Wednesday, July 15, 2026

How Windows Programs Evade Detection and Protect Themselves


 

The Hidden Truth

How Windows Programs Evade Detection and Protect Themselves

An in-depth look at process hiding techniques, anti-cheat systems, and the tools that reveal them

 

When you open Task Manager on your Windows computer, you expect to see everything running on your system. But what you see isn't always the full picture. Software has evolved numerous sophisticated techniques to operate in the shadows of your operating system, ranging from legitimate background services to rootkit-level stealth and commercial anti-cheat systems. Understanding these mechanisms is essential for anyone concerned with system security, performance, or game integrity.

The Many Faces of Process Hiding

The concept of a program being “hidden” from Task Manager means different things to different people. For casual users, it might simply mean running without a visible window. For security professionals, it implies active concealment from system monitoring tools. The reality spans a spectrum from mundane background processes to advanced kernel-level techniques.

The Most Common Scenario: They Aren't Actually Hidden

The majority of programs that users think are hidden are simply running without a graphical interface. System tray applications, update services, printer software, and antivirus components all fall into this category. These programs appear perfectly visible in Task Manager if you know where to look—they typically reside under Background processes, Windows processes, or Services rather than under the Apps section. This isn't concealment; it's a different type of user interface.

Windows Services: The Hidden Launchers

When an executable runs as a Windows Service, it's started by the Service Control Manager rather than by a user action. This creates a layer of indirection that can confuse users trying to identify running programs. SQL Server, TeamViewer Service, and various NVIDIA drivers all operate this way. In many cases, Task Manager shows the service name rather than the executable you might be expecting, leading to the mistaken impression that something is hidden.

Process Spawning and Rapid Exit

Some applications use a launcher that disappears almost instantly. This is common with game launchers, update installers, and certain utility programs. The launcher performs its initialization work, spawns the real application, and then terminates. By the time a user checks Task Manager, the launcher is gone, leaving only the main program running.

DLL Injection: Running Inside Another Process

A more subtle approach involves loading code into another process. Instead of creating its own process, a software component can inject a DLL into explorer.exe, a game executable, or any other running process. The code executes inside that process context, and no separate process appears in Task Manager. Legitimate software including shell extensions and accessibility tools sometimes use this technique, but it's also favored by malware for its stealth properties.

Advanced Concealment: From Kernel Rootkits to Process Hooks

When ordinary process hiding isn't enough, more sophisticated techniques come into play. These methods operate at the kernel level or actively manipulate system tools.

Kernel Drivers and Rootkits

A kernel driver operates at the highest privilege level available in Windows. With this power, a driver can manipulate process lists, intercept kernel functions, and hide processes from user-mode tools like Task Manager. This is the domain of rootkits—software designed to conceal its presence from the operating system and security tools. However, modern Windows versions have significantly hardened the kernel against such manipulation. Features including PatchGuard, Driver Signature Enforcement, Virtualization-Based Security, and Hypervisor-Protected Code Integrity have made traditional rootkit techniques far more difficult than they were on Windows XP.

Direct Kernel Object Manipulation

Older rootkits employed a technique called Direct Kernel Object Manipulation, or DKOM. They would remove a process from the kernel's active process list while leaving it running in memory. The process continued executing, but Task Manager and similar tools had no way to find it because they relied on enumerating that list. The hidden process simply vanished from the system's visible inventory. While effective, this technique is largely prevented on modern 64-bit Windows systems due to enhanced kernel protections.

Hooking Task Manager

Instead of hiding the process in the kernel, some malicious software targets Task Manager directly. It intercepts the system calls Task Manager makes when enumerating processes and filters out specific entries. When Task Manager asks for all processes, the malware simply refuses to include itself in the response. Other monitoring tools may still detect the process, but Task Manager becomes unreliable.

Running Inside System Hosts

Several Windows host processes serve as containers for code from various sources. Svchost.exe, rundll32.exe, and dllhost.exe all host code that doesn't need its own process. A program running inside these hosts appears in Task Manager as one of these familiar names, making it difficult to identify the actual software executing.

Protected Processes

Windows includes special process types called Protected Process and Protected Process Light. These are used by security components including LSASS, Windows Defender, audio services, and DRM components. While visible in Task Manager, many tools cannot inspect or terminate them due to the protection level. This isn't hiding but rather access restriction.

The Honest Truth About Complete Invisibility

Can a process be completely invisible from all system tools? For ordinary user-mode programs, the answer is no. Every user-mode process must have a kernel process object, and Windows maintains this object as long as the process is running. Achieving true invisibility requires a kernel driver, a kernel exploit, or a rootkit. These techniques are uncommon in legitimate software and increasingly difficult to implement on current Windows versions due to built-in security protections.

Better Tools for Process Investigation

When Task Manager's capabilities fall short, more powerful tools provide deeper insight into running processes.

          Process Explorer (Microsoft Sysinternals) — shows parent-child process relationships, loaded DLLs, command-line arguments, open handles, and threads. Can reveal injected code and expose hidden relationships between processes.

          Process Monitor — provides real-time logging of file system, registry, and process activity. Useful for understanding what a program is doing, not just what's running.

          Autoruns — identifies programs configured to start automatically, revealing persistence mechanisms that keep software running across reboots.

