From Windows drivers to a almost fully working EDR
https://blog.whiteflag.io/blog/from-windows-drivers-to-a-almost-fully-working-edr
@reverseengine
https://blog.whiteflag.io/blog/from-windows-drivers-to-a-almost-fully-working-edr
@reverseengine
blog.whiteflag.io
From Windows drivers to a almost fully working EDR
In this article we will see how Windows drivers work, how to create one and, in the end, we will develope a custom EDR that will rely on kernel callback functions, static analysis and API hooking.
❤2
FirmWire is a full-system baseband firmware emulation platform for fuzzing, debugging, and root-cause analysis of smartphone baseband firmwares
https://github.com/FirmWire/FirmWire
@reverseengine
https://github.com/FirmWire/FirmWire
@reverseengine
GitHub
GitHub - FirmWire/FirmWire: FirmWire is a full-system baseband firmware emulation platform for fuzzing, debugging, and root-cause…
FirmWire is a full-system baseband firmware emulation platform for fuzzing, debugging, and root-cause analysis of smartphone baseband firmwares - FirmWire/FirmWire
❤2
Debugging and Reversing ALPC
https://csandker.io/2022/05/29/Debugging-And-Reversing-ALPC.html
@reverseengine
https://csandker.io/2022/05/29/Debugging-And-Reversing-ALPC.html
@reverseengine
csandker.io
Debugging and Reversing ALPC
This post is an addendum to my journey to discover and verify the internals of ALPC, which I've documented in Offensive Windows IPC Internals 3: ALPC. While preparing this blog I figured a second post, explaining the debugging steps I took to verify and discover…
🔥2
DJI - The ART of obfuscation
https://blog.quarkslab.com/dji-the-art-of-obfuscation.html
@reverseengine
https://blog.quarkslab.com/dji-the-art-of-obfuscation.html
@reverseengine
Quarkslab
DJI - The ART of obfuscation - Quarkslab's blog
Study of an Android runtime (ART) hijacking mechanism for bytecode injection through a step-by-step analysis of the packer used to protect the DJI Pilot Android application.
🔥2
LayeredSyscall – Abusing VEH to Bypass EDRs
https://whiteknightlabs.com/2024/07/31/layeredsyscall-abusing-veh-to-bypass-edrs
@reverseengine
https://whiteknightlabs.com/2024/07/31/layeredsyscall-abusing-veh-to-bypass-edrs
@reverseengine
White Knight Labs
LayeredSyscall - Abusing VEH to Bypass EDRs | White Knight Labs
Generating legitimate call stack frame along with indirect syscalls by abusing Vectored Exception Handling (VEH) to bypass User-Land EDR hooks in Windows.
🔥2
Rusty Bootkit - Windows UEFI Bootkit in Rust (Codename: RedLotus)
https://github.com/memN0ps/bootkit-rs
@reverseengine
https://github.com/memN0ps/bootkit-rs
@reverseengine
GitHub
GitHub - memN0ps/redlotus-rs: Rusty Bootkit - Windows UEFI Bootkit in Rust (Codename: RedLotus)
Rusty Bootkit - Windows UEFI Bootkit in Rust (Codename: RedLotus) - memN0ps/redlotus-rs
❤2
A Linux eBPF rootkit with a backdoor C2 library injection execution hijacking persistence and stealth capabilities
https://github.com/h3xduck/TripleCross
@reverseengine
https://github.com/h3xduck/TripleCross
@reverseengine
GitHub
GitHub - h3xduck/TripleCross: A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and…
A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities. - h3xduck/TripleCross
❤2
Forwarded from Sec Note
G3tSyst3m's Infosec Blog
PIC Shellcode from the Ground up - Part 2
Let’s PIC back up where we left off shall we? 😸 I gave you the framework for developing PIC friendly shellcode back in Part 1. We went from the original code written in a high level language (C++), down to a pseudo low level representation of that C++ code.…
❤2
Forwarded from Source Byte
Morphisec Thwarts Russian-Linked StealC V2 Campaign Targeting Blender Users via Malicious .blend Files
https://www.morphisec.com/blog/morphisec-thwarts-russian-linked-stealc-v2-campaign-targeting-blender-users-via-malicious-blend-files/
https://www.morphisec.com/blog/morphisec-thwarts-russian-linked-stealc-v2-campaign-targeting-blender-users-via-malicious-blend-files/
❤3
Binary Ninja 3.0 The Next Chapter (Pseudo C decompile!)
https://binary.ninja/2022/01/27/3.0-the-next-chapter.html
@reverseengine
https://binary.ninja/2022/01/27/3.0-the-next-chapter.html
@reverseengine
Binary Ninja
Binary Ninja - 3.0 The Next Chapter
Binary Ninja is a modern reverse engineering platform with a noscriptable and extensible decompiler.
❤3
HashDB is a free community-sourced library of hashing algorithms used in malware, with an IDA plugin!
