Analysis malicious signed Driver
Learn how to find, reverse a killer driver.
Learn how to find, reverse a killer driver.
👾8
Red Team Tactics: Writing Windows Kernel Drivers for Advanced Persistence (Part 1)
Red Team Tactics: Writing Windows Kernel Drivers for Advanced Persistence (Part 2)
Red Team Tactics: Writing Windows Kernel Drivers for Advanced Persistence (Part 2)
This post, as indicated by the noscript, will cover the topic of writing Windows kernel drivers for advanced persistence. Because the subject matter is relatively complex, I have decided to divide the project into a three or a four part series. This being the first post in the series, it will cover the fundamental information you need to know to get started with kernel development. This includes setting up a development environment, configuring remote kernel debugging and writing your first “Hello World” driver.
👾10
Windows security
Bypass Azure Admin Approval Mode for User Consent Workflow When Enumerating
Finding TeamViewer 0days - Part III
Finding TeamViewer 0days - Part II
Finding TeamViewer 0days - Part I
Diamond Y Sapphire Tickets
Diamond And Sapphire Tickets
Playing With Windows Security - Part 2
Playing With Windows Security - Part 1
https://pgj11.com/categories/windows-security/
1👾8
Forwarded from Order of Six Angles
Reverse engineering a Lumma infection
https://labs.withsecure.com/publications/reverse-engineering-a-lumma-infection
https://labs.withsecure.com/publications/reverse-engineering-a-lumma-infection
Withsecure
Reverse engineering a Lumma infection
Lumma is an information stealer that the WithSecure Detection and Response Team (DRT) have encountered several times. It has seen wider use over the past couple of years, and makes for an interesting threat to monitor.
In this post we will focus on a Lumma…
In this post we will focus on a Lumma…
Forwarded from Cafe Security (Mohammad)
Macro-header for compile-time C obfuscation (tcc, win x86/x64)
https://github.com/DosX-dev/obfus.h
@cafe_security
https://github.com/DosX-dev/obfus.h
@cafe_security
GitHub
GitHub - DosX-dev/obfus.h: Macro-header for compile-time C obfuscation (tcc, win x86/x64)
Macro-header for compile-time C obfuscation (tcc, win x86/x64) - DosX-dev/obfus.h
👾2
UACMe
#uac_bypass
Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor. This project demonstrates various UAC bypass techniques and serves as an educational resource for understanding Windows security mechanisms.
#uac_bypass
👾7
ida-pro_92_x64win.exe
505.5 MB
IDA Pro 9.2 Beta 2 Windows
source: http://xjepeflts2qwhqb77bw5vj6xguve56rpyeoxibztd7t7fehxxowt5fad.onion/9.2/, https://bbs.kanxue.com/thread-287796.htm, https://www.52pojie.cn/thread-2049414-1-1.html
VT: https://www.virustotal.com/gui/file/894fca47a5f0f9f7a0790013073dbaf38a50540ae9c336533f3ebb5a0bf27280/details (signed by Hex-Rays)
same keygen
source: http://xjepeflts2qwhqb77bw5vj6xguve56rpyeoxibztd7t7fehxxowt5fad.onion/9.2/, https://bbs.kanxue.com/thread-287796.htm, https://www.52pojie.cn/thread-2049414-1-1.html
$ sha256sum *
894fca47a5f0f9f7a0790013073dbaf38a50540ae9c336533f3ebb5a0bf27280 ida-pro_92_x64win.exe
VT: https://www.virustotal.com/gui/file/894fca47a5f0f9f7a0790013073dbaf38a50540ae9c336533f3ebb5a0bf27280/details (signed by Hex-Rays)
same keygen
👾12
Forwarded from Threat Hunting Father 🦔
В бразильском IR-кейсе Kaspersky зафиксировал новый AV-киллер, работающий по схеме BYOVD (Bring Your Own Vulnerable Driver).
Атакующие принесли с собой легитимный драйвер ThrottleStop.sys (TechPowerUp, сертификат DigiCert, 2020), чтобы выключить защиту на уровне ядра и спокойно запустить MedusaLocker.
Первичный доступ — валидные RDP-учётки (SMTP-сервер, подключение из Бельгии).
