Source Byte – Telegram
It takes a sober mind to abstain from love,
and this temperament of mine does not mix with reason.
Saadi Shirazi 187
Lost in Transaction: Process Doppelgänging
Tal Liberman
Eugene Kogan

https://docs.google.com/viewerng/viewer?url=https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf


hasherezade's PoC for Doppelgänging:
LINK
2😁2👍1🔥1
Organized list of my malware development resources
https://github.com/rootkit-io/awesome-malware-development



#malware_dev
🔥4👍1
x33fcon20_Pawel_Kordos,_Patryk_Czeczko_Malware_techniques_from_aggressor's.pdf
10.7 MB
MALWARE TECHNIQUES FROM AGGRESSOR'S PERSPECTIVE
PATRYK CZECZKO
PAWEŁ KORDOS

#malware_dev
👍7
Event Tracing for Windows (ETW): Your Friendly Neighborhood IPC Mechanism

https://www.preludesecurity.com/blog/event-tracing-for-windows-etw-your-friendly-neighborhood-ipc-mechanism

credit : @jsecurity101
5👍1🤡1
Rhysida Ransomware
Link


#malware_analysis
👍4
1802.09517.pdf
197.4 KB
Memory Tagging and how it improves C/C++ memory safety
🔥3👍2
👍2🔥2
TLS-Cryptography-In-Depth.rar
8.7 MB
👍4
Forwarded from vx-underground
"Can a .txt file be malicious?"

Short answer: No

Long answer: Anything is possible through the power of Windows HKEY_CLASSES_ROOT
😁4👍3👏1
Forwarded from vx-underground
tl;dr modify shell open command (default) to malicious payload with subsequent invocation of text editor + parameters. The .txt file won't be malicious, but the thing responsible for opening them will be

¯\_(ツ)_/¯
👏3👍2🤷1
In the simplest terms possible, this registry hive contains the necessary information for Windows to know what to do when you ask it to do something, like to view the contents of a drive, or open a certain type of file, etc.


HKEY_CLASSES_ROOT\.avi
HKEY_CLASSES_ROOT\.bmp
HKEY_CLASSES_ROOT\.exe
HKEY_CLASSES_ROOT\.html
HKEY_CLASSES_ROOT\.pdf
HKEY_CLASSES_ROOT\AudioCD
HKEY_CLASSES_ROOT\dllfile
...


Each of these keys stores information on what Windows should do when you double-click or double-tap a file with that extension in File Explorer. It might include the list of programs found in the "Open with..." section when right-clicking/tapping a file, and the path to each application listed.

For example, when you open a file called draft.rtf, WordPad might open it. The registry data that makes that happen is stored in the HKEY_CLASSES_ROOT\.rtf key, which defines WordPad as the program that should open the RTF file.



Ref: link

#malware_dev
👍6
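
The lookup described above (extension key, then the ProgID it names, then that ProgID's shell\open\command), as an added defender-side example that is not part of the original posts: it parses `reg export` text and reports extensions whose open command no longer points at the expected program. The sample export, the baseline paths and all function names are constructed for illustration, and the lookup ignores per-user UserChoice settings and verbs other than open.

```python
import re
# Constructed sample in `reg export` syntax (not from a real host; paths are placeholders).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Temp\\placeholder.exe \"%1\""
[HKEY_CLASSES_ROOT\.rtf]
@="rtffile"
[HKEY_CLASSES_ROOT\rtffile\shell\open\command]
@="\"C:\\Program Files\\Windows NT\\Accessories\\WORDPAD.EXE\" \"%1\""
'''
# Assumed baseline of expected handler executables (adjust to your own build).
EXPECTED = {".txt": r"%SystemRoot%\system32\NOTEPAD.EXE",
            ".rtf": r"C:\Program Files\Windows NT\Accessories\WORDPAD.EXE"}
VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)')

def decode_value(raw):
    """Decode REG_SZ ("...") or REG_EXPAND_SZ (hex(2):, UTF-16LE); other types give None."""
    if raw.startswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])   # undo \\ and \" escaping
    if raw.startswith("hex(2):"):
        return bytes.fromhex(raw[7:].replace(",", "")).decode("utf-16-le").rstrip("\x00")

def parse_reg(text):
    """Return {lowercased key path: {value name: data}}; '@' is the (Default) value."""
    text = re.sub(r"\\\r?\n\s*", "", text)          # join hex continuation lines
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and (m := VALUE_RE.match(line)):
            cur[m.group(1).strip('"')] = decode_value(m.group(2))
    return keys

def open_command(keys, ext, root="HKEY_CLASSES_ROOT"):
    """Follow extension -> ProgID -> shell\\open\\command; None if any step is missing."""
    progid = keys.get(f"{root}\\{ext}".lower(), {}).get("@")
    return keys.get(f"{root}\\{progid}\\shell\\open\\command".lower(), {}).get("@") if progid else None

def executable(cmd):
    """First token of a command line, honouring a leading quoted path (lowercased)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmd)
    return (m.group(1) or m.group(2)).lower() if m else ""

def audit(keys, expected=EXPECTED):
    """Return [(ext, command)] for handlers whose executable differs from the baseline."""
    return [(ext, cmd) for ext, exe in expected.items()
            if (cmd := open_command(keys, ext)) is None or executable(cmd) != exe.lower()]
```

On a real host, pass it the text of a `reg export` of the classes keys (the file is UTF-16, so read it with encoding="utf-16") and call audit(parse_reg(text)).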