Binary Exploitation Notes

Stack
Heap
Kernel
Browser Exploitation

https://ir0nstone.gitbook.io/notes
credit : Andrej Ljubic

Process injection techniques $
(꩜)ListPlanting ->( Mitre )
(꩜)Process Doppelganging ->( Mitre)
(꩜)Process Hollowing ->( GitHub)
(꩜)Extra Window Memory Injection -> ( Mitre )
(꩜)TLS callback ->( GitHub)
(꩜)APC injection -> ( earlybird )
(꩜) Thread Hijacking ->( GitHub )

(꩜) Transacted Hollowing (hasherezade)
(꩜) Process Ghosting (hasherezade)
(꩜) DLL hollowing (hasherezade)
(꩜) ChimeraPE (hasherezade)
(꩜) Process Overwriting (hasherezade)
(꩜) Process Chameleon (YouTube)

+Demo by hasherezade

------------------_---------------
Others:
Mockingjay


+ thread namecalling:
https://github.com/hasherezade/thread_namecalling.git



https://news.1rj.ru/str/Source_byte

#malware_dev #process_injection

Process Enumeration methods $
[+] Hunting RWX trick
[+] EnumWindowsProcesses Callback
[+] Toolhelp api
[+] WTS API
[+] NTQuerySystemInformation

