-
I hate you COM – Pitfalls of COM object activation
Background This is not a Windows COM 101; readers are expected to have a decent understanding of COM and CLR hosting internals. The .NET unmanaged API is not a stranger to OffSec tool developers: it enables them to tinker with managed processes and the CLR itself from within a native process (say, C/C++). You can see the whole…
-
Gotta Catch ‘Em all! Catching Your Favorite C2 In Memory Using Stack & Thread Telemetry.
TLDR We focus on two issues seen in the stack (in the context of stack spoofing). A Custom Stack Tracer. Analyzing a Commercial C2 Framework Loved by Adversaries. In this section we are going to discuss a commercial C2 framework which is heavily abused by threat actors. This tool often gets cracked and sold…
-
Tale of Code Integrity & Driver Loads
Hello fellow haxers! 🙂 The objective of this post is very simple – understand how the Core Isolation user setting affects the execution flow of driver loading. Enjoy reading. Feel free to ping me if I have made any mistakes in the post! VBS & HVCI. HVCI, DriverBlockList and Driver Load. When the driver blocklist is enabled, the system prevents…
-
The Lazy Guide To Reverse RPC
This post is not going to cover in-depth details of RPC implementation; for that, read the resources mentioned in the Further Reading section. Also, RPC programming is not in the scope of this post. We will only discuss the concepts needed to reverse an RPC client and server. You might encounter RPC calls in malware code…
-
Breakpoints, Heaven's Gate and Stack
Recap In the previous post we implemented return address spoofing with the help of hardware breakpoints by manipulating ESP; as our program resumes following the execution of the exception handler, the ntdll function call stub is executed. In this post we will be taking a more covert route of executing an Nt function via Heaven's Gate. Windows…
-
Stack Manipulation via Hardware breakpoint & Direct Syscall Execution
x86 Stack Primer In this section we will quickly go over how the x86 stack works. The scenario is: main() calls function A(), then A() calls B(). Let's see how this affects the stack. The above image is very generic in nature and the calling convention is not taken into consideration. Process Overview. Spoofing the return address. Below image…
-
Windows Filtering Platform Callout Driver – Traffic Redirector POC
Motivation Cisco Talos published a report on a browser hijacker driver named “RedDriver” (sharing the link here); it mentions that the malicious driver abuses the Windows Filtering Platform (WFP) to control network traffic. I managed to get the sample from VT and loaded it in IDA just to take a look at the code implementation. Even…
-
Incorporate Windows ETW in your code using Krabsetw
Introduction In this post we are going to discuss how we can perform ETW tracing using the krabsetw ETW library. We will not be discussing ETW basics here; for that I would recommend readers check out the following posts: Using the krabsetw library, let the fun begin. Trace Types ETW has mainly two sets of…
-
The Stack, The Windows & The Adventures
Introduction This post is a “how-to” for writing Win32 code for performing a stack walk on both x86 and x64 architectures, and along the way we will learn the theory behind some of the concepts associated with the stack. In fact, this is a quick note created for myself when I started working on designing a…
-
The Stack Series: The X64 Stack
Overview of x64 stack. Static RSP. Caller/callee-saved registers. According to the x64 convention, non-volatile registers are expected to be saved and restored by the function that uses them. On the other hand, as the name suggests, the volatile register states are expected to change throughout the execution of any function. Volatile Registers RAX…