[{"content":"","date":"5 March 2026","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":"","date":"5 March 2026","externalUrl":null,"permalink":"/categories/development/","section":"Categories","summary":"","title":"Development","type":"categories"},{"content":"I just released dnre-mcp 0.1.0, a standalone MCP server for .NET assembly reverse engineering and decompilation.\nWhat It Does # dnre-mcp lets AI assistants load, inspect, and decompile .NET assemblies directly through the Model Context Protocol. It exposes 10 tools covering assembly loading, type and method discovery, namespace browsing, and full C# source decompilation. Under the hood it uses ICSharpCode.Decompiler, the same engine that powers ILSpy.\nThe idea came out of a workflow where I was using dnSpyEx with an MCP extension to reverse engineer .NET binaries. That worked, but it meant running a full GUI application just to give Claude access to the decompiler. dnre-mcp strips that down to a lightweight CLI tool that communicates over stdio — no GUI needed.\nGetting Started # Pre-built binaries are available for Windows x64 and Linux x64 on the GitLab releases page, no .NET SDK required. If you prefer to build from source, you just need the .NET 10 SDK:\ndotnet build src/DnreMcp/DnreMcp.csproj Point your MCP client at the binary and you are good to go. Check the project page for full setup details.\nWhat\u0026rsquo;s Next # This is an initial release so there is plenty of room to grow. Some things I want to add include resource analysis, cross-reference support, and better handling of generic types. 
If you try it out, I would love to hear how it goes.\n","date":"5 March 2026","externalUrl":null,"permalink":"/posts/dnre-mcp-release/","section":"Posts","summary":"I just released dnre-mcp 0.1.0, a standalone MCP server for .NET assembly reverse engineering and decompilation.\nWhat It Does # dnre-mcp lets AI assistants load, inspect, and decompile .NET assemblies directly through the Model Context Protocol. It exposes 10 tools covering assembly loading, type and method discovery, namespace browsing, and full C# source decompilation. Under the hood it uses ICSharpCode.Decompiler, the same engine that powers ILSpy.\n","title":"dnre-mcp 0.1.0 — .NET Reverse Engineering via MCP","type":"posts"},{"content":"","date":"5 March 2026","externalUrl":null,"permalink":"/tags/dotnet/","section":"Tags","summary":"","title":"Dotnet","type":"tags"},{"content":"","date":"5 March 2026","externalUrl":null,"permalink":"/categories/genai/","section":"Categories","summary":"","title":"Genai","type":"categories"},{"content":"","date":"5 March 2026","externalUrl":null,"permalink":"/tags/genai/","section":"Tags","summary":"","title":"Genai","type":"tags"},{"content":"","date":"5 March 2026","externalUrl":null,"permalink":"/tags/mcp/","section":"Tags","summary":"","title":"Mcp","type":"tags"},{"content":"","date":"5 March 2026","externalUrl":null,"permalink":"/","section":"NTNINJA","summary":"","title":"NTNINJA","type":"page"},{"content":"","date":"5 March 2026","externalUrl":null,"permalink":"/posts/","section":"Posts","summary":"","title":"Posts","type":"posts"},{"content":"","date":"5 March 2026","externalUrl":null,"permalink":"/categories/reverse-engineering/","section":"Categories","summary":"","title":"Reverse Engineering","type":"categories"},{"content":"","date":"5 March 2026","externalUrl":null,"permalink":"/tags/reverse-engineering/","section":"Tags","summary":"","title":"Reverse Engineering","type":"tags"},{"content":"","date":"5 March 
2026","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"","date":"5 March 2026","externalUrl":null,"permalink":"/tags/tools/","section":"Tags","summary":"","title":"Tools","type":"tags"},{"content":"","date":"12 February 2026","externalUrl":null,"permalink":"/categories/exploit-dev/","section":"Categories","summary":"","title":"Exploit Dev","type":"categories"},{"content":"","date":"12 February 2026","externalUrl":null,"permalink":"/tags/exploit-dev/","section":"Tags","summary":"","title":"Exploit Dev","type":"tags"},{"content":"Quick update on two projects that have been getting a lot of my attention lately.\nWEDP 1.0.0-rc1 # WEDP (Windows Exploit Development Plugin) has hit its first release candidate. If you are not familiar with it, WEDP is a native WinDbg extension I built for exploit development workflows. It provides ROP/SEH/stack-pivot gadget search, cyclic pattern utilities, module protection enumeration, inline assembly, and a bunch of other stuff you would normally need multiple tools for. I wrote a post recently on using it with an MCP server and that really pushed me to clean things up and get a proper release out.\nThis release has been a long time coming and I am happy to finally have it in a state where I feel good about tagging it. You can grab the release from the GitLab releases page and check out the full feature list on the project page.\ndbgeng-mcp 0.1.0 # dbgeng-mcp is the project I mentioned in my last post about wanting a native MCP server for the Windows Debugging Engine. Instead of relying on a third-party WinDbg extension to bridge MCP, dbgeng-mcp talks directly to dbgeng.dll through a native C++ bridge built with pybind11. This means you can have an AI assistant launch, attach to, and control debug sessions without needing WinDbg open at all.\nThis is an alpha release and there is still a lot of work to do, but the core functionality is there. 
You can install it right now from PyPI:\npip install dbgeng-mcp Check out the project page for more details on features and setup.\nWhat\u0026rsquo;s Next # The plan is to keep iterating on both of these. For WEDP, I want to get feedback on the RC and work towards a stable 1.0.0. For dbgeng-mcp, there is a long list of features I want to add, especially around better memory analysis and tighter integration with extensions like WEDP. If you end up trying either of these out, let me know how it goes.\n","date":"12 February 2026","externalUrl":null,"permalink":"/posts/wedp-and-dbgeng-mcp-releases/","section":"Posts","summary":"Quick update on two projects that have been getting a lot of my attention lately.\nWEDP 1.0.0-rc1 # WEDP (Windows Exploit Development Plugin) has hit its first release candidate. If you are not familiar with it, WEDP is a native WinDbg extension I built for exploit development workflows. It provides ROP/SEH/stack-pivot gadget search, cyclic pattern utilities, module protection enumeration, inline assembly, and a bunch of other stuff you would normally need multiple tools for. 
I wrote a post recently on using it with an MCP server and that really pushed me to clean things up and get a proper release out.\n","title":"WEDP 1.0.0-rc1 and dbgeng-mcp 0.1.0","type":"posts"},{"content":"","date":"12 February 2026","externalUrl":null,"permalink":"/tags/windbg/","section":"Tags","summary":"","title":"Windbg","type":"tags"},{"content":"","date":"12 February 2026","externalUrl":null,"permalink":"/categories/windows/","section":"Categories","summary":"","title":"Windows","type":"categories"},{"content":"","date":"12 February 2026","externalUrl":null,"permalink":"/tags/windows/","section":"Tags","summary":"","title":"Windows","type":"tags"},{"content":"","date":"6 February 2026","externalUrl":null,"permalink":"/tags/dll/","section":"Tags","summary":"","title":"Dll","type":"tags"},{"content":"","date":"6 February 2026","externalUrl":null,"permalink":"/categories/vr/","section":"Categories","summary":"","title":"Vr","type":"categories"},{"content":"","date":"6 February 2026","externalUrl":null,"permalink":"/tags/vr/","section":"Tags","summary":"","title":"Vr","type":"tags"},{"content":"","date":"6 February 2026","externalUrl":null,"permalink":"/tags/wedp/","section":"Tags","summary":"","title":"Wedp","type":"tags"},{"content":"","date":"6 February 2026","externalUrl":null,"permalink":"/tags/win32/","section":"Tags","summary":"","title":"Win32","type":"tags"},{"content":"I have been late to the game with adopting GenAI into my workflow, but we are at full steam now. I have slowly been adding it into my daily routines to see where I can gain efficiency leveraging this new tech. One of the big areas I am playing with right now is for writing Windows based CTF challenges, and now in the past few days, seeing how I can leverage GenAI for writing POCs for these new challenges. 