PrivEsc + Lateral Movement — Mimikatz → Pass-the-Hash (
Invoke-WMIExec.ps1, Invoke-SMBExec.ps1), массовое создание локальных админов (User1, User2...).Деплой артефактов —
ThrottleBlood.sys (уязвимый драйвер) и All.exe (киллер AV) → сначала C:\Users\Administrator\Music, потом на другие хосты в C:\Users\UserN\Pictures.Выключение защиты — через уязвимые IOCTL-коды драйвера (
MmMapIoSpace) малварь модифицирует NtAddAtom и вызывает PsLookupProcessById + PsTerminateProcess для убийства AV.Финал — загрузка и запуск MedusaLocker (
haz8.exe) на уже «раздетых» системах.Hardcode: список процессов всех топ-вендоров (𝗛𝗮𝗿𝗱𝗰𝗼𝗱𝗲𝗱 𝘃𝗲𝗻𝗱𝗼𝗿 𝗹𝗶𝘀𝘁:
— 𝗠𝗶𝗰𝗿𝗼𝘀𝗼𝗳𝘁 𝗗𝗲𝗳𝗲𝗻𝗱𝗲𝗿 (
MsMpEng.exe, SecurityHealthService.exe, etc.)— 𝗞𝗮𝘀𝗽𝗲𝗿𝘀𝗸𝘆 (
avp.exe, klnagent.exe, etc.)— 𝗕𝗶𝘁𝗗𝗲𝗳𝗲𝗻𝗱𝗲𝗿 (
bdservicehost.exe, BDAvScanner.exe, etc.)— 𝗖𝗿𝗼𝘄𝗱𝗦𝘁𝗿𝗶𝗸𝗲 (
CSFalconService.exe, CSFalconUI.exe)— 𝗘𝗦𝗘𝗧 (
ekrn.exe, egui.exe, etc.)— 𝗦𝘆𝗺𝗮𝗻𝘁𝗲𝗰 / 𝗕𝗿𝗼𝗮𝗱𝗰𝗼𝗺 (
ccSvcHst.exe, SepMasterService.exe, etc.)— 𝗠𝗰𝗔𝗳𝗲𝗲 / 𝗧𝗿𝗲𝗹𝗹𝗶𝘅 (
mfevtps.exe)— 𝗦𝗼𝗽𝗵𝗼𝘀 (
SEDService.exe, SophosHealth.exe, etc.)— 𝗦𝗲𝗻𝘁𝗶𝗻𝗲𝗹𝗢𝗻𝗲 (
SentinelAgent.exe, SentinelServiceHost.exe)— 𝗔𝘃𝗮𝘀𝘁 / 𝗔𝗩𝗚 (
AvastSvc.exe, AVGSvc.exe, etc.)— 𝗤𝘂𝗶𝗰𝗸 𝗛𝗲𝗮𝗹 (
QHPISVR.EXE, SAPISSVC.EXE)— 𝗣𝗮𝗻𝗱𝗮 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 (
PSUAService.exe, PSUAMain.exe)).Kernel R/W: получение base address ядра (
NtQuerySystemInformation → SystemModuleInformation), перевод виртуальных адресов в физические (Superfetch technique).Hook: патч
NtAddAtom → shellcode → вызов целевой функции ядра → восстановление оригинального кода.Persistence loop: при перезапуске службы AV — мгновенное повторное убийство.
🌍 География
Атака активна с октября 2024, жертвы: 🇧🇷 Бразилия, 🇷🇺 Россия, 🇧🇾 Беларусь, 🇰🇿 Казахстан, 🇺🇦 Украина.
Уязвимость получила CVE-2025-7771.
Blocklist уязвимых драйверов (ThrottleStop.sys / ThrottleBlood.sys).
MFA и ограничение RDP-доступа, отключение публикации в интернет.
EDR с самозащитой и контролем загрузки драйверов.
Сегментация сети и whitelisting приложений.
Мониторинг аномалий DeviceIoControl и NtAddAtom.
Please open Telegram to view this post
VIEW IN TELEGRAM
Please open Telegram to view this post
VIEW IN TELEGRAM
👾7
Scorpio_Advanced_Windows_Kernel_Programming_w_Pavel_Yosifovich_2023.rar
543.7 MB
Module 0 : Introduction
Module 1 : Windows Internals Overview
Module 2 : The I/O System
Module 3 : Device Driver Basics
Module 4 : The I/O Request Packet
Module 5 : Kernel Mechanisms
Module 6 : Process and Thread Monitoring
Module 7 : Object and Registry Notifications
Module 8 : File System Mini-Filters Fundamentals
Module 9 : Miscellaneous Techniques
Scorpio Advanced Windows Kernel Programming w Pavel Yosifovich (2023)
👾12