About Me

In this blog I'm writing some articles about exploitation and reverse engineering of various low-level stuff including operating systems, bootloaders, hypervisors and, of course, platform firmware. Also, here you can find many of my old materials written in Russian, moved from other places. I've been around for the last two decades or so; currently I'm mostly active on Twitter and GitHub and write more code instead of long and boring texts.

I was the first independent researcher ever to get paid by Intel (see the announcement part) for reporting a few industry-wide high-severity platform firmware vulnerabilities.

Once I broke Apple FileVault at the hardware level with my fancy DMA attack setup for PCI Express and did an accidental full disclosure.

One time, using the same DMA attack setup, I found a really cool way to gain arbitrary System Management Mode (SMM) code execution from a malicious PCI Express endpoint connected to the system; this vulnerability was recognised by Intel as high severity but still remains unfixed in many computers with Intel chips.

Another time I bought some new hardware for my home server and found remotely exploitable vulnerabilities in Baseboard Management Controller (BMC) firmware from AMI that can lead to the compromise of the host operating system on a good half of all servers and server motherboards made by Intel.

However, most (if not all) of the work you can find in this blog and my GitHub account was done as a hobby on a non-commercial basis. I don't like people reposting my texts in other places or making translations, but I can't prohibit you from doing that.

Contact information

E-mail: cr4sh0@gmail.com [see PGP key below]
Twitter and GitHub
d_olex at Keybase

Other links

Here you can find information about some of my public projects and activities over a long period of time. All this information is provided with no warranties: I'm not your tech support and I'm not responsible for your bricked hardware:

  • PCI Express DIY Hacking Toolkit − Started as an FPGA design and tools for DMA attacks on the Xilinx SP605 development board; now this repository is also the home of Hyper-V Backdoor and Boot Backdoor. Probably one of my largest and most interesting public projects; check the readme for links and detailed info [GitHub]
  • Xilinx Zynq DMA Attack Tools − FPGA design and tools for DMA attacks on development boards based on Xilinx Zynq chips. This design is compatible with all of the host software that was made for the PCI Express DIY Hacking Toolkit project [GitHub]
  • ThinkPwn − Started as an arbitrary System Management Mode code execution exploit for the Lenovo ThinkPad model line, ended up as an exploit for an industry-wide 0day vulnerability in machines of many vendors [GitHub]
  • Aptiocalysis − Another cool arbitrary System Management Mode code execution exploit for an industry-wide 0day vulnerability in AMI Aptio based firmware that I found [GitHub]
  • Firmware Exploitation Tool and Library − Library and tools for the development of System Management Mode exploits for Windows targets. The project includes examples of exploits for 0day and 1day vulnerabilities in the firmware of various Lenovo machines. Also, this project provides DSE bypass techniques that allow exploiting these vulnerabilities even on Hypervisor-Protected Code Integrity (HVCI) enabled machines [GitHub]
  • SMM Backdoor − First open source and publicly available System Management Mode backdoor for UEFI based platforms. Good as a general-purpose playground for various SMM experiments [GitHub]
  • PEI Backdoor − First open source and publicly available Pre-EFI Initialization (PEI) phase backdoor for UEFI based platforms. Good as a general-purpose playground for various experiments at the earliest possible boot stages, when most of the platform components and features have not been initialized yet [GitHub]
  • Micro Backdoor − C2 tool for Windows targets with an easily customizable code base and small footprint. It wasn't designed as a replacement for your favourite post-exploitation tools but rather as a really minimalistic thing with all of the basic features in less than 5000 lines of code [GitHub]
  • Kernel Forge − A library to develop kernel-level Windows payloads for the post-HVCI era, when the Hyper-V security features of modern platforms prevent you from executing any unsigned kernel code at all [GitHub]
  • OpenREIL − Open source library that implements a translator and tools for REIL, the reverse engineering intermediate language [GitHub, archived]
  • IOCTL Fuzzer − Windows tool for reverse engineering and hunting vulnerabilities in Windows kernel drivers; it can also monitor and log IOCTL requests you're interested in [GitHub, archived]
  • Windows Registry Rootkit − My old rootkit that stores its body in registry values and gains kernel-mode code execution at early boot by exploiting a 0day vulnerability in a win32k.sys function that parses malicious data read from the registry [GitHub, archived]
  • Once, with my colleague Andrey Rassokhin, we gained control over the largest botnet in the world at that time: TDSS. We wrote a detailed article about this operation (EN, RU, internet archive)
  • I was also a co-founder and long-time member of the first ever hackerspace in a post-Soviet country: Neuron. It was located in the center of Moscow from 2011 to 2020, but unfortunately it was closed at the beginning of the pandemic.
  • Some of my old articles are also available at nobunkum.ru (EN, internet archive) / nobunkum.ru/ru (RU, internet archive): a technical e-zine on guns, germs, and steel of the digital age. There are also some of my even older technical articles that can be found on the internet, for example the one about finding Windows kernel driver vulnerabilities, but most of them are quite lame and aren't worth mentioning
  • A long time ago I was a member of Hell Knights Crew: a Russian hacking team of the early 00's with a strong interest in reverse engineering, malware and vulnerabilities. It's all gone now, but most likely you will be able to find proper archives
  • A really long time ago I had... well, a typical cool hax0r kid homepage of the mid 2000's with some of my code archives and a sort of blog. Looks good enough as a cemetery monument to the post-Soviet underground hacking culture of those days

