A university student passionate about reverse engineering, Windows internals, (de)obfuscation, anti-cheats, malware, exploit development, detection engineering

Joined May 2026
Pinned Tweet
Probably the best free Windows usermode exploit development training in the world. 41 tutorials. 17 years. Stack overflows. SEH exploits. Shellcoding. Egg hunting. ROP chains. Heap spraying. Unicode exploits. Bypassing DEP, ASLR, SafeSEH, SEHOP, stack cookies. Integer overflows. Memory corruption root cause analysis. Win32 and WoW64. Metasploit integration. WinDbg automation. mona.py v1 through v3. Updated in 2026 for Windows 10 and 11 x64 with video walkthroughs and AI-assisted crash triage. Free. No paywall. No login. corelan.be/index.php/categor… Author: @corelanc0d3r #ExploitDevelopment #ReverseEngineering #InfoSec
cr3ghost retweeted
One of the best FREE Windows exploit development and security research blogs out there. Kernel pool exploitation. PTE overwrites. HVCI and kernel CFG bypass. XFG internals. Browser type confusion. Kernel shadow stacks. Secure kernel internals. ARM64 Pointer Authentication bypass. ETW and PPL research. Covers everything from ROP fundamentals all the way to cutting edge ARM64 and VBS security research. Still actively publishing in 2026. connormcgarr.github.io/ Author: @33y0re #ExploitDevelopment #WindowsInternals #ReverseEngineering
FuzzySecurity covers usermode exploitation, kernel exploitation, privilege escalation, persistence, credential theft, lateral movement, UAC bypass, heap internals, ROP chains, shellcoding, RFID hacking, and malware analysis. All free. One of the few resources that takes you from basic buffer overflows all the way to kernel pool overflow and GDI bitmap abuse in a single series. fuzzysecurity.com/tutorials.… Author: @FuzzySec #ExploitDevelopment #ReverseEngineering #InfoSec
Your EDR is running. Detecting everything. Alerting on nothing. EDRSilencer blocks all EDR outbound traffic using Windows Filtering Platform. The agent keeps running. Detections keep firing. Nothing reaches the cloud. No alerts. No telemetry. Blind. Works against Defender, SentinelOne, CrowdStrike, Cortex XDR, Carbon Black, Elastic, Trellix, FortiEDR, ESET, TrendMicro, and more. Additional techniques covered: WFP filters, hosts file manipulation, NRPT rules, null sinkholing, firewall rules. If your SOC relies on cloud-based alerting and you are not monitoring for WFP filter creation, you have a problem. ipurple.team/2026/01/12/edr-… github.com/netero1010/EDRSil… Authors: @ipurple #DefenseEvasion #ThreatIntel #InfoSec
@OpenSecTraining is one of the most underrated free resources in security research. 30 courses. x86-64 assembly. Windows kernel internals. WinDbg from intro to advanced. IDA. Ghidra. Binary Ninja. UEFI firmware. Windows kernel exploitation. Fuzzing. Symbolic analysis. Reverse engineering C binaries. TPM internals. Structured learning paths for malware analysis, firmware security, vulnerability research, exploit development, and Windows security. All free. No paywall. No login wall. Just world-class training. YouTube: youtube.com/@OpenSecurityTra… Courses: p.ost2.fyi/ Learning Paths: opensecuritytraining.info/Le… Authors include @XenoKovah @Intel80x86 and many more. #ReverseEngineering #MalwareAnalysis #InfoSec
Looking forward to more!
Azeria Labs is probably the most complete free resource for learning ARM security research that exists. ARM assembly from zero. Shellcode development. Stack overflows. ROP chains. Heap exploitation. iOS kernel heap grooming. TrustZone internals. GDB debugging. QEMU lab setup. Even an online ARM assembler. If ARM exploitation is something you want to understand, start here. azeria-labs.com/writing-arm-… azeria-labs.com/writing-arm-… Author: @Fox0x01 #ReverseEngineering #ExploitDevelopment #InfoSec
If you have ever wanted to learn reverse engineering but had no idea where to start, this is probably the best free series out there. Applied Reverse Engineering by @daaximus covers basic architecture, the stack, exceptions and interrupts, x64 assembly, control-flow tracing, and more still coming including hooking techniques, ROP, heuristic analysis, and C class reconstruction. Written for people who have opened a debugger a handful of times and got lost. Starts from zero and actually makes sense. revers.engineering/applied-r… #ReverseEngineering #WindowsInternals #InfoSec
One of the best curated lists of security research I have come across. Hundreds of blog posts, writeups, and papers covering kernel exploitation, browser exploitation, firmware security, IoT hacking, reverse engineering, malware analysis, hypervisor research, hardware hacking, and more. Organized by year from 2011 to 2025. Updated regularly. 3.3k stars. Author: @0xor0ne github.com/0xor0ne/awesome-l… #ReverseEngineering #MalwareAnalysis #InfoSec
3-part series on a 0-click exploit chain targeting Pixel 9, from RCE in mediacodec to kernel LPE. Part 1: projectzero.google/2026/01/p… Part 2: projectzero.google/2026/01/p… Part 3: projectzero.google/2026/01/p… Research by @natashenka and @__sethJenkins #infosec
