1734722992877.pdf
1 MB
Exploring Kernel Callbacks in Windows for Red Teamers / Developers
Media is too big
VIEW IN TELEGRAM
Callback objects- everything you didn't know
#edr #windows
https://codemachine.com/articles/kernel_callback_functions.html
https://youtu.be/lnv4GYKS_jI?si=El4rDdW6bpy1puoM
#edr #windows
👾1
When the hunter becomes the hunted: Using custom callbacks to disable EDRs
How can we use that functions?
#edr #malware_dev
Security software and EDR systems register their process creation callbacks in this array using functions such as PsSetCreateProcessNotifyRoutine, PsSetCreateProcessNotifyRoutineEx, and PsSetCreateProcessNotifyRoutineEx2. Each of these functions allows drivers to add their specific callbacks to the array, enabling them to monitor process creation events effectively.
How can we use that functions?
#edr #malware_dev
👾2
Forwarded from Fuzzing Story
__attribute__ в языках С и С++Недавно изучил интересную возможность языка С - атрибуты функций и переменных. К примеру, с помощью атрибутов можно написать код, который выполнится до и после функции
main (#include <stdio.h>
__attribute__ ((constructor)) void before() {
printf("%s\n", "before");
}
__attribute__ ((destructor)) void after() {
printf("%s\n", "after");
}
int main()
{
printf("%s\n", "inside main");
return 0;
}
После запуска этого кода stdout будет таким:
before
inside main
after
__attribute__ были введены в GCC начиная с версии 2.0 , выпущенной в 1992 году как часть расширений, позже вошли в стандарт. Они предоставляют разработчикам гибкость при работе с компилятором, особенно в контексте низкоуровневого программирования, оптимизации и взаимодействия с аппаратным обеспечением.
Атрибуты позволяют:
- Указывать особенности функций, например, что функция является "чистой" (
pure) или "константной" (const), чтобы компилятор мог применять оптимизации.- Контролировать выравнивание данных в памяти
int x __attribute__ ((aligned (16))) = 0;- Управлять порядком инициализации глобальных переменных.
- Запрещать вызов функций, которые нattributeваться
__attribute__((deprecated))attributeлы __attribute__((weak)), которые могут быть переопределены сильными.// Эта функция никогда не возвращает управление
void __attribute__((noreturn)) exit_function() {
while (1);
}
Начиная с C++11 атрибуты так же поддерживаются в плюсах, как часть официального стандарта, до этого при использовании атрибутов компилятор
g++ вызывал gcc чтобы скомпилировать объектные файлы с атрибутами.С момента введения атрибутов в стандарте языка C++, появился новый синтаксис, атрибуты стали записываться через
[[attribute]]. Поэтому сейчас существует разница в синтаксисе:// В стиле GCC
void __attribute__((noreturn)) terminate();
// В стиле C++
[[noreturn]] void terminate();
#cpp
Please open Telegram to view this post
VIEW IN TELEGRAM
Shellcode_Loader_RT.pdf
4.4 MB
"My First And Last Shellcode Loader", 2025.
Collect Windows telemetry for Maldev
Stealthily inject shellcode into an executable
MalDev Myths
👾17
what is Windows software trace preprocessor (WPP)?
MSDN
Data Source Analysis and Dynamic Windows RE using WPP and TraceLogging
#reverse
MSDN
Data Source Analysis and Dynamic Windows RE using WPP and TraceLogging
Whether analyzing a Windows binary or assessing new data sources for detection engineering purposes, using lesser known tracing mechanisms, Windows software trace preprocessor (WPP) and TraceLogging offer a potential goldmine of valuable information that has been right under your nose. Both WPP and TraceLogging were designed primarily for debugging purposes but potentially offer reverse engineers, vulnerability researchers, and detection engineers an opportunity to peer inside Windows binaries all without requiring a debugger.
#reverse
👾7
Analysis malicious signed Driver
Learn how to find, reverse a killer driver.
Learn how to find, reverse a killer driver.
👾8
Red Team Tactics: Writing Windows Kernel Drivers for Advanced Persistence (Part 1)
Red Team Tactics: Writing Windows Kernel Drivers for Advanced Persistence (Part 2)
Red Team Tactics: Writing Windows Kernel Drivers for Advanced Persistence (Part 2)
This post, as indicated by the noscript, will cover the topic of writing Windows kernel drivers for advanced persistence. Because the subject matter is relatively complex, I have decided to divide the project into a three or a four part series. This being the first post in the series, it will cover the fundamental information you need to know to get started with kernel development. This includes setting up a development environment, configuring remote kernel debugging and writing your first “Hello World” driver.
👾10
Windows security
Bypass Azure Admin Approval Mode for User Consent Workflow When Enumerating
Finding TeamViewer 0days - Part III
Finding TeamViewer 0days - Part II
Finding TeamViewer 0days - Part I
Diamond Y Sapphire Tickets
Diamond And Sapphire Tickets
Playing With Windows Security - Part 2
Playing With Windows Security - Part 1
https://pgj11.com/categories/windows-security/
1👾8
Forwarded from Order of Six Angles
Reverse engineering a Lumma infection
https://labs.withsecure.com/publications/reverse-engineering-a-lumma-infection
https://labs.withsecure.com/publications/reverse-engineering-a-lumma-infection
Withsecure
Reverse engineering a Lumma infection
Lumma is an information stealer that the WithSecure Detection and Response Team (DRT) have encountered several times. It has seen wider use over the past couple of years, and makes for an interesting threat to monitor.
In this post we will focus on a Lumma…
In this post we will focus on a Lumma…
Forwarded from Cafe Security (Mohammad)
Macro-header for compile-time C obfuscation (tcc, win x86/x64)
https://github.com/DosX-dev/obfus.h
@cafe_security
https://github.com/DosX-dev/obfus.h
@cafe_security
GitHub
GitHub - DosX-dev/obfus.h: Macro-header for compile-time C obfuscation (tcc, win x86/x64)
Macro-header for compile-time C obfuscation (tcc, win x86/x64) - DosX-dev/obfus.h
👾2
UACMe
#uac_bypass
Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor. This project demonstrates various UAC bypass techniques and serves as an educational resource for understanding Windows security mechanisms.
#uac_bypass
👾7