My PGP key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.13

mQGiBEosHP4RBACusXfXOj7FE8WRwvbo57sv0inGq3c0e7WUQA0ClvXFP/rsGWmo
vHXrdfEB8CDglE+ivCaoQOYu2MIw1tghhq3HDKouOuZmUkPkjO8L88i6fSiYBVAI
B6fzbh2EzMsvSHp6Y8qPyQaE/ViiO4j0Qxj34J9AB84KbQ1OTxrkfOmUYwCgkT7w
CTLyIgQJFlIpVOrqShCtyM8D/1Pk1BPOoLpAhGKF6bKu/QKxWA0AmB1mJtqoNzEq
sYBtoqgDmbdyN00j5lqDEQflZfixXWspEvN3IZqYeNspwaMA577OGnX1O/x7EYfs
vpNsDLJBlmUrSDht1VdT6arGgLWNBVGfbeUmpZBbFffvzfh7zFbu8dwhFNZ8y9Zu
AY3LBACXTf6o43mSm4jCZAsMdMD5sux5CBzkEFvBF7kQ4jJe+kgFeEsiAAcqVzly
zXJI+6/eHrGXeZPv5F82E000tn0wunj+Tjstwk1jfUC/dVvL9wx2b0A+kH1Ns3mo
JWt6NSmPpWVlSqFj35vefmQ5BA05zLN4qp4bYumJ+WJFdTALlbQZRG1pdHJ5IDxj
cjRzaDBAZ21haWwuY29tPohgBBMRAgAgBQJKLBz+AhsDBgsJCAcDAgQVAggDBBYC
AwECHgECF4AACgkQdXLuVmCTKcMH6ACdEzlKRktqzEzHkis6aN97QPmY2YEAn2V6
4YhXJtCN85NqcWCrJlnVrJJsiHQEExECADQCGwMGCwkIBwMCBBUCCAMEFgIDAQIe
AQIXgAUCTr3fyhMYaHR0cDovL3BncC5taXQuZWR1AAoJEHVy7lZgkynDnCEAn28M
l/3H0R1artS94ELXGI5dcD7/AJ0Vbx9nPtQoHGTwAchnlAQV8QNnf7QcRG1pdHJ5
IDxkbWl0cnlAZXNhZ2VsYWIuY29tPohiBBMRAgAiBQJOvd6eAhsDBgsJCAcDAgYV
CAIJCgsEFgIDAQIeAQIXgAAKCRB1cu5WYJMpw0a3AJ9yP4Lc0soZP6JFqXDgkOMb
fSdaQwCfUg5h/2rkquyxOx5ab3UyZHQ3SfaIdgQTEQIANgIbAwYLCQgHAwIGFQgC
CQoLBBYCAwECHgECF4AFAk6938oTGGh0dHA6Ly9wZ3AubWl0LmVkdQAKCRB1cu5W
YJMpw+5KAJ9ww0e/lYh9QGmeDgRAV/3kIT+XcACdG87O5Utf/fMVJQknryL/3wNI
8v65Ag0ESiwc/hAIANt/RS3oDnsNUmwLoefuXrbONbh+S0CdyCYqAuWLLroZt+mQ
Wp0OAQNycRO7N+f0kNNMVrMIX/kCS20PKW5fOyDWOC82XfwYaw4onu8bq0WzCBHK
i7wpbURrh/OWECqTD1DORHPlE9TFRIVpyp8VvU5A3VrHT1ZNXDb/8yRoATHwgMLU
fimTAL9UwCZASZbZ8A4PZUdeDo9NZ2GxKPv5JGXXL4xOhlRoV9ByBiSnMg7zPE0o
KczTBKkG69ST90DLqC0ba7tjsVpZI9ZaZmLrCIjiAQY1Xri/qmNhpJ5MREpCsB2p
vNJb9i1QekVUK1fJCcezcI4XYXSwoctDEYUOo9cABA0H/jo2nbS/HH8KBb3ka0M5
YyCziVIyS6EAbTFaAKYftmdcPNbx8XKUyH+RhGFFmFvxf+DqGQJfYISV7hQkI00b
wJb8ZToafC24BARMFiqbhUjb9fgxSKBxV6VKz6xfEgsKoTWjERaeR8EMf35dG+i+
ruo2iYIy3pgGloIMNK2jQhdpI4rSE8CliDlJARNLudRHWzDbzTzHFzLTPxproGCC
hc81IvYTguZrPlp+O2EZ2b6eP/xYygTAYOHilkoz0NYv6vDilBykBjhkPVFAWCkX
sWpY561Usqz3tU958YeUs85Y3xBqLyUI15CQtp79CENSDG+1RwibkrvdbiG9Ni17
e9KISQQYEQIACQUCSiwc/gIbDAAKCRB1cu5WYJMpw2rNAJ4iMD301RqZBwcyF7J7
bOW1qNa3HQCfaaPbABf8usWfrOrtx0m2/+MFhsU=
=FUPF
-----END PGP PUBLIC KEY BLOCK-----