The 'world's biggest' cheat operation made $76 million selling cheats for Overwatch and Call of Duty Mobile before Chinese police and Tencent shut it down. Tencent also owns Riot Games. The Vanguard anti-cheat team are some of the best security engineers in the industry. These are the assets seized. Lamborghinis paid for by gamers buying aimbots. Cheating is not a hobby. It is a criminal enterprise. This is why kernel anti-cheat exists. @AntiCheatPD @riotgames @PlayVALORANT bbc.com/news/technology-5657… #AntiCheat #GameSecurity #InfoSec
UEFI bootkits are no longer theoretical. BlackLotus. HybridPetya. CosmicStrand, as demonstrated in "Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats" by @matrosov. Researchers demonstrated the same class of technique against VBS enclaves, the most isolated execution environment Windows offers. Hooked GetVariable(). Intercepted BlLdrLoadImage(). Injected into hvax64.exe before VBS initialised. Owned the VM-exit handler at ring -1. Read and wrote VTL1 enclave memory directly from the hypervisor. If your threat model stops at ring-0, it stops too early. Full PoC included. tulach.cc/using-vbs-enclaves… tulach.cc/from-firmware-to-v… Author: @tulachsam #Malware #Infosec #ReverseEngineering
This is the type of malware game hackers build to bypass kernel anti-cheat. The same techniques can be used by malware authors to evade EDRs. A UEFI bootkit that injects into Microsoft's own Hyper-V at ring -1 before the OS even loads (easier than building a custom hypervisor from scratch). Four-phase bootloader. Hypervisor VM-exit interception. EPT page shadowing. MSR virtualization. EFI memory map ghosting. TPM measurement spoofing. Reads like malware. Because it is. Videos and full technical breakdown in the link. Author: gsmll.github.io/hypervenom/w… #ReverseEngineering #Malware #AntiCheat
Most people learn security research by reading finished writeups. This one shows the actual process. The messy, organic, step-by-step reality of reversing an unknown Windows mitigation from scratch. WinDbg. IDA. Hex Rays. Guard page violations. Trap flags. Zero prior knowledge of the target. If you want to learn how to actually approach unknown Windows internals, start here. windows-internals.com/an-exe… Author: @yarden_shafir #ReverseEngineering #WindowsInternals #InfoSec
Credits to @aionescu for the amazing FREE content and training on the website. World-class researchers: windows-internals.com/catego…
While gamers debate kernel anti-cheat, ring-1[.]io was shipping a Themida-protected UEFI bootkit that injects into Hyper-V, manipulates EPT entries, clones game page tables, and hides memory contents below the OS entirely. After partially deobfuscating their binaries and recovering critical functions, this is what was inside. Bungie and Ubisoft sued them. They found $12 million in Bitcoin and kept going. This is what kernel anti-cheat is actually fighting. back.engineering/blog/04/02/… Authors: @BackEngineerLab #AntiCheat #Malware #InfoSec
@BackEngineerLab published one of the first public Hyper-V hyperjacking frameworks back in 2021. Module injection and VM-exit hooking for both AMD and Intel. A lot of the techniques being discussed here trace back to that work. blog: back.engineering/blog/20/04/… GitHub: github.com/backengineering/V… Author: @_xeroxz
Gamers worry about kernel anti-cheats when any user-mode software (ring-3) can already read your passwords, browser history, log your keystrokes, record your camera, steal your files, and exfiltrate your data. Spyware has never needed the kernel. Kernel access is not what makes something spyware. Cheaters have been loading kernel drivers and hypervisors for years to hide from detection. A usermode anti-cheat has no way to detect something already operating below it. Loading at boot is necessary. If anti-cheat loads after a cheat driver is already in the kernel, it has already lost. Read: Why Anti-Cheat Software Utilize Kernel Drivers secret.club/2020/04/17/kerne… Author: @vm_call from @the_secret_club #AntiCheat #GameSecurity
Alexandre Borges has published over 700 pages of free security, malware and vulnerability research. A complete Malware Analysis Series covering Windows, macOS, iOS, Linux and shellcode. An Exploiting Reversing Series covering Windows kernel exploitation, Hyper-V, Chrome, and a three-part deep dive on CVE-2024-30085. No paywall. No course. Just research. Free as in beer. exploitreversing.com Author: @ale_sp_brazil #ReverseEngineering #MalwareAnalysis #InfoSec
Vanguard runs at boot because cheats run at boot. Riot clones the PML4 table, inserts a shadow entry into a free slot, hooks SwapContext, and swaps CR3 per-thread at context switch time. If it was spyware, researchers would have found it. They found this instead. Reverse engineering is an art. When in doubt, reverse it. #ReverseEngineering #Vanguard #InfoSec Full RE breakdown by @Xyrem256: reversing.info/posts/guarded…