In this post we are going to walk through my initial setup for using the WinDbg EXT MCP to control a windbg instance that has the extension I wrote a long time ago, WEDP (Windows Exploit Development Plugin), to improve the process of going from crash to POC.\nUp front, I will probably try to update this over time as I improve this setup. The current setup is very simple and needs some adjusting. I have just begun dabbling with MCP servers, so I will not go into details on what they are other than that they allow you to connect GenAI to other tools.\nMy Environment # Below is the setup I was using for this iteration:\nWindows 11 Pro Visual Studio 2026 (most recent as of Feb 2026) Python 3.14 WinDbg (installed from MS Store) WinDbg EXT MCP (commit hash: 49ec16224fad7428ca2e80608dd656b683c70a0c) WEDP (Windows Exploit Development Plugin) Gemini CLI (I am using a paid subscription) Setup # This section is going to go through setting up the MCP server and getting it to interact with windbg and wedp. I assume you have Visual Studio, python, windbg and whatever GenAI platform you're using.\nMCP Server # WinDbg EXT MCP # First things first, we will build and install the MCP server. This MCP server consists of 2 components, a native windbg extension and a python MCP server. You should be able to follow along with the install instructions in the repo, but I will add on some additional steps I used to make life a little easier. Let's set up our native extension first.\nNative Extension # Build the extension as described in the repo; you may need to re-target the solution depending on the version of VS you are using. I like to create a dedicated directory for user windbg extensions and would recommend the same. If you do use this method, you should also set the _NT_DEBUGGER_EXTENSION_PATH environment variable to point to your extension directory so that you can load extensions from it without having to use a full path. 
If you followed the above you can open WinDbg, load an exe and run .load windbgmcpExt to make sure it loads. You should see the following output: MCP server started on pipe: \\\\.\\pipe\\windbgmcp MCPServer: Waiting for client connection on \\\\.\\pipe\\windbgmcp Python MCP Server # To install, you should just follow the instructions on the repo. As a note, I install poetry using pipx. Using python 3.14 I had to update a few modules to make this work: poetry add pywin32@latest fastmcp@latest poetry install Now the selftest and mcp commands should work. Gemini CLI Configuration # If you're not using Gemini, this will be different; the MCP server has a script to install into the config of several of the other major GenAI tools.\nIn your gemini config file, at C:\\users\\\u0026lt;USER\u0026gt;\\.gemini\\settings.json add the following block into the mcpServers key. Create the key if it does not exist. \u0026#34;windbg-mcp\u0026#34;: { \u0026#34;command\u0026#34;: \u0026#34;\u0026lt;ABSOLUTE PATH TO POETRY.EXE\u0026gt;\u0026#34;, \u0026#34;args\u0026#34;: [ \u0026#34;run\u0026#34;, \u0026#34;mcp\u0026#34; ], \u0026#34;cwd\u0026#34;: \u0026#34;\u0026lt;ABSOLUTE PATH\u0026gt;\\\\windbg-ext-mcp\u0026#34;, \u0026#34;env\u0026#34;: { \u0026#34;DEBUG\u0026#34;: \u0026#34;false\u0026#34; }, \u0026#34;trust\u0026#34;: true } Start a fresh gemini session and you should be able to run /mcp list and get a list of tools and a nice green bubble next to windbg-mcp. WEDP # If you followed the steps in the Native Extension section, simply download the most recent release of WEDP from the releases page and drop it in the windbg extension directory you created.\nRun Commands # Once you are all set up and in your gemini session you can prompt to load wedp.\nload the wedp windbg extension, it is already in the .extpath Once it's loaded you can ask it fun questions. 
There are issues with the size of output you get from some commands, which is where some of the next steps will help, but here is an example command:\nwhat protections are enabled on the main binary? ✦ The main binary, agentactivationruntimestarter.exe, has the following protections enabled: * ASLR (Address Space Layout Randomization): True * DEP (Data Execution Prevention): True * CFG (Control Flow Guard): True * SafeSEH: False (Note: SafeSEH is an x86 protection; as this is an x64 binary, it uses exception handling tables instead). * Rebased: True All modern mitigations are active for this binary. Next Steps # Generate a system prompt to provide better context into how to use WEDP. Add an MCP server into WEDP and adjust output to take up less tokens and be more machine readable. Re-visit WEDP and see what additional stuff would be helpful for this guided productization process. Conclusion # This is the bare minimum setup and the next step I am taking is working out a better GEMINI.md file that will guide Gemini in how to use wedp more efficiently. The primary issues now are that wedp outputs a lot of information, so we need to make sure Gemini knows that it should output all data to a file that it can then ingest and not try to pass all the data through the MCP. This has also got me thinking about just updating WEDP to natively have an MCP server you can turn on and make the output more machine readable. Anyway, have fun with this and if you come up with a good system prompt for this let me know!\n","date":"6 February 2026","externalUrl":null,"permalink":"/posts/windbg-mcp-with-wedp/","section":"Posts","summary":"I have been late to the game with adopting GenAI into my workflow, but we are at full steam now. I have slowly been adding it into my daily routines to see where I can gain efficiency leveraging this new tech. 
One of the big areas I am playing with right now is for writing Windows based CTF challenges, and now in the past few days, seeing how I can leverage GenAI for writing POCs for these new challenges. In this post we are going to walk through my initial setup for using the WinDbg EXT MCP to control a windbg instance that has the extension I wrote a long time ago, WEDP (Windows Exploit Development Plugin), to improve the process of going from crash to POC.\n","title":"WinDBG MCP with WEDP","type":"posts"},{"content":"","date":"21 November 2022","externalUrl":null,"permalink":"/tags/development/","section":"Tags","summary":"","title":"Development","type":"tags"},{"content":"","date":"21 November 2022","externalUrl":null,"permalink":"/tags/encryption/","section":"Tags","summary":"","title":"Encryption","type":"tags"},{"content":"","date":"21 November 2022","externalUrl":null,"permalink":"/tags/git/","section":"Tags","summary":"","title":"Git","type":"tags"},{"content":"","date":"21 November 2022","externalUrl":null,"permalink":"/tags/gpg/","section":"Tags","summary":"","title":"GPG","type":"tags"},{"content":"Open source software development is great, and there exists an abundance of different git solutions to create public and private repositories for collaboration and distribution. Private repos give you an extra layer of control by not allowing your code base to be seen by the public. Occasionally you may have a project on which you want to collaborate with a limited set of remote people, and want to restrict the possibility of your source being viewed, even by the git service provider. None of the commercial git providers have a good solution for this currently, at least that I know of.\nAfter some research I found that Keybase.io does offer a potential solution, but this requires all of your collaborators to create an account through keybase. 
While reading about their solution, I found out that they primarily use a custom git remote-helper for the encryption/decryption on the client side. That led me to find git-remote-gcrypt, a GPG solution for encrypted git repositories. I also came across an article from 9to5Answer on setting up encrypted git repositories that inspired me to test it out.\nWalkthrough # Environment # Ubuntu 22.04 Desktop GitLab with SSH keys configured GitHub with SSH keys configured Steps # 1. Make sure your system is fully up to date and install the git-remote-gcrypt and gpg packages\nsudo apt update sudo apt upgrade -y sudo apt install git-remote-gcrypt gpg If you don't have GPG keys already, you will need to generate them. I am no expert in GPG and just used the commands listed below for testing, but the 9to5Answer article links to Alex Cabal\u0026rsquo;s post to get a better idea on creating a GPG key. We will also need to grab the key's fingerprint for later. gpg --gen-key gpg --list-keys Create the repository on the remote git solution (GitHub / GitLab). We called our repo crypt-test on both platforms.\nSet up the local repository; we can either clone and modify the remotes here or we can initialize a local repo and add the new remote. We will call the remote crypt-origin in the walkthrough. This is all for a brand new repo.\na. Clone and modify remotes\n# CLONE AND MODIFY REMOTES git clone \u0026lt;GIT URL\u0026gt; cd \u0026lt;GIT REPO\u0026gt; git remote remove origin git remote add crypt-origin gcrypt::\u0026lt;GIT URL\u0026gt; # Initialize local and add remotes from a blank directory git init git branch -m main git remote add crypt-origin gcrypt::\u0026lt;GIT URL\u0026gt; We then need to configure our repo to allow our GPG key. The last command is optional and will remove anonymity and allow others to see who is contributing to the project. 
