## https://sploitus.com/exploit?id=C5449C27-7E72-529E-BB3B-A2BECFAFBE53
# OPERATION VADER - TOCTOU EXPLOITATION SYLLABUS
### OPERATIONS ORDER 001-26 (VADER)
### Classification: UNCLASSIFIED // ACADEMIC USE ONLY
### DTG: 130600Z JUN 2026
### Issuing Authority: VADER (Student Operator, CSEC Studies)
---
> **AUTHORIZATION:** This repository constitutes authorized academic security research
> conducted under CSEC (Cybersecurity) coursework requirements. All techniques are
> developed, tested, and documented on personally-owned hardware. No unauthorized
> systems are targeted. This is a war college thesis - an offensive capability study
> with full academic justification.
---
## REFERENCES
- BOOK/GLOSSARY.md - Field Reference Card (Military → Technical terminology)
- BOOK/00_OVERVIEW.md through BOOK/11_RPC_ATTACK_SURFACE.md - Field Manual chapters
- Microsoft Win32 API Documentation (kernel32.dll surface)
- EICAR Anti-Malware Test Standard
---
## 1. SITUATION
### a. Enemy Forces
**Windows Defender RealTime Protection (RTP)** - the target's autonomous defense system.
Operates as a kernel-mode service (`MsMpEng.exe`) running as `NT AUTHORITY\SYSTEM`.
Defender executes a **check-then-act** pipeline:
1. **SCAN** - File system minifilter intercepts file creation. Reads content. Evaluates
against signature database + heuristics + ML models + cloud lookup.
2. **DECIDE** - If malicious: mark for quarantine.
3. **ACT** - Re-opens the **same file path** to move/quarantine the threat.
The vulnerability exists between steps 2 and 3. Defender trusts that the path it scanned
still resolves to the same location when it returns to act. It does not re-validate the
path target. This is the **TOCTOU gap** - Time-of-Check to Time-of-Use.
**Enemy Disposition (Target Machine):**
| Property | Value |
|----------|-------|
| OS | Windows 11 Home Build 26200 (24H2) |
| User Privilege | Standard (non-admin) |
| RealTime Protection | **ENABLED** |
| Tamper Protection | OFF |
| HVCI | Running |
| Behavior Monitoring | ENABLED |
The operator has **no admin access**. Cannot disable Defender. Cannot add exclusions.
Cannot modify services. The exploit must achieve its objective from a standard user shell.
See: [BOOK/08 - Enemy Force Disposition](BOOK/08_DEFENDER_ARCHITECTURE.md)
### b. Friendly Forces
One operator. One compiler. Raw C and the Win32 API.
**No external dependencies.** No third-party libraries. No published exploit code.
No CldApi.dll (RedSun's fingerprint). No virtdisk.lib (RoguePlanet's fingerprint).
Standard kernel32.dll imports only - the binary looks like any other C program to
static analysis.
### c. Terrain & Weather
The battlefield is the Windows NTFS filesystem. Key terrain features:
- **NTFS Junctions** - Directory-level symlinks processed transparently by the kernel.
Any process following a path through a junction is redirected without notification.
Standard users can create junctions on paths they own.
- **Opportunistic Locks (Oplocks)** - Kernel-level file access notifications. A batch
oplock fires the instant another process (Defender) attempts to open a locked file.
The requesting process is **frozen by the kernel** until the oplock holder responds.
- **C:\Windows\System32** - The high-value target. SYSTEM-writable. If Defender follows
a junction into System32, it operates on critical OS files with SYSTEM privileges.
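Seen from the defender's side, the artifact this terrain leaves behind is a junction under a user-owned directory whose target resolves into System32. The following PowerShell sweep is an added example, not code from the vader-toctou repository; it lists such junctions beneath a root directory, and the default root (`$env:USERPROFILE`) and protected prefix are assumptions to adjust.

```powershell
# Added defender-side audit (not from the vader-toctou repository).
# Lists NTFS junctions beneath $Root whose target resolves into $ProtectedTarget.
# $Root and $ProtectedTarget are assumed defaults; widen $Root to cover every
# user-writable location you care about (profiles, temp, ProgramData).
param(
    [string]$Root = $env:USERPROFILE,
    [string]$ProtectedTarget = 'C:\Windows\System32'
)

function Get-JunctionsIntoProtectedPath {
    param([string]$Root, [string]$ProtectedTarget)

    # Enumerate reparse-point directories only; junctions are one LinkType among them.
    Get-ChildItem -Path $Root -Recurse -Attributes ReparsePoint -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.LinkType -eq 'Junction' } |
        ForEach-Object {
            $junction = $_
            foreach ($t in @($junction.Target)) {
                if (-not $t) { continue }
                # Strip the NT object-namespace prefixes (\??\ or \\?\) that some
                # PowerShell versions report in front of the junction target.
                $clean = $t -replace '^(\\\?\?\\|\\\\\?\\)', ''
                if ($clean -like "$ProtectedTarget*") {
                    [pscustomobject]@{
                        Junction = $junction.FullName
                        Target   = $clean
                        Owner    = (Get-Acl -Path $junction.FullName).Owner
                    }
                }
            }
        }
}

Get-JunctionsIntoProtectedPath -Root $Root -ProtectedTarget $ProtectedTarget |
    Format-Table -AutoSize
```

Run it from an elevated prompt to sweep other users' profiles; an empty result means no junction under the swept root currently points into the protected prefix, not that none was ever created.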
### d. Background - Why Custom
Every published TOCTOU exploit gets signatured within days. RedSun, GreenPlasma,
BlueHammer, MiniPlasma, RoguePlanet - all by the same researcher, all burned.
String mutations beat Layer 2 (YARA sigs) but not Layer 3 (PE structure / import
table fingerprinting).
**Published exploit code is a losing strategy.** If you want capability on the day
you need it, you write it yourself. This repo is that process - from first principles
to functional exploit, documented as a teaching syllabus.
---
## 2. MISSION
Develop a custom TOCTOU race condition exploit against Windows Defender's RealTime
Protection scan-then-quarantine pipeline, achieving arbitrary file operations under
`NT AUTHORITY\SYSTEM` context from a **standard user** shell - and document the entire
process as an 11-chapter field manual suitable for training future operators.
**Intent:** The operator understands not just the *how* but the *why* at every layer.
Every line of code maps to a concept in the field manual. Every concept maps to a
military doctrine analogy. The result is an operator who can adapt the technique to
future defensive changes, not one who can only run a script.
---
## 3. EXECUTION
### a. Concept of Operations
The attack proceeds in four phases, compressed into a single sub-second engagement:
```
PHASE 1 - BAIT        Deploy EICAR test pattern to controlled directory
PHASE 2 - TRIPWIRE    Batch oplock freezes Defender mid-scan
PHASE 3 - SWAP        Junction redirects path to C:\Windows\System32
PHASE 4 - DETONATE    Release oplock. Defender follows junction. SYSTEM writes.
```
The oplock makes the race **deterministic**. The kernel itself freezes Defender's
operation until the operator releases the lock. Swap takes ~0.2ms. Defender's gap
is 15-50ms. That is a 30-250x timing margin. This is not a race - it is an ambush.
See: [BOOK/09 - Ambush Doctrine](BOOK/09_TOCTOU_THEORY.md)
See: [BOOK/10 - Full Kill Chain OPORD](BOOK/10_THE_CHAIN.md)
See: [BOOK/11 - Enemy Comms Intercepted](BOOK/11_RPC_ATTACK_SURFACE.md)
### b. Force Disposition (Order of Battle)
```
vader-toctou/
│
├── BOOK/                              FIELD MANUAL - 12 chapters
│   ├── 00_OVERVIEW.md
│   ├── 00A_DEV_ENVIRONMENT.md         "Setting Up the Armoury"
│   ├── 01_HANDLES_AND_OBJECTS.md      "Grips & Arsenal"
│   ├── 02_FILESYSTEM_AND_PATHS.md     "Terrain & Navigation"
│   ├── 03_CREATEFILE_DEEP_DIVE.md     "Primary Weapon System"
│   ├── 04_DEVICEIOCONTROL.md          "Fire Commands"
│   ├── 05_ASYNC_IO.md                 "Radio Receivers"
│   ├── 06_OPLOCKS.md                  "Claymores"
│   ├── 07_NTFS_JUNCTIONS.md           "Road Sign Swaps"
│   ├── 08_DEFENDER_ARCHITECTURE.md    "Enemy Force Disposition"
│   ├── 09_TOCTOU_THEORY.md            "Ambush Doctrine"
│   ├── 10_THE_CHAIN.md                "Full Kill Chain OPORD"
│   ├── 11_RPC_ATTACK_SURFACE.md       "Enemy Comms Intercepted"
│   └── GLOSSARY.md                    Field Reference Card
│
├── BUILDING_BLOCKS/                   ANNOTATED WEAPON SYSTEMS
│   ├── bb1_junction_annotated.c       (Reference implementations)
│   ├── bb2_oplock_annotated.c         (The answer key)
│   ├── bb3_trigger_annotated.c
│   └── vader_toctou_annotated.c       Full chain reference weapon
│
├── LIVE/                              LIVE FIRE - operator writes these
│   ├── bb1_junction.c                 from the field manual, not by
│   ├── bb2_oplock.c                   copying the annotated versions.
│   ├── bb3_trigger.c
│   └── vader_toctou.c                 Final weapon: the full chain.
│
├── TESTS/                             DRY FIRE DRILLS
│   ├── test01_handles.c               7 standalone test programs,
│   ├── test02_paths.c                 one per concept. Safe to run.
│   ├── test03_createfile.c            No Defender interaction.
│   ├── test04_ioctl.c
│   ├── test05_async.c
│   ├── test06_oplock.c
│   └── test07_junction.c
│
└── .gitignore                         No compiled binaries in repo.
```
**Reading order:**
1. BOOK/ chapters 00-10 sequentially (the doctrine)
2. TESTS/ programs matching each chapter (dry fire)
3. BUILDING_BLOCKS/ annotated sources (study the answer key)
4. LIVE/ - write your own from understanding, not from memory
### c. Tasks to Subordinate Units
**BOOK/** - Provides doctrinal foundation. Each chapter teaches one Win32 API concept
through military analogy. The operator reads, understands, then proves understanding
through the corresponding test program.
**TESTS/** - Isolated experiments. Each test program exercises one API in a safe context.
No Defender interaction. No malicious payloads. Pure API mechanics. This is dry fire -
trigger squeeze without live rounds.
**BUILDING_BLOCKS/** - Three annotated reference implementations. Every line has a
comment explaining *what* it does, *why* it does it, and *what doctrine chapter* it
maps to. These are the answer key. The operator studies them but does not copy them.
**LIVE/** - The operator writes these from scratch, guided by the field manual and
informed by the building blocks. This is where understanding becomes capability.
The final deliverable is `vader_toctou.c` - all three building blocks fused into
a single kill chain.
### d. Coordinating Instructions
- All code is **C** - not C++. Direct kernel API access. No runtime overhead. No
vtables, no exceptions, no RTTI. If the CPU doesn't need it, it doesn't ship.
- Every source file must compile clean with `cl.exe /W4` (warning level 4).
- No third-party dependencies. `kernel32.dll` and `ntdll.dll` surface only.
- EICAR pattern is XOR-encoded in the binary. The exploit executable itself must
not trigger Defender static analysis.
- `.gitignore` excludes all compiled binaries. Source only in the repo.
---
## 4. SERVICE & SUPPORT
### a. Weapons Assembly (Compile Instructions)
**Prerequisites:**
- Visual Studio 2022 Community (C/C++ workload installed)
- VS Developer Command Prompt (provides `cl.exe` on PATH)
**Standard Compile - Single Source File:**
```cmd
:: Open "x64 Native Tools Command Prompt for VS 2022"
:: Or source the environment manually:
"C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Auxiliary\Build\vcvars64.bat"
:: Compile any source file:
cl.exe filename.c /Fe:output.exe /O1 /GS-
```
| Flag | Purpose |
|------|---------|
| `/Fe:output.exe` | Output filename |
| `/O1` | Optimize for size (minimal binary footprint) |
| `/GS-` | Disable stack buffer security checks (we handle our own memory) |
| `/W4` | Warning level 4 (add during development - treat warnings as intel) |
**Dry Fire (Test Programs):**
```cmd
cl.exe test01_handles.c /Fe:test01.exe /O1 /W4
```
**Live Fire (Building Blocks / Kill Chain):**
```cmd
cl.exe bb1_junction.c /Fe:bb1.exe /O1 /GS-
cl.exe bb2_oplock.c /Fe:bb2.exe /O1 /GS-
cl.exe bb3_trigger.c /Fe:bb3.exe /O1 /GS-
cl.exe vader_toctou.c /Fe:vader.exe /O1 /GS-
```
**Do NOT commit binaries.** The `.gitignore` is configured. Source in, binaries out.
Compile on the target or on a matching build environment.
### b. Supply
All materials are contained within this repository. No external downloads required.
No package managers. No build systems. One compiler, one command, one binary.
---
## 5. COMMAND & SIGNAL
### a. Command
**Operator:** VADER (sole operator, sole authority)
This is a solo engagement. No team coordination required. The operator is the
researcher, developer, tester, and documenter.
### b. Signal
**Field Reference:** [BOOK/GLOSSARY.md](BOOK/GLOSSARY.md) - Military → Technical
terminology mapping. Every military term used in this syllabus has a precise technical
equivalent defined in the glossary.
**Doctrine Reference:** Each BOOK/ chapter header contains the military analogy mapping.
When in doubt about terminology, check the glossary first, then the relevant chapter.
---
## MISSION PHASE TRACKER
```
PHASE                          STATUS          NOTES
───────────────────────────────────────────────────────────────────────
✓ RECON                        [COMPLETE]      Target enumerated.
                                               Defender config mapped.
✓ PUBLISHED EXPLOIT STUDY      [COMPLETE]      RedSun, RoguePlanet -
                                               both signatured. Dead end.
✓ EVASION TESTING (GaySun)     [COMPLETE]      Beat Layer 2 (strings).
                                               Failed Layer 3 (PE structure).
✓ DECISION: CUSTOM EXPLOIT     [COMPLETE]      Write from scratch.
                                               Own trajectory. No signatures.
✓ FIELD MANUAL                 [COMPLETE]      12 chapters in BOOK/.
                                               Full doctrinal coverage.
                                               Ch11 RPC attack surface added.
✓ DRY FIRE DRILLS              [COMPLETE]      7 test programs in TESTS/.
                                               All API concepts verified.
✓ ANNOTATED WEAPON SYSTEMS     [COMPLETE]      3 building blocks annotated.
                                               Answer key complete.
☐ LIVE FIRE - BB1 JUNCTION     [IN PROGRESS]   LIVE/bb1_junction.c
                                               Operator writing from manual.
☐ LIVE FIRE - BB2 OPLOCK       [PENDING]       LIVE/bb2_oplock.c
☐ LIVE FIRE - BB3 TRIGGER      [PENDING]       LIVE/bb3_trigger.c
☐ FULL CHAIN ASSEMBLY          [PENDING]       LIVE/vader_toctou.c
                                               All BBs fused. The weapon.
☐ LOCAL TESTING                [PENDING]       Test on build machine.
☐ TARGET DEPLOYMENT            [PENDING]       Deploy to target laptop.
☐ AFTER ACTION REPORT          [PENDING]       Document results.
                                               Academic submission.
```
---
## ANNEX A - BACKGROUND (OPERATIONAL JOURNAL)
### Why Custom Code
I spent weeks studying published Defender exploits - RedSun, GreenPlasma, BlueHammer,
MiniPlasma, RoguePlanet. All by the same researcher (Nightmare Eclipse). I forked
RedSun as "GaySun," mutated strings, XOR-encoded the service name, neutralised printf
signatures. Clean compile, zero sig strings in the binary via `findstr`.
Still detected. `Exploit:Win32/DfndrPERedSun.BC`.
The string mutations beat Layer 2 (YARA-style string sigs) but not Layer 3 (PE
structure / import table fingerprinting). RedSun uses CldApi.dll for the Cloud Files
API - that import alone is a distinctive fingerprint. Defender matches the import
table topology, not just the strings.
Then I tested RoguePlanet (June 2026, latest from Nightmare Eclipse - uses virtual
disk mounts instead of CF_API). Also detected: `Exploit:Win32/DfndrRugPlnt.BB`.
Signatured within 4 days of publication.
**Lesson learned:** Every public PoC gets signatured faster than you can mutate it.
The only exploit that works on the day you need it is the one nobody has seen before.
### The Custom Approach
Same vulnerability class (TOCTOU in Defender's RTP quarantine flow), completely
different implementation:
- No CldApi.dll (RedSun's fingerprint)
- No virtdisk.lib (RoguePlanet's fingerprint)
- No published source code - no existing Defender signatures
- Standard Win32 imports only (kernel32.dll) - looks like any C program
- XOR-encoded trigger (EICAR) so the binary itself is clean under static analysis
### 2026-06-13 - Project Stood Up
- Wrote 11-chapter field manual covering every API and concept needed
- Created 7 dry fire test programs for hands-on API experimentation
- Ported 3 annotated building blocks from prior engagement analysis
- Split from `offsec-vader-assessment` (concluded - published exploit work was a dead end)
- This repo is the custom exploit built from first principles. Clean slate.
---
## ANNEX B - OPERATIONAL LOG
### 2026-06-13 / 0600-2359Z - FULL STANDUP
**SITUATION:** Project split from `offsec-vader-assessment` (dead end - published exploits all signatured). Custom exploit development initiated from first principles.
**ACTIONS COMPLETED:**
```
TIME   ACTION                                                    STATUS
──────────────────────────────────────────────────────────────────────────
0600   Field Manual authored - 11 chapters (BOOK/)               [DONE]
       Ch00 Overview through Ch10 Full Kill Chain.
       All chapters rewritten with infantry/warfare
       doctrine framing.
0800   Dry Fire Drills created - 7 programs (TESTS/)             [DONE]
       test01_handles through test07_junction.
       Standalone, safe, no Defender interaction.
0900   Building Blocks annotated - 3 sources                     [DONE]
       bb1_junction_annotated.c - junction ops
       bb2_oplock_annotated.c   - oplock tripwire
       bb3_trigger_annotated.c  - EICAR deployment
       All rewritten with military annotations.
0930   BB2 FILE_SHARE_DELETE bug fixed                           [DONE]
       Missing share flag caused oplock to break
       on Defender open. Critical race condition fix.
0945   BB3 misleading header corrected                           [DONE]
       Header implied full chain - actually just
       EICAR trigger component. Fixed.
1000   GLOSSARY.md created (BOOK/)                               [DONE]
       80+ military-to-technical term mappings.
       Field reference card for all doctrine.
1030   TRAINING_BOARD.md created                                 [DONE]
       38-item operator qualification checklist.
       Maps to every chapter and building block.
1100   README.md rewritten as 5-paragraph OPORD                  [DONE]
       Full military operations order format.
       Situation, Mission, Execution, S&S, C&S.
1200   Defender SITREP script created                            [DONE]
       test_defender_rtp.ps1 - enumerates target
       RTP status, HVCI, tamper protection, etc.
1300   Dev environment setup chapter added (00A)                 [DONE]
       VS2022 install, vcvars64, cl.exe verification.
1400   Full kill chain weapon authored                           [DONE]
       vader_toctou_annotated.c - all BBs fused
       into single annotated reference weapon.
1500   Consistency audit performed                               [DONE]
       14 PASS / 7 FAIL / 10 ENHANCE.
       Critical bugs from audit fixed in-session.
1700   All materials pushed to GitHub                            [DONE]
       rainfantry/vader-toctou - clean repo.
```
**OPERATOR POSITION (LIVE/ FILES):**
```
FILE                       STATUS          NOTES
──────────────────────────────────────────────────────────────────────
LIVE/bb1_junction.c        [IN PROGRESS]   #includes, typedef, and
                                           CreateJunction() through
                                           memcpy line TYPED.
                                           NEXT: DeviceIoControl block,
                                           free/CloseHandle cleanup,
                                           main() function.
LIVE/bb2_oplock.c          [PENDING]       After bb1 compile/test.
LIVE/bb3_trigger.c         [PENDING]       After bb2 compile/test.
LIVE/vader_toctou.c        [PENDING]       Full chain. Last to write.
```
**NEXT SESSION BATTLE PLAN:**
1. Finish typing `bb1_junction.c` - DeviceIoControl call + main()
2. Compile bb1: `cl.exe bb1_junction.c /Fe:bb1.exe /O1 /GS- /W4`
3. Test bb1 - verify junction creation works on controlled dirs
4. Begin `bb2_oplock.c` - guided, line by line from field manual
5. Run `test_defender_rtp.ps1` - get current target SITREP
6. Eventually: `vader_toctou.c` in LIVE/ - the complete weapon
**OPEN ITEMS (FROM CONSISTENCY AUDIT):**
```
ITEM                                         PRIORITY   STATUS
──────────────────────────────────────────────────────────────────────
Ch04 IOCTL number system section -           LOW        [ENHANCE]
  needs more operator engagement hooks
Ch02 path namespaces - add "try this         LOW        [ENHANCE]
  in terminal" practical exercise
Ch01 unused kernel object types in           LOW        [ENHANCE]
  table (Mutex, Section) - trim or
  justify their inclusion
Ch10 Payload Strategies section -            MED        [ENHANCE]
  needs code examples for each strategy
Timeout values across chapters -             MED        [FIXED]
  standardized to 30s / 15-50ms gap
Timing margin numbers - reconciled           MED        [FIXED]
  to canonical 30-250x across all chapters
```
---
> *"Everyone has a plan until they get punched in the mouth."*
> - Not relevant here. The oplock IS the punch. Defender doesn't get to plan.
---
**ACKNOWLEDGE RECEIPT. EXECUTE ON ORDER.**