Windows 0day Usermode Exploit: Syscall Hooks, Signed Module Payloads [NEW]

**Runo** · OP Posted at 03-11-2025, 11:43 PM

Hey,

We are selling our new Windows 0-day exploit in our Telegram channel. We have discovered it yesterday. It intercepts exceptions in processes and runs your malicious code system-wide. It works perfectly. PoC is ready and works on PowerShell, OneDrive, Notepad. Includes syscall hooking and pointer swapping.
It works in usermode, so it is very stealthy with no crashes or detections. You run a file with the exploit. It waits for an exception in the target process, like an error. Then it swaps a pointer in memory to point to your code. Your code runs inside signed system modules, like ntdll.dll or kernel32.dll. No one in usermode sees it.
What it can do:

Hook syscalls, like ReadProcessMemory or VirtualAllocEx. When the system calls them, your code runs first. This gives control over memory and processes.
Execute payloads like RATs or stealers in trusted apps. For example, run commands in PowerShell or leak files from OneDrive. It can spread to other processes without alerts.
For WoW, it hooks Warden and runs Lua code without taint protections. You can do custom functions, rotations, or automation hidden from checks.

Tested on Windows 10 22H2 and Windows 11 24H2. PoC shows it working on real processes.
It is simple to use. PoC is included so you can test the injection right away.

>>> TELEGRAM CHANNEL / CONTACT <<<