Michael B.

AWStrace: Another Windows Strace attempt by me. Using a named pipe and shellcode inside the remote process, send registers back and pretty print the output.

Because of the recent Notepad++ situation here is another good source about WB. As opposed to just simple decryption/re-encryption, this also shows how to use the heap execute capability. cirosec.de/en/news/abusin…

@aionescu @witherornot1337 @HackingLZ @vxunderground I remember watching Alex's talk in 2020, and it was always on the back of my mind. I finally sat down around 2023 and worked out a simple PoC to use the decrypting/re-encrypting capabilities of it. Crazy to see it actually being used in the wild.

@witherornot1337 @HackingLZ @vxunderground @DownWithUpSec youtube.com/watch?v=gu_i6L… 🫠

THE CHINESE GOVERNMENT USED MICROSOFT WARBIRD APIS FOR OBFUSCATION > proof-of-concept by @DownWithUpSec in 2023 > 30 stars on GitHub > 62 likes on Xitter This is fucking FIRE research. Insanely slept on research. I am FLABBERGASTED.

@diversenok_zero Awesome, this is great to know. I kept thinking maybe I had a permissions problem. 😅

@DownWithUpSec That's a volatile (REG_FLAG_VOLATILE) key; i.e., it only exists in memory and does not persist changes to the hive file. There are a few more of these throughout the registry. You can detect them via NtQueryKey with KeyFlagsInformation.

Exporting registry data in the "hive" format seems to ignore the "BIOS" key under HKLM\HARDWARE\DESCRIPTION\System. You can export it directly, but exporting any parent will not contain the "BIOS" key and its values

"This thing I need is open source. Surely someone has audited this code?" 🙃

@sixtyvividtails Sadly not. Looks like all if your CPU doesn't support MPX (which newer ones won't) the MPX instructions will be treated as NOPs.

@DownWithUpSec Interesting if this api would still work if MPX is unsupported/disabled. Or, cutting to the chase, would the handler be able to catch the regular "bound" instruction executed from ring3 🤔

Something interesting I stumbled upon: In Windows, for Intel's MPX, a driver could use KeRegisterBoundCallback to handle/hook the BOUND #BR exception. This function will eventually get called from the IDT's KiBoundFault

😮New post on Windows Warbird encryption and decryption: downwithup.github.io/blog/post/2023…

Here's an old project that I polished up a bit: github.com/DownWithUp/WHP… Essentially the idea was to have some introspection into an OS at the hypervisor level. It was also a foray into the Windows Hypervisor Platform API.

Just a quick little post on how to use the the undocumented API NtPssCaptureVaSpaceBulk to gather a process' virtual memory in a single call. Read more here: downwithup.github.io/Blog/8.html

@EranShimony @MSRC I didn't even know this site existed...

Finding code execution in the kernel in a third-party that is the driver is made by a giant company that has no security awareness whatsoever, @MSRC sends me here: …cecenter-dev-westus.azurewebsites.net/en-us/wdsi/dri… How can I bypass this bloody captcha? Or should I just drop 4 zero-days?

So .msu files really are just .cab files? 😅

@hyp3rlinx Looks interesting! 3rd party contributions welcome?

Launched malvuln.com a week ago, all about vulnerabilities in Malware. Using the handle "malvuln"... feedback welcome.

What a shot taken from Melbourne Australia 🔭🪐

Windows Defender needs to be resource restricted. Seems like a good use for a job object.

@jonasLyk Could also be due to the fact that it creates a device and symbolic link (GLOBAL??). Just guesses though.

but why vhd that require admin privs to mount and Not iso?

Even when disabled, Windows Defender continues to squander computer resources. Highly annoying.

@omerk2511 I think playing around with callbacks is always something interesting and a good way to learn about internals.

Just turned 17. Well, time flies... My first goal for this year is to improve my kernel development skills. Does anybody have some cool project ideas? EDR-related stuff can be pretty interesting :)