API
https://hashdb.openanalysis.net/
IDA Plugin
https://github.com/OALabs/hashdb-ida
Add Custom Algorithms
https://github.com/OALabs/hashdb
@reverseengine
API
https://hashdb.openanalysis.net/
IDA Plugin
https://github.com/OALabs/hashdb-ida
Add Custom Algorithms
https://github.com/OALabs/hashdb
@reverseengine
GitHub
GitHub - OALabs/hashdb-ida: HashDB API hash lookup plugin for IDA Pro
HashDB API hash lookup plugin for IDA Pro. Contribute to OALabs/hashdb-ida development by creating an account on GitHub.
❤4
❤4
Forwarded from Fuzzing ZONE (0x0F1)
Analysis of Encryption Structure of Yurei Ransomware Go-based Builder
https://asec.ahnlab.com/en/90975/
@FUZZ0x
https://asec.ahnlab.com/en/90975/
@FUZZ0x
ASEC
Analysis of Encryption Structure of Yurei Ransomware Go-based Builder - ASEC
Analysis of Encryption Structure of Yurei Ransomware Go-based Builder ASEC
❤4
File Tunnel
https://github.com/fiddyschmitt/File-Tunnel
Bypassing a firewall:
Tunnel TCP through RDP:
@reverseengine
https://github.com/fiddyschmitt/File-Tunnel
Bypassing a firewall:
# Host A
ft.exe -L 5000:127.0.0.1:3389 --write "\\server\share\1.dat" --read "\\server\share\2.dat"
# Host B
ft.exe --read "\\server\share\1.dat" --write "\\server\share\2.dat"Tunnel TCP through RDP:
# Host A
ft.exe -L 5000:192.168.1.50:8888 --write "C:\Temp\1.dat" --read "C:\Temp\2.dat"
# Host B
ft.exe --read "\\tsclient\c\Temp\1.dat" --write "\\tsclient\c\Temp\2.dat"@reverseengine
GitHub
GitHub - fiddyschmitt/File-Tunnel: Tunnel TCP connections through a file
Tunnel TCP connections through a file. Contribute to fiddyschmitt/File-Tunnel development by creating an account on GitHub.
❤4
FlexibleFreet: macOS Malware Deploys in Fake Job Scams
https://www.jamf.com/blog/flexibleferret-malware-continues-to-adapt/
@reverseengine
https://www.jamf.com/blog/flexibleferret-malware-continues-to-adapt/
@reverseengine
Jamf
FlexibleFerret: macOS Malware Deploys in Fake Job Scams
Jamf Threat Labs analyzes the FlexibleFerret macOS malware, a threat that uses fake recruitment lures and social engineering to infect systems and steal credentials.
❤4
Locals متغیرهای محلی
هر متغیر محلی داخل استک فریم قرار میگیره
مثلا در C:
کامپایلر ممکنه این فریم رو بسازه:
|--------------------------|
| return address |
| previous RBP |
|--------------------------|
| a (4 bytes) |
| b (4 bytes) |
| padding (align) |
| c[10] (40 bytes) |
|--------------------------|
Saved Registers رجیسترهایی که باید ذخیره بشن
طبق ABI سه نوع register داریم:
نوعنیاز به ذخیره توسط callee
مثال
caller-savedنهRAX, RCX, RDX
callee-savedبلهRBX, RBP, R12-R15
specialبسته به شرایطRSP
پس اگر تابعی مثل این باشه:
کامپایلر باید RBX رو هم داخل فریم ذخیره کنه چون callee-saved هست
Spill slots وقتی رجیستر کم میاد
اگر تعداد متغیرها زیاد بشه رجیستر کم میاد و کامپایلر مجبور میشه بعضی مقدار ها رو داخل استک بریزه
مثلا:
برای اینا رجیستر کم میاد
میرن spill slot روی استک
Temporary space فضاهای موقت
کامپایلر برای کارهایی مثل call هایی که پارامتر زیاد دارن حافظه موقت روی استک میسازه
مثال:
ممکنه کامپایلر موقت همه رو داخل استک بچینه
Locals
Every local variable is placed in a stack frame
For example, in C:
The compiler may create this frame:
|--------------------------|
| return address |
| previous RBP |
|---------------------|
| a (4 bytes) |
| b (4 bytes) |
| padding (align) |
| c[10] (40 bytes) |
|---------------------|
Saved Registers Registers that need to be saved
According to the ABI, we have three types of registers:
Types that need to be saved by the callee
Example
caller-saved No RAX, RCX, RDX
callee-saved Yes RBX, RBP, R12-R15
special Depending on the RSP conditions
So if a function is like this:
The compiler must also store RBX in the frame because it is callee-saved
Spill slots when the register runs out
If the number of variables increases, the register runs out and the compiler is forced to push some values onto the stack
For example:
For this, the register runs out
They go to the spill slot on the stack
Temporary space Temporary spaces
The compiler creates temporary memory on the stack for tasks such as calls that have many parameters
For example:
The compiler may temporarily push everything onto the stack
@reverseengine
هر متغیر محلی داخل استک فریم قرار میگیره
مثلا در C:
void f() {
int a;
int b;
int c[10];
}
کامپایلر ممکنه این فریم رو بسازه:
|--------------------------|
| return address |
| previous RBP |
|--------------------------|
| a (4 bytes) |
| b (4 bytes) |
| padding (align) |
| c[10] (40 bytes) |
|--------------------------|
Saved Registers رجیسترهایی که باید ذخیره بشن
طبق ABI سه نوع register داریم:
نوعنیاز به ذخیره توسط callee
مثال
caller-savedنهRAX, RCX, RDX
callee-savedبلهRBX, RBP, R12-R15
specialبسته به شرایطRSP
پس اگر تابعی مثل این باشه:
void foo() {
int a;
int b;
// uses RBX
}
کامپایلر باید RBX رو هم داخل فریم ذخیره کنه چون callee-saved هست
Spill slots وقتی رجیستر کم میاد
اگر تعداد متغیرها زیاد بشه رجیستر کم میاد و کامپایلر مجبور میشه بعضی مقدار ها رو داخل استک بریزه
مثلا:
void f(int a, int b, int c, int d, int e, int f) {
....
