- Gotta Catch ’Em All! Catching Your Favorite C2 In Memory Using Stack & Thread Telemetry.
  TLDR: We focus on two issues seen in the stack (in the context of stack spoofing). A Custom Stack Tracer. Analyzing a Commercial C2 Framework Loved by Adversaries: In this section we discuss a commercial C2 framework which is heavily abused by threat actors. This tool often gets cracked and sold…
- Tale of Code Integrity & Driver Loads
  Hello fellow haxers! 🙂 The objective of this post is very simple – understand how the Core Isolation user setting affects the execution flow of driver loading. Enjoy reading. Feel free to ping me if I have made any mistakes in the post! VBS & HVCI. HVCI, DriverBlockList and Driver Load: When the driver blocklist is enabled, the system prevents…
- Breakpoints, Heaven's Gate and Stack
  Recap: In the previous post we implemented return address spoofing with the help of hardware breakpoints by manipulating ESP; as our program resumes following the execution of the exception handler, the ntdll function call stub is executed. In this post we will be taking a more covert route of executing an Nt function via Heaven's Gate. Windows…
- Stack Manipulation via Hardware Breakpoint & Direct Syscall Execution
  x86 Stack Primer: In this section we will quickly go over how the x86 stack works. The scenario is main() calls function A(), then A() calls B(). Let's see how this affects the stack. The above image is very generic in nature and the calling convention is not taken into consideration. Process Overview. Spoofing the return address: The below image…
- Analysing a Multi Stager: A Case Study of QBOT
  Motivation: This is not going to be about QBOT analysis, rather a quick "how-to" for analysing malware that employs multiple stages in the infection chain. Recently, in my work, I got a sample (a malicious PDF) for analysis; at the time I had no prior information and the task was identification. Interestingly, the initial vector used to…
- The Stack Series: Return Address Spoofing on x64
  Introduction: The stack of a process has the potential to give away the true nature of the program running in memory. Hence it is one of the entities monitored by security solutions. When a program executes any interesting function like InternetConnectA, security systems may initiate a stack check to find out if there…
- Memory Hiding Technique Series: Ekko – The Basics
  Introduction: In previous Austin Hudson’s CONTEXT structure to keep track of all the values in processor-specific registers and segments; as mentioned before, it can store additional data like debug control, exception handling, etc. Using the CONTEXT structure it is very easy to manipulate the values in the processor registers, thereby controlling the flow of execution.…
- Memory Hiding Technique Series: Gargoyle
  Introduction: As reflective loading has become the staple vector for staging malware, adversaries rely on in-memory payloads to ensure both operational security and evasion in the post-exploitation phase. To counter such efforts we have quite a few robust tools, like Moneta and PE-sieve, for scanning memory to catch active beacons/agents hidden inside running…
- Tale of Hosting .NET in Unmanaged Code Part 0x3: HavocFramework
  Recap: We are wrapping up the "Tale of Hosting .NET" series by covering the implementation details of the InlineAssembly-Execute feature in C5pider. In this post we are reiterating everything we saw in the earlier posts (part 2), so make sure you read it, because going forward we do not go in depth; rather we are going…
- Tale of Hosting .NET in Unmanaged Code - PART/0x2 | InMemory Execution.
  Background: In the previous post, we implemented a basic host program that could load up the CLR and execute an assembly. The issue with that approach is the loading of the .NET assembly: we loaded the assembly from disk and had to pass additional information like the type and method name. In this post we will…