Writing
All writing
Research findings and the trial and error behind them — shared openly, nothing held back.
RogueProvision: Windows Privilege Escalation in the Provisioning Engine — the SYSTEM Task That Applies Unsigned Packages
A SYSTEM service silently applies unsigned configuration packages from a folder — no signature, no consent, no interaction. Microsoft's docs promise otherwise. The honest catch: on a normal PC it's admin→SYSTEM, and a symbol's name fooled the analysis into believing otherwise.
Rebuilding a Security Researcher's Mind in an AI — to Invent Attacks, Not Just Find Them
AI-driven zero-day finding is spreading fast. This is a report on the harder part: building an AI that autonomously reverse-engineers undocumented Windows internals to invent attack techniques nobody has named — borrowing discovery methods from outside security, doubting its own conclusions, and running unattended for hours without fooling itself.
Same Workflow, New Target: AI-Assisted Discovery of CVE-2026-29004 in BusyBox
How the same AI analysis workflow that found a zero-day in strongSwan discovered a 9-year-old heap buffer overflow in BusyBox's DHCPv6 client — plus a full walkthrough of the proof-of-concept development process.
Inside NOFILTER-NFEXEC: A Deep Dive into WFP Implementation and BOF OPSEC Engineering
A detailed walkthrough of implementing the DEF CON 31 NoFilter WFP technique as an OPSEC-hardened Havoc C2 BOF, including indirect syscalls, return address spoofing, patchless AMSI/ETW bypass, and lessons learned from Havoc BOF development.
Finding a 15-Year-Old Zero-Day in strongSwan with AI-Assisted Code Analysis
How I discovered CVE-2026-25075 — a vulnerability that had been quietly sitting in strongSwan's codebase since 2011 — using a structured, multi-pass AI analysis workflow.