          Process Hacker / System Informer — offers capabilities similar to Process Explorer, with additional features for service management and advanced inspection.

          PE-sieve — specializes in detecting code injection by scanning for anomalies in running processes, identifying injected DLLs and modified code sections.

The Anti-Cheat and DRM Approach: Protection Over Hiding

Commercial software like anti-cheat systems and digital rights management solutions take a fundamentally different approach to process protection. Rather than trying to become invisible, they focus on being difficult to analyze, tamper with, and terminate while remaining compatible with Windows security.

Protected Process Light for Security Components

Some security-related software can run components with elevated protection levels when supported by Windows and appropriate signing. This means the process remains visible but resists inspection and termination from most user-mode programs. Windows Defender uses this mechanism for certain components, and other security software can similarly leverage this protection.

Kernel Drivers for Integrity

Many anti-cheat systems including Riot Vanguard, Easy Anti-Cheat, and BattlEye install kernel-mode drivers. These drivers monitor process creation, inspect memory, detect debuggers and code injection attempts, verify driver integrity, and communicate with user-mode services. The game process itself remains visible in Task Manager, but the kernel driver provides capabilities that ordinary applications lack.

Service and Watchdog Architectures

A common protection architecture involves a Windows Service paired with a main program and a watchdog process. If any component exits unexpectedly, the watchdog restarts it or the service launches it again. This creates software that effectively “can't be closed,” as attempting to terminate it results in automatic restart.

Code Injection as Protection

Some protection products inject DLLs into the applications they're protecting. The anti-cheat code runs inside the game's address space, and Task Manager still only shows the game executable. While this resembles malware techniques, the purpose is protection rather than concealment.

Obfuscation and Anti-Debugging

Commercial protection systems often make reverse engineering difficult through encrypted strings, packed executables, code virtualization, control flow flattening, and dynamic code generation. These techniques don't hide the process; they hide how the code works. Anti-debugging measures detect analysis tools through attached debuggers, breakpoints, timing anomalies, debug-related APIs, and sometimes virtual machine environments. Responses can include refusing to start, disabling online features, terminating the application, or reporting suspicious behavior.

Self-Integrity Checks and Handle Protection

The application may periodically verify its executable image, loaded DLLs, important code sections, and configuration data. If modifications are detected, it may shut down or report the issue. Handle protection restricts or monitors access attempts from other processes, making it difficult for ordinary programs to read or write the process's memory, suspend it, or terminate it.

Multiple Component Layers

A typical anti-cheat stack might include components at multiple levels: kernel driver at boot, Windows Service, game launcher, game executable, and an injected anti-cheat DLL. Each layer has a distinct role, making the overall system more resilient to tampering.

Server-Side Validation

Modern anti-cheat systems don't rely solely on local machine protection. They validate gameplay on servers, analyze player behavior, look for impossible actions, compare client state with expected state, and use machine learning or statistical models to detect cheating patterns. This reduces reliance on hiding or protecting local code.

What Anti-Cheat Systems Do Not Do

It's important to understand what commercial protection systems generally avoid. If you open Task Manager or Process Explorer, you'll typically see the game, the launcher, and associated services. What can be less obvious are injected DLLs, kernel drivers, background services, helper processes, and inter-process communication between components. Those require more specialized tools to inspect.

Modern Windows includes protections such as PatchGuard, Driver Signature Enforcement, virtualization-based security, and kernel integrity checks that make traditional rootkit techniques risky and incompatible with legitimate software. A commercial vendor that used malware-style process hiding would likely trigger antivirus products, violate Microsoft's driver requirements, and create stability problems.

As a result, reputable anti-cheat and DRM vendors focus on protection, integrity verification, and tamper resistance rather than making their software invisible. Their goal is to remain detectable and supportable while making unauthorized modification or interference significantly more difficult.

Conclusion: Visibility and Security in Modern Windows

The techniques for hiding processes span from simple windowless operation to sophisticated kernel manipulation. While legitimate software typically chooses visibility with limited access, malicious software may attempt complete concealment. Understanding these techniques helps users and security professionals identify suspicious activity and respond appropriately.

Modern Windows has made significant progress in preventing the most invasive hiding techniques while still supporting legitimate background operation. The tools available for process investigation have similarly evolved, providing insight that Task Manager alone cannot offer. Whether you're investigating suspicious software or simply trying to understand what's running on your system, knowledge of these techniques is essential for maintaining system security and integrity.


Thursday, July 2, 2026

I Built a Tool That Turns Java JARs into Real Windows EXEs

 




If you've ever developed a Java desktop application, you've probably heard this question:

"Why isn't it just an EXE?"

For years, distributing Java applications on Windows has felt more complicated than it should.

You can hand users a JAR file and hope they have Java installed. You can bundle an entire runtime, increasing your download size by hundreds of megabytes. Or you can use a launcher that mostly disguises a JAR as an executable without really behaving like a native Windows application.

None of those approaches felt quite right to me.

So I built Wraptor.


The Problem

Java is still a fantastic platform for desktop software.

Swing is mature, JavaFX continues to improve, and Java itself remains one of the most stable programming platforms available.

But distribution has always been one of its weakest points.

