Cyber Security Engineer
- Offensive Security Research
CVE-2026-20820 is a vulnerability in the Common Log File System (CLFS) driver that was included in the January 2026 Patch Tuesday. The advisory lists it as a heap overflow that can be used for EoP. CLFS.sys has a rich history of vulnerabilities and exploits, but many of them have historically involved modifying or corrupting the BLF files parsed by the driver. I hadn’t looked into CLFS in much detail before, so I thought some n-day analysis would be a good framing exercise to gain some familiarity. I also noticed that the docs mention Authentication Codes, a relatively recent hardening feature added with the intent of mitigating the class of exploits that modify BLF files. So I was curious which other areas of attack surface were still yielding bugs capable of being used for EoP. ...
This post is a writeup of my notes from reversing npsvctrig.sys. I was recently looking into Service Triggers and couldn’t find any writeups or info on this driver, hence sharing this. Overview npsvctrig.sys is a native Windows filesystem minifilter driver that implements, as the name suggests, part of the functionality for Named Pipe Service Triggers. The driver is small and straightforward. In a nutshell, it maintains a list of active named pipe triggers, uses minifilter callbacks to intercept specific actions performed against those named pipes, and publishes an ETW event containing the name of the pipe when one occurs. The Service Control Manager (SCM) consumes these events and takes them as an indicator that it should start the corresponding service executable. ...
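To see the trigger path end to end without reversing anything, register a named-pipe start trigger on a service, then act as a pipe client. This is an added example and not code from the post; the service name DemoTrigSvc and pipe name demotrigpipe are placeholders (the service must already exist as a demand-start service), and the assumption that the intercepted action is a client's attempt to open the pipe is mine, not a statement from the post.

```powershell
# Added example, not code from the post. Placeholder names: "DemoTrigSvc"
# must already exist as a demand-start service; "demotrigpipe" is the pipe
# the trigger is registered on. sc.exe triggerinfo/qtriggerinfo are the
# built-in SCM commands for trigger management; run from an elevated prompt.
$svc  = 'DemoTrigSvc'
$pipe = 'demotrigpipe'

# Register a start trigger of type "named pipe event" for the service.
sc.exe triggerinfo $svc "start/namedpipe/$pipe"

# Read back what SCM stored; this is the trigger set the minifilter watches.
sc.exe qtriggerinfo $svc

# Make sure the service is idle, then behave like a client. Assumption: the
# action the driver intercepts is a client opening the pipe, so Connect()
# below is what should produce the ETW event that SCM reacts to.
sc.exe stop $svc | Out-Null
$client = New-Object System.IO.Pipes.NamedPipeClientStream('.', $pipe, [System.IO.Pipes.PipeDirection]::InOut)
try {
    # No server exists until the service is up, so the first open may fail
    # or time out; the trigger fires on the attempt regardless.
    $client.Connect(2000)
    "client connected"
} catch {
    "client open failed: $($_.Exception.Message)"
} finally {
    $client.Dispose()
}

# If the trigger worked, SCM should have started the service by now.
Start-Sleep -Seconds 2
sc.exe query $svc

# Clean up: remove all trigger info from the service.
sc.exe triggerinfo $svc delete
```

Note that `sc` on its own is a PowerShell alias for Set-Content, so the `.exe` suffix is required. Whether the client's Connect succeeds depends on how quickly the started service creates its pipe; the state shown by `sc.exe query` after the sleep is the real indicator that the trigger fired.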
Around a year ago, I decided to orient myself more deliberately towards vulnerability research. It had become apparent to me that, of the areas of offensive security I had dipped my toes into, it was the one whose process I had enjoyed the most. I spent much of the last year shoring up fundamentals, finishing Ret2Systems’ excellent Wargames, a bunch of OST2 modules, and the Trainsec Kernel Programming modules, before jumping into some real-world targets and starting to develop my workflow. This blog post documents the first vulnerability that I found and reported, CVE-2024-11616, in a driver created by Netskope. The bug is a pretty typical double-fetch and requires elevated privileges to exploit, but due to the risk of Bring Your Own Vulnerable Driver (BYOVD) attacks, these bugs are still pretty important for vendors to catch. Despite it being a simple bug, successfully reporting something was a milestone I was eager to hit, so a small writeup seemed justified! ...
I’ve recently been working on a small fun obfuscation tool called CSSHide, which can encode a payload in the colour values of a CSS file. This was inspired by the payload encoding modules featured at Maldev Academy, which include encoding payloads as IP addresses, UUIDs, and MAC addresses. Why CSS files? The purpose of the tool is to help blend in with common browser traffic, which will usually include frequent requests for CSS files that the browser then uses to lay out a webpage. For example, here are all the CSS files requested when loading a YouTube video: ...
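The core trick, bytes packed into #RRGGBB values, is small enough to show in full. The following is an added example and not CSSHide's own encoding scheme: the layout (first colour carries the payload length, every later colour carries three bytes, colours spread over ordinary-looking selectors) is an assumption chosen for illustration, and the payload is a constructed placeholder string rather than shellcode.

```powershell
# Added example, not CSSHide's code. Scheme is assumed for illustration:
# colour 0 = payload length (24 bits), each following colour = 3 payload bytes.
function ConvertTo-CssPayload {
    param([byte[]]$Bytes)
    $colours = New-Object System.Collections.Generic.List[string]
    $colours.Add(('#{0:x6}' -f $Bytes.Length))
    for ($i = 0; $i -lt $Bytes.Length; $i += 3) {
        # Zero-pad the final chunk so every colour is a full 6 hex digits.
        $chunk = [byte[]]::new(3)
        $n = [Math]::Min(3, $Bytes.Length - $i)
        [Array]::Copy($Bytes, $i, $chunk, 0, $n)
        $colours.Add(('#{0:x2}{1:x2}{2:x2}' -f $chunk[0], $chunk[1], $chunk[2]))
    }
    # Rotate through plausible colour properties so the file reads as a stylesheet.
    $props = 'color', 'background-color', 'border-color'
    $sb = New-Object System.Text.StringBuilder
    for ($j = 0; $j -lt $colours.Count; $j++) {
        [void]$sb.AppendLine(('.c{0} {{ {1}: {2}; }}' -f $j, $props[$j % $props.Count], $colours[$j]))
    }
    $sb.ToString()
}

function ConvertFrom-CssPayload {
    param([string]$Css)
    # Pull every 6-digit colour in document order; @() keeps a single match an array.
    $hex = @([regex]::Matches($Css, '#([0-9a-fA-F]{6})') | ForEach-Object { $_.Groups[1].Value })
    $len = [Convert]::ToInt32($hex[0], 16)
    if ($len -eq 0) { return [byte[]]@() }
    $out = New-Object System.Collections.Generic.List[byte]
    foreach ($h in $hex[1..($hex.Count - 1)]) {
        for ($k = 0; $k -lt 6; $k += 2) { $out.Add([Convert]::ToByte($h.Substring($k, 2), 16)) }
    }
    # Drop the zero padding added to the last chunk.
    [byte[]]($out.ToArray()[0..($len - 1)])
}

# Constructed sample payload: plain text standing in for a real payload.
$payload = [System.Text.Encoding]::ASCII.GetBytes('constructed sample payload')
$css = ConvertTo-CssPayload -Bytes $payload
$css
$roundTrip = ConvertFrom-CssPayload -Css $css
"round trip ok: {0}" -f ([System.Linq.Enumerable]::SequenceEqual([byte[]]$payload, [byte[]]$roundTrip))
```

The decoder relies on the length colour being the first colour in the file, which the encoder guarantees; a real stylesheet carrying decoy colours would need a marker or a fixed selector name to locate the payload instead.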
A common method of unhooking user-land API hooks is to load a fresh copy of NTDLL from KnownDlls, a special object directory that essentially caches commonly used system DLLs. We can use WinObj to view the Object Manager namespace, where we can see the KnownDlls directory and the mapped sections it contains for each system DLL. Whilst working through the excellent Maldev Academy course material, it was pointed out that you can’t seem to use OpenFileMapping to retrieve a handle to a section in the KnownDlls directory, despite its purpose being to open named file mapping objects. Attempting to use the function to open \KnownDlls\ntdll.dll, or any other DLL in that directory, results in error 161 (ERROR_BAD_PATHNAME): the Win32 API resolves names relative to the session’s BaseNamedObjects directory, so it cannot address an arbitrary Object Manager path. Most malware therefore uses the native NtOpenSection instead. ...
I recently encountered a blog post by Signal Labs about using in-memory disassembly to perform EDR unhooking. In the post, the authors outline a technique whereby hook jumps implemented by Sophos are followed in order to find the relocated original syscall stub. This is first done for NtAllocateVirtualMemory, which the authors unhook by replacing the EDR’s hook with their own hook pointing to the relocated stub. Once they’ve unhooked this function, it can be leveraged for the further unhooking of other functions. ...
It’s a bit of a cliché after passing the OSCP to do a writeup about the journey it took to get there, but I’m embracing the cliché for two reasons. First, when I was preparing I encountered tips and suggestions in blog posts that had a huge impact on the rest of my preparation. Second, approaching the OSCP with experience as a Programmer/Software Engineer can result in slightly different prioritisation during preparation, and anecdotally it’s touched on in fewer guides because it’s not the common path. This isn’t going to be a structured plan, and it won’t encapsulate everything I did to prepare. I just want to throw out there, at a high level, some of the more important lessons I learnt and resources I used. ...