Reversing Windows Drivers Using Ghidra – Part 2

As I mentioned in the previous post, I’m writing this series while preparing for the Offensive Security Exploitation Expert (OSEE) certification. In this post, we will use HackSys Extreme Vulnerable Driver (HEVD), which you can download from GitHub. Yes, HEVD is open source and its symbols are available, so at first that sounds like it defeats the […]

Windows Internals Notes

I spent some time over the Christmas break last year learning the basics of Windows Internals and thought it was a good opportunity to use my naive reverse engineering skills to find answers to my own questions. This is not a blog but rather my own notes on Windows Internals. I’ll keep updating them and […]

Patch Diffing: MOVEit Transfer Pre-Authenticated SQL Injection Vulnerability (CVE-2023-34362) – Part 2

In the previous blog post, we analysed the MOVEit Transfer patch that mitigates a SQL injection vulnerability (CVE-2023-34362) and worked out the entire call flow to reach the vulnerable method, SetAllSessionVarsFromHeaders(). It looks like this: /moveitisapi/moveitisapi.dll?action=m2 –> Machine2.aspx –> DoTransaction() –> SetAllSessionVarsFromHeaders(). So far we have only identified the entry point, and we still need to […]

Patch Diffing: MOVEit Transfer Pre-Authenticated SQL Injection Vulnerability (CVE-2023-34362) – Part 1

Although the MOVEit Transfer N-day exploit party is over, I recently started my patch diffing journey, so I was looking for another target to practise my skills and survive the painful journey of patch diffing and exploit development. The analysis of the unauthenticated SQL injection vulnerability in MOVEit Transfer (CVE-2023-34362) appeared to be challenging yet rewarding […]