Without that command you will have to cycle through your keypairs, if you have multiple, as described in more detail on the 9to5Answer article. git config remote.crypt-origin.gcrypt-participants \u0026lt;GPG FINGERPRINT\u0026gt; git config remote.crypt-origin.gcrypt-signingkey \u0026lt;GPG FINGERPRINT\u0026gt; git config remote.crypt-origin.gcrypt-publish-participants true I am not sure if this was environmental or what and need to do more research, but while in bash/tmux I had to export GPG_TTY, as shown below, to allow gpg to prompt for my passphrase and actually work. Other than that, you can start working with git as normal. export GPG_TTY=$(tty) git add * git commit -asm \u0026#34;My commit message\u0026#34; git push crypt-origin main Warnings and Information # Read the 9to5Answer Article for some of the warnings and issues they bring up. All pushes will implicitly set the --force flag. A push must pull the repo, decrypt, do the push locally, encrypt and then push the encrypted data back to the remote. I have not done the research to see if there is any sort of solution to deal with race conditions on pushes, but I foresee that being a potential issue with this solution. On early attempts to use this solution I seemed to corrupt my repo when I did not have GPG_TTY exported. As stated earlier, I am not a GPG expert and really have very little experience with GPG, so there is probably some good information out there on ways to make this work better. I saw in some article that you could use a key without a passphrase, but then you lose that extra protection of your key. While it may seem obvious once you think about it, it's worth mentioning that because everything on the remote end is encrypted, pretty much all of the Web UI functionality is useless in the different git solutions. Any collaborators should be comfortable working with git locally, including merging and handling merge issues. 
Final Thoughts # The fact is that very few solutions address the problem this one is trying to solve, and most users probably don't need anything like this. With that in mind and the limited choices for remote encrypted git, I think that this solution is feasible and will hopefully continue to mature. Now that I am aware of this solution, I will continue to test it out and see how I can contribute to progressing it further to hopefully come to an easy to use and robust solution for encrypted remote git repos.\n","date":"21 November 2022","externalUrl":null,"permalink":"/posts/encrypted-git/","section":"Posts","summary":"Open source software development is great, and there exists an abundance of different git solutions to create public and private repositories for collaboration and distribution. Private repos give you an extra layer of control by not allowing your code base to be seen by the public. Occasionally you may have a project on which you want to collaborate with a limited set of remote people, and want to restrict the possibility of your source being viewed, even by the git service provider. 
None of the commercial git providers have a good solution for this currently, at least that I know of.\n","title":"Protecting Repos with Encrypted GIT","type":"posts"},{"content":"","date":"21 November 2022","externalUrl":null,"permalink":"/categories/security/","section":"Categories","summary":"","title":"Security","type":"categories"},{"content":"","date":"21 November 2022","externalUrl":null,"permalink":"/tags/security/","section":"Tags","summary":"","title":"Security","type":"tags"},{"content":"","date":"21 November 2022","externalUrl":null,"permalink":"/categories/software/","section":"Categories","summary":"","title":"Software","type":"categories"},{"content":"","date":"21 November 2022","externalUrl":null,"permalink":"/tags/software/","section":"Tags","summary":"","title":"Software","type":"tags"},{"content":"","date":"8 October 2022","externalUrl":null,"permalink":"/categories/admin/","section":"Categories","summary":"","title":"Admin","type":"categories"},{"content":"","date":"8 October 2022","externalUrl":null,"permalink":"/tags/admin/","section":"Tags","summary":"","title":"Admin","type":"tags"},{"content":"","date":"8 October 2022","externalUrl":null,"permalink":"/tags/exchange/","section":"Tags","summary":"","title":"Exchange","type":"tags"},{"content":"Right off the bat, if you are looking for resources on how to set up or manage exchange in a production environment then stop reading; this installation was purely for a lab environment to practice red team techniques and play with some recent exploits.\nAs someone with 0 training in windows administration, getting exchange working in my lab has been a long and painful experience. It ended up just taking a lot of research to find a web site with a walkthrough that finally worked for me to get a basic setup. I will admit that I don't fully understand exactly what every command is completing in the setup process, but it's not really necessary for my use cases. 
This 5 part guide from nucleus technologies is what I followed for the most part and has much more detail, but I will add some additional links for dependencies to get everything in one place.\nNOTE: I am running everything under the domain admin account on my server here for the install process.\nPre-Installation # Environment # Before installing exchange you will need an active directory forest set up with at least one writeable DC. The Forest and Domain must be in 2K12 mode or higher and the DC must be 2K12 or newer. I am also only testing with IPv4 so didn't really need to worry about IPv6 at all. If you already have this type of environment, you can start installing the pre-requisites.\nPre-Requisites # We need to first install .NET Framework, the Visual C++ Redistributable runtime and the Unified Communications runtime, then reboot the box. More detailed info can be found here.\n.NET Framework VC++ Redist 2K12 VC++ Redist 2K13 UCM Runtime After we install the above and reboot, we need to install the following packages using the following powershell commands.\nInstall-WindowsFeature RSAT-ADDS Install-WindowsFeature NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS Schema # Next we need to prep the AD environment for the install. Mount the Exchange ISO and open an elevated CMD in the mounted ISO drive. 
I used an older exchange cumulative update (CU), but assume the process should work on newer CUs as well.\nRun the following commands; this is the point where I did not do the research to figure out exactly what these do, but it made the install work.\nSetup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms The organization name is just a name that exchange uses, but from some quick research it seems like you only get 1 organization per forest when it comes to exchange. It also did not like special characters in the name.\nSetup.exe /PrepareAD /OrganizationName:\u0026#34;\u0026lt;ORG NAME\u0026gt;\u0026#34; /IAcceptExchangeServerLicenseTerms Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms Installation # Next we actually move on to installing exchange. In the mounted exchange ISO directory, double-click Setup.exe to bring up the installation wizard UI. For the most part we can skip through the UI screens until we get to server role selection. I skipped updates to keep the server vulnerable to recent exploits. At server role selection, select Mailbox role and the bottom check box to Automatically install Windows Server roles and features that are required to install Exchange Server. Let the installer do its thing; it may take a while and reboot when it finishes.\nPost-Installation # Microsoft has a list of post-installation tasks here, but they aren't necessary for the lab environment.\nVerification # In the start menu, look for the Microsoft Exchange Server 2019 folder and then open the Exchange Administrative Center. This will open in a browser with a login page. Log in with the domain administrator creds. 
You should be able to see the administrator mailbox and configure the exchange server to cater to your needs from here.\n","date":"8 October 2022","externalUrl":null,"permalink":"/posts/install-exchange2k19-server2k19/","section":"Posts","summary":"Right off the bat, if you are looking for resources on how to set up or manage exchange in a production environment then stop reading; this installation was purely for a lab environment to practice red team techniques and play with some recent exploits.\nAs someone with 0 training in windows administration, getting exchange working in my lab has been a long and painful experience. It ended up just taking a lot of research to find a web site with a walkthrough that finally worked for me to get a basic setup. I will admit that I don't fully understand exactly what every command is completing in the setup process, but it's not really necessary for my use cases. This 5 part guide from nucleus technologies is what I followed for the most part and has much more detail, but I will add some additional links for dependencies to get everything in one place.\n","title":"Installing Exchange 2019 on Server 2019 for Lab","type":"posts"},{"content":"","date":"8 October 2022","externalUrl":null,"permalink":"/tags/lab/","section":"Tags","summary":"","title":"Lab","type":"tags"},{"content":"","date":"8 October 2022","externalUrl":null,"permalink":"/categories/redteam/","section":"Categories","summary":"","title":"Redteam","type":"categories"},{"content":"","date":"28 September 2022","externalUrl":null,"permalink":"/tags/.net/","section":"Tags","summary":"","title":".Net","type":"tags"},{"content":" Challenge Download # In this challenge you are given a single binary. The binary can simply take in user input to serialize an object to a file or take in a file and deserialize the object and print the contents. 
