Understanding SDDL Syntax
https://uwconnect.uw.edu/it?id=kb_article_view&sysparm_article=KB0034194
@reverseengine
A kernel Exploit for Pixel7/8 Pro with Android 14
https://github.com/0x36/Pixel_GPU_Exploit
@reverseengine
GitHub
GitHub - 0x36/Pixel_GPU_Exploit: Android 14 kernel exploit for Pixel7/8 Pro
Android 14 kernel exploit for Pixel7/8 Pro. Contribute to 0x36/Pixel_GPU_Exploit development by creating an account on GitHub.
Debugging Windows Internal with x64dbg
https://www.youtube.com/live/AKcADaAaOT8?si=cLY4BLvDXvnjA7FR
@reverseengine
YouTube
Debugging Windows Internals with x64dbg!
Join me with my guest Duncan Ogilvie, developer of x64dbg, as he shows us around the tool and shares some Windows debugging techniques. x64dbg is the only actively maintained userland debugger outside of WinDbg, and aims to be much more intuitive and easy…
The Complexity of Reversing Flutter Applications
https://www.fortiguard.com/events/5403/nullcon-berlin-2024-the-complexity-of-reversing-flutter-applications
@reverseengine
FortiGuard Labs
Publications | FortiGuard Labs
Flutter is a cross-platform application development platform. With the same codebase, developers write and compile native applications for Android,...
Analysing Windows Malware on Apple Mac M1/M2 (Windows 11 ARM) - Part I
x86/x64 emulation internals on Windows 11 ARM
https://int0xcc.svbtle.com/apple-m2-or-windows-arm-for-malware-analysis
@reverseengine
Raashid Bhat on Svbtle
Analysing Windows Malware on Apple Mac M1/M2 (Windows 11 ARM)...
x86/x64 emulation internals on Windows 11 ARM. Introduction: Since the introduction of Intel processors for the MacBooks, malware analysis on Mac has become quite popular, and it has become the hardware of choice for malware analysts. With the...
Windows Kernel Exploitation Tutorial Part 1: Setting up the Environment
https://rootkits.xyz/blog/2017/06/kernel-setting-up
@reverseengine
rootkit
Windows Kernel Exploitation Tutorial Part 1: Setting up the Environment - rootkit
Intro Recently, I had the pleasure to attend the training on Windows Kernel Exploitation at nullcon by the HackSysTeam. The training was well executed, and I got the intro into the world of kernel. But, as you know, nobody could teach you internals about…
io_uring Is Back, This Time as a Rootkit
https://www.armosec.io/blog/io_uring-rootkit-bypasses-linux-security
@reverseengine
ARMO
io_uring Rootkit Bypasses Linux Security Tools - ARMO
ARMO reveals how io_uring enables rootkits to bypass major Linux security tools like Falco, and Defender. Learn about the Curing rootkit and detection strategies.
KernelMode Rootkits: Part 1, SSDT Hooks
https://www.adlice.com/kernelmode-rootkits-part-1-ssdt-hooks
@reverseengine
Adlice Software
KernelMode Rootkits, Part 1 | SSDT hooks • Adlice Software
KernelMode Rootkits explained. This is the first part of this rootkit writing tutorial and it covers SSDT/Shadow hooks.
String Encryption / Encoding
Programs keep text strings such as messages, URLs and keys in the file in encrypted or encoded form and only decode them at run time, so that nobody can find them by looking at the binary.
Explanation:
Ever seen a binary with no strings at all? Its author has probably locked the strings away: for example, "hello" is not in the file, because a function builds it at run time. For them this can be a kind of protection or an attempt at hiding.
Example:
In the disassembler you see no readable strings, but there is a function that allocates memory several times and transforms data; the strings are probably built at run time.
Detection
No readable strings in the .rdata/.rodata section
Functions that repeatedly alloc/free memory and perform bit/byte operations on buffers
High entropy in the data sections
Mitigation (Defender/Programmer)
Defender: monitor calls that build strings at run time and look for unusual patterns
Developer: use secure logging and configuration so that there is less need for gratuitous string encryption
@reverseengine
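The two static detection signals listed in the post (no readable strings in the data section, high entropy in the data section) can be checked mechanically. The script below is an added example written for this page, not code from the channel: it implements a `strings`-style printable-run scanner and a Shannon entropy measure, then applies both to two constructed sample sections, one holding plaintext strings and one holding the same bytes XORed with a seeded random keystream purely to manufacture an "encoded .rdata" for the demo. The section names, the sample strings, the random-keystream construction and the 6.0-bit / 30 % thresholds are all assumptions chosen for illustration; real sections need the thresholds tuned against a corpus of known-clean binaries.

```python
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

MIN_STRING_LEN = 4  # same default as the classic `strings` tool

# Constructed sample of what a plaintext .rdata might hold (placeholder values, not real IoCs).
PLAIN_STRINGS: List[bytes] = [
    b"Hello, world!",
    b"http://updates.example.invalid/v2/check",
    b"Software\\ExampleCorp\\Agent\\Settings",
    b"C:\\ProgramData\\ExampleAgent\\cache.dat",
    b"CreateFileW",
    b"GetProcAddress",
    b"LoadLibraryA",
    b"VirtualAlloc",
    b"Error: unable to open configuration file %s",
    b"user=%s;password=%s;domain=%s",
    b"Mozilla/5.0 (compatible; ExampleAgent/1.0)",
    b"--verbose --config <path> --log <file>",
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for a constant buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> List[bytes]:
    """Printable ASCII runs of at least min_len bytes, like `strings -n min_len`."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(bytes(run))
        run = bytearray()
    if len(run) >= min_len:
        found.append(bytes(run))
    return found


def assess_section(name: str, data: bytes,
                   entropy_threshold: float = 6.0,      # assumed: plaintext data rarely exceeds this
                   readable_threshold: float = 0.3) -> Dict:  # assumed: share of bytes inside strings
    """Combine the two signals from the post into one verdict for a section."""
    strings = extract_strings(data)
    readable = sum(len(s) for s in strings) / len(data) if data else 0.0
    ent = shannon_entropy(data)
    if ent >= entropy_threshold and readable <= readable_threshold:
        verdict = "suspicious: high entropy, few readable strings"
    elif readable > readable_threshold:
        verdict = "readable strings present"
    else:
        # e.g. a zero-filled or sparse section: low entropy AND no strings says nothing on its own
        verdict = "inconclusive"
    return {"section": name, "size": len(data), "entropy": round(ent, 2),
            "string_count": len(strings), "readable_fraction": round(readable, 2),
            "verdict": verdict}


def build_samples(seed: int = 7) -> Tuple[bytes, bytes]:
    """Constructed test data: a NUL-separated string table and an encoded copy of it."""
    plain = b"\x00".join(PLAIN_STRINGS) + b"\x00"
    plain += b"\x00" * (-len(plain) % 16)  # pad to a 16-byte boundary like a real section
    rng = random.Random(seed)              # seeded so the demo is reproducible
    key = bytes(rng.getrandbits(8) for _ in range(len(plain)))
    encoded = bytes(p ^ k for p, k in zip(plain, key))  # stand-in for run-time-decoded strings
    return plain, encoded


def run_demo(seed: int = 7) -> List[Dict]:
    plain, encoded = build_samples(seed)
    return [assess_section(".rdata (plaintext sample)", plain),
            assess_section(".rdata (encoded sample)", encoded)]


if __name__ == "__main__":
    for report in run_demo():
        print(report)
```

On a real PE or ELF you would feed `assess_section` each section's raw bytes (for example via `pefile` or `lief`) and also look at the code for the alloc/transform loops the post mentions; the entropy check alone fires on compressed resources and certificates too, so it is a triage signal, not proof of string encryption.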