Written by Christopher Paschen

Published on Thu 06 November 2025 by SAERXCIT (@SAERXCIT)

TL;DR: Using call gadgets to insert arbitrary modules in the call stack during module load, breaking signatures used in detection rules. The code is available here: https://github.com/AlmondOffSec/LibTPLoadLib

Professional: NVTDK-QB8J9-M28GR-92BPC-BTHXK
Enterprise: VYGRN-WPR22-HG4X3-692BF-QGT2V

This document provides a detailed technical analysis of a proof-of-concept that demonstrates DLL sideloading by targeting OneDrive.exe with a malicious version.dll. This technique is leveraged for achieving persistence, evading defenses, and executing arbitrary code within the context of a trusted process. The proof-of-concept further employs DLL proxying to maintain the normal operation of the host application and utilizes a sophisticated hooking mechanism based on Vectored Exception Handling (VEH) and hardware-like breakpoints to intercept and modify application behavior.

Rans dev from Chinese

Obfuscating function calls using Vectored Exception Handlers by redirecting execution through exception-based control flow. Uses byte switching without memory or assembly allocation.

A PowerShell utility that changes Windows account passwords through the native Samlib.dll API, the same low-level library used by Windows itself for SAM and NTLM account management.

This project demonstrates how local or domain password changes can occur at the NTLM level using SamiChangePasswordUser without triggering all of the typical password-change events.

Kerberos authentication reflection can be abused for remote privilege escalation, even after applying the fix for CVE-2025-33073.
Ghost SPNs (Service Principal Names mapped to hostnames that fail to resolve) introduce an exploitable attack surface that adversaries can leverage.
Default Active Directory (AD) settings allow standard users to register DNS records, enabling this attack, which Microsoft has cataloged as CVE‑2025‑58726 (SMB Server Elevation of Privilege).
Failure to enforce SMB signing is a critical enabler.
The attack works on all Windows versions unless SMB signing is required.
Microsoft addressed this issue in the October 2025 Patch Tuesday.

For years, reverse engineers and endpoint security software have used memory scanning to locate shellcode and malware implants in Windows memory. These tools rely on IOCs such as signatures and unbacked executable memory. This talk will dive into the various methods in which memory scanners search for these indicators and demonstrate a stable evasion technique for each method. A new position-independent reflective DLL loader, AceLdr, will be released alongside the presentation and features the demonstrated techniques to evade all of the previously described memory scanners. The presenter and their colleagues have used AceLdr on red team operations against mature security programs to avoid detection successfully.

https://x.com/vxunderground/status/1992173372474577065