[+] Others

~~~~
Related:
Advanced-Process-Injection-Workshop[ GitHub ]






https://news.1rj.ru/str/Source_byte


#malware_dev #process_enumration

Exploiting an io_uring Vulnerability in Ubuntu

This post discusses a use-after-free vulnerability, CVE-2024-0582, in io_uring in the Linux kernel. Despite the vulnerability being patched in the stable kernel in December 2023, it wasn’t ported to Ubuntu kernels for over two months, making it an easy 0day vector in Ubuntu during that time.

https://blog.exodusintel.com/2024/03/27/mind-the-patch-gap-exploiting-an-io_uring-vulnerability-in-ubuntu/

#cve_analysis , #linux_internals , #CVE-2024-0582

Tool Interface Standard (TIS)
Executable and Linking Format (ELF)
Specification
#elf #book

Parent pid spoofing Techniques $

[+] Via Createprocess ( iredteam )
[+] PPID Spoofing via WMI
[+] NtCreateUserProcess
[+] Pid spoofing (Methods)


-Real Example by security in bits

https://news.1rj.ru/str/Source_byte


#malware_dev #spoofing

series on virtualization technologies and internals of various solutions (QEMU, Xen and VMWare)
Credit: @LordNoteworthy

[ 0 ] Intro: virtualization internals part 1 intro to virtualization
[ 1 ] VMWare: Virtualization Internals Part 2 - VMWare and Full Virtualization using Binary Translation
[ 2 ] Xen: Virtualization Internals Part 3 - Xen and Paravirtualization
[ 4 ] QEMU: Virtualization Internals Part 4 - QEMU

——-

related posts :
[ 0 ] Writing a simple 16 bit VM in less than 125 lines of C
[ 1 ] Write your Own Virtual Machine
[ 2 ] notes on vm and qemu escape exploit
[ 3 ] notes on VMware escape exploits by version
[ 4 ] Unpack VMProtect



#VM , #cve_analysis , #VM_internals
—-
https://news.1rj.ru/str/Source_byte

LSASS Memory Dumps are Stealthier than Ever Before

Dumping is implemented by interfacing with various external tools:

comsvcs
comsvcs_stealth
dllinject
procdump
procdump_embedded
dumpert
dumpertdll
ppldump
ppldump_embedded
mirrordump
mirrordump_embedded
wer
EDRSandBlast
nanodump
rdrleakdiag
silentprocessexit
sqldumper

[+] MiniDumpWriteDump (Vitaminizing MiniDump)
[+] Comsvcs.dll
[+] Direct syscall [GitHub]
[+] Nano dump [info]
[+] Dump with trusted process


Look at all of them 1
Look at All of them 2
T1003.001 - OS Credential Dumping: LSASS Memory
Lsass for everyone [advanced]

WINDOWS SECRETS EXTRACTION: A SUMMARY by synacktiv


https://news.1rj.ru/str/Source_byte


#malware_dev #lsass

WINDOWS SECRETS EXTRACTION: A SUMMARY by synacktiv
#lsass
#paper

LockbitSupp:

SoheilSec :
توسعه بدافزار C2
توسعه بدافزار یکی از مهارتهایی است که برای شبیه سازی حملات APT بسیار مهم و کاربردی است

طبق MITRE attack و cyber kill chain یکی مراحل C2 است.

https://attack.mitre.org/tactics/TA0011

https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

برای توسعه بدافزار ابتدا نیازمند یادگیری یک زبان برنامه نویسی هستید، زبانی نیاز دارید که بتوانید توسط آن با win32 API کار کنید

زبان های پیشنهادی

c++

python

rust

کتاب ها:



https://news.1rj.ru/str/Peneter_Media/451

https://news.1rj.ru/str/Peneter_Media/452

https://news.1rj.ru/str/Peneter_Media/453

https://news.1rj.ru/str/Peneter_Media/454

دوره های توسعه بدافزار:

https://institute.sektor7.net/red-team-operator-malware-development-essentials

https://institute.sektor7.net/rto-maldev-intermediate

https://maldevacademy.com/

https://www.udemy.com/course/offensive-rust/

https://www.udemy.com/course/offensive-csharp/



قدم بدی نیازمند یادگیری win32 API هستید تا بتوانید

Process Manipulation, Memory Manipulation, Networking, DLL Injection

همچنین انواع تکنیک های injection یاد بگیرید:

DLL Injection, Process Hollowing, Reflective DLL Injection, Thread Injection, AtomBombing, APC Injection

لینک زیر ببینید:

https://github.com/RedTeamOperations/Advanced-Process-Injection-Workshop

c2 نیازمند یک protocol communication هست

http/https, DNS, ICMP

نیازمند یادگیری کار با Encryption

AES, XOR, RC4, RSA, ECC, ChaCha20



منابع توسعه بدافزار c2

https://pre.empt.blog/
https://shogunlab.gitbook.io/building-c2-implants-in-cpp-a-primer/
https://0xrick.github.io/misc/c2/
https://github.com/CodeXTF2/maldev-links
https://0xrick.github.io/misc/c2/
https://captmeelo.com/
https://www.vx-underground.org/#E:/root

بهترین c2 ها:

https://www.thec2matrix.com/
https://github.com/EmpireProject/Empire
https://github.com/HavocFramework/Havoc
https://github.com/cobbr/Covenant
https://github.com/Ne0nd0g/merlin
https://github.com/its-a-feature/Mythic
https://github.com/byt3bl33d3r/SILENTTRINITY
https://github.com/nettitude/PoshC2
https://github.com/BishopFox/sliver

https://github.com/rapid7/metasploit-framework

تکنیک های دور زدن می تونید از بلاگ ها و ریپوهای زیر دنبال کنید

https://github.com/boku7
https://trickster0.github.io/
https://github.com/S4ntiagoP
https://github.com/Cracked5pider
https://casvancooten.com/
https://github.com/chvancooten
https://mr.un1k0d3r.world/
https://und3rf10w.github.io/
https://github.com/waldo-irc
https://www.arashparsa.com/
https://passthehashbrowns.github.io/
https://www.wsast.co.uk/
https://gist.github.com/odzhan
https://modexp.wordpress.com/
https://fool.ish.wtf/
https://github.com/realoriginal
https://suspicious.actor/
https://github.com/moloch–
https://github.com/am0nsec
https://amonsec.net/about/
https://github.com/rasta-mouse
https://rastamouse.me/
https://github.com/xpn
https://blog.xpnsec.com/
https://github.com/sneakid
https://www.solomonsklash.io/
https://github.com/kyleavery

بعد از اینکه c2 خودتان را توسعه دهید تازه باید به دنبال دیباگ کردن و همچنین دور زدن Anti Virus و EDR باشید برای اینکار نیازمند تکنیک و ابزار Debugger هستید:

IDA Pro,OllyDbg and x64dbg,WinDbg,Ghidra,Immunity Debugger

https://news.1rj.ru/str/Peneter_Media/455

