Assembly for Hackers from Reza Rashidi

Table of contents
Syntax
Comments
Assembly Language Statements
Syntax of Assembly Language Statements
Example: Hello World Program in Assembly
Compiling and Linking
Sections
Processor Registers
System Calls
Strings
String Instructions
Repetition Prefixes
Numbers
BCD Representation
Instructions:
Conditions
CMP Instruction
Conditional Jump Instructions (Signed Data)
Conditional Jump Instructions (Unsigned Data)
Special Conditional Jump Instructions
Addressing Modes
MOV Instruction
File Handling
Example: Reading from a File
Stack and Memory
Stack and Memory
Tools for Analysis
Code Injection Attack
DLL Injection
APC Injection
Valid Accounts
System Binary Proxy Execution: Rundll32
Reflective code loading
Modify Registry
Process Injection
Mark-Of-The-Web (MOTW) Bypass
Access Token Manipulation
Hijack Execution Flow
Resources

https://redteamrecipe.com/assembly-for-hackers

#assembly
#reverse

Hello everyone,

I've made a somehow big update in the HyperDbg. Now, it utilizes a dedicated HOST IDT and HOST GDT, different than the Windows IDT/GDT. This update will address a specific category of bypasses for HyperDbg, although there are still many bypasses to address. This change influences the handling of interrupts, especially NMIs for halting cores in VMX root-mode. lt may introduce instability issues in various systems, potentially leading to crashes. If you're using HyperDbg, please switch to the 'dev' branch and re-build and test it to help us identify any problems. Currently, it works well on my 12th Gen machine, but I'm uncertain if it's universally stable. If you encounter any crashes or BSODs, please notify me before the release of v0.9 (the next version). The best way to test it is using events (EPT hooks) with a high rate of execution (e.g., using !epthook on nt!ExAllocatePoolWithTag and meanwhile pause the debuggee).

The 'dev' branch:
https://github.com/HyperDbg/HyperDbg/tree/dev

GitHub built artifact for those who can't build:
https://github.com/HyperDbg/HyperDbg/actions/runs/9384856535

fuzzer-internals from One of my lovely friends
https://blog.reodus.com/posts/fuzzer-internals-part1/

#fuzzer
#internals

Malware Development, Analysis and DFIR Series PART III
credit : Nithin Chenthur Prabhu

Delve into Windows Memory Internals! Explore virtual address spaces, process internals and memory models for a deeper understanding of memory forensics & malware analysis!

https://azr43lkn1ght.github.io/Malware Development, Analysis and DFIR Series

SWAPPALA and Reflective DLL
credit : Kyle Avery

https://oldboy21.github.io/posts/2024/06/sleaping-issues-swappala-and-reflective-dll-friends-forever/

چند تا write-up درباره باگ‌هایی که از کرنل Linux/Windows/macOS گزارش دادم و چگونه فازر کردنشون
رو تو وبلاگم 👇 اینجا نوشتم. پست جدیدم رو هم به زودی همینجا مینویسم.
R00tkitSMM -> میثم فیروزی


https://r00tkitsmm.github.io/?s=09

Year : 2024
Pages : 401 Edition : null
#programming
#RUST

Into the Rabbit Hole – Offensive DNS Tunneling Rootkits
Dns Tunneling

#Tunneling #exfiltration #DNS #Rootkit

A Detailed Analysis of The Last Version of REvil Ransomware
Prepared by: Vlad Pasca
Senior Malware and Threat Analyst

Table of contents
Executive summary 2
Analysis and findings 2
Thread activity – sub_1282EA7 function 37
Thread activity – sub_1287677 function 37
Thread activity – sub_1284468 function 41
Thread activity – sub_12841D3 function 44
Running with the -smode parameter 48
Running with the -silent parameter 51
Running with the -path parameter 51
Running with the -nolan parameter 51
Running with the -nolocal parameter 51
Running with the -fast parameter 51
Running with the -full parameter 51
Indicators of Compromise 51
Appendix 52

#REvil #malware_analysis

OffensiveNotion C2

OffensiveNotion combines the capabilities of a post-exploitation agent with the power and comfort of the Notion notetaking application. The agent sends data to and receives commands from your Notion page. Your C2 traffic blends right in as the agent receives instructions and posts results via the Notion developer API. And when your blue team looks for evidence of shenanigans, none will be the wiser.

