Reverse Engineering on Windows Without Symbols or Source (Part One)
Klogixsecurity
Blog post describing reverse engineering techniques, including a review of calling conventions and what to do if your binary doesn't have symbols.
Other blogs
Methodology
#reverse
#windows
Decrease Entropy of Shellcode
The more predictable you are, the less you get detected: hiding malicious shellcode via Shannon encoding.
#shellcode
#evasion
The .NET Export Portal
Via XPN
A while back I published a post looking at how to craft a .NET assembly which exposes managed code via DLL exports, RunDLL32 your .NET.
While working on some tooling recently I revisited this topic and wanted to know just why this works in the way that it does. After all, by now we’ve all seen the COM calls required to spin up the CLR, so what makes unmanaged exports so special?
#reverse
#dotnet
New blog on using CLR customizations to improve the OPSEC of your .NET execution harness. This includes a novel AMSI bypass that the author identified in 2023. By taking control of CLR assembly loads, we can load assemblies from memory with no AMSI scan.
A proof-of-concept for the AMSI bypass and an implementation of a CLR memory manager are on GitHub. We can implement custom memory routines and track all allocations made by the CLR.
https://github.com/passthehashbrowns/Being-A-Good-CLR-Host
Related Works and Resources
HostingCLR – Original implementation of CLR hosting
InlineExecute-Assembly – Original implementation of executing .NET assemblies as a BOF
Dealing with Failure: Failure Escalation Policy in CLR Hosts – This is the only real example I could find of offensive tradecraft using CLR Customizations when I was initially doing this research.
Hosted Pumpkin – A GitHub repository containing a proof-of-concept for implementing several CLR Customizations.
Shellcode: Loading .NET Assemblies From Memory – Donut was a great deal of help in wrangling all of the relevant data structures and definitions in C.
Customizing the Microsoft .NET Framework Common Language Runtime by Steven Pratschner – This is the definitive text on CLR Customizations. Simply a must-read if you have any interest in this area.
#redteam #net #clr #dotnet
Forwarded from Order of Six Angles
fluxsec.red
Windows 11 Alternate Syscalls Deep Dive
A comprehensive technical walkthrough of Windows 11 Alternate Syscalls: allocating executable thunks, building the dispatch table, patching PspServiceDescriptorGroupTable, handling PspSyscallProviderServiceDispatchGeneric, and caching syscall arguments. Includes…
Feeling overwhelmed trying to learn security research? (Analyzing the PayloadRestrictions.dll Export Address Filtering)
Check out the "Process of Step-by-Step" by Yarden Shafir — a great resource that breaks it down clearly.
#research #reverse #internals
Windows Anti-Debug techniques - OpenProcess filtering
"OBREGISTERCALLBACKS AND COUNTERMEASURES"
Debugging AV
XPN InfoSec Blog
@_xpn_ - Windows Anti-Debug techniques - OpenProcess filtering
This week I took a break from SYSTEM chasing to review some anti-debugging techniques. With quite a few Bug Bounty programs available relying on client-side applications, I thought I'd share one of the techniques used by numerous security products (and apparently…