32 Photos and videos
Multiple vulnerabilities in the Realtek card reader driver. The vulns allow a non-privileged user to write to virtual kernel memory and gain access to physical memory via the DMA controller. Dell, Lenovo and other OEMs affected. The first part of the post: zwclose.github.io/2024/10/14…
2
101
234
27,358
ZwClose retweeted
Apr 21
Just shipped a WinDbg x64 extension that turns live disassembly into verified pseudocode via LLM — chunked multi-pass analysis, in-process HTTP, mock fallback, and a verification pass that cross-checks LLM output against original analysis facts.
github.com/kernullist/windbg…
3
87
383
27,026
When it comes to Windows kernel networking, ChatGPT becomes pretty hallucinatious. Once I spent an hour looking for a non-existent !wfp extension, which GPT recommended to me, and now it's suggesting !afd.
By the way, these extensions would be very useful if they existed.
1
5
568
ZwClose retweeted
27 Dec 2025
Check out the KUSER_SHARED_DATA docs that were submitted to NtDoc by @sixtyvividtails, and are probably the most comprehensive source of information about this struct known to humanity.
ntdoc.m417z.com/kuser_shared…
Also featured on @pagedout_zine, issue #7, page 33, check it out!
1
24
89
12,860
Older WDKs are back! With each update Microsoft dropped pieces like code samples, so I hoarded a few WDKs, and even planned to search far corners of the web to get more. This is not needed anymore: MS just published a collection of legacy WDKs: learn.microsoft.com/en-us/wi…
1
6
151
ZwClose retweeted
24 Nov 2025
This blogpost is interesting - has Windows internals, my own novel solution to a problem red teamers have had for a while, EDR bypasses, debugging and much more.
Spoofing command lines on Windows and solving the problem of length limitations:
github.com/yo-yo-yo-jbo/comm…
2
47
160
14,144
ZwClose retweeted
10 Nov 2025
I wanted to understand what information is available in .pdb files, so I made a tool for it 🔎🪲
Welcome DiaSymbolView - a debug symbol hierarchy and properties viewer based on MSDIA:
github.com/diversenok/DiaSym…
ALT A screenshot of DiaSymbolView inspecting combase.pdb
3
57
187
15,162
I may be late to the party, but I didn't know about deepwiki.org/, which looks really cool!
161
TIL that DMA remapping is not specific to the driver I was working on, but is part of Windows' protection against DMA attacks: learn.microsoft.com/en-us/wi…
3
179
ZwClose retweeted
8 Sep 2025
Today I am releasing a new blog post on VSM "secure calls" the SkBridge project to manually issue them!!
This blog talks about how VTL 0 requests the services of VTL 1 and outlines common secure call patterns!!!
Blog: connormcgarr.github.io/secur…
SkBridge: github.com/connormcgarr/SkBr…
3
98
258
35,559
Took a look at this driver too. Damn, MS does nasty things there. They log a lot. They walk stack frames. They lower IRQL!
15 Jul 2025
New blog post: UCPD.sys – UserChoice Protection Driver Part 2: kolbi.cz/blog/2025/07/15/ucp…
2
10
1,292
Glad to be mentioned and recommend following the people on the list. Thank you, @therealdreg
17 Dec 2024
If you like Windows internals x86_64 follow: @sixtyvividtails @ivanrouzanov @C5pider @mrexodia @yarden_shafir @chompie1337 @timmisiak @Intel80x86 @_winterknife_ @horsicq @d_olex @UlfFrisk @aall86 @zodiacon @standa_t @0vercl0k @PetrBenes @zwclose @rwfpl @TheEnergyStory
1
1
584
Kernel Address Sanitizer for Windows drivers is now available, this should make life even more difficult for vulnerability developers. The feature is off by default so far.
8 Nov 2024
KASAN is now available for your own Windows Drivers: learn.microsoft.com/en-us/wi…
7
1,414
Turns out that Dell (and possibly other OEMs) didn’t bother to update their driver packages with the fix for the vulnerabilities in RtsPer.sys. @stuartwalker1 found a link to manual download of the fixed driver from the Microsoft Catalog.
21 Oct 2024
If anyone else has the same issue, you can download the driver manually here catalog.update.microsoft.com… and install using the device manager update driver function
1
1
573
ZwClose retweeted
17 Oct 2024
I implemented a PoC for CVE-2024-30090, which @scwuaptx discovered. The PoC uses an arbitrary increment primitive on nt!SeDebugPrivilege to escalate privileges to SYSTEM.
github.com/Dor00tkit/CVE-202…
#CVE-2024-30090 #PoC #LPE
3
68
182
21,859
Graph view for source code, nice.
10 Sep 2024
Version 0.0.4 adds initial support for C.
Check the demo or download the extension tmr232.github.io/function-gr…
2
499
ZwClose retweeted
20 Jul 2024
This strange tweet got >25k retweets. The author sounds confident, and he uses lots of hex and jargon. There are red flags though... like what's up with the DEI stuff, and who says "stack trace dump"? Let's take a closer look... 🧵1/n
241
3,027
15,287
3,276,099