Blog
How write?
YouTube
---------------------------------------------------------
Related:
Ox-c2
Implementing C2 and it's agent in rust
Helfrix_C2
Basic C2 Server and Agent, Rust Programming
Visit blog!
---------------------------------------------------------
LiNk
From and for our Chinese friends
Rust C2框架LINK分析
link is a command and control framework written in rust
https://github.com/postrequest/link

learn rust?

Enjoy!


#Rust #C2 #maldev

What is Loader Lock?
credit : Elliot

In Windows, every DLL starts by executing its initialization function known as DllMain. This function runs while internal loader synchronization objects, including loader lock, are held. So, you must be especially careful not to violate a lock hierarchy in your DllMain; otherwise, a deadlock may occur.

https://elliotonsecurity.com/what-is-loader-lock/

windows-vs-linux-loader-architecture
credit : Elliot

The intentions of this document are to:

- Compare the Windows, Linux, and sometimes MacOS loaders

- Provide perspective on architectural and ecosystem differences as well as how they coincide with the loader

- Including experiments on how flexible or rigid they are with what can safely be done during module initialization (with the loader's internal locks held)

- Formally document how a modern Windows loader supports concurrency

- Current open source Windows implementations, including Wine and ReactOS, perform locking similar to the legacy Windows loader (they presently don't support the "parallel loading" ability present in a modern Windows loader)

- Educate, satisfy curiosity, and help fellow reverse engineers

https://github.com/ElliotKillick/windows-vs-linux-loader-architecture

Step By Step Process To Make Trojan Horse

For Your Clear Understanding I Posted This Article Sequence Wise Like What Is The Work Of This Trojan And How This Trojan Work And The Main Thing The Algorithm Of The Source Code Lets We Discuss One By One In Next Lines.

Trojan

#trojan

Exploit Development:

Playing ROP’em COP’em Robots with WriteProcessMemory()
77 minute read

https://connormcgarr.github.io/ROP2/

#exp

Техника process Injection на винде, без использования опасных функций (WriteProcessMemory, VirtualAllocEx, ...)

https://undev.ninja/nina-x64-process-injection/

POC

https://github.com/NtRaiseHardError/NINA

Explain pe file format from ARteam

#pe

An Introduction to Bypassing User Mode EDR Hooks
Credit: Marcus Hutchins

Whilst this article is designed to stand on its own, if you’re interested, you can find my previous articles on these topics here, here, here and here. Surprisingly, despite all this research being over a decade old, it’s still completely relevant today. The more things change, the more they stay the same, I guess?

https://malwaretech.com/2023/12/an-introduction-to-bypassing-user-mode-edr-hooks.html


#Hooking #edr
#malware_dev

Introduction global hook and its cases
https://www.programmerall.com/article/21622234988/

hook, refers to a technique used to advance the use of api intercept and process windows messages. Such as a keyboard hook, the Trojans have a lot of this stuff, monitor your keyboard.

Related:
[+] GoHook, Go global keyboard and mouse listener hook

[+] Implementing Global Injection and Hooking in Windows



#Hooking
#malware_dev

Patch candidate for Oracle VirtualBox VirtIOCore Buffer Overflow Local Privilege Escalation Vulnerability (Pwn2Own Vancouver 2024 VM Escape exploit)

There was an insufficient check for numbers of in/out data segment denoscriptors supplied by Guest OS into Virtio devices. Check added in virtioCoreR3VirtqAvailBufGet IO processing loop ensures that data sent in by the guest through virtio kernel device modules cannot exceed storage availability in hypervisor memory. Exploit by overflowing buffers in pVirtqBuf-aSegsIn/aSegsOut

@thezdi @OnlyTheDuck @alisaesage