Source Byte – Telegram
Whoever would shun love must be a sober man;
but this nature of mine will not mix with reason.
Saadi Shirazi 187
(In)direct Syscalls: A journey from high to low
RedOps | Red Team Village | DEF CON 31

syllabus:
01: Introduction and Abstract
02: Prerequisites
03: Chapter 1 | Windows NT Basics
04: Chapter 2 | Windows OS System Calls
05: Chapter 2 | LAB Exercise Playbook
06: Chapter 3 | Concept of Direct Syscalls
07: Chapter 4 | Win32 APIs
08: Chapter 4 | LAB Exercise Playbook
09: Chapter 5 | Native APIs
10: Chapter 5 | LAB Exercise Playbook
11: Chapter 6 | Direct Syscalls
12: Chapter 6 | LAB Exercise Playbook
13: Chapter 7 | Indirect Syscalls
14: Chapter 7 | LAB Exercise Playbook

All the theory and playbooks for the exercises can be found in the wiki, which together with the prepared POCs is the heart of this project. The POCs for the exercises can be found here on the main page.
https://github.com/VirtualAlllocEx/DEFCON-31-Syscalls-Workshop.git

#redteam #malware_dev
Forwarded from 1N73LL1G3NC3
TokenAssignor

This tool tries to steal a token from a specified process and execute a token-assigned process. Most of the methods require administrative privileges.
Currently, 4 methods are implemented:
• To execute a token-assigned process with the CreateProcessAsUser API, set the -m option to 0;
• When the -m option is set to 1, this tool tries to create a suspended process and update its primary token to the stolen token. This method cannot be used to change the Session ID due to a kernel restriction;
• If the -m option is set to 2, it creates a new token-assigned process with the Secondary Logon Service;
• If the -m option is set to 3, it creates a new token-assigned process with the PPID spoofing method.
Forwarded from Stuff for Geeks (Qho Knowa)
Fascinating C code: TCP sockets & HTTP file downloads using only ntdll exports (NtCreateFile & NtDeviceIoControlFile syscalls). Bypasses Winsock for low-level Windows networking.


https://www.x86matthew.com/view_post?id=ntsockets

#Windows
#Programming
Forwarded from Go Casts 🚀
Learning the Rust language is probably one of those things many of us would like to do. Some may already have done it and enjoyed it.

The site corrode.dev publishes interesting articles about Rust.

This article has a nice list of resources you can use to learn Rust.

On learning a new language, one good experience is perhaps this: try now and then to do some scattered reading about the language you have in mind; that reading deepens your understanding of the language's concepts and attractions and gives you more enthusiasm to learn it.

Learning Material for Idiomatic Rust
https://corrode.dev/blog/idiomatic-rust-resources/

@gocasts

#rust
Windows Registry Forensics Learning Path ( 2022 )

https://www.infosecinstitute.com/skills/learning-paths/windows-registry-forensics/


The following file includes only the videos and PDFs (thanks to "ᏗᏰᏂᎥᏝᏗᏕᏂ ֆɨռɢɦ 🇮🇳" for sharing the file).
Forwarded from ᏗᏰᏂᎥᏝᏗᏕᏂ ֆɨռɢɦ 🇮🇳
Windows Registry Forensics.tar
1.2 GB
Windows Kernel Resources: Development, Exploitation, and Analysis
Credit: Tetsuo

A collection of resources for Windows kernel development, exploitation, analysis, and security. Suitable for beginners to experts, this compilation covers a wide range of topics including driver development, reverse engineering, vulnerability research, and Windows internals.

https://x.com/7etsuo/status/1816285806547591371

#twitter_article



I'll post this article here; a very nice collection, enough for 3 years of studying 😂😭
Forwarded from t a h a
8mOYkURS.csv
23.4 KB
Source Byte
8mOYkURS.csv
CrowdStrike Threat Actor Database
The Security Principle Every Attacker Needs to Follow
Credit: Elad Shamir

I decided to focus on “Identity-Driven Offensive Tradecraft”, in this post, I will explain what I mean by that and why it is so central to attack paths and red team operations. 


https://posts.specterops.io/the-security-principle-every-attacker-needs-to-follow-905cc94ddfc6
THREAD NAME-CALLING – USING THREAD NAME FOR OFFENSE

https://research.checkpoint.com/2024/thread-name-calling-using-thread-name-for-offense/

[ GitHub ]


Also check:
1- Atom Bombing technique (2016)
2- Pool Party (2023)
3- "Windows Process Injection in 2019" by Amit Klein and Itzik Kotler
Forwarded from Ehsun
2019-12-10-insidethepythonvirtualmachine.pdf
5.1 MB
Inside the Python Virtual Machine
DLL Hijacking Overview.pdf
249.1 KB
Forwarded from Source Byte (Anastasia 🐞)
[ 1 ] From a Windows driver to a fully functional EDR.
In this blog post we'll go through the history of EDRs, how they used to work, how they work now and how we can build a fully functional one. The last step is a challenge: bypass MyDumbEDR.

https://sensepost.com/blog/2024/sensecon-23-from-windows-drivers-to-an-almost-fully-working-edr/



[ 2 ] Internal mechanisms of EDRs:

https://www.youtube.com/watch?v=yacpjV6kWpM&t=387s


[ 3 ] MyDumbEDR ( written in C )

https://github.com/sensepost/mydumbedr


———
@islemolecule_source
APT1
aka: Brown Fox, Byzantine Candor, COMMENT PANDA, Comment Crew, Comment Group, G0006, GIF89a, Group 3, PLA Unit 61398, ShadyRAT, TG-8223

PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD) of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks.


* Download samples *

#APT #APT1 #PAPER
apt1_one_of_chinas_cyber_espionage_units_Pranshu_Bajpai.pdf
658.6 KB
apt1_one_of_chinas_cyber_espionage_units_Pranshu_Bajpai

#report
mandiant-apt1-report.pdf
6.5 MB
Mandiant report about APT1

#report