“According to the research published by Hackmosphere, the technique works by avoiding the conventional execution path where applications call Windows API functions through libraries like kernel32.dll, which then forwards requests to ntdll.dll before making the actual system call to the kernel.”
Additional Information:
https://www.hackmosphere.fr/bypass-windows-defender-antivirus-2025-part-1/
https://www.hackmosphere.fr/bypass-windows-defender-antivirus-2025-part-2/
Ftfy. not all CPUs have an xor register with itself instruction.
There are a lot more architectures than just x86 that are capable of XORing a register with itself (ie. ARM and RISC-V), and if you took OP to mean the accumulation register specifically, pretty much all CPUs going back as far as I can think have had that functionality.
Yes, but it’s not universal that xoring a register with itself is more performant than simply loading it with 0.
I never made that claim, nor did the person you corrected.
Yes, but that’s why x86 assembly programmers do it…
No argument there. It’s also why it’s done in ARM, 8080, SM83, z80, 6502, and basically every other assembly language. It’s only not done in RISC-V because you can fold 0 into any instruction as an operand, therefore eliminating the need to clear a register before an instruction.
So why correct the person with a more narrow claim that makes it seem like xor being faster than loading zero is a rarity in CPU architectures? If I said “birds can fly”, and your response was “eagles can fly. Ftfy. Not all birds can fly”, it would be both true and utterly unhelpful.
Hey look, I’m good at something.