oxfemale.bsky.social
@oxfemale.bsky.social
PPLControlShells (the ppexec console tool) is a native Windows PP/PPL experimentation and control utility (x64) designed to help researchers understand, test, and demonstrate how Protected Process (PP) and Protected Process Light (PPL) behave on modern Windows (10/11 + compatible Server builds).
core-jmp.org/?p=229
PPLControlShells — Protected Process / PPL Control shells Tool
core-jmp.org
February 9, 2026 at 3:15 PM
A PoC/demo demonstrating code injection via COM (using the IRundown::DoCallback() mechanism) to execute a payload in the context of a selected process, including lsass.exe (or any other PID).
core-jmp.org/?p=225
Process Injection via Component Object Model (COM) IRundown::DoCallback() for run cmd.exe from lsass.exe or other pids
core-jmp.org
February 6, 2026 at 6:58 PM
Original text by cirosec.de

TL;DR

In this blog post, we’ll be covering Microsoft Warbird and how we can abuse it to sneakily load shellcode without being detected by AV or EDR solutions. #bypass #edt #microsoft #shellcode #Warbird #windows
core-jmp.org/?p=221
Abusing Microsoft Warbird for Shellcode Execution
The article demonstrates an EDR bypass by using an undocumented Warbird interface to stealthily load shellcode.
core-jmp.org
February 4, 2026 at 3:30 PM
Original text by BOHOPS

INTRODUCTION

Process Injection is a popular technique used by Red Teams and threat actors for defense evasion, privilege escalation, and other interesting use cases. #code #injection #noalloc #process #windows
core-jmp.org/?p=205
NO ALLOC, NO PROBLEM: LEVERAGING PROGRAM ENTRY POINTS FOR PROCESS INJECTION
Remote process injection and looking for a few under-the-radar techniques that were either not documented well and/or contained minimalist core requirements for functionality.
core-jmp.org
February 3, 2026 at 1:17 PM
Original text by Zero Salarium

I. OVERVIEW

Endpoint Detection and Response (EDR) always provides strong protection for its executable file locations. #byovd #bypass #drivers #EDR #windows
core-jmp.org/?p=191
Using EDR-Redir To Break EDR Via Bind Link and Cloud Filter
The technique of exploiting the Bind Filter driver (bindflt.sys) to redirect folders containing the executable files of EDRs to a location that I completely control.
core-jmp.org
February 3, 2026 at 12:57 PM
GitHub: https://github.com/oxfemale/av-edr-kill

What the project is

av-edr-kill is a BYOVD (Bring Your Own Vulnerable Driver) proof-of-concept whose goal is to terminate security-product processes (AV/EDR), including Protected Process Light (PPL) #AV #EDR #kill #killer #poc
core-jmp.org/?p=188
AV EDR Killer Project
av-edr-kill is a BYOVD (Bring Your Own Vulnerable Driver) proof-of-concept whose goal is to terminate security-product processes (AV/EDR), including Protected Process Light (PPL) targets, by abusing a legitimately signed third-party kernel driver.
core-jmp.org
February 2, 2026 at 4:55 PM
wasm_plugins

wasm_plugins GitHub: https://github.com/oxfemale/wasm_plugins

About the project wasm_plugins

- The packer creates a .mylib container that includes an encrypted WASM module, metadata (AAD), a GCM nonce, and a signature. #cpp #crypt #library #loader #plugins #wasm
core-jmp.org/?p=184
Securely Embedding WASM Plugins in Your Project
Libraries for packaging, verifying, decrypting, and executing WebAssembly plugins packaged in a custom container format, .mylib (version 2).
core-jmp.org
February 2, 2026 at 4:23 PM
Original text by R.B.C (g3tsyst3m)

Hello again everyone! Hope the start to the new year is treating you well. I am excited to share a new blog post with you! #asm #cpp #debug #gadgets #ROP #shellcode #windows
core-jmp.org/?p=159
Mastering Living off the Process in Offensive Security
No need for overusing WriteProcessMemory, VirtualAlloc, injecting a DLL, etc. This way, everything you need to manipulate the remote process is self-contained and already available to the process.
core-jmp.org
February 2, 2026 at 2:42 PM
Original text by Dang Duong Minh Nhat

Hello everyone, today I’m sharing another red team technique—process injection—and how to leverage it against Protected Process Light (PPL). Let’s explore it in the blog post below. #dll #injection #PPL #ProcessInjection #redteam #windows
core-jmp.org/?p=136
Exploring Protected Process Light and Exploits
Red team technique—process injection—and how to leverage it against Protected Process Light (PPL)
core-jmp.org
February 2, 2026 at 1:45 PM
Original text by MDSec Research, written by Dylan (@batsec).

The post explores how Windows security products use kernel image load notifications to monitor when executables and DLLs are loaded by the system. #bypass #callbacks #image #kernel #library #load #windows
core-jmp.org/?p=122
Bypassing Image Load Kernel Callbacks
The post explores how Windows security products use kernel image load notifications to monitor when executables and DLLs are loaded by the system. These callbacks are typically registered via kernel drivers and provide telemetry that defenders use to detect malicious activity. The article analyzes how the standard Windows loader triggers these callbacks deep within NtMapViewOfSection and explains why simply avoiding the kernel event is difficult with limited privileges. 
core-jmp.org
January 30, 2026 at 3:50 PM
Original post by S12 - 0x12Dark Development

In this article, I will demonstrate one of the classic, fundamental techniques for injecting shellcode into a remote process using APCs. I realized I hadn’t documented this method yet, so that is exactly what we will cover today.
core-jmp.org/?p=113
Mastering APC Injection with QueueUserAPC2
In this article, I will demonstrate one of the classic, fundamental techniques for injecting shellcode into a remote process using APCs. I realized I hadn’t documented this method yet, so that is exactly what we will cover today. Specifically, we will be combining QueueUserAPC2 with NtTestAlert.
core-jmp.org
January 30, 2026 at 3:20 PM
Original post by S1lky

This article describes DLL hijacking in the context of the audiodg.exe process, which may load vendor-supplied APO-related DLL dependencies from system paths. #dll #escalation #hijacking #system #windows
core-jmp.org/?p=89
DLL Hijacking in Windows Audio: A New Escalation Technique
core-jmp.org
January 30, 2026 at 2:55 PM