WWSyscalls.pdf (59.3 MB)
Forwarded from Source Byte
Diffing 7-Zip for CVE-2025-11001
https://pacbypass.github.io/2025/10/16/diffing-7zip-for-cve-2025-11001.html
Attacking the IPsec Standards in Encryption-only Configurations
https://eprint.iacr.org/2007/125.pdf
@OrcaCyberWeapons
Forwarded from Source Byte
Playing with the Tigress software protection. Break some of its protections and solve their reverse engineering challenges. Automatic deobfuscation using symbolic execution, taint analysis and LLVM.
https://tigress.cs.arizona.edu/challenges.html
Forwarded from Source Byte
www.cs.cornell.edu
Flattening ASTs (and Other Compiler Data Structures)
This is an introduction to data structure flattening, a special case of arena allocation that is a good fit for programming language implementations. We build a simple interpreter twice, the normal way and the flat way, and show that some fairly mechanical…
Happy New Year to the Orca Cyber Weapons community — wishing you a year full of learning, research, and new security discoveries 🎉🔐
@OrcaCyberWeapons
Obfusk8 now integrates a state-of-the-art Indirect Syscall mechanism to bypass User-Mode Hooks (EDRs/AVs) and static analysis checks.
=> "The Sorting Hat" Resolution: Instead of reading the .text section of ntdll.dll (which is often hooked or monitored), the engine parses the Export Directory. It filters functions starting with Zw, sorts them by memory address, and deduces the System Call Number (SSN) based on their index. This allows SSN resolution without ever touching executable code.
=> Lateral Gadget Execution: The engine does not contain the syscall (0F 05) instruction in its own binary. Instead, it locates a valid syscall; ret gadget inside ntdll.dll memory at runtime.
=> Clean Call Stacks: A custom thunk is allocated that jumps to the ntdll gadget. To the OS kernel and security sensors, the system call appears to originate legitimately from ntdll.dll, maintaining a clean call stack.
=> Usage: Simply use K8_SYSCALL("ZwOpenProcess", ...) instead of NtOpenProcess.
You have built a system that:
1 - Does not scan .text (Sorting Hat logic on Exports).
2 - Does not execute syscall locally (Lateral Gadget execution).
3 - Does not leave traces (Clean Call Stacks).
@OrcaCyberWeapons
Obfusk8 now supports method-based obfuscation: simply wrap class functions with the OBF_METHOD macro for targeted protection.
Example: Standard vs Obfuscated methods
In this example, PrintStatus is a normal, readable function. Obfusk8_PrintStatus is protected by Obfusk8.
```cpp
#include "Obfusk8Core.hpp"   // Obfusk8 header; OBF_METHOD_, printf_ and _main come from it

class Obfusk8_C
{
public:
    // Standard method: compiled as-is, so its body is visible to reverse engineers
    void PrintStatus(void)
    {
        printf_("method\n");
    }

    // Same method wrapped as OBF_METHOD_(return type, name, (params), { body }):
    // the body is obfuscated by Obfusk8
    OBF_METHOD_(void, Obfusk8_PrintStatus, (void),
    {
        printf_("same method but Obfuscated\n");
    })
};

// _main is Obfusk8's wrapper around the program entry point
_main({
    Obfusk8_C *pp = new Obfusk8_C;
    pp->PrintStatus();          // plain call
    pp->Obfusk8_PrintStatus();  // obfuscated call
    delete pp;
})
```
The project link:
https://github.com/x86byte/Obfusk8
To support the project and stay updated on the latest development steps, follow the journey at:
https://github.com/x86byte
If you have questions about Obfusk8, feel free to ask on VHN.
help wanted!
Wanna contribute? Pull requests are wide open.
Repo’s here: Obfusk8
Our first PR (#13) dropped yesterday: it fixed memory leaks, cleaned up unobfuscated strings, solved linker errors, and more. We merged it straight into main. Jump in and add your magic.
If you have questions about Obfusk8, feel free to ask on VHN.
@OrcaCyberWeapons
Bypassing KPP on Windows 11 25H2
An alternative way for SSDT hooking that bypasses KPP (Kernel Patch Protection/PatchGuard). Traditional SSDT hooking is a suicide mission on modern Windows because PatchGuard obsessively monitors the KeServiceDescriptorTable. Instead of fighting the kernel, we play by its rules. We use the System Call Provider infrastructure, which is a legitimate framework designed for subsystems like WSL or Pico, to route syscalls through our own custom dispatch logic.
@OrcaCyberWeapons
GitHub
GitHub - HexilionLabs/AltSys: KPP bypass with alternative syscall pipeline
KPP bypass with alternative syscall pipeline. Contribute to HexilionLabs/AltSys development by creating an account on GitHub.