When users download software for Windows, they expect to see something like this:

MyApplication.exe

Not this:

MyApplication.jar

Even if users have Java installed, many don't know what a JAR file is or how to launch it. Others have the wrong Java version installed, resulting in mysterious startup errors.

As developers, we end up spending more time explaining how to run the application than building new features.


Existing Solutions

There are already several excellent tools in this space.

Some package a complete Java runtime together with your application.

Others generate launchers that invoke your JAR.

Those approaches certainly work, but they often come with trade-offs:

  • large download sizes

  • bundled runtimes even when unnecessary

  • launchers that don't fully integrate with Windows

  • missing version information

  • limited control over Windows resources

I wanted something smaller and closer to how native Windows applications actually behave.


What Is Wraptor?

Wraptor is a desktop application that converts your Java project into a genuine Windows executable.

Instead of wrapping your application inside another archive, it starts with a lightweight native launcher written in C.

During the build process, Wraptor embeds everything your launcher needs directly into that executable.

The result is a real Windows PE executable that contains:

  • your application icon

  • version information

  • company details

  • copyright information

  • optional administrator manifest

  • configuration for launching your Java application

When users double-click it, the launcher finds a suitable Java Runtime Environment, extracts your application's JARs, and starts your program automatically.

No command line.

No confusing startup scripts.

Just an EXE.


A Native Launcher, Not Just a Wrapper

One of the goals was to make the executable behave like software users already expect.

That means the generated EXE contains proper Windows resources.

Your icon isn't simply assigned to a shortcut.

It's embedded directly into the executable.

Explorer shows real version information.

Company name.

Product version.

File description.

Everything appears exactly where Windows users expect to find it.

If your application requires administrator privileges, Wraptor can also embed a UAC manifest directly into the executable.


Smarter Java Detection

Another frustration with Java applications is version compatibility.

Sometimes users have Java 8 installed.

Sometimes Java 17.

Sometimes multiple versions.

Sometimes none at all.

Wraptor lets you specify minimum and maximum supported Java versions.

When the launcher starts, it searches for a compatible runtime by checking:

  • a bundled runtime (if you provide one)

  • the Windows Registry

  • the JAVA_HOME environment variable

If it can't find a suitable version, it explains why instead of failing silently.


Keeping Things Lightweight

One thing I wanted to avoid was unnecessary bloat.

Some packaging solutions bundle an entire Java runtime regardless of whether it's needed.

That certainly has its place, but it can dramatically increase the size of even the smallest desktop application.

Wraptor doesn't force that approach.

The native launcher itself is only around 250 KB, and by default it simply locates a compatible Java installation already present on the system.

If your project needs a bundled runtime, you can still use one—but it isn't required.


Under the Hood

Wraptor is really two applications working together.

During build time, the Java GUI prepares your project.

It copies a precompiled native launcher, embeds your application's resources, patches Windows version information, inserts icons and manifests, and writes your configuration into the executable.

When the finished EXE launches, the native code takes over.

It reads its own embedded resources, extracts your application's JARs, searches for a compatible Java runtime, and launches your application with the correct classpath.

If your application crashes immediately, the launcher captures the startup output and displays it instead of disappearing without explanation.


Why I Built It

This project wasn't about replacing every Java packaging solution.

It was about building the tool I wished existed.

Something lightweight.

Something that produces executables that actually look and behave like native Windows applications.

Something that doesn't require recompiling native code every time you package a project.

And something that keeps Java deployment straightforward.


Open Source

Wraptor is completely open source.

If you're curious about how the launcher works, want to contribute, or simply want to try it with your own application, you can find the project here:

GitHub: https://github.com/stark9000/wraptor

If you find it useful, consider giving the repository a ⭐. It helps more Java developers discover the project and encourages further development.


Final Thoughts

Java desktop development is far from dead.

The ecosystem has matured, the tooling has improved, and the language remains an excellent choice for many desktop applications.

The biggest challenge has never been writing the software.

It's getting that software into users' hands in a way that feels familiar.

Wraptor is my attempt to make that experience a little better.

If you've ever wanted your Java application to launch like a native Windows program while staying lightweight, I'd love to hear what you think.

Wednesday, June 3, 2026

OFFENSIVE SECURITY / MALWARE ANALYSIS / REVERSE ENGINEERING Concept Reference List — Complete Edition


================================================================
  RECOMMENDED LEARNING PATH
================================================================
  1.  C Programming
  2.  Assembly (x86/x64)
  3.  PE Format & Windows Internals
  4.  Debugging & Dynamic Analysis
  5.  Reverse Engineering
  6.  Shellcode Engineering
  7.  Exploit Development
  8.  Malware Internals & Code Injection
  9.  EDR Evasion Concepts
  10. Kernel Mode Programming
  11. Active Directory Tradecraft
  12. Firmware / Hypervisor Research

================================================================
  SECTION A — FOUNDATIONS
================================================================

----------------------------------------------------------------
A1. PE FILE INTERNALS
----------------------------------------------------------------
- DOS Header / NT Headers
  Every PE starts with IMAGE_DOS_HEADER (MZ magic), then IMAGE_NT_HEADERS
  containing the file and optional headers

