Astharot15

52 posts

Astharot15

Astharot15

@AstharotRTO

Only a learner

Katılım Aralık 2025
116 Takip Edilen21 Takipçiler
Astharot15 retweetledi
📕「マルウエアの教科書」著者 | 吉川孝志 | 増補改訂版🌟発売中
プロセス生成時にコマンドラインや環境変数が新プロセスのメモリへ自動コピーされるWindowsの正規処理そのものをペイロードの配置先に使い、WriteProcessMemoryやVirtualAllocExといった書き込みAPIを一切呼ばずに別プロセスへシェルコードを届けるPoC「P³(Process-Parameter-Poisoning)」が公開されました。4種類のEDR製品で検証したところ全てで注入に成功し、警告は発生しなかったとの報告です。ただし、配置後にメモリ保護を実行可能へ変更する処理と、主スレッドの命令ポインタを書き換えるSetThreadContextの呼び出しは残っており、書き込みAPIを使わないだけで検知の手掛かりが消えるわけではない点に注意が要ります。 【要点の整理】 ・CreateProcessWに渡すコマンドライン・環境変数・STARTUPINFOWのlpReservedの3種をペイロードの配置先として使用。これらは新プロセスのPEB内のRTL_USER_PROCESS_PARAMETERSへ正規の生成処理としてコピーされるため、明示的なリモートメモリ書き込みなしにデータを配置できる仕組み。 ・生成後にNtQueryInformationProcessとNtReadVirtualMemoryExでPEBと起動パラメータの位置を読み取り、NtProtectVirtualMemoryで実行可能へ変更したうえで、主スレッドの命令ポインタをNtGetContextThreadで読み取りNtSetContextThreadで書き換え。サスペンド状態でのプロセス生成もSuspendThread/ResumeThreadも使わない実装。当初はDirty Vanity方式を試したが、内部でNtWriteVirtualMemoryを呼ぶためEDRが反応し採用を見送った経緯。 ・起動パラメータはNULL終端文字列のため任意のバイナリをそのまま運べない制約がある。公開PoCはNULLバイトを含まない第1段階を生成し、対象プロセス内で第2段階を復号・展開して制約を回避する構成。 ・4製品での検証結果は検出・ブロック・修復モード設定下でのPoC評価であり、実攻撃の観測報告ではない。公開後に同じ着想が2020年にmodexpによって提示済みだったことが追記されており、初出の原理ではなく、同じ着想を再実装し体系化したうえでEDR回避を検証した公開研究という位置づけ。 ・検知候補としては、プロセスパラメータ領域の実行可能化とSetThreadContextの連鎖、別プロセスのPEB読み取り、異常に長い・高エントロピーなコマンドラインや環境変数。特定のAPI名だけを見るのではなく、起動パラメータが実行コードに転用され制御が移る一連の挙動を捉える設計が有効との指摘。 ペイロードの配置をWindowsの通常のパラメータコピーへ移すことで書き込みAPIの監視をすり抜ける一方、メモリ保護変更とスレッドコンテキスト変更には依然として痕跡が残ります。 詳細は以下を参照: sensepost.com/blog/2026/proc… github.com/Orange-Cyberde… (※可能な範囲でファクトチェックは実施済なものの、元記事の精度依存や速報・要約の性質上漏れもありうるため、正確な情報は一次情報を直接参照のこと)
日本語
0
4
30
2.4K
Astharot15
Astharot15@AstharotRTO·
@ipurple There are writable directories in system32
English
1
0
0
67
Panos Gkatziroulis 🦄
More SIGMA & Sysmon Rules have been added to the Discord. If you work in the same domain and want to receive early access to Playbooks & Detection Rules, join our Discord! ⏰ Duration: 24H 📩 Invite: discord.gg/7yjuG7xQ
Panos Gkatziroulis 🦄 tweet media
English
1
2
14
2.6K
Panos Gkatziroulis 🦄
🎙️ For the past 2–3 years, almost every new lateral‑movement technique I’ve seen leans on COM Hijacking. 🧐 Is this just my observation, or are others noticing the same pattern? Another COM Hijack for Chrome and MSedge github.com/Astharot15/COM…
English
2
28
120
5.7K
Astharot15
Astharot15@AstharotRTO·
Im publishing a malware that I have created, it is a COM hijack, the clsid targets chrome a edge. It is pretty reliable, it has been working on my vm for 6 months while I was using it and 0 crashes. Take a look. github.com/Astharot15/COM…
English
0
14
64
4.1K
_SiCk
_SiCk@encrypted_past·
Delete Twitter and blog and fuck off into obscurity? I will obide by the results of the this poll.
English
5
1
5
363
Austin Hudson
Austin Hudson@ilove2pwn_·
Haven't posted in 3 years, but I'll be giving a presentation on "Orchestrating Modern Implants with LLVM" in September in Spain. Discuses limitations of bin2bin and the path toward more flexible capability delivery, instrumentation and moving towards (IMO) true metamorphism
Austin Hudson tweet media
English
10
24
157
11.8K
Smukx.E
Smukx.E@5mukx·
oof ... After consecutive days, Done proper UI Designs and major architecture change for network Malleability + along with stealthy bofs.... Just taking some break today =)
Smukx.E tweet media
Smukx.E@5mukx

