Calling all experts in Windows internals and low-level systems architecture! 'The Root of DllMain Problems' (or 'DllMain Rules Rewritten') is now in preparation for its final publication! Feedback and sign-offs from the community are greatly appreciated.

To all my infosec friends, if your blog doesn't yet have an email newsletter for your subscribers. well now you can have one set up in no time at virtually no cost - all open source. You're welcome.

Generate videos in just a few seconds. Try Grok Imagine, free for a limited time.

Today, I'm releasing a new project that automates sending email newsletter notifications for new content on your blog: rss2newsletter! In just 300 lines of code, it easily replaces any overpriced and bloated proprietary solution that charges you per-contact. See link in bio 🔗.

Today, I'm releasing a new project that automates sending email newsletter notifications for new content on your blog: rss2newsletter! In 300 lines of code, it easily replaces any overpriced and bloated proprietary solution that charges you per-contact.

I just released a new tool for searching Microsoft Developer Blogs in bulk and fully local. Really helpful for finding information on that one Windows internals component.

I think I have a problem with going down rabbit holes.

A comprehensive analysis of all the internal Windows 10 loader states? Done - Have a look at that and a high-level analysis of how a library load works under the parallel loader.

Reverse engineering the Windows 10 parallel loader is challenging but interesting work. I recently fully reversed the pivotal LdrpDrainWorkQueue function and I'm just now working on LdrpLoadDllInternal plus others.

DllMain Rules Rewritten are Microsoft's infamous DllMain Rules - rewritten. After countless spent hours researching and reverse engineering the new and old Windows loaders, they are now complete.

I just spent the last few months of my life reverse engineering the Windows 10 parallel loader and figuring out how it does concurrency. Updates have now been published!.

Thrilled to unveil the "Windows vs Linux Loader Architecture" project! The FIRST side-by-side comparison ever done unraveling the similarities and differences of this core component between operating systems. Check out the new repo!.

What is Loader Lock? 🤔 Going BEYOND undocumented, we delve into the heart of the modern Windows loader investigating some internals for the first time and demystifying Loader Lock. 🔒 Check out the research article.

The full and open source code used in "Perfect DLL Hijacking" has now been released on GitHub: LdrLockLiberator.

Perfect DLL Hijacking: It's now possible with the latest in security research. Building on previous insights from @NetSPI, we reverse engineer the Windows library loader to disable the infamous Loader Lock and achieve ShellExecute straight from DllMain. 🔍 Link in bio 🔗

Creating Windows hacking labs has gotten a lot easier with this new tool I've developed: It's a reverse engineering of Microsoft's hidden downloading API - fully automated to always grab the most up-to-date Windows ISO so you never have to do it again! 🚀

🚀 Want to level up your Windows reverse engineering skills fast? Check out this newly published #lolbin RE methodology post! Uncover undiscovered lolbins in Windows right now! Link in bio 🔗

Hey I'm back but now with a new #informationsecurity blog (, never before seen zero day exploits, and lots of new offensive security techniques & tools for you (also more new lolbins)! Expect all this and more in what's to come next.

Need to go under the radar downloading #mimikatz (and other suspect payloads)? Then newly discovered #lolbin "C:\Windows\System32\Cmdl32.exe" (signed by MS) is for you. It's like a new certutil.exe but absolutely unheard of by any antivirus software!

RT @Oddvarmoe: Update to LOLBAS today. Merged a lot of PRs. Thanks! New:.Aspnet_Compiler.exe,Certoc.exe,Cmdl32.exe….

I found out "C:\Windows\System32\WorkFolders.exe" (signed by MS) can be used to run arbitrary executables in the current working directory with the name control.exe. It's like a new rundll32.exe #lolbin but for EXEs!