- Section Headers & Alignment
  .text (code), .data, .rdata, .rsrc — each has raw vs virtual alignment

- Import Table (IAT / INT)
  List of DLLs and functions the binary needs; resolved by the loader at startup

- Export Table
  Functions a DLL exposes to callers; has name, ordinal, and address arrays

- Relocations
  Base relocation table used when image can't load at preferred base address

- TLS Callbacks
  Thread Local Storage callbacks run BEFORE the entry point — common anti-debug
  trick since many debuggers break at EP, not TLS

- Delayed Imports
  Imports resolved lazily at first call rather than at load time

- Forwarded Exports
  An export that redirects to a function in another DLL
  (e.g., kernel32!Beep -> kernelbase!Beep)

- Resource Section (.rsrc)
  Embedded resources: icons, strings, version info, and sometimes payloads

- Manual Mapping
  Parsing and loading a PE by hand: map sections, fix relocations, resolve IAT,
  call TLS callbacks, then call entry point — foundation of reflective loading

- Relocation Fixups
  Patching absolute addresses when image loads at a different base than preferred


----------------------------------------------------------------
A2. WINDOWS INTERNALS
----------------------------------------------------------------
- Object Manager
  Kernel subsystem managing all named/unnamed kernel objects
  (files, events, mutexes, processes, threads)

- Handle Tables
  Per-process table mapping handle values to kernel object pointers

- Access Tokens & Security Reference Monitor (SRM)
  Tokens carry user SID, group SIDs, privileges; SRM enforces access checks

- ALPC (Advanced Local Procedure Call)
  High-performance IPC mechanism used internally by Windows (replaces LPC)

- Executive & Kernel layers
  HAL -> Kernel -> Executive (Ob, Mm, Io, Se, Ps, etc.) -> Subsystems

- Virtual Memory Manager (VMM)
  Manages VADs, page tables, working sets, paged/non-paged pool

- I/O Manager & IRP
  Manages driver stack communication via I/O Request Packets

- Session & Desktop isolation
  Sessions separate user contexts; desktops isolate window stations


----------------------------------------------------------------
A3. SHELLCODE ENGINEERING
----------------------------------------------------------------
- Position-Independent Code (PIC)
  Code that works regardless of where it's loaded — no hardcoded addresses;
  uses delta offsets or GetPC techniques

- GetPC Techniques
  Getting the current instruction pointer value at runtime
  (e.g., CALL/POP trick, LEA RIP-relative on x64)

- Null-Byte Avoidance
  Many injection vectors treat 0x00 as string terminator; shellcode must
  avoid null bytes through instruction substitution

- Encoder / Decoder Stubs
  XOR, ROT, or custom encoders wrap shellcode; decoder runs first,
  decodes in-place, then jumps to payload

- Syscall Shellcode
  Shellcode that invokes syscalls directly without relying on API stubs

- Alphanumeric Shellcode
  Shellcode restricted to printable ASCII characters — bypasses filters
  that only allow text input

- Egg Hunters
  Small shellcode that searches process memory for a unique tag (egg)
  preceding the real payload — useful when injection space is limited

- Staged vs Stageless Payloads
  Stageless: entire payload in one blob
  Staged: small stager downloads and executes the real payload from a C2

- Stack Pivoting
  Redirect the stack pointer (RSP/ESP) to attacker-controlled memory
  to enable ROP chain execution

- ROP Chains (Return-Oriented Programming)
  Chain together existing code "gadgets" (ending in RET) to execute
  arbitrary logic without injecting new code — bypasses DEP/NX


================================================================
  SECTION B — EXPLOITATION
================================================================

----------------------------------------------------------------
B1. EXPLOIT DEVELOPMENT
----------------------------------------------------------------
- Buffer Overflow (Stack)
  Overwrite return address on the stack to redirect execution

- Buffer Overflow (Heap)
  Corrupt heap metadata or adjacent allocations to gain control

- Use-After-Free (UAF)
  Access memory after it has been freed; if reallocated with attacker
  data, leads to type confusion or code execution

- Heap Corruption
  Corrupt allocator metadata (free lists, chunk headers) to redirect writes

- Format String Vulnerabilities
  Uncontrolled format strings (%n, %x) allow arbitrary read/write

- Integer Overflows / Underflows
  Arithmetic wrapping leads to incorrect size calculations and
  exploitable allocations

- Race Conditions (TOCTOU)
  Time-of-check vs time-of-use: win a race between check and use
  to substitute a different resource

- DEP / NX Bypass
  Data Execution Prevention marks memory non-executable;
  bypassed via ROP, ret2libc, or JIT spraying

- ASLR Bypass
  Address Space Layout Randomization randomized base addresses;
  bypassed via info leaks, partial overwrites, heap spraying, or brute force

- ROP / JOP / COP
  Return/Jump/Call Oriented Programming — code reuse attack variants

- Heap Feng Shui
  Carefully shape heap layout to place attacker data adjacent to
  target structures before triggering a vulnerability

- SEH Exploitation (Windows)
  Overwrite Structured Exception Handler chain to redirect execution
  on exception

- Browser Exploitation Concepts
  JIT compiler abuse, sandbox escapes, type confusion in JS engines,
  renderer vs browser process privilege separation