https://news.1rj.ru/str/Peneter_Media/456

https://news.1rj.ru/str/Peneter_Media/457

https://news.1rj.ru/str/Peneter_Media/458

برای دور زدن:

https://news.1rj.ru/str/Peneter_Media/444

https://github.com/MrEmpy/Awesome-AV-EDR-XDR-Bypass

https://medium.com/offensive-security-walk-throughs/three-techniques-for-bypassing-edr-3b4101002951

https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/

https://cydef.ca/blog/av-vs-edr-an-introduction-to-antivirus-bypass/

انتشار مقاله:

https://www.soheilsec.com/توسعه-بدافزار-c2/
سهیل هاشمی
کارشناسی ارشد شبکه | کارشناس ارشد امنیت شبکه



#c2 #malware_dev #AV

Today is girls day in Iran .

Happy girls' day to all women subscribers :)

Write Packer your own packer/protector
[+] How to write packer for windows
[+] Create a packer by frank2
[+] write packer with python and how it loads
[+] Writing a Packer From Scratch in Nim
[+] Writing a simple self-injecting packer
[+] Developing PE file packer step-by-step. Step 1-...

-Curated list executable packing
-unavailing custom Packer


https://news.1rj.ru/str/Source_byte


#packer #reverse

#Blackhat
us-14-Mesbahi-One-Packer-To-Rule-Them-All-WP

#packer #reverse

یه دوره‌ای مهندس کاظمی عزیز معرفی کردن بهم که میاد از صفر یه بوت لودر و کرنل و عملا سیستم عامل مینویسه و میره جلو

واقعا جذابه دورش بنظرم:
https://p30download.ir/fa/entry/96910/


#internals
#OS
#Programming
#course

Like a roadmap, but in the form of links and books (in the process of being added)


Links:
‾‾‾‾‾‾‾‾‾

The most clear explanation about memory, segments, broadcasts, etc. in Russian
acm.bsu.by/wiki/Unix2019b/Memory_organization_on_x86-64
acm.bsu.by/wiki/C2017/Architecture_x86-64
habr.com/ru/company/intel/blog/238091

Basic threads from Vasma about cracking, ideas and everything everything everything
wasm.in/blogs/category/issledovanie-programm.19
wasm.in/blogs/category/sekrety-win32.17
wasm.in/blogs/category/uroki-iczeliona.2
wasm.in/blogs/category/virusologija.25/
https://wasm.in/forums/wasm-nt-kernel.17/

Greatest Dr. Xiang Fu with tutorials on malware analysis
fumalwareanalysis.blogspot.com/p/malware-analysis-tutorials-reverse.html

All about anti-debugging
anti-debug.checkpoint.com

Collection of must-read articles on reverse engineering from Hacker
xakep.ru/2017/10/18/reverse-malware-must-read
xakep.ru/2006/11/27/35410

Notes from Yosifovich on Windows jokes
scorpiosoftware.net/category/windows-internals

Manuals for crack prog
manhunter.ru/underground
reversing.do.am/load

Forensics research
dfir.ru

Raymond Chen's blog about Windows jokes
devblogs.microsoft.com/oldnewthing

A lot of useful information about windows system programming in Russian, including
kaimi.io
kaimi.io/tag/assembler
kaimi.io/2012/09/pe-packer-step-by-step-1

Reverse/PE/anti-analysis labs
malwareunicorn.org/#/workshops

Modern Malware Techniques
danusminimus.github.io

Labs for writing cheats for games
gamehacking.academy

An endless amount of reverse/malware content, search by changing the id in the URL
samsclass.info/126/proj/PMA1.htm
samsclass.info/126/proj/PMA2.htm

Repository of the Institute of Informatics of Poland, low-level prog, reverse
ics.p.lodz.pl/~dpuchala/LowLevelProgr

[windows] kernel internals
matteomalvica.com/minutes/windows_kernel

lena151's cracking tutorials
you can find on the Internet, sequential manuals for cracking prog, although essentially without explanation, made in the form of flash interactive pictures

Reverse course
https://0xinfection.github.io/reversing/

underground base heh
https://web.archive.org/web/20200519101558/https://krober.biz/?p=3413#more-3413

Books:
‾‾‾‾‾‾‾‾

What Makes It Page?: The Windows 7 (x64) Virtual Memory Manager - Enrico Martignetti

Reverse Engineering for Beginners - Denis Yurichev

Windows Kernel Programming (Working with the Windows kernel) - Pavel Yosifovich

Windows Internals Book 7th edition (Windows Internals) - Mark Russinovich

Windows 10 System Programming, Part 1 - Pavel Yosifovich

Windows 10 System Programming, Part 2 - Pavel Yosifovich

Troubleshooting with the Windows Sysinternals Tools - Mark Russinovich

Advanced Windows Debugging - Mario Hewardt

Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software - Andrew Honig and Michael Sikorski

C++ programming technology. Win32 API applications - Nikolay Litvinenko
System programming in WINAPI - Yu.V. Marapulets

Programming for Windows 95 - Charles Petzold

Win32 API. Effective application development - Yuriy Shchupak

Windows for professionals. Building efficient WIN32 applications with 64-bit Windows in mind - Jeffrey Richter

Windows via C/C++. Programming in Visual C++ - Jeffrey Richter, Christophe Nazar

Windows System Programming - Hart Johnson

System programming in Window - Alexander Pobegailo

Microsoft Windows 3.1 operating system for a programmer - Alexander Frolov, Grigory Frolov https://www.frolov-lib.ru/

Graphics Programming for Windows - Fen Yuan

Using Microsoft Windows Driver Model - They Walter

Organization of input-output. Drivers WDM 2011 - Roshchin A.V.

Literally must do things aka reverse roadmap

reverse/low-level failure/cracking conference
https://youtube.com/@wasmio?si=MaOxUpFKkMuNrAoI

dr fu reverse notes
http://fumalwareanalysis.blogspot.com/p/malware-analysis-tutorials-reverse.html


anti-debug.checkpoint.com

SANS digital forensics courses
https://www.sans.org/cyber-security-skills-roadmap/

All related articles from the hacker
https://xakep.ru/2017/10/18/reverse-malware-must-read/

Notes on Kraks
https://www.manhunter.ru/underground/


Books:
Windows Internals - Pavel Yosifovich, David A. Solomon
Windows Kernel Programming - Pavel Yosifovich