Content Shift
Moving from userland back to the kernel and moving from 3D2A to drones
Shift from userland
“Hey everyone, welcome back to the Crackamphetamine Show. So, we’re about to do a change in our curriculum, right? A lot of people are talking to me like, ‘I would really love to pay for your malware course, as long as you make it make sense.’ And yes, I am starting to have that amount of time.
The reason why is I took everything I developed since early 2025—maybe February 2025, during which, as you may have heard, I was very impactful in activism—but enough flexing. I modularized the tooling with a state machine. Right, so basically it’s just an Excel spreadsheet of payloads, separated as comma-separated values (CSV). I built my own interpreter to execute each payload and gave it rules.
It’s hard to defend against that. Basically, to make it make sense, I decoupled it like a transmission gear—like a torque converter that connects to the crankshaft and the flywheel of an automatic car. You can decouple and disengage the gears, right? Most detection rules expect things to be mated together. You look for suspicious behavior or suspicious code before it gets entered into the AMSI (Anti-Malware Scan Interface) buffer. I already showed you my framework on Codeberg and on my Substack.
By decoupling and swapping out payloads, you make a more modular framework for your attack campaigns and can change its mission at will just by updating the Cloudflare Worker and the config, which is just a spreadsheet. You can’t defend against a spreadsheet. If Microsoft or antivirus vendors patch a spreadsheet, they’re going to break a lot of legitimate Office applications like Excel, LibreOffice Calc, or Google Sheets.
I already showed you my PowerMetal framework, which has hard-coded offsets generated from an image. You can use any image you want—even the same image—and they can’t defend against using it to create malicious strings that bypass AMSI so you can start your fileless loader combos. At that point, I just split up all my payloads; now it’s just hammering out bugs. For example, if it refuses to exfiltrate files to OneDrive, all you have to do is fix the payload on your testing VM and redo it. You can just put a comment or hash mark in your status.txt file, hammer out the bug, and switch it back on.
Back to Virtual Machine Obfuscation
The other thing is I am going back to Virtual Machine Obfuscation. I had some bugs. I have to go back to the States to hammer out issues—my bank card is expiring and I’ve got to get new ones—as well as issues I see politically and economically. I’ve got to grab my stuff and get to Mexico. I’ll sign a rental lease because I can get a two-bedroom apartment for $400 or $600. FYI, each recámara (bedroom) is half the size of this studio I’m paying double for. American houses are lavish by comparison. But it won’t be long before I get the power, Totalplay or Infinitum internet, and VPNs turned on.
We’re going back to VM Obfuscation. I’ve never heard of a single course on this except what I learned through the MCSI (Mossé Cyber Security Institute). I have been an MCSI Certified Code Obfuscation Specialist since late 2023. We need to translate that tradecraft from the Tigress open-source obfuscator to Windows, because nobody is teaching a course on obfuscating malware for Windows. Most attackers just buy VMProtect or ASPack for $1,000, or use a cracked version that gets signatured immediately.
Back to Kernel Mode Exploitation Research
If you saw my code on Codeberg, you noticed bugs because I didn’t add call/jump instructions. I had to brute-force from the Tigress non-Windows API obfuscator to get it to work on a Windows machine. Secondly, I’m working on Kernel Mode Obfuscation. Since I took a course back in November 2024, Microsoft has added incredible mitigations like SLAT (Second Level Address Translation) built upon VBS (Virtualization-Based Security). It’s on by default now in Windows 10 and 11.
There is a bypass via a single function. You open Ghidra, reverse engineer the driver, and compensate for physical-to-virtual address translation to abuse a vulnerable driver. You can use it to leak the physical base address. You could load buggy drivers to get the functions you want, but that sets off EDR alerts. You have to blind the EDR with kernel exploits. I suggest signing up for Guided Hacking or UnknownCheats to learn the latest on kernel mode exploitation.
Pivoting from 3D2A to Drones
Number three: I am working on drone warfare. There is incredible content on drones now. This is a $150 full-power FPV drone. I need to study how to fly; I have simulator apps.
You need an ISR drone for spotting range, mrad calculations, and seeing where targets are hiding. You can 3D print drone parts now—using Carbon Fiber Nylon, PLA+, or Pro—outside of the motors.
I’m studying how to make drones based on info from Ukraine and Mexico. The CJNG cartel is well-known for drone squads, and the Mexican military has jammer guns. I’m studying this for home defense—to pave a 300-mile route back to my home. If there’s civil unrest or choke points in Mexicali, I can use a drone to look ahead. This video is a Substack exclusive. We’re fixing the VM obfuscator, moving to kernel mode, and moving from 3D printing guns to ISR drones.”