- Kernel Exploitation Basics
  NULL pointer dereference, pool overflows, race conditions in drivers,
  token stealing shellcode to escalate to SYSTEM


================================================================
  SECTION C — MALWARE INTERNALS
================================================================

----------------------------------------------------------------
C1. PROCESS & MEMORY INTERNALS
----------------------------------------------------------------
- Process Hollowing
  Spawn a legit process suspended, hollow out its memory, replace with payload

- Process Doppelganging
  Use NTFS transactions to load a modified executable without touching disk

- Process Herpaderping
  Map an executable image, modify it on disk after mapping but before
  section validation — confuses scanners that scan from disk

- Process Ghosting
  Create a file, mark it for deletion, map it as an image, then run it —
  appears to run from an already-deleted file

- PEB Walking
  Manually find loaded modules via the Process Environment Block (no API calls)

- VAD Manipulation
  Tamper with Virtual Address Descriptors to hide memory regions

- Page Table Manipulation
  Directly manipulate page tables at a lower level than VAD tricks

- Heap Spraying
  Fill heap with shellcode to increase odds of hitting it on overflow

- Pool Spraying
  Kernel-mode equivalent of heap spraying; targets kernel pool allocations

- EXE Packing (Custom Packer)
  Compress/encrypt an executable; stub decompresses and runs it at runtime

- DLL Memory Loading (Reflective DLL Injection)
  Load a DLL from a byte buffer in memory instead of from disk

- Thread Hijacking
  Suspend an existing thread, redirect its instruction pointer, resume it

- Memory Patching
  Overwrite bytes in a running process to change its behavior


----------------------------------------------------------------
C2. HOOKING TECHNIQUES
----------------------------------------------------------------
- Inline Hooking
  Patch first 5 bytes of a function with a JMP to your handler

- Trampoline Hooks
  Inline hook that also preserves and calls the original function

- Detours-style Hook
  Microsoft Detours approach — robust inline hook with trampoline

- IAT Hooking
  Replace function pointers in the Import Address Table

- VTable Hooking
  Overwrite C++ virtual function table pointers

- GOT/PLT Hooking (Linux)
  Overwrite Global Offset Table entries to redirect function calls

- SSDT Hooking
  Hook the kernel's System Service Descriptor Table (kernel mode)

- Kernel Callback Hooking
  Tamper with PsSetCreateProcessNotifyRoutine and similar callbacks
  to blind EDR/AV kernel drivers

- IRP Hooking
  Hook I/O Request Packets in kernel drivers

- SYSENTER / SYSCALL Hooking
  Modify MSRs to intercept syscall entry point


----------------------------------------------------------------
C3. CODE INJECTION TECHNIQUES
----------------------------------------------------------------
- Classic DLL Injection
  WriteProcessMemory + CreateRemoteThread -> LoadLibrary

- APC Injection
  Queue an Async Procedure Call to a thread's APC queue

- Early Bird Injection
  Inject via APC before the process fully initializes

- SetThreadContext Injection
  Redirect a suspended thread's context registers to shellcode

- Fiber Injection
  Hijack user-mode fibers to execute code inside a target process

- Transacted Hollowing
  Variant of Doppelganging using TxF (Transactional NTFS)

- Heaven's Gate
  Switch from 32-bit to 64-bit mode mid-execution to bypass hooks

- Atom Bombing
  Use Windows global atom tables as a data smuggling channel

- ptrace Injection (Linux)
  Use ptrace() syscall to read/write memory and registers of a process

- LD_PRELOAD Hijacking (Linux)
  Force a process to load your shared library before all others


----------------------------------------------------------------
C4. EVASION & ANTI-ANALYSIS
----------------------------------------------------------------
- API Unhooking
  Restore ntdll from a clean copy to remove AV/EDR hooks

- Direct Syscalls
  Invoke syscalls by number, bypassing hooked user-mode API stubs

- Indirect Syscalls
  JMP into ntdll's syscall instruction to avoid non-module execution

- Syscall Stomping
  Overwrite an unused syscall stub with your own to blend in

- Unhooking via KnownDlls Cache
  Load clean ntdll from the KnownDlls section object

- ETW Patching
  Patch ETW to blind event logging and telemetry

- Call Stack Spoofing / Return Address Spoofing
  Fake the call stack to hide the real caller from EDR stack walking

- Sleep Obfuscation
  Encrypt shellcode in memory while sleeping to evade memory scanning

- Stack Encryption
  Encrypt the stack during sleep/wait periods

- Gargoyle Memory Hiding
  Mark shellcode as non-executable while not running; flip back on timer

- Timing Attacks / Sleep Skipping Detection
  Detect sandbox time acceleration; behave benignly when detected

- PPID Spoofing
  Fake the parent process ID of a spawned process

- Misleading Disassembly
  Insert junk bytes or overlapping instructions to fool disassemblers

- Hardware Breakpoint Detection
  Scan Dr0-Dr7 registers to detect hardware breakpoints

- AMSI Bypass
  Patch or tamper with the Antimalware Scan Interface to blind
  script-based detection


================================================================
  SECTION D — PRIVILEGE & CREDENTIALS
================================================================