Your goal is to get arbitrary command execution using any tools necessary from the binary.\nGood Luck!\n","date":"28 September 2022","externalUrl":null,"permalink":"/posts/dotnet-deserialization-challenge1/","section":"Posts","summary":"Challenge Download # In this challenge you are given a single binary. The binary can simply take in user input to serialize an object to a file or take in a file and deserialize the object and print the contents. Your goal is to get arbitrary command execution using any tools necessary from the binary.\nGood Luck!\n","title":".NET Deserialization Challenge 1","type":"posts"},{"content":" Challenge Download # Wacky File Transfer # In this challenge you are presented with the Wacky File Transfer client wft_client.exe and Wacky File Transfer server wft_server.exe. The helper library wft_helpers.dll that is used by both the client and the server is also included and must be present in the same directory as the client or server to execute them.\nWacky File Transfer is a simple network file transfer utility, with some basic functionality. Your goal is to find a way to get RCE on the Wacky File Transfer server.\nGood Luck!\nWARNING # The Wacky File Transfer service is vulnerable and should not be run listening on the open internet. Use at your own risk.\n","date":"28 September 2022","externalUrl":null,"permalink":"/posts/dotnet-deserialization-challenge2/","section":"Posts","summary":"Challenge Download # Wacky File Transfer # In this challenge you are presented with the Wacky File Transfer client wft_client.exe and Wacky File Transfer server wft_server.exe. 
The helper library wft_helpers.dll that is used by both the client and the server is also included and must be present in the same directory as the client or server to execute them.\n","title":".NET Deserialization Challenge 2","type":"posts"},{"content":"","date":"28 September 2022","externalUrl":null,"permalink":"/tags/.net-framework/","section":"Tags","summary":"","title":".Net Framework","type":"tags"},{"content":"","date":"28 September 2022","externalUrl":null,"permalink":"/tags/challenge/","section":"Tags","summary":"","title":"Challenge","type":"tags"},{"content":"","date":"28 September 2022","externalUrl":null,"permalink":"/tags/deserialization/","section":"Tags","summary":"","title":"Deserialization","type":"tags"},{"content":"","date":"28 September 2022","externalUrl":null,"permalink":"/tags/vulnerable/","section":"Tags","summary":"","title":"Vulnerable","type":"tags"},{"content":"","date":"25 September 2022","externalUrl":null,"permalink":"/tags/rundll/","section":"Tags","summary":"","title":"Rundll","type":"tags"},{"content":"Have you ever written a DLL that had standalone functionality and wasn\u0026rsquo;t meant to be used as a library? Considering that library is in the name, this idea seems contrary to what a library should be. Well, you can thank Microsoft for providing a way to execute standalone functionality from a DLL. Not only did they do that, they also provide DLLs with functionality that you need this utility to run!!! Say hello to rundll32, pronounced run dull all smashed as one word in some circles.\nrundll32, as described on MSDN in 1 of 6 sentences of documentation, \u0026ldquo;loads and runs 32-bit dynamic-link libraries (DLLs)\u0026rdquo;.1 Wait, the MSDN documentation doesn\u0026rsquo;t even get that correct\u0026hellip;\nrundll32 is a utility that will load a DLL and execute an exported function from the DLL. 
rundll32 comes in a 64-bit version and a 32-bit version:\n:: 64-bit c:\\windows\\system32\\rundll32.exe :: 32-bit c:\\windows\\syswow64\\rundll32.exe But why is it called rundll32 then? Well, I would say I have no idea, but of course Raymond Chen has the answer. In his blog post from 2014, he tells us that the naming is a leftover from the days of 16-bit Windows.4 In that time, all of the system binaries were in the same directory, and thus rundll.exe was 16-bit and rundll32.exe was 32-bit. On modern systems, with WoW64, we have different directories for 32-bit and 64-bit system binaries, so we got rid of the name collision. In order to maintain backwards compatibility, they just left the name rundll32.exe for the 64-bit version. This doesn\u0026rsquo;t just apply to rundll32 and is actually the reason we have 32 in the name of several of the other system binaries and utilities.\nWhy should we use rundll32? Well, according to Raymond Chen you shouldn\u0026rsquo;t. On his blog, Raymond discusses the plethora of issues that come along with using rundll32.3 The gist of the post is that anything executed by rundll32 runs in the environment that it sets up, therefore you get no control over the execution environment. As well, it makes it difficult to track where issues are occurring, and rundll32 assumes that the exported function is designed to handle windows messages.\nThen why am I writing a post about it? There are some useful things that admins can use rundll32 for, but we're not really here for that. There is a group of people that are fairly used to executing code in environments they don\u0026rsquo;t control that tend to like to use rundll32\u0026hellip;\nHackers!\nRed teamers, APTs, hacktivists and all the other things you can think of use rundll32. 
There is even a MITRE technique specifically for it.8 Many of the red teaming tools are delivered as DLLs, so what better way to load and execute them than using a signed Windows binary?\nSo how do we use rundll32? Well, there are a few legitimate uses for rundll32. One of the big ones documented on MSDN is automating a lot of printer configuration tasks from printui.dll.10 As well, it can be used to run control panel items (.cpl files).5 You can search around the internet and find many other administrative tasks that use rundll32 to accomplish their task.\nThere are a plethora of uses, legitimate and illegitimate, that can be found through some simple searching. To save you some time, I will link a few resources that you can use at the bottom.\nNow that we have seen some normal uses, how do we write our own DLLs to be run with rundll32? We just write a DLL, export the function and we are good to go\u0026hellip;..\nWell, maybe it\u0026rsquo;s not that easy.\nIn order to really figure out how we write a DLL that we can call with rundll32, we could search the internet\u0026hellip;\nor we can just RE it and find out firsthand. It turns out that there isn\u0026rsquo;t actually too much going on in the binary. We will focus on the parts of loading and executing an exported function from a DLL. Before we get to this point, rundll32 has parsed the input command line into its different parts and done some setup and access checking.\nAt this point, rundll32 calls its _InitCommandInfo function, which handles calling LoadLibraryExW on the specified library, finding the exported function and converting the command line for it from a wide character string to an MBCS string. After this, we see that the binary calls RunDLL_CreateStubWindow. 
Once again we go to Raymond Chen, who talks about this in his blog.3 It boils down to the fact that rundll32 expects the entry point to provide a task that will handle window messages, and if you don\u0026rsquo;t handle those messages in a long-running task you can clog up broadcasts, which leads to unresponsive windows.\nFinally we see rundll32.exe call our exported function. We can also see that it will always call the function with 4 arguments. This means that if we want to write a DLL that works with rundll32, the export must handle those 4 arguments and also should handle window messages if it\u0026rsquo;s a long-running task. If you\u0026rsquo;re trying to figure out why rundll32 doesn\u0026rsquo;t crash when you don\u0026rsquo;t have the proper prototype on modern systems, you can thank Raymond Chen for the fix.2 Finally, we have the prototype that we need to export.\nVOID __fastcall ExportFunction(HWND hWnd, HINSTANCE hInstance, LPSTR lpCmd, INT nShow) Now we can go ahead and write a simple example library that we can execute with rundll32. For this we will just write a simple hello world message box application, where the message is whatever we pass as command line arguments.\n#include \u0026lt;windows.h\u0026gt; extern \u0026#34;C\u0026#34; { __declspec(dllexport) VOID __fastcall MyExport(HWND hWnd, HINSTANCE hInst, LPSTR CommandLine, INT nShowCmd) { UNREFERENCED_PARAMETER(hWnd); UNREFERENCED_PARAMETER(hInst); UNREFERENCED_PARAMETER(nShowCmd); MessageBoxA(NULL, CommandLine, \u0026#34;RUNDLL-FUN\u0026#34;, MB_OK); return; } } The code simply defines and exports a function named MyExport that matches the prototype we found in rundll32.exe. Since we are using the MSVC C++ compiler, we wrap the function in extern \u0026ldquo;C\u0026rdquo; so that we get an undecorated export name. This is all that it takes to write a DLL that we can use with rundll32.exe. 
