How I Fixed BinDiff and BinExport in IDA Pro
I ran into this in IDA: dlopen(.../bindiff8_ida.so): undefined symbol: root_node dlopen(.../binexport12_ida.so): undefined symbol: root_node Both plugins were present, but they were not built fo...
I wanted a clean BinDiff workflow from Binary Ninja, which means one thing first: get reliable .BinExport files out of Binja. I thought this would take 5 minutes. It did not. I hit multiple issue...
Part 2 of the Syzkaller writeup. Part 1 covered layout, install, and building a fuzzable 6.19 kernel for QEMU. Here I bolt on a deliberately broken driver, wire syzkaller to it with syzlang, run th...
What libFuzzer is libFuzzer is LLVM’s in-process, coverage-guided fuzzer. You compile your target with the fuzzer runtime (-fsanitize=fuzzer), implement a single callback LLVMFuzzerTestOneInput(co...
When you open an Android .so in a disassembler, JNI entry points show up as long, mangled symbols: Java_com_example_app_MainActivity_stringFromJNI. The real story lives in the DEX: class name, meth...
Hey everyone — apologies for the delayed post. I got caught up with a few things and couldn’t publish as planned. Thanks for your patience and continued support. Wishing you all a Happy New Year! ...
I’ve been away for a few weeks because I’ve been learning Windows Kernel Exploitation, and soon I’ll be posting my notes on it here. In this post, I’ll be sharing some tutorials on how to use the B...
In this chapter, we’ll create a reverse TCP shell - a shellcode that connects back to an attacker-controlled machine, providing remote access. This is often more effective than bind shells as it by...
In this chapter, we’ll create a bind TCP shell - a shellcode that opens a network port and binds a shell to it, allowing remote connections. This is extremely useful in penetration testing and netw...
Now in our journey of shellcoding we will try to eliminate bad chars which create nuisance and break our exploit. Common Bad Characters: 0x0A (newline) - breaks in input functions 0x0D (carr...