tfll37 retweetledi
tfll37
14 posts

tfll37
@dingototh
Part of: RaptX Rev, obfuscation, LLMs
Katılım Mart 2017
255 Takip Edilen14 Takipçiler
tfll37 retweetledi

Windowsユーザーモードのセキュリティ研究ブログが2020年から2025年にかけて計12記事を無料公開しています。隠れたコード実行・プロセスタンパリング・コードインジェクションを攻撃→検知の順で3部構成にまとめた「Concealed-Code-Execution」シリーズを軸に、Sysmon回避・プロセスクローン・メモリ上のPE再構築など、攻撃手法とその検知痕跡を並べて追える構成です。
Windowsの内部構造を攻撃と検知の両面から扱う資料は、マルウェア解析でもEDRの検知ロジックを読む場合でも参照先として有用です。
【要点の整理】
・中核は「Concealed-Code-Execution」3部作(2022年8月)。Part-1がプロセスタンパリング(Process-Hollowing・Herpaderping・Ghosting等の分類と比較)、Part-2がコードインジェクション(APC・Thread-Hijacking・DLL注入等の手法別整理)、Part-3が検知(Part-1/2で扱った手法ごとに、どのAPIコール・メモリ属性・イベントログが観測可能かを分析)という攻撃と検知を対にした構成。
・「Sysmon-14.0のFileBlockExecutable回避」(2022年9月)はSysmonの実行ブロック機能の前提を分析し、前提が崩れる条件を示した研究。「プロセスクローンの完全ガイド」(2023年4月)はWindowsのプロセス複製機構を網羅的に解説。「PE再構築」(2024年4月)はメモリ上のイメージからディスク上のPEを復元する手法を扱い、マルウェアのダンプ解析に直結する内容。
・IFEO(Image-File-Execution-Options)によるプロセス起動時の介入(2021年2月)、Transactional-NTFSを使ったサンドボックス構築(2020年1月)、プロセス停止手法の比較とバイパス(2021年5月)、AFDソケットのフォレンジック可視化(2025年5月)、Restart-Manager痕跡の解析ツール(2024年9月)、BSODの設計思想分析(2024年8月)も公開されている構成。
詳細は以下を参照:
diversenok.github.io
(※可能な範囲でファクトチェックは実施済なものの、元記事の精度依存や速報・要約の性質上漏れもありうるため、正確な情報は一次情報を直接参照のこと)
日本語

@z3ro2504 What a bs thing. If you have access to the process by creating it with OpenProcess, what's the actual point of poisoning the args if you can do *anything* within that process code/data? I guess you do it just to keep a job and pretend to do anything useful. AI should replace you.
GIF
English

Excited to share our research on Process Parameter Poisoning with Max Hirschberger! We detail a novel process injection technique using parameters as an attack surface & released p3-loader (PoC).
sensepost.com/blog/2026/proc…
github.com/Orange-Cyberde…
#Malware #WindowsIntetnals
English

@z3ro2504 Changing thread contexts without susp is alsmost 100% to cause crashes or locks in the wild(sus af) Also WHAT are scenarios for just some random context free threads that are hanging or specifically spawned such threads that also look sus. A lot of sidestepping in this article...
English

My Reverse Engineering of the Intel NPU Windows Driver
Hopefully this helps to those thinking of beginning with the npu_kmd.sys
tfll37.github.io/posts/Reverse-…
#ReverseEngineering #Windows #WindowsDrivers #Intel
English
tfll37 retweetledi

Is your software is running in a simulation