https://s4dbrd.github.io/Kernel vulnerability research and exploit development. 2026-03-29T17:41:28+02:00 s4dbrd https://s4dbrd.github.io/ Jekyll © 2026 s4dbrd /assets/img/favicons/favicon.ico /assets/img/favicons/favicon-96x96.png 2026-03-29T00:00:00+01:00 2026-03-29T00:00:00+01:00 https://s4dbrd.github.io/posts/win32k-type-confusion-async-window-action-cmonitor/ s4dbrd

CVE-2026-20811 is a type confusion in win32kfull.sys (KB5074109, CVSS 7.8). The bug is in the async window action processing path introduced by a feature flag rollout (Feature_ApplyWindowActionConvergence), where a kernel pointer to a CMonitorTopology object survives incomplete sanitization of a cross-thread message buffer and is dereferenced in the receiving thread’s context. Note: despite bei...

2026-03-06T00:00:00+01:00 2026-03-28T23:50:25+01:00 https://s4dbrd.github.io/posts/reversing-bedaisy/ s4dbrd

In the first post I covered how kernel anti-cheat systems work at an architectural level: the callbacks they register, the memory scanning they perform, the detection techniques they use. All of that was theoretical, with small proof-of-concept drivers and WinDbg demos to illustrate each concept. This post is the practical follow-up. I wanted to take one real, production anti-cheat driver and s...

2026-02-23T00:00:00+01:00 2026-02-23T00:00:00+01:00 https://s4dbrd.github.io/posts/how-kernel-anti-cheats-work/ s4dbrd

Modern kernel anti-cheat systems are, without exaggeration, among the most sophisticated pieces of software running on consumer Windows machines. They operate at the highest privilege level available to software, they intercept kernel callbacks that were designed for legitimate security products, they scan memory structures that most programmers never touch in their entire careers, and they do ...