----------------------------------------------------------------
D1. CREDENTIAL & PRIVILEGE TECHNIQUES
----------------------------------------------------------------
- Token Impersonation
  Steal/duplicate another process's access token

- Pass-the-Hash
  Authenticate using an NTLM hash without the plaintext password

- LSASS Dumping
  Extract credential material from LSASS process memory

- DPAPI Abuse
  Decrypt Chrome cookies, WiFi passwords, Windows credentials via
  CryptProtectData / CryptUnprotectData

- Kerberoasting
  Request TGS tickets for SPNs and crack service account passwords offline

- Golden Ticket
  Forge a Kerberos TGT using the KRBTGT hash — full domain access

- Silver Ticket
  Forge a TGS for a specific service without touching the DC

- Shadow Credentials
  Add key credentials to an AD object as a stealthy backdoor

- Skeleton Key
  Patch LSASS to accept a universal master password

- UAC Bypass
  Escalate to high-integrity without a UAC prompt

- ACL Abuse
  Exploit weak permissions on registry keys, services, or files


================================================================
  SECTION E — ACTIVE DIRECTORY TRADECRAFT
================================================================

----------------------------------------------------------------
E1. AD ATTACKS & ABUSE
----------------------------------------------------------------
- DCSync
  Impersonate a DC to request password hashes via MS-DRSR replication protocol

- DCShadow
  Register a rogue DC temporarily to push malicious AD changes

- BloodHound Graph Abuse
  Use BloodHound-collected AD relationship data to find attack paths
  to Domain Admin

- Constrained Delegation Abuse
  Abuse services allowed to delegate to specific targets to impersonate users

- Resource-Based Constrained Delegation (RBCD)
  Write msDS-AllowedToActOnBehalfOfOtherIdentity to gain impersonation rights

- NTLM Relay
  Capture and relay NTLM authentication to authenticate to other services

- PetitPotam
  Coerce a DC to authenticate to an attacker via MS-EFSRPC — feeds NTLM relay

- PrinterBug (SpoolSample)
  Abuse the Print Spooler to coerce DC authentication

- Zerologon (CVE-2020-1472)
  Cryptographic flaw in Netlogon — set DC machine account password to empty

- AdminSDHolder Abuse
  Modify AdminSDHolder ACL to propagate permissions to protected groups

- SID History Abuse
  Add high-priv SID to a user's SID history as a stealthy backdoor

- Kerberos Delegation (Unconstrained)
  Machines with unconstrained delegation store TGTs — coerce DC auth to steal it


================================================================
  SECTION F — DEFENSIVE INTERNALS & EDR CONCEPTS
================================================================

----------------------------------------------------------------
F1. EDR / DETECTION ENGINEERING INTERNALS
----------------------------------------------------------------
- AMSI (Antimalware Scan Interface)
  Windows API that allows AV/EDR to inspect script content
  (PowerShell, VBScript, JScript) before execution

- ETW (Event Tracing for Windows) Providers & Consumers
  Kernel and user-mode components emit structured events;
  EDRs subscribe to security-relevant providers for telemetry

- ETWTI (ETW Threat Intelligence)
  ETW provider specifically for kernel-level process/thread telemetry
  used by modern EDRs; harder to blind than user-mode hooks

- Sysmon Internals
  Sysinternals tool using kernel callbacks and ETW to log process
  creation, network, registry, file, and driver events

- Userland vs Kernel Telemetry
  Userland (IAT/inline hooks on ntdll) vs kernel (callbacks, ETW, minifilters)
  — kernel telemetry is far harder to evade

- Minifilter Drivers
  Kernel drivers that attach to the filter manager to intercept file I/O;
  used by AV/EDR to scan files on access

- Kernel Callbacks
  PsSetCreateProcessNotifyRoutine, PsSetLoadImageNotifyRoutine,
  CmRegisterCallback — EDRs use these for visibility; malware tries to remove them

- CFG (Control Flow Guard)
  Compiler+OS mitigation: validates indirect call targets against a bitmap
  of valid function entry points

- CET / Hardware Shadow Stack
  Intel CET pushes return addresses to a separate shadow stack protected
  by hardware; defeats ROP chains that corrupt the normal stack

- PatchGuard (KPP)
  Kernel Patch Protection: periodically checks integrity of SSDT, IDT,
  GDT, and other kernel structures; BSODs on tampering

- HVCI / VBS (Hypervisor-Protected Code Integrity / Virtualization Based Security)
  Uses a hypervisor to isolate the kernel credential store and enforce
  code integrity — makes unsigned kernel code execution nearly impossible

- Protected Process Light (PPL)
  Restricts which processes can open handles to sensitive processes
  (like LSASS) with certain access rights

- LSASS Protection
  RunAsPPL registry key makes LSASS a protected process;
  requires a signed driver to dump it


================================================================
  SECTION G — REVERSE ENGINEERING
================================================================

----------------------------------------------------------------
G1. REVERSE ENGINEERING SKILLS
----------------------------------------------------------------
- Static Analysis
  Reading disassembly without running it (IDA Pro, Ghidra, Binary Ninja)

- Dynamic Analysis
  Running under a debugger (x64dbg, WinDbg)