}
برای اینا رجیستر کم میاد
میرن spill slot روی استک
Temporary space فضاهای موقت
کامپایلر برای کارهایی مثل call هایی که پارامتر زیاد دارن حافظه موقت روی استک میسازه
مثال:
printf("%d %d %d %d", a, b, c, d);
ممکنه کامپایلر موقت همه رو داخل استک بچینه
Locals
Every local variable is placed in a stack frame
For example, in C:
void f() {
int a;
int b;
int c[10];
}
The compiler may create this frame:
|--------------------------|
| return address |
| previous RBP |
|---------------------|
| a (4 bytes) |
| b (4 bytes) |
| padding (align) |
| c[10] (40 bytes) |
|---------------------|
Saved Registers Registers that need to be saved
According to the ABI, we have three types of registers:
Types that need to be saved by the callee
Example
caller-saved No RAX, RCX, RDX
callee-saved Yes RBX, RBP, R12-R15
special Depending on the RSP conditions
So if a function is like this:
void foo() {
int a;
int b;
// uses RBX
}
The compiler must also store RBX in the frame because it is callee-saved
Spill slots when the register runs out
If the number of variables increases, the register runs out and the compiler is forced to push some values onto the stack
For example:
void f(int a, int b, int c, int d, int e, int f) {
....
}
For this, the register runs out
They go to the spill slot on the stack
Temporary space Temporary spaces
The compiler creates temporary memory on the stack for tasks such as calls that have many parameters
For example:
printf("%d %d %d %d", a, b, c, d);
The compiler may temporarily push everything onto the stack
@reverseengine
❤4👍1
Red zone
فقط روی System V لینوکس/مک نه ویندوز
یک فضای 128 بایتی پایین تر از RSP که تابع بدون تغییر دادن RSP میتونه از اون استفاده کنه
ویندوز red zone نداره
همیشه فریم ساخته میشه؟
نه
مواردی که Stack Frame ساخته نمیشه:
تابع خیلی ساده باشد Leaf Function
اگر تابع هیچ تابع دیگری رو call نکنه
و رجیسترهای callee-saved رو استفاده نکنه
و متغیر محلی هم نداشته باشه
کامپایلر Frame رو حذف میکنه
مثال:
اسم این تکنیک:
Frame Omission Optimization
Red zone
Only on System V Linux/Mac, not Windows
A space 128 bytes below the RSP that a function can use without changing the RSP
Windows does not have a red zone
Is a frame always created?
No
Cases where a Stack Frame is not created:
The function is very simple Leaf Function
If the function does not call any other function
And does not use callee-saved registers
And does not have any local variables
The compiler will omit the Frame
Example:
Name of this technique:
Frame Omission Optimization
@reverseengine
فقط روی System V لینوکس/مک نه ویندوز
یک فضای 128 بایتی پایین تر از RSP که تابع بدون تغییر دادن RSP میتونه از اون استفاده کنه
ویندوز red zone نداره
همیشه فریم ساخته میشه؟
نه
مواردی که Stack Frame ساخته نمیشه:
تابع خیلی ساده باشد Leaf Function
اگر تابع هیچ تابع دیگری رو call نکنه
و رجیسترهای callee-saved رو استفاده نکنه
و متغیر محلی هم نداشته باشه
کامپایلر Frame رو حذف میکنه
مثال:
int add(int a, int b) {
return a + b;
}
اسم این تکنیک:
Frame Omission Optimization
Red zone
Only on System V Linux/Mac, not Windows
A space 128 bytes below the RSP that a function can use without changing the RSP
Windows does not have a red zone
Is a frame always created?
No
Cases where a Stack Frame is not created:
The function is very simple Leaf Function
If the function does not call any other function
And does not use callee-saved registers
And does not have any local variables
The compiler will omit the Frame
Example:
int add(int a, int b) {
return a + b;
}
Name of this technique:
Frame Omission Optimization
@reverseengine
❤4