Now we just need to test it out.\nWe can run the exported function either by supplying the name of the export, or by supplying the ordinal of the export prepended with a #. The examples below show both methods and will give us the same output.\n:: Export Name rundll32.exe rundll-fun.dll,MyExport This is my message :: Export Ordinal rundll32.exe rundll-fun.dll,#1 This is my message gives us\nHopefully this post has brought to light some of the internal workings of rundll32 and some of the pitfalls associated with using it.\nIf this piqued your interest, there are also other Windows DLLs that you can use with rundll32 to load a DLL with a different export prototype; you can find them in the resources. As well, rundll32 interestingly supports executing different types of scripting languages. The resources below are a good starting point and can guide you towards a lot more fun with rundll32.\nResources # MSDN rundll32 Throwing garbage on the sidewalk: The sad history of the rundll32 program What’s the guidance on when to use rundll32? Easy: Don’t use it Why is Rundll32 called Rundll32 and not just Rundll? A Deep Dive Into rundll32.exe What is rundll32.exe SS64 rundll32.exe MITRE - System Binary Proxy Execution: Rundll32 LOLBAS rundll32.exe MSDN rundll32 printui ","date":"25 September 2022","externalUrl":null,"permalink":"/posts/rundll-fundll/","section":"Posts","summary":"Have you ever written a DLL that had standalone functionality and wasn’t meant to be used as a library? Considering that library is in the name, this idea seems contrary to what a library should be. Well, you can thank Microsoft for providing a way to execute standalone functionality from a DLL. Not only did they do that, they also provide DLLs with functionality that you need this utility to run!!! Say hello to rundll32, pronounced run dull all smashed as one word in some circles.\n","title":"rundll... 
more like fundll","type":"posts"},{"content":"","date":"25 September 2022","externalUrl":null,"permalink":"/tags/rundll32/","section":"Tags","summary":"","title":"Rundll32","type":"tags"},{"content":"Software Developer, Security Researcher, Extreme Sports Athlete.\nMy primary technical interests include Windows Internals research, Win32 Dev, Windows Kernel Dev, Windows VR and Exploit Dev. I also enjoy learning about and testing red team tools, doing CTF style challenges and continuing to grow my knowledge of the security field. I love to share my passion and teach what I have learned about Windows to others.\n","externalUrl":null,"permalink":"/about/","section":"NTNINJA","summary":"Software Developer, Security Researcher, Extreme Sports Athlete.\nMy primary technical interests include Windows Internals research, Win32 Dev, Windows Kernel Dev, Windows VR and Exploit Dev. I also enjoy learning about and testing red team tools, doing CTF style challenges and continuing to grow my knowledge of the security field. I love to share my passion and teach what I have learned about Windows to others.\n","title":"About","type":"page"},{"content":" Links # GitLab Repository Overview # dbgeng-mcp is a Model Context Protocol (MCP) server that bridges AI assistants to the Windows Debugging Engine (dbgeng.dll). Built with Python and a native C++ extension (pybind11), it exposes debugger functionality as MCP tools so that LLM-based agents can launch, attach to, and inspect processes through natural language. 
The project is currently alpha software under active development and is MIT licensed.\nFeatures # Process Control # Launch a process under the debugger Attach to a running process Detach from the target Restart the current debug session Execution Control # Continue, break, and step execution Run until a specific event occurs State Inspection # Query debugger state Retrieve debugger output and event log Get stack traces Memory \u0026amp; Commands # Read target memory Execute arbitrary WinDbg commands Extension Management # Load, unload, and list debugger extensions Safety # Read-only mode Automatic SDK discovery via Windows registry Quick Start # 1. Install (requires Python 3.10+ x64 and Debugging Tools for Windows):\npip install dbgeng-mcp 2. Run the MCP server:\ndbgeng-mcp 3. Example MCP client config (e.g. for Claude Desktop or similar):\n{ \u0026#34;dbgeng-mcp\u0026#34;: { \u0026#34;command\u0026#34;: \u0026#34;dbgeng-mcp\u0026#34;, \u0026#34;trust\u0026#34;: true } } ","externalUrl":null,"permalink":"/dbgeng-mcp/","section":"NTNINJA","summary":"Links # GitLab Repository Overview # dbgeng-mcp is a Model Context Protocol (MCP) server that bridges AI assistants to the Windows Debugging Engine (dbgeng.dll). Built with Python and a native C++ extension (pybind11), it exposes debugger functionality as MCP tools so that LLM-based agents can launch, attach to, and inspect processes through natural language. The project is currently alpha software under active development and is MIT licensed.\n","title":"dbgeng-mcp","type":"page"},{"content":" Links # GitLab Repository Overview # dnre-mcp is a Model Context Protocol (MCP) server for .NET assembly reverse engineering and decompilation. It gives AI assistants like Claude the ability to load, analyze, and decompile .NET assemblies without needing a GUI tool like dnSpy or ILSpy open. 
Built in C# on .NET 10 and powered by ICSharpCode.Decompiler (the engine behind ILSpy), it communicates over stdio for easy integration with Claude Code and Claude Desktop. The project is MIT licensed.\nFeatures # Assembly Management # Load .NET assemblies (dll/exe) from disk List all currently loaded assemblies Type Analysis # List all types in an assembly with optional namespace filtering Search for types by name (case-insensitive) Get complete type metadata — base class, interfaces, fields, properties, methods, events, nested types Decompile entire types to C# source code Method Analysis # Search for methods across all types by name Get method signature details — parameters, return type, accessibility, virtual/abstract/override Decompile specific methods to C# source (handles overloads) Namespace Browsing # List all namespaces in an assembly Quick Start # 1. Download the latest release from the GitLab releases page (pre-built binaries available for Windows x64 and Linux x64, no .NET SDK required).\n2. Or build from source (requires .NET 10 SDK):\ndotnet build src/DnreMcp/DnreMcp.csproj 3. Example MCP client config (e.g. for Claude Code or Claude Desktop):\n{ \u0026#34;mcpServers\u0026#34;: { \u0026#34;dnre\u0026#34;: { \u0026#34;command\u0026#34;: \u0026#34;/path/to/DnreMcp\u0026#34; } } } ","externalUrl":null,"permalink":"/dnre-mcp/","section":"NTNINJA","summary":"Links # GitLab Repository Overview # dnre-mcp is a Model Context Protocol (MCP) server for .NET assembly reverse engineering and decompilation. It gives AI assistants like Claude the ability to load, analyze, and decompile .NET assemblies without needing a GUI tool like dnSpy or ILSpy open. Built in C# on .NET 10 and powered by ICSharpCode.Decompiler (the engine behind ILSpy), it communicates over stdio for easy integration with Claude Code and Claude Desktop. 
The project is MIT licensed.\n","title":"dnre-mcp","type":"page"},{"content":" TantoC2 - Red Team Command \u0026amp; Control Framework # A modular C2 framework for authorized penetration testing and adversary simulation. Single deployable Python process with multi-operator support, P2P relay, agentless operations, and full audit logging.\nWEDP - Windows Exploit Development Plugin # A native WinDbg extension for exploit development. Provides 20 commands for gadget search, pattern utilities, memory analysis, and more. Written in C++ with native x86/x64 support.\ndbgeng-mcp - Windows Debug Engine MCP # An MCP server bridging AI assistants to the Windows Debugging Engine (dbgeng.dll). Exposes debugger functionality as MCP tools so LLM-based agents can launch, attach to, and inspect processes. Built with Python and C++ (pybind11).\ndnre-mcp - .NET Reverse Engineering MCP # An MCP server for .NET assembly reverse engineering and decompilation. Lets AI assistants load, analyze, and decompile .NET assemblies to C# source code. Built in C# on .NET 10, powered by the ILSpy decompiler engine.\n","externalUrl":null,"permalink":"/projects/","section":"NTNINJA","summary":"TantoC2 - Red Team Command \u0026 Control Framework # A modular C2 framework for authorized penetration testing and adversary simulation. Single deployable Python process with multi-operator support, P2P relay, agentless operations, and full audit logging.\nWEDP - Windows Exploit Development Plugin # A native WinDbg extension for exploit development. Provides 20 commands for gadget search, pattern utilities, memory analysis, and more. 