- Anti-Debug Tricks
  IsDebuggerPresent, NtQueryInformationProcess, timing checks, TLS callbacks

- Hardware Breakpoint Detection
  Detect debuggers via debug register inspection (Dr0-Dr7)

- Unpacking
  Extracting real payload from a packed/compressed executable

- Deobfuscation
  Recovering readable code from obfuscated or encrypted samples

- Binary Patching
  Modifying compiled binaries to change behavior

- Binary Diffing
  Comparing two binary versions to find changes (Diaphora, BinDiff)
  — essential for patch analysis and 1-day research

- Emulation / Unicorn Engine
  Run shellcode in an emulated CPU without a full OS environment

- Taint Tracking / Symbolic Execution
  Track attacker-controlled data flow through a binary (Angr, Triton)

- Debugger Scripting
  Automate analysis with IDAPython, x64dbg's Python API, WinDbg JS


================================================================
  SECTION H — LINUX & CROSS-PLATFORM
================================================================

----------------------------------------------------------------
H1. LINUX TECHNIQUES
----------------------------------------------------------------
- ptrace Injection
  Linux syscall for process inspection/control; abuse for code injection

- LD_PRELOAD Hijacking
  Force a process to load your shared library before system libraries;
  override functions like read(), write(), getuid()

- GOT / PLT Hooking
  Overwrite Global Offset Table to redirect function calls in ELF binaries

- ELF Internals
  ELF header, program headers, section headers, dynamic segment,
  symbol tables — Linux equivalent of PE format knowledge

- /proc Manipulation
  /proc/[pid]/mem for reading/writing process memory;
  /proc/[pid]/maps for layout; used in Linux injection techniques

- eBPF Rootkits
  Extended Berkeley Packet Filter programs run in kernel context;
  can hook syscalls and hide processes/network connections

- Linux Capabilities Abuse
  Fine-grained privilege system (CAP_SYS_ADMIN, CAP_NET_RAW, etc.)
  — misconfigurations lead to container escapes and privilege escalation

- cron / systemd Persistence
  Classic persistence via crontab entries or malicious systemd units


================================================================
  SECTION I — PERSISTENCE MECHANISMS
================================================================

- Registry Run Keys
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run

- Scheduled Tasks
  Via COM or XML; survive reboots

- COM Hijacking
  Replace a legitimate COM object with your own DLL

- DLL Proxying / DLL Side-Loading
  Malicious DLL named to match what a legit app expects; forward real exports

- WMI Subscriptions
  Trigger payloads on system events

- Boot/Login Scripts via GPO
  Scripts in SYSVOL executed at boot/login

- SID History Abuse
  Add high-priv SID to user's history as a stealthy backdoor

- SIH Abuse
  Abuse Windows maintenance scheduled tasks

- Boot/Pre-OS (Bootkit)
  MBR/VBR level persistence


================================================================
  SECTION J — FIRMWARE & HARDWARE
================================================================

- UEFI Bootkit
  Persist in SPI flash firmware (LoJax, CosmicStrand) — survives reinstalls

- SMM (System Management Mode) Rootkit
  Executes in SMRAM, invisible to OS; triggered by SMIs

- PCIe DMA Attacks
  Read/write host memory via PCIe/Thunderbolt without CPU (PCILeech)

- ACPI Table Tampering
  Embed malicious code in custom ACPI methods


================================================================
  SECTION K — HYPERVISOR & VM CONCEPTS
================================================================

- VM Exits
  Conditions that cause a guest VM to trap back to the hypervisor (VMM);
  hypervisors monitor sensitive instructions via VM exits

- EPT Hooking (Extended Page Tables)
  Hook guest physical memory mappings at the hypervisor level —
  invisible to the guest OS; used in stealth monitors and rootkits

- Blue Pill Rootkit Concept
  Transparently insert a hypervisor under a running OS; OS is unaware
  it's now a VM guest

- Hypervisor Introspection (VMI)
  Inspect guest VM memory and state from the hypervisor without
  touching the guest — powerful for transparent monitoring

- Intel VT-x Internals
  VMX root/non-root operation, VMCS fields, VMLAUNCH/VMRESUME,
  EPT, VPID — foundational for building a hypervisor

- CPUID Fingerprinting
  Detect virtualization via CPUID hypervisor bit and vendor strings

- Timing-Based VM Detection
  RDTSC delta differences between bare metal and VM environments

- SGX Enclaves
  Intel Software Guard Extensions — isolated encrypted memory regions
  even the OS/hypervisor can't read; used for secrets and anti-analysis

- TPM Abuse Concepts
  Trusted Platform Module sealing/unsealing secrets tied to platform state;
  research into PCR manipulation and TPM-based malware resilience


================================================================
  SECTION L — NETWORK, C2 & TRAFFIC EVASION
================================================================

- C2 Protocol Mimicry
  Disguise traffic as: HTTPS, DNS, MS Graph API, Telegram, Slack, OneDrive

- JA3 / JA3S Fingerprinting
  Fingerprint TLS clients/servers from handshake parameters;
  EDRs/NDRs use this to identify C2 tools

- JARM Fingerprint Spoofing
  Manipulate active TLS fingerprint to avoid C2 server identification

