuration data.
Tom Jøran Sønstebyseter Rønning@L1v1ng0ffTh3L4N
May 4
Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them.
0:13
9
32
413
40,667
winterknife 🌻 retweeted
Connor McGarr@33y0re
Jun 3
It seems like in the latest preview build(s) ETW functionality has been encapsulated in it's own DLL (ETW.dll) -e.g., ControlTrace/etc. are now exported by this DLL instead of sechost/ADVAPI32/etc. Seems to just be code re-org (for now) - but maybe the future will reveal more!
1
25
147
7,745
winterknife 🌻 retweeted
Zero Day Engineering
@zerodayalpha
Jun 2
New Zero Day Engineering research: Chrome Exploit Mitigations, by @alisaesage zerodayengineering.com/resea…
33
114
19,811
winterknife 🌻 retweeted
Exodus Intelligence
@XI_Research
Jun 2
We’re opening the Exodus research vault. Over the coming weeks, we’ll publish technical writeups highlighting vulnerability research, exploit development, and deep reverse engineering from our team. First up: Michele Campa’s Adobe Acrobat Reader Escript.api use-after-free RCE. blog.exodusintel.com/2026/06… #VulnerabilityResearch #ExploitDevelopment #ReverseEngineering #OffensiveSecurity #CyberSecurity

Adobe Acrobat Reader Escript.api Use-After-Free Remote Code Execution - Exodus Intelligence

By Michele Campa Overview In this blog post we take a look at a use-after-free vulnerability found in Adobe Acrobat Reader’s Escript.api module in February 2025. This issue was patched on April 2026...

blog.exodusintel.com
74
315
18,942
winterknife 🌻 retweeted
Or Yair@oryair1999
Jun 2
Fresh @safebreach Labs research! 🔥 CVE-2025-59199 breaks down a highly creative low-integrity Windows LPE path. Learn how Notifications, COM objects, URIs, DevTools, and Windows Apps chain together in a single exploit. Great work team! 👇 safebreach.com/blog/click-or…

Discovery & Analysis of CVE-2025-59199 | SafeBreach

Learn more about the discovery of CVE-2025-59199, a vulnerability in Windows that allowed arbitrary write and code execution from a low-integrity application.

safebreach.com
1
17
43
3,455
winterknife 🌻 retweeted
Michael Weber@BouncyHat
May 29
I'm tired of my tools getting sig'd so I built a pipeline to keep our tools alive for longer and bring some classics back. Post 1 of 3 is live now. The final post will drop our Go/C# -> WASM toolchain. It builds #Sliver, #Chisel, and some of #GhostPack. praetorian.com/blog/llm-edr-…

Adversarial Oracles: LLM-Guided EDR Signature Reduction

Stripping your binary makes EDR detection worse, not better. See how an LLM and VirusTotal automate antivirus evasion by blending in instead.

praetorian.com
1
19
67
9,798
winterknife 🌻 retweeted
dennisbabkin@dennisbabkin
Jun 1
Reverse Engineering - Resolving Confusion Over PsGetCurrentProcess, PsGetCurrentProcessId and PsGetProcessId - Using WinDbg to understand dependency between KPCR, KPRCB, K/ETHREAD, K/EPROCESS and KAPC_STATE structures. dennisbabkin.com/blog/?i=AAA…

Reverse Engineering - Resolving Confusion Over PsGetCurrentProcess, PsGetCurrentProcessId and...

Reverse Engineering - Resolving Confusion Over PsGetCurrentProcess, PsGetCurrentProcessId and PsGetProcessId - Using WinDbg to understand dependency between KPCR, KPRCB, K/ETHREAD, K/EPROCESS and...

dennisbabkin.com
18
59
6,910
winterknife 🌻 retweeted
Calif
@calif_io
Jun 1
RedSun: Exploiting Windows Defender's Remediation Workflow for Local Privilege Escalation Just showing some appreciation for @ChaoticEclipse0's excellent work. Hopefully this won't get us banned! open.substack.com/pub/calif/…

RedSun: Exploiting Windows Defender's Remediation Workflow for Local Privilege Escalation

Just showing some appreciation for Nightmare-Eclipse's excellent work. Hopefully this won't get us banned!

blog.calif.io
1
46
164
17,444
winterknife 🌻 retweeted
eversinc33 🤍🔪⋆。˚ ⋆@eversinc33
May 31
Spent the last 2 weeks working on a devirtualizer for VMProtect 3.5 and learning Remill. Idk yet if I will blog about it, but I at least wanted to publish the code: github.com/eversinc33/MogVMP The approach is different from my last blog, as it lifts the whole x86 code of the VM

GitHub - eversinc33/MogVMP: Static devirtualizer for VMProtect 3.0-3.5. Lifts virtualized code to...

Static devirtualizer for VMProtect 3.0-3.5. Lifts virtualized code to LLVM using Remill and strips the VM layer through optimization. - eversinc33/MogVMP

github.com
17
92
406
17,877
winterknife 🌻 retweeted
scriptjunkie (Matt)
@scriptjunkie1
May 24
Gargoyle a decade later lospino.so/blog/gargoyle-a-d…

Gargoyle, a decade later | Josh Lospinoso

A reflective retrospective on Gargoyle, temporal memory state, the 2026 refresh, and what better validation teaches defenders.

lospino.so
1
11
42
6,138
Updated my project to bypass write protection via PTE manipulation. HVCI / KDP will prevent this technique by marking the code / data page as read-only in the SLAT entry. Do note that the Dirty bit is clear in the PxE despite the page being written to. github.com/winterknife/EVENS…
winterknife 🌻@_winterknife_
May 17
Made a small project to bypass write protection and write to read-only pages in kernel space. Nothing novel here, but the code is well commented for your reading pleasure. I hope you will find it useful in your no doubt questionable endeavors :) github.com/winterknife/EVENS…
2
17
127
17,111
winterknife 🌻 retweeted
secret club@the_secret_club
May 22
Striga: Lifting x86 to LLVM IR with Python by @mrexodia secret.club/2026/05/21/strig…

Striga: Lifting x86 to LLVM IR with Python

Background While discussing with eversinc33 about lifting BinaryShield to LLVM IR I decided it would be useful to write a basic lifter in Python that can lift x86_64 instructions to LLVM IR. He has...

secret.club
13
83
6,290
winterknife 🌻 retweeted
Paolo Stagno (VoidSec)@Void_Sec
May 21
I originally prepared this bug for Pwn2Own Berlin. A few days before the contest, a CVE got assigned. So, here is my technical analysis and exploitation strategy for CVE-2026-40369: a 12-byte kernel increment, exploitable both as an LPE and SBX. voidsec.com/cve-2026-40369-b…

CVE-2026-40369: Twelve Bytes to Escape the Browser Sandbox - VoidSec

Technical analysis of CVE-2026-40369, a 12-byte Windows kernel write reachable from browser sandboxes via NtQuerySystemInformation, leading to SYSTEM.

voidsec.com
1
61
207
15,993
Load more