Written in C++ with native x86/x64 support.\n","title":"Projects","type":"page"},{"content":" Web Sites / Blogs # Windows # Alex Ionescu CodeMachine Pavel Yosifovich Microsoft Security Response Center Blogs Geoff Chappell The Old New Thing OSR Online WinWorld PC Microsoft Learn Steve Syfuhs Steves Tech Spot Uninformed Attl4s InfoSec # MalwareTech Stygian Security Infosec Reference Security Sift Bad Sector Labs I Hack 4 Falafel Cyber Khalid Trail of Bits FuzzySecurity Corelan Phrack DEFCON Media Server Exploit DB Papers Black Hills Infosec iRed.Team ZeroDay Engineering Google Project Zero Forrest Orr VX-Underground Windows Papers wumb0 Andrea Fortuna 0xinfection XPN (Adam Chester) SpecterOps Dirk-jan Mollema 0xcsandker Shogun Lab 0x00 Sec PreEmpt.Dev Klez Virus HackTricks 0xRick\u0026rsquo;s Blog Back Engineering Blog Reverse Engineering # likeagod Reverse Engineering Awesome Reversing Programming # Beej.us Tenouk C/C++ Notes Vulnerability Research / Exploit Dev / Red Teaming # General Exploitation # Smashing the Stack for Fun and Profit Basic Integer Overflows The Art of Hunting ROP Gadgets Awesome Hacking Analysis of CVE-2012-4792 (IE Use-After-Free) Anatomy of an Exploit - RCE with SIGRed Reproducing the ProxyLogon Exploit Chain Windows # Abusing Token Privileges for EOP Windows Binary Index (Old Binaries) Exploiting the Windows CryptoAPI Awesome Windows Exploitation Shellcode from Visual Studio NixAwk Awesome Windows Exploitation Exploiting with SEH Heap # Windows 8 Heap Internals Abusing the Windows Segment Heap Exploit Development Tools Deterministic LFH Windows Heap-Backed Pool (BlackHat USA 2021) Windows 10 Segment Heap Internals (Yason Slides) Windows 10 Segment Heap Internals (Yason Whitepaper) Windows Heap Exploitation (McDonald BH2009) Heap Overflow Exploitation on Windows 10 Memory Corruption Part II - Heaps Corelan Windows 10 x86/WoW64 Userland Heap LazyFragmentationHeap WCTF 2019 Writeup Advanced Windows Debugging: Heaps (InformIT) Inside CRT: Debug 
Heap Management Patch Diffing # Patch Extraction and Diffing Orange Defense Patch Diffing P1 Orange Defense Patch Diffing P2 Orange Defense Patch Diffing P3 Hyper-V Automation for Patch Diffing Google Project Zero Patch Diffing Patch Diffing with Ghidra How to Deal with MS Monthly Updates BinDiff Diffing Portal (Quarkslab) MSRC-PatchReview (PowerShell) Kernel # Vulnerable Driver Mega Thread Windows 7 Kernel Pool Exploitation Abusing GDI Objects for Ring0 Primitives Exploiting MS16-098 Abusing GDI Objects Taking Windows 10 Exploitation to the Next Level (VIDEO) Demystifying Kernel Exploitation by Abusing GDI Objects Starting with Windows Kernel Exploitation (hasherezade) Vulnerable Kernel Drivers for Exploitation Driver Signature Enforcement (j00ru) Signed Kernel Drivers - Unguarded Gateway (WeLiveSecurity) Windows 10 KVAS and Software SMEP PatchGuard # PatchGuard: A Provably Robust Defense PatchGuard++: Efficient Provable Attack Detection Bypassing x64 PatchGuard Fuzzing # WinAFL What The Fuzz BooFuzz Tutorials / Practice # Zaratec.io Windows PwnAble Notes Getting Started with Exploitation FuzzySecurity Tutorials Corelan Tutorials FullShade Windows Exploitation Tutorials PWK Buffer Overflow Practice Shogun Lab Windows Exploit Development Windows Exploit Development Class (Just Curriculum) VulnServer VulnHub HackTheBox OverTheWire UnderTheWire BadBlood Binary Exploitation Roadmap Nightmare Root Me CTFd Challenge Levels VR / ED Tools # Windows Exploit Development Plugin Gadgetrie Lisa.py Mona.py Mona.py Manual VX-Underground API PSAmsi MalAPI.io SheLLVM VulnFanatic (Binary Ninja Plugin) !exploitable Crash Analyzer Red Team Tools # Scanning / Enumeration # nmap Windows # Impacket Defender Check Crimson Wisp WinAPI Exec (WinAPI through CLI) lsassy ConPtyShell SpoolFool Evil-WinRM BloodHound Mimikatz SharpSploit Seatbelt Understanding a Payloads Life Getting Started w/ Windows Malware Dev Tunneling # Chisel ProxyChains WireProxy SpectreOPS gTunnel C2 # Sliver Mythic 
Covenant Other # SharpGen Snaffler Git Dumper Red Teaming Toolkit Exegol Hacking Setup Evasion / AV Bypass # Spoofing PE Section Headers Lets Create An EDR\u0026hellip; And Bypass It! Part 1 Alternative Shellcode Execution Via Callbacks Process Injection via Program Entry Points Encrypting Strings at Compile Time A Universal EDR Bypass Built in Windows 10 PoCs # CVE-2022-21907 Windows HTTP.SYS DoS PoC CVE-2022-26809 MSRPC RCE (Need-Translation) Git Accounts # GhostPack Cobbr 0x43434343 VX-Underground wumb0 wumb0 Gists Tactics, Techniques, Examples, Write-Ups # Lazarus Shellcode Execution Combining HiveNightmare and SeriousSAM Avoiding Memory Scanners C++ Time Trigger Scheduled Task MSRC Hunting for Emerging C2 Frameworks Advanced Process Injection RE PsExec CertiFried ADCS Hidden Scheduled Task Azure ADConnectDump AzureADConnect for Red Teamers AzureAD MSOL Dump PowerShell Attacking Active Directory Domain Trusts Phishing Made Easyish Offensive Windows IPC Internals Windows DFIR Tools and Artifacts Modern Red Team Architecture Empire as a Docker Container The Dog Whisperers Handbook: BloodHound Ever Wondered How AV Knows Builtin Offensive Windows RPC Stealing Access Tokens From Office Applications A PIC Security Research Adventure Injecting .NET Assemblies Into Unmanaged Processes Donut - Injecting .NET Assemblies as Shellcode Hosting CLR and Managed Code Injection Active Directory Tricks (InternalAllTheThings) COM Hijacking # Userland Persistence w/ Scheduled Tasks and COM Handler Hijacking COM Object Hijacking (3gstudent) acCOMplice - COM Hijack Discovery and Abuse Abusing the COM Registry Structure Part 2 Persistence - COM Hijacking Cheat Sheets # OWASP Cheat Sheet Series Kernel Debugging Cheat Sheet Windows Development / Internals # Windows Error Codes Microsoft SDK Archive WinWorld PC Old SDKs Windows Implementation Library Windows Classic Samples Getting Started with Win32 Windows API List Using SAL .NET SDKs Reproducible Builds Sanity for C/C++ Dev on 
Windows RPC Programming for Windows Developer Configuring IntelliSense with CMake Making NtCreateUserProcess Work Windows ConPTY Blog Series Memory Leak Detection in Windows Service (Deleaker) Using MSVC in a Docker Container VS Community Workload and Component IDs Windows XP Activation Algorithm Cracked Windows OS Internals (FSU Lecture Notes) Networking # Getting Started with WinSock WinSock Tutorial WinSock / .NET Network Programming Using SSPI w/ Windows Sockets Server SSPI TLS Client Example WinSock SSPI/IoCompletion Examples WinCrypt / Crypto Next Generation (CNG) # CAPI Import Public from Private PEM CAPI PEM Import Example Schannel Mutual Auth MSDN Schannel Performing Auth Blackhat 2016 CNG Slides Microsoft SDL Cryptographic Recommendations WinDbg # SOSEX .NET WinDbg Extension Bug Check Code Reference Talos JS in WinDbg for Malware Analysis WinDbg Anti-RootKit Debugger Extension APIs DbgEng Header Index OSR Basics of Debugger Extensions TWinDbg Internals # Tokens for Security Practitioners German OIS ETW Paper CRT Initialization WoW64 Deep Dive (Broken?) Deep Dive into OS Internals with WinDbg Defender Exploit Protections Windows 10 x86 Emulation on ARM Devirtualizing C++ with Binary Ninja Microsoft Protocol Documentation # Kerberos (MS-KILE)\nKernel # Windows EWDK Windows Custom Kernel Signers Geoff Chappell Driver Signing Vergilius Windows Kernel Structures Quibble: Windows Bootloader OSR Driver Loader Previous WDK Versions Creating a Primitive Driver Packing / Loading / etc. 
# Blackbone Memory Hacking MemoryModule Loader PE-to-Shellcode In Memory Load EXE (2004) Designing and Implementing PEzor Packer Administration # Microsoft Update Catalog Windows Secure Boot Keys GPO Search Remote Server Administration Tools (RSAT) PowerShell Unpin Taskbar Shortcuts Activating Windows WMIC CLI Cheatsheet Key Management Services Installing Exchange 2019 Exchange 2019 Pre-Reqs Group Policy Best Practices Install Windows 11 on Unsupported CPU Remotely Manage Hyper-V on Non-Domain Hyper-V NAT VMSwitch Windows Defender Hardening SS64 Disable DEP Disable ASLR Building an AD Domain Lab Deleting Certs w/ PowerShell Exchange Server Docs Reset Domain Admin AV # How AV Hooks NTDLL .NET # Internals # .NET Internals and Native Compiling Writing a Managed JIT in C# ASP.NET # ASP.NET API w/ SQLITE Example ASP.NET Core Creating an ASP.NET Admin Panel Microsoft .NET Web API Tutorial ASP.NET Core Authorization ASP.NET Core RBAC HomeLab # Services # Random # CloudFlare Tutorials Unbound and NSD DNS Setup Trasa Zero Trust PFSense VPN ProtonVPN PFSense VPN Setting up Security Onion at Home Installing Guacamole w/ Docker Password Protection for Cloudflare Pages Proxmox VE Helper Scripts Windows/Office ISO Download Tool (Mido) Virtualization # Converting Hyper-V VHDX for KVM/Proxmox VMWare # VCSA DomainJoin CLI VCSA Join/Leave AD Domain GitLab # GitLab LDAP Auth GitLab Redundant LDAP Monitoring # Elastic # Install and Configure Elastic on Ubuntu 22.04 General Development # C # An OOP in C Beej\u0026rsquo;s Guides Beginners Guide Away from scanf Simple Makefile Tutorial The Absolute Minimum About Unicode (Joel on Software) Python # Flask Mega Tutorial Offline Python Packaging Modular CLI in Python Networking / Protocols # Analyzing Encrypted RDP Connections with Zeek The Tox Reference HTTP/1.0 Specification Version Control # Oh Shit, Git!?! 
Libraries # NNG: Lightweight Messaging ZyDis AsmJit Binary Formats # Life of Binaries ","externalUrl":null,"permalink":"/resources/","section":"NTNINJA","summary":"Web Sites / Blogs # Windows # Alex Ionescu CodeMachine Pavel Yosifovich Microsoft Security Response Center Blogs Geoff Chappell The Old New Thing OSR Online WinWorld PC Microsoft Learn Steve Syfuhs Steves Tech Spot Uninformed Attl4s InfoSec # MalwareTech Stygian Security Infosec Reference Security Sift Bad Sector Labs I Hack 4 Falafel Cyber Khalid Trail of Bits FuzzySecurity Corelan Phrack DEFCON Media Server Exploit DB Papers Black Hills Infosec iRed.Team ZeroDay Engineering Google Project Zero Forrest Orr VX-Underground Windows Papers wumb0 Andrea Fortuna 0xinfection XPN (Adam Chester) SpecterOps Dirk-jan Mollema 0xcsandker Shogun Lab 0x00 Sec PreEmpt.Dev Klez Virus HackTricks 0xRick’s Blog Back Engineering Blog Reverse Engineering # likeagod Reverse Engineering Awesome Reversing Programming # Beej.us Tenouk C/C++ Notes Vulnerability Research / Exploit Dev / Red Teaming # General Exploitation # Smashing the Stack for Fun and Profit Basic Integer Overflows The Art of Hunting ROP Gadgets Awesome Hacking Analysis of CVE-2012-4792 (IE Use-After-Free) Anatomy of an Exploit - RCE with SIGRed Reproducing the ProxyLogon Exploit Chain Windows # Abusing Token Privileges for EOP Windows Binary Index (Old Binaries) Exploiting the Windows CryptoAPI Awesome Windows Exploitation Shellcode from Visual Studio NixAwk Awesome Windows Exploitation Exploiting with SEH Heap # Windows 8 Heap Internals Abusing the Windows Segment Heap Exploit Development Tools Deterministic LFH Windows Heap-Backed Pool (BlackHat USA 2021) Windows 10 Segment Heap Internals (Yason Slides) Windows 10 Segment Heap Internals (Yason Whitepaper) Windows Heap Exploitation (McDonald BH2009) Heap Overflow Exploitation on Windows 10 Memory Corruption Part II - Heaps Corelan Windows 10 x86/WoW64 Userland Heap LazyFragmentationHeap WCTF 2019 Writeup 
Advanced Windows Debugging: Heaps (InformIT) Inside CRT: Debug Heap Management Patch Diffing # Patch Extraction and Diffing Orange Defense Patch Diffing P1 Orange Defense Patch Diffing P2 Orange Defense Patch Diffing P3 Hyper-V Automation for Patch Diffing Google Project Zero Patch Diffing Patch Diffing with Ghidra How to Deal with MS Monthly Updates BinDiff Diffing Portal (Quarkslab) MSRC-PatchReview (PowerShell) Kernel # Vulnerable Driver Mega Thread Windows 7 Kernel Pool Exploitation Abusing GDI Objects for Ring0 Primitives Exploiting MS16-098 Abusing GDI Objects Taking Windows 10 Exploitation to the Next Level (VIDEO) Demystifying Kernel Exploitation by Abusing GDI Objects Starting with Windows Kernel Exploitation (hasherezade) Vulnerable Kernel Drivers for Exploitation Driver Signature Enforcement (j00ru) Signed Kernel Drivers - Unguarded Gateway (WeLiveSecurity) Windows 10 KVAS and Software SMEP PatchGuard # PatchGuard: A Provably Robust Defense PatchGuard++: Efficient Provable Attack Detection Bypassing x64 PatchGuard Fuzzing # WinAFL What The Fuzz BooFuzz Tutorials / Practice # Zaratec.io Windows PwnAble Notes Getting Started with Exploitation FuzzySecurity Tutorials Corelan Tutorials FullShade Windows Exploitation Tutorials PWK Buffer Overflow Practice Shogun Lab Windows Exploit Development Windows Exploit Development Class (Just Curriculum) VulnServer VulnHub HackTheBox OverTheWire UnderTheWire BadBlood Binary Exploitation Roadmap Nightmare Root Me CTFd Challenge Levels VR / ED Tools # Windows Exploit Development Plugin Gadgetrie Lisa.py Mona.py Mona.py Manual VX-Underground API PSAmsi MalAPI.io SheLLVM VulnFanatic (Binary Ninja Plugin) !exploitable Crash Analyzer Red Team Tools # Scanning / Enumeration # nmap Windows # Impacket Defender Check Crimson Wisp WinAPI Exec (WinAPI through CLI) lsassy ConPtyShell SpoolFool Evil-WinRM BloodHound Mimikatz SharpSploit Seatbelt Understanding a Payloads Life Getting Started w/ Windows Malware Dev Tunneling # Chisel 
ProxyChains WireProxy SpectreOPS gTunnel C2 # Sliver Mythic Covenant Other # SharpGen Snaffler Git Dumper Red Teaming Toolkit Exegol Hacking Setup Evasion / AV Bypass # Spoofing PE Section Headers Lets Create An EDR… And Bypass It! Part 1 Alternative Shellcode Execution Via Callbacks Process Injection via Program Entry Points Encrypting Strings at Compile Time A Universal EDR Bypass Built in Windows 10 PoCs # CVE-2022-21907 Windows HTTP.SYS DoS PoC CVE-2022-26809 MSRPC RCE (Need-Translation) Git Accounts # GhostPack Cobbr 0x43434343 VX-Underground wumb0 wumb0 Gists Tactics, Techniques, Examples, Write-Ups # Lazarus Shellcode Execution Combining HiveNightmare and SeriousSAM Avoiding Memory Scanners C++ Time Trigger Scheduled Task MSRC Hunting for Emerging C2 Frameworks Advanced Process Injection RE PsExec CertiFried ADCS Hidden Scheduled Task Azure ADConnectDump AzureADConnect for Red Teamers AzureAD MSOL Dump PowerShell Attacking Active Directory Domain Trusts Phishing Made Easyish Offensive Windows IPC Internals Windows DFIR Tools and Artifacts Modern Red Team Architecture Empire as a Docker Container The Dog Whisperers Handbook: BloodHound Ever Wondered How AV Knows Builtin Offensive Windows RPC Stealing Access Tokens From Office Applications A PIC Security Research Adventure Injecting .NET Assemblies Into Unmanaged Processes Donut - Injecting .NET Assemblies as Shellcode Hosting CLR and Managed Code Injection Active Directory Tricks (InternalAllTheThings) COM Hijacking # Userland Persistence w/ Scheduled Tasks and COM Handler Hijacking COM Object Hijacking (3gstudent) acCOMplice - COM Hijack Discovery and Abuse Abusing the COM Registry Structure Part 2 Persistence - COM Hijacking Cheat Sheets # OWASP Cheat Sheet Series Kernel Debugging Cheat Sheet Windows Development / Internals # Windows Error Codes Microsoft SDK Archive WinWorld PC Old SDKs Windows Implementation Library Windows Classic Samples Getting Started with Win32 Windows API List Using SAL .NET SDKs 
Reproducible Builds Sanity for C/C++ Dev on Windows RPC Programming for Windows Developer Configuring IntelliSense with CMake Making NtCreateUserProcess Work Windows ConPTY Blog Series Memory Leak Detection in Windows Service (Deleaker) Using MSVC in a Docker Container VS Community Workload and Component IDs Windows XP Activation Algorithm Cracked Windows OS Internals (FSU Lecture Notes) Networking # Getting Started with WinSock WinSock Tutorial WinSock / .NET Network Programming Using SSPI w/ Windows Sockets Server SSPI TLS Client Example WinSock SSPI/IoCompletion Examples WinCrypt / Crypto Next Generation (CNG) # CAPI Import Public from Private PEM CAPI PEM Import Example Schannel Mutual Auth MSDN Schannel Performing Auth Blackhat 2016 CNG Slides Microsoft SDL Cryptographic Recommendations WinDbg # SOSEX .NET WinDbg Extension Bug Check Code Reference Talos JS in WinDbg for Malware Analysis WinDbg Anti-RootKit Debugger Extension APIs DbgEng Header Index OSR Basics of Debugger Extensions TWinDbg Internals # Tokens for Security Practitioners German OIS ETW Paper CRT Initialization WoW64 Deep Dive (Broken?) Deep Dive into OS Internals with WinDbg Defender Exploit Protections Windows 10 x86 Emulation on ARM Devirtualizing C++ with Binary Ninja Microsoft Protocol Documentation # Kerberos (MS-KILE)\n","title":"Resources","type":"page"},{"content":" Links # Documentation Overview # TantoC2 is a red team command-and-control framework designed for authorized penetration testing and adversary simulation. It runs as a single deployable Python process with no external service dependencies — no Redis, Celery, or external databases — making deployment trivial. Built with Flask, SQLAlchemy, and SQLite, it supports concurrent multi-operator engagements with real-time WebSocket event streaming.\nTantoC2 provides a terminal CLI, a web UI, and a REST API for operator interaction. 
Its plugin architecture allows extending transports, agent packages, server-side modules, and agentless modules without modifying core code. All operations are fully audited with per-engagement database isolation and encryption.\nFeatures # Agent Management # Multi-agent management with beacon (async) and session (sync) modes Modular agent architecture with pluggable crypto and protocol pipelines Agent lifecycle tracking — Active, Dormant, Dead, Killed states Capability declarations and loadable agent modules Kill date enforcement for automatic agent expiration P2P Chaining \u0026amp; Relay # Agents can relay traffic through other agents to reach isolated networks Flexible peer-to-peer topology for complex network environments Server-Side Modules # Module execution on the teamserver with task dispatch to agents Hot-reload module discovery from the filesystem Credential auto-extraction from module results Agentless Operations # Direct network protocol exploitation (SSH, SMB, etc.) without deployed agents Bidirectional credential integration with the credential store Multi-Operator \u0026amp; RBAC # Four-tier role system — Admin, Operator, Spectator, Collector Dynamic permission grants for collectors scoped by agent with optional expiration Real-time event streaming via WebSocket for all connected operators Security \u0026amp; Isolation # Per-engagement database isolation with independent encryption keys RSA-2048, ECDH+HKDF, AES-256-GCM, PBKDF2 cryptography TLS support on all listeners Token-based authentication with refresh and revocation Comprehensive audit logging of all operator and agent actions Operator Interfaces # Interactive terminal CLI with tab management Web UI (React-based) REST API with JSON output mode for scripting Quick Start # 1. Clone the repository and install:\ngit clone \u0026lt;repo-url\u0026gt; tantoc2 cd tantoc2 pip install -e . 2. Start the teamserver:\ntantoc2-server 3. 
Connect with the CLI:\ntantoc2-cli ","externalUrl":null,"permalink":"/tantoc2/","section":"NTNINJA","summary":"Links # Documentation Overview # TantoC2 is a red team command-and-control framework designed for authorized penetration testing and adversary simulation. It runs as a single deployable Python process with no external service dependencies — no Redis, Celery, or external databases — making deployment trivial. Built with Flask, SQLAlchemy, and SQLite, it supports concurrent multi-operator engagements with real-time WebSocket event streaming.\n","title":"TantoC2 - Red Team Command \u0026 Control Framework","type":"page"},{"content":" Links # GitLab Repository Releases WinDBG MCP with WEDP — Blog post on using WEDP with an MCP server Overview # WEDP is a native WinDbg extension built for exploit development workflows. Written in C++ with native x86 and x64 support, it provides 20 commands covering gadget search, pattern generation, memory analysis, and more — all from within the debugger. 
WEDP is MIT licensed and leverages Zydis for disassembly and AsmJit/AsmTk for assembly.\nFeatures # Gadget Search # ROP gadget search (!wedp_rop) SEH gadget search (!wedp_seh) Redirect gadget search (!wedp_redirect) Stack-pivot gadget search (!wedp_stackpivot) Module \u0026 Memory Analysis # Enumerate loaded modules with protection details — ASLR, DEP, SafeSEH, CFG (!wedp_modules) Memory mapping of committed regions (!wedp_memory) IAT dump (!wedp_iat) Pattern Utilities # Generate cyclic patterns (!wedp_pattern_gen) Find pattern offset (!wedp_pattern_off) Auto-scan registers and memory for pattern matches (!wedp_findmsp) Exploit Utilities # Bad character byte array generation and comparison (!wedp_bytearray) Inline assembler — Intel syntax to raw bytes (!wedp_asm) Disassembler — raw bytes to Intel assembly (!wedp_disasm) Search committed memory for strings or byte sequences (!wedp_find) Output \u0026 Filtering # JSON output mode for tool integration Filter results by module, protection flags, address range, or bad bytes File output support Session-level defaults with per-command overrides (!wedp_getopts, !wedp_setopts) Quick Start # 1. Download the latest DLL from the Releases page.\n2. Load the extension (pick one):\n# Copy to WinDbg winext directory, then: .load wedp # Or load from an absolute path: .load C:\\tools\\wedp.dll 3. Verify it loaded:\n!wedp_version !wedp.help 4. Example usage:\n# List loaded modules with protection info !wedp_modules # Search for ROP gadgets !wedp_rop # Generate a 500-byte cyclic pattern !wedp_pattern_gen 500 # Find offset in pattern !wedp_pattern_off Aa4a ","externalUrl":null,"permalink":"/wedp/","section":"NTNINJA","summary":"Links # GitLab Repository Releases WinDBG MCP with WEDP — Blog post on using WEDP with an MCP server Overview # WEDP is a native WinDbg extension built for exploit development workflows. 
Written in C++ with native x86 and x64 support, it provides 20 commands covering gadget search, pattern generation, memory analysis, and more — all from within the debugger. WEDP is MIT licensed and leverages Zydis for disassembly and AsmJit/AsmTk for assembly.\n","title":"WEDP - Windows Exploit Development Plugin","type":"page"}]