- HTTP/2 C2
  Use HTTP/2 multiplexing to blend C2 traffic into normal web traffic

- QUIC-Based Transport
  UDP-based protocol; harder to inspect than TCP/TLS streams

- Domain Fronting
  Route C2 through a CDN; largely mitigated, replaced by CDN impersonation

- Dead Drop Resolvers
  Store C2 address in a public service (Twitter, Pastebin, GitHub)
  so the real C2 IP never appears in the binary

- DGA (Domain Generation Algorithms)
  Algorithmically generate hundreds of domain names; only the attacker
  knows which one is registered today

- Fast Flux DNS
  Rapidly rotate IPs behind a C2 domain to evade IP blocklists

- Peer-to-Peer Botnets
  Decentralized C2 with no single point of failure; nodes relay commands

- Traffic Shaping
  Throttle and time C2 beacons to mimic normal user browser traffic

- Covert Channels
  Hide data in protocol fields not meant for data (DNS TXT, ICMP payload,
  HTTP headers, image steganography)

- C2 Over WebSocket / gRPC
  Modern protocol channels that blend naturally into enterprise traffic

- Living Off the Land (LOLBins)
  Use built-in Windows binaries to avoid dropping files:
  mshta, regsvr32, cscript, wmic, certutil, rundll32, msiexec, bitsadmin


================================================================
  SECTION M — ADVANCED RESEARCH TOPICS
================================================================

- DKOM (Direct Kernel Object Manipulation)
  Directly modify kernel structures (e.g., unlink a process from
  ActiveProcessLinks to hide it from task managers)

- Object Callbacks
  ObRegisterCallbacks — kernel mechanism for object open/duplicate
  notification; abused by anti-cheat and rootkits alike

- Heaven's Gate Variants
  Beyond 32->64 mode switch: variants for syscall table switching
  and wow64 layer abuse

- Gargoyle Memory Hiding
  Execute shellcode, then mark it non-executable and hide it in heap;
  re-arm via timer to re-execute later

- Sleep Obfuscation Techniques
  Encrypt implant in memory during sleep: Ekko, Foliage, Cronos variants

- Stack Encryption
  XOR or AES the stack during wait periods to evade memory scanning

- Return Address Spoofing
  Overwrite return addresses on the stack to fake call origin

- Intel VT-x Internals
  VMCS, EPT, VM exits — foundation for building custom hypervisors

- Kernel Patch Protection (PatchGuard) Internals
  How PatchGuard works: encrypted timer callbacks, integrity checks,
  randomized scheduling — and why bypassing it is extremely difficult

- ETWTI (ETW Threat Intelligence Provider)
  Kernel ETW provider emitting thread/process events used by modern EDRs;
  patching it requires kernel access and triggers PatchGuard


================================================================
  SECTION N — LEARNING RESOURCES
================================================================

Courses:
  - OSCP   (Offensive Security Certified Professional)
  - OSED   (Offensive Security Exploit Developer)
  - CRTO   (Certified Red Team Operator)
  - CRTE   (Certified Red Team Expert — AD focused)
  - Sektor7 Malware Development (intro + intermediate + rootkits)
  - SANS FOR610  (Reverse Engineering Malware)
  - SANS SEC760  (Advanced Exploit Development)
  - TCM Security Malware Analysis Courses

Books:
  - The Shellcoder's Handbook
  - Practical Malware Analysis (Sikorski & Honig)
  - Windows Internals Parts 1 & 2 (Russinovich et al.)
  - The Art of Memory Forensics
  - Rootkits: Subverting the Windows Kernel
  - Hacking: The Art of Exploitation (Erickson)
  - The Web Application Hacker's Handbook

Disassemblers / Decompilers:
  - IDA Pro            (industry standard)
  - Ghidra             (free, NSA open-source)
  - Binary Ninja       (scriptable, modern UI)
  - Cutter / Rizin     (free open-source)

Debuggers:
  - x64dbg             (Windows user-mode)
  - WinDbg / WinDbg Preview  (kernel + user-mode)
  - GDB + pwndbg/peda  (Linux)

Dynamic Instrumentation:
  - Frida              (scriptable, cross-platform)
  - DynamoRIO          (binary translation framework)
  - PIN (Intel)        (x86 instrumentation)

System Inspection:
  - Process Hacker / System Informer
  - Process Monitor (ProcMon)
  - API Monitor

Network Analysis:
  - Wireshark
  - Zeek / Bro
  - Fakenet-NG         (dynamic network analysis for malware)

Emulation / Symbolic Execution:
  - Unicorn Engine     (CPU emulation)
  - Angr               (symbolic execution)
  - Triton             (dynamic taint + symbolic)

Hardware / DMA:
  - PCILeech / MemProcFS

Practice Environments:
  - TryHackMe
  - HackTheBox
  - VulnHub
  - Any.run            (online sandbox)
  - MalwareBazaar      (real samples)
  - Flare-VM           (Windows RE environment)
  - REMnux             (Linux RE environment)
  - pwn.college        (exploit development)

================================================================
  NOTE: These concepts are for educational purposes —
  malware analysis, red teaming, CTFs, and security research.
  Always operate within legal boundaries and in authorized
  environments (your own lab, CTFs, bug bounty programs).
================================================================