I had this idea to do HTTPS stuff in C using the Windows Sockets API (Winsocks).
I did it. I got it working. I was able to verify an SSL cert, do a GET, do a POST octet binary stream thingy to upload a simple file (unironically testing using a picture of a cat).
After I got it working I decided to do what I always do: make it more malware like.
I decided I wanted to poke Windows with a stick, make the code position independent, and make it function as close to the metal as possible.
What happened next cannot be described as a "rabbit hole". I have fallen into an infinite abyss, a fucking Windows internals chasm. I am looking at things in Windows I have never looked at before. I am scared, confused, intrigued, ... but mostly confused (and lost).
ReactOS, x86matthew, some weird French guy (can't remember his name), and random nerds on OSR have done unholy work and really dug into it. They deserve a lot of credit for walking knee-deep in Windows sludge.
I just randomly remembered when this lady was awarded some University scholarship for her contributions to the Linux kernel.
They noted she had made several hundred (or several thousand, I can't remember) contributions to the Linux kernel and her work, which she did in her free time, made a real world impact, or something.
They then took a photo of the lady; some fancy presenter is giving her this fancy-looking thingie.
Open source nerds reviewed her GitHub and discovered she went through and added "static" in front of thousands of variables. Alternatively, she would make small changes to how code appeared to improve legibility.
Nerds were absolutely enraged. They were screaming in the comment section. They hated her guts.
Meanwhile, I'm thinking to myself, "damn, that's a really good way to pad your resume". Yeah, this lady probably isn't a 1337 Linux internals science brain, but she has the fancy words on fancy paper now which allow her to open doors to fancy places.
Thanks for the trip down memory lane.
I tried Googling it, but I couldn't find the exact post online. It was absolutely hysterical how angry stinky Linux nerds were. Overall I give it a 7 stinky cats out of 10 stinky cats.
Enjoy your Friday.
Don't do this. Don't make this mistake. Do something cooler. Listen to your peers when they recommend reviewing other people's research.
https://malwaresourcecode.com/home/my-projects/proof-of-concepts/dont-code-like-this-https-post-and-get-with-position-independent-windows-sockets
Link preview: Don't code like this: HTTPS Post and Get with Position Independent Windows Sockets (malwaresourcecode.com)
tl;dr
> decide to do winsock malware poc
> need to be position independent
> low as possible to metal
> post about it
> domchell recommends x86matthew research
> "nah not related"
> mfw i was wrong
> get code working
> need to remove abstractions
> start reversing winsocks
> mfw confused by code
> provider to provider to ???
> check reactos
> wtf confused by code
> remember domchell comment
> look at x86matthew research
> look at afd.sys
> mfw wtf i fuk up
> dommy chommy was right
> code already 3k lines of code
> to make as low as id like, need another 2k lines
> might not even work
> would require more debugging
> fuck it idc
> look at security.h make tls stuff more low
> look inside
> mfw confused by code
> cchainengine ???
> look at reactos
> thousands of lines of code
> registry stuff
> mfw wtf
> remember comment from Xst3nZ
> look at code from Eduard Suica
> manual tls 10k+ lines of code
> need 10k+ lines position independent
> mfw code would be 30k lines+
> this is only simple GET and simple POST
> mfw
I was looking at AI cat slop on OpenAI Sora (I have literally nothing going on in my life). It says you can make yourself a "character" and do prompts for yourself, or insert yourself into other prompts.
I was like, "lol wtf ok ill try it". Sora makes you turn your head to the left, look up, then say 3 different numbers.
It "scanned me" and "generated" my character. Then I asked it to make a silly video of me.
Dawg, from the left side of my face, me looking up, and saying 3 different numbers, this AI shit perfectly AI slopped me. I got my body type right, my voice mannerisms right, my facial hair, ... basically everything.
I feel like a paranoid schizophrenic now. All someone needs is your face looking to the left, you looking up, and just a few words, and they can just ... make up shit about you? What the fuck?
I'm like, what if they use this shit to frame you for crimes? Do I sound like a crazy person right now?
A few days ago there was some banter online about Microsoft breaking stuff (as is tradition). Specifically, some users were trying to open Notepad, but Windows was displaying an error code.
If you have no idea what I'm referencing, I'll attach the post and discussion below this post so you can understand the lore.
Anyway, some nerd named "xakpc" on Twitter commented about Windows "App Execution Aliases". I jokingly commented, "wtf new malware idea". I changed my mind. This isn't a joke.
To the best of my knowledge, and please correct me if I'm wrong, no one has abused Windows App Execution Aliases for malware persistence.
In Windows 11 if you go to:
-> Settings
-> Apps
-> Advanced App Settings
-> App execution aliases
You'll see "aliases". Hence, when a user types something into PowerShell, or CMD, or Windows search, it defaults to whatever is aliased. Upon further review, it turns out that a good chunk of these are stored in HKEY_CURRENT_USER, meaning it does not require administrative privileges to create, modify, or delete some app execution aliases.
It's stored under: "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths"
On my machine, notepad.exe has an app execution alias for (God save me) the new fancy Windows Notepad thingie which was giving people problems. It does NOT default to the one in SYSTEM32 like I initially thought.
On the contrary... and something I don't understand, although these settings are stored in the registry, they contain a stub in %LOCALAPPDATA% in
%LOCALAPPDATA%\Microsoft\WindowsApps
I don't understand how they're connected. I have no idea how this all works still. However, this can be abused and we must abuse it for malware persistence.
Under ideal conditions, it should be possible to programmatically modify an App Execution Alias (e.g. Notepad) so that it in actuality points to a malicious payload. When the malicious payload is triggered it should then subsequently execute Notepad.exe to give the illusion the user executed Notepad and not the payload.
tl;dr
Old alias:
notepad -> notepad.exe
New (bad) alias:
notepad -> malware.exe -> notepad.exe
We must poke it with a stick and make malware.
Quoted post from X by vx-underground (@vxunderground):
This is very silly.
Windows has several very different types of error codes. Most notably you have Win32 (native API error codes), NT (kernel mode error codes), and HRESULT (COM, WinRT error codes). For the sake of argument, you have other error codes too, like for…
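As an added example that is not part of the quoted post: the PowerShell below classifies a raw 32-bit code into the three spaces the post names (Win32, NTSTATUS, HRESULT) and applies the two standard conversions, HRESULT_FROM_WIN32 (facility 7 with the severity bit set) and HRESULT_FROM_NT (bit 28 set), so you can see why one failure shows up as three different numbers. The function names are my own and the codes fed in at the bottom are constructed test inputs (ERROR_FILE_NOT_FOUND in its Win32, HRESULT and NTSTATUS forms, plus E_FAIL).

```powershell
# Added example, not code from the post. Classifies a raw 32-bit Windows
# error code into the spaces the post names and shows the two conversions.
# Layouts (winerror.h / ntstatus.h):
#   Win32   : small positive integer, e.g. 2 = ERROR_FILE_NOT_FOUND
#   NTSTATUS: Sev(31..30) C(29) N(28) Facility(27..16) Code(15..0)
#   HRESULT : S(31) R(30) C(29) N(28) X(27) Facility(26..16) Code(15..0)
# HRESULT_FROM_WIN32(x) = 0x80070000 | (x & 0xFFFF)   (FACILITY_WIN32 = 7)
# HRESULT_FROM_NT(x)    = x | 0x10000000               (FACILITY_NT_BIT)

$SEVERITY_BIT    = [uint32]2147483648   # 0x80000000
$NT_ERROR_BIT    = [uint32]1073741824   # 0x40000000; with bit 31 set = NTSTATUS severity 3
$FACILITY_NT_BIT = [uint32]268435456    # 0x10000000
$FACILITY_WIN32  = 7

function ConvertTo-HResultFromWin32 {
    param([uint32]$Win32Code)
    if ($Win32Code -eq 0) { return [uint32]0 }
    return [uint32](($Win32Code -band 0xFFFF) -bor ($FACILITY_WIN32 -shl 16) -bor $SEVERITY_BIT)
}

function ConvertTo-HResultFromNt {
    param([uint32]$Status)
    return [uint32]($Status -bor $FACILITY_NT_BIT)
}

function Resolve-WindowsErrorCode {
    param([uint32]$Code)
    $hex      = '0x{0:X8}' -f $Code
    $facility = ($Code -shr 16) -band 0x7FF
    $low16    = $Code -band 0xFFFF

    if (($Code -band $SEVERITY_BIT) -eq 0) {
        if ($Code -lt 0x10000) {
            $kind   = 'Win32'
            $detail = 'Win32 error {0}; wrapped as HRESULT it is 0x{1:X8}' -f $Code, (ConvertTo-HResultFromWin32 $Code)
        } else {
            $kind   = 'HRESULT success or NTSTATUS success/informational'
            $detail = 'bit 31 clear and too large for a Win32 code'
        }
    } elseif (($Code -band $FACILITY_NT_BIT) -ne 0) {
        # Bit 28 is reserved in a genuine NTSTATUS; only HRESULT_FROM_NT sets it.
        $kind   = 'HRESULT wrapping NTSTATUS'
        $detail = 'HRESULT_FROM_NT(0x{0:X8})' -f ($Code -bxor $FACILITY_NT_BIT)
    } elseif (($Code -band $NT_ERROR_BIT) -ne 0) {
        $kind   = 'NTSTATUS error'
        $detail = 'severity 3; as HRESULT it is 0x{0:X8}' -f (ConvertTo-HResultFromNt $Code)
    } elseif ($facility -eq $FACILITY_WIN32) {
        $kind   = 'HRESULT wrapping Win32'
        $detail = "HRESULT_FROM_WIN32($low16)"
    } else {
        # 0x8xxxxxxx is an HRESULT error or an NTSTATUS warning; the bits alone cannot tell.
        $kind   = 'HRESULT error (or NTSTATUS warning)'
        $detail = "facility $facility; bit 31 set, bit 30 clear, so both spaces are possible"
    }
    [pscustomobject]@{ Code = $hex; Kind = $kind; Detail = $detail }
}

# Constructed inputs (hex): the same file-not-found failure as Win32, as
# HRESULT_FROM_WIN32, as NTSTATUS, as HRESULT_FROM_NT, then E_FAIL.
'2', '80070002', 'C0000034', 'D0000034', '80004005' |
    ForEach-Object { Resolve-WindowsErrorCode -Code ([Convert]::ToUInt32($_, 16)) } |
    Format-Table -AutoSize
```

The ambiguity in the last branch is the real-world problem: a bare 0x8xxxxxxx printed in a dialog could be either space, so when you chase one of these, check which API family raised it before looking the number up.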
HAVE U SEEN LATEST AI THING?
No, because every other day some fucking AI company pops out the bushes and tries yelling in my face about how they're going to "change everything". I can't keep up. I'm busy with malware, cats, a big stinky baby (he fucking STINKS)
If you missed it (I did, I don't know how), Microsoft is aiming to phase out UAC and replace it with a more secure thingie called "Administrator Protection".
They're doing this because UAC currently has over 81 bypasses and, for reasons unknown to me, Microsoft decided to scrap UAC in totality and redo the entire thing from the ground up. Why? I have literally no idea. Maybe you stinky nerds can educate me.
AP is now in preview mode for Windows Insider builds (testing stuff). Big brain security researchers from Google Project Zero poked it with a stick and discovered eight vulnerabilities that allowed them to bypass AP. Microsoft has since patched it. AP has yet to be deployed to Windows 11 as of this writing.
AP on paper, when reading about it, seems like a good idea and seems like it unironically would be a massive security improvement for Windows. However, the new architecture would bamboozle some legacy applications. Making it work with older stuff will require lots of science from Microsoft. Additionally, and maybe I'm being a bit pessimistic, I am concerned Microsoft will vibe code slop their new security module and make it one massive cluster fuck disaster.
Please read the research performed by Tiraniddo (can't find his social media profile) and the other nerds at Project Zero. It's interesting. They're all very talented security researchers and make me feel like an imbecile.
https://projectzero.google/2026/26/windows-administrator-protection.html
Link preview: Bypassing Windows Administrator Protection - Project Zero (projectzero.google): A headline feature introduced in the latest release of Windows 11, 25H2 is Administrator Protection. The goal of this feature is to replace User Account Cont...
Last time on Dragon Ball Z: I did a sort of long post discussing wanting to abuse Windows Application Execution Aliases for malware.
To make this schizo rant short, I'll call it AEA (App Execution Alias).
Refresher:
In Windows 11 if you go to:
-> Settings
-> Apps
-> Advanced App Settings
-> App execution aliases
You'll see "aliases". Hence, when a user types something into PowerShell, or CMD, or Windows search, it defaults to whatever is aliased (see image 1)
Windows did a pretty good job at making this a convoluted mess. I am lost and confused. I am in places I have never been on Windows (as is tradition).
All of the execution aliases are the result of Microsoft store apps because they're from AppX and/or MSIX packages (although technically it doesn't NEED to come from the Microsoft app store, it's just the most common). MSIX is a Windows program installation file format. If you're not familiar with it, look it up online. It's nothing crazy. It's pretty common.
However, the MSIX installation thingie has package manifest elements, and this is where AEA come from. It's an element called "uap5:AppExecutionAlias".
The MSIX installer creates an NTFS reparse point in %LOCALAPPDATA%\Microsoft\WindowsApps\*
Inside that directory you'll see all the aliased programs, but they're 0 bytes in size. However, if you use fsutil you'll see this (image 2)
It was at this point I began researching "0x8000001B", which translates to "IO_REPARSE_TAG_APPEXECLINK". This led me to discovering James Forshaw (tiraniddo) reverse engineered AEA in 2019 as a result of people on social media arguing about Windows executing the incorrect Python as a result of AEA (see subsequent post for his write-up).
.... which coincidentally we're here discussing THIS RIGHT NOW because people on social media were arguing about Windows executing the wrong Notepad. It's been 7 years and people are still rustled by it.
He concludes his technical write-up with the message, "I'm sure there's probably some exploitable security bug in the code here, but I'm too lazy to find it :-)"
Now I am in a situation where I can continue to poke AEA with a stick, to find a mechanism to abuse for malware, or I could give up and go back to watching Dragon Ball Z.
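As an added example serving both AEA posts above (this is not the author's code): a PowerShell audit that walks the two places the posts name, the App Paths keys under HKCU and HKLM and the IO_REPARSE_TAG_APPEXECLINK reparse points in %LOCALAPPDATA%\Microsoft\WindowsApps, decodes each alias's real target and flags anything that resolves outside Windows or Program Files (the Store's own WindowsApps directory lives under Program Files), which is exactly where a hypothesised notepad -> malware.exe -> notepad.exe chain would surface. Two assumptions are baked in: that fsutil prints a "Reparse Tag Value : 0x..." line followed by a "0000:  xx xx ..." hex dump, and that the APPEXECLINK payload is a uint32 version followed by NUL-terminated UTF-16LE strings (package, app id, target path, app type) as described in the tiraniddo.dev write-up linked below. Function names are mine.

```powershell
# Added example, not code from the posts. Audits App Paths keys and App
# Execution Alias reparse points and flags targets outside trusted roots.
# Assumptions: fsutil reparsepoint query prints "Reparse Tag Value : 0x..." and
# a hex dump in "0000:  xx xx ..." rows; APPEXECLINK data is a uint32 version
# followed by NUL-terminated UTF-16LE strings (package, app id, target, type).

$IO_REPARSE_TAG_APPEXECLINK = [uint32]2147483675   # 0x8000001B

$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, ${env:ProgramW6432}) |
    Where-Object { $_ } | Select-Object -Unique

function Test-TrustedTarget {
    param([string]$Target)
    if (-not $Target) { return $false }
    $full = [Environment]::ExpandEnvironmentVariables($Target).Trim('"')
    foreach ($root in $TrustedRoots) {
        if ($full.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-AppPathEntries {
    # App Paths: consulted by the shell when a bare exe name is typed.
    # The HKCU copy is writable without elevation, which is the post's point.
    foreach ($hive in 'HKCU', 'HKLM') {
        $root = "${hive}:\Software\Microsoft\Windows\CurrentVersion\App Paths"
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $target = (Get-ItemProperty -Path $key.PSPath).'(default)'
            [pscustomobject]@{
                Source  = "AppPaths ($hive)"
                Name    = $key.PSChildName
                Target  = $target
                Trusted = Test-TrustedTarget $target
            }
        }
    }
}

function Read-AppExecLink {
    param([string]$Path)
    $lines = & fsutil reparsepoint query $Path 2>$null
    if (-not $lines) { return $null }
    $tag   = $null
    $bytes = New-Object 'System.Collections.Generic.List[byte]'
    foreach ($line in $lines) {
        if ($line -match 'Reparse Tag Value\s*:\s*0x([0-9a-fA-F]+)') {
            $tag = [Convert]::ToUInt32($Matches[1], 16)
        } elseif ($line -match '^\s*[0-9a-fA-F]{4}:\s+((?:[0-9a-fA-F]{2}\s+)+)') {
            # Hex-dump row (assumed format); the ASCII column never matches "xx ".
            foreach ($hex in ($Matches[1].Trim() -split '\s+')) { $bytes.Add([Convert]::ToByte($hex, 16)) }
        }
    }
    if ($tag -ne $IO_REPARSE_TAG_APPEXECLINK -or $bytes.Count -le 4) { return $null }
    # Skip the 4-byte version field, then split the UTF-16LE string table on NUL.
    $text   = [Text.Encoding]::Unicode.GetString($bytes.ToArray(), 4, $bytes.Count - 4)
    $fields = @($text -split "`0" | Where-Object { $_ })
    [pscustomobject]@{ Package = $fields[0]; AppId = $fields[1]; Target = $fields[2] }
}

function Get-AppExecAliases {
    $dir = Join-Path $env:LOCALAPPDATA 'Microsoft\WindowsApps'
    foreach ($f in Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue) {
        # The 0-byte stubs the post mentions carry the ReparsePoint attribute.
        if (-not $f.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)) { continue }
        $link = Read-AppExecLink -Path $f.FullName
        if ($null -eq $link) { continue }
        [pscustomobject]@{
            Source  = "AppExecAlias ($($link.Package))"
            Name    = $f.Name
            Target  = $link.Target
            Trusted = Test-TrustedTarget $link.Target
        }
    }
}

# Report: anything not rooted in Windows / Program Files deserves a look, e.g. a
# notepad alias whose real target lives under %APPDATA% or %TEMP%.
$all = @(Get-AppPathEntries) + @(Get-AppExecAliases)
$all | Sort-Object Trusted, Name | Format-Table -AutoSize
'{0} entries, {1} outside trusted roots' -f $all.Count, @($all | Where-Object { -not $_.Trusted }).Count
```

Run it as the logged-on user: both the HKCU App Paths key and the WindowsApps stubs belong to that user, so the audit sees exactly what an unelevated implant could have changed. For hunting at scale, the same two collections (App Paths default values, APPEXECLINK targets) are the fields to log and baseline.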
Link preview: Overview of Windows Execution Aliases (www.tiraniddo.dev): I thought I'd blogged about this topic, however it turns out I hadn't. This blog is in response to a recent Twitter thread from Bruce Dawso...
> be me
> have idea
> look inside
> james forshaw, or x86matthew, or hexacorn, or grzegorz tworek did it
/me flips desk