-
Love for Microsoft Component Object Model, RPC and AMSI attack surface
TLDR AMSI The Component How to identify a component? The components that implement COM interfaces need to be registered as Computer\HKEY_CLASSES_ROOT\CLSID\{<GUID>} in the Windows Registry. This is a convenient way to locate the dll/exe components, so that apis like CoCreateinstance() can go and fetch components by using GUID values from library, and instantiate the interface.…
-
Tale of Code Integrity & Driver Loads
Hello fellow haxers! 🙂 The objective of this post is very simple – Understand how Core Isolation user setting affects the execution flow of driver loading. Enjoy reading. Feel free to ping me if i have made any mistakes in the post! VBS& HVCI HVCI,DriverBlockList and Driver Load When driver blocklist is enabled, system prevents…
-
The Lazy Guide To Reverse RPC
This post is not going to cover in depth details of RPC implementation,for that read the resources mentioned in the Further Reading section. Also RPC programming is not in the scope of this post. We will only discuss concepts needed to reverse RPC client and a server. You might encounter RPC calls in malware code…
-
Analysing a Multi Stager : A case study of QBOT
motivation This is not going to be about QBOT analysis rather a quick \”how-to\” for analysing malwares that employ multiple stages in the infection chain. Recently, in my work, I got a sample (a mal pdf) for analysis, at the time I had no prior information and task was identification. Interestingly initial vector used to…