glibc all in one
Using glibc-all-in-one combined with patchelf or the LD_PRELOAD environment variable for fast glibc version switching.
This article analyzes Linux memory allocation and deallocation from the GLIBC source code. Understanding the relevant data structures and memory management mechanisms is fundamental to heap exploitation.
Running into errors when installing pwntools on Mac — a common issue and its fix.
A summary of commonly used GDB commands.
Win7 scheduled tasks didn’t have schtasks but used the legacy at command, represented as files. Starting from Win8, the schtasks.exe command appeared — the modern scheduled task service.
Previously in Deep Dive into Windows Scheduled Tasks and Malicious Hiding Techniques, I described the general meaning of some fields in the registry but didn’t research the specific content structures, especially the binary Triggers, Actions, and other fields.
By referencing public materials and the GhostTask project, I roughly outlined the differences in Triggers and Actions structures between Win8.1 and Win10, which may be useful later.
I recently saw a tweet from @AndrewOliveau. Just reading the description “arbitrary file deletions to SYSTEM” felt magical — an arbitrary file deletion vulnerability that can be turned into local privilege escalation. After reading through it with questions in mind, I found that the general approach leverages Windows’ MSI installation rollback mechanism. Seeing “Config.Msi” felt very familiar, because two or three years ago I had deeply studied this and even crafted a custom MSI package to test it — it was awesome, but I didn’t take notes and forgot about it after having fun, so now this topic has resurfaced. However, this isn’t the main focus of the article; rather, it’s about “how to turn a fixed ordinary user file deletion into an arbitrary file deletion vulnerability.”
Cryptominers, ransomware, and certain rogue software frequently leverage scheduled tasks and WMI to periodically execute fileless backdoors or hijack browser homepages. How do you investigate these using PowerShell?
Hell’s Gate is a direct syscall technique on Windows that can bypass most EDR hooks at the Ring3 layer. Some quick notes on the topic.
Injecting a filter-based memory shell in Resin to intercept and exfiltrate interface response data.
Overly permissive ACLs on multiple system files, including the SAM file, allow built-in regular user groups to access SAM under certain circumstances, leading to local privilege escalation.