I just wasted 7 hours debugging for one BOF. I found a lot of bugs along the way, fixed them, but still couldn't achieve what i was targeted for. I was just scrolling on Pinterest when I found this quote. Again, I sat back to finish this stuff, lol ! Let's see how this goes...

English
1
2
57
5.1K
Astharot15
Astharot15@AstharotRTO·
I changed my mind recently and I think I am going to publish most of the projects I am doing. I am also doing some research on drivers and kernel protections (SLAT, HLAT, KDP, kCFG, HVCI) so if I find something interesting I will publish a blog post.
English
0
0
0
48
Astharot15
Astharot15@AstharotRTO·
Keylogger - It is the code I talked about in my blog astharot15.github.io/posts/keylogge…, It is only a CTF challenge so it doesn't do too much, if you want to use it modify OnReadCompletion function, but I am pretty sure that it is caught by EDRs (not by basic AVs, of course).
English
1
0
1
49
Astharot15
Astharot15@AstharotRTO·
I have made my private GitHub repo called "DriverStuff" public. I have been learning for a few months about Windows drivers and I kept that repo private because I thought it was kinda basic. I still think it is, but I figured why not just share it anyway. +
English
1
0
3
669
Astharot15 retweetledi
Astharot15 retweetledi
dbugs
dbugs@ptdbugs·
DCOMIllusionist — fileless lateral movement via DCOM and .NET deserialization At the x33fcon conference, Synacktiv introduced a tool for stealthy remote code execution on Windows hosts with administrative privileges. The tool leverages .NET DCOM servers that automatically deserialize incoming objects, enabling command execution or DLL loading entirely in memory without writing files to disk. It’s useful for post‑exploitation activities and moving between sessions within a domain. Features: • Execute commands via "--exec" and "--ps-exec" with session selection ("--session") • Load a DLL and invoke a class method directly in memory via "--load-dll", "--dll-class", "--dll-method" • Create HTTP requests under another session’s context ("--curl") for NTLM relay attacks • Generate and execute "ysoserial" payloads ("--yso-b64") • Manage local and remote registry modifications ("--local-registry-only", "--remote-registry-only") • Display a list of remote interactive and active sessions on the target device ("--list-sessions") • Test network connectivity to the target from the attacker’s host ("--test-network") Tool: github.com/synacktiv/DCOM… #dbugs_tools
English
0
10
31
1.6K
Connor McGarr
Connor McGarr@33y0re·
Arbitrary read/write -> arbitrary kernel-mode API calls with HVCI and Kernel CFG enabled :) - in this case a POC to invoke ZwOpenProcess on the System process in VTL 0. I will blog on this soon!
Connor McGarr tweet media
English
7
76
326
0