VADER is a Windows security research platform built to study detection gaps in endpoint protection software. Every technique was developed on researcher-owned hardware with Windows Defender Real-Time Protection enabled throughout. No third-party frameworks or copied shellcode — every component built from first principles to ensure complete mechanical understanding.
The project grew from a TOCTOU race condition study into a full kill chain, documenting how Windows security mechanisms behave at the CPU and kernel level. Findings are documented for responsible disclosure via MSRC.
Windows Defender monitors memory modifications (VirtualProtect calls, inline hooks) but does not alert on CPU debug register manipulation via SetThreadContext. Hardware breakpoints in DR0-DR3 intercept the AMSI and ETW callbacks without modifying a single byte of process memory. MSRC's response: detection bypasses fall outside the security boundary.
Windows services with overly permissive file ACLs allow a standard user to replace the service executable. On next service start, the replacement runs with SYSTEM privileges — no UAC prompt, no admin credentials required.
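As an added audit check (not part of the VADER project's own code), the following PowerShell lists services whose binary, or the directory containing it, grants write or modify rights to broad non-admin principals; the fix for any hit is to restrict the ACL to SYSTEM and Administrators. It assumes an elevated prompt so every service's path is readable, and the principal list is an assumption that should be extended for domain-specific groups.

```powershell
# Added audit example, not the project's own code: flag service binaries
# (CWE-732) that non-admin principals can overwrite before the next start.
$weakIdentities = @(
    'Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)
# Any of these rights lets the principal swap or modify the file.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor `
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor `
             [System.Security.AccessControl.FileSystemRights]::Modify -bor `
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-WeakServiceBinary {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }
        # Strip arguments and quotes: "C:\Dir\svc.exe" -arg  ->  C:\Dir\svc.exe
        # Unquoted paths with spaces are truncated at the first space; those
        # are a separate misconfiguration worth reviewing on their own.
        $path = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
                else { ($svc.PathName -split ' ')[0] }
        foreach ($target in @($path, (Split-Path -Path $path -Parent))) {
            if (-not $target -or -not (Test-Path -LiteralPath $target)) { continue }
            $acl = Get-Acl -LiteralPath $target
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($weakIdentities -notcontains $ace.IdentityReference.Value) { continue }
                if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
                [PSCustomObject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    StartMode = $svc.StartMode
                    Target    = $target
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Get-WeakServiceBinary | Sort-Object Service | Format-Table -AutoSize
```

Entries where RunsAs is LocalSystem are the ones that match the SYSTEM escalation path described above; a writable parent directory is reported separately because it permits the same replacement by rename.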
Office ClickToRunSvc attempts to load osppc.dll, a DLL that does not exist on the system. A standard user can write a malicious DLL of that name to a user-writable path that the privileged service resolves. Detection signal: missing DLL dependencies in high-integrity processes.
| Phase | Technique | Status |
|---|---|---|
| 0 — C2 | XOR-obfuscated reverse shell, auto-reconnect | OPERATIONAL |
| 1 — AMSI | Hardware breakpoint DR0 on AmsiScanBuffer | OPERATIONAL |
| 2 — ETW | Hardware breakpoint DR1 on EtwEventWrite | OPERATIONAL |
| 3 — Privesc | CWE-732 service binary replacement to SYSTEM | CONFIRMED |
| 4 — Injection | DLL injection + HWBP propagation to all threads | OPERATIONAL |
| 7 — Cloak | NtQuery* inline hooks — process/file/connection hiding | OPERATIONAL |
| META | XOR key rotation, recompile, Defender rescan loop | OPERATIONAL |
All research was conducted on a dedicated Windows 11 (Build 26200, 24H2) machine in a standard user context with Defender RTP enabled. Every test cycle is logged with date, technique, and detection result. Novel findings are submitted to MSRC within 90 days. Binaries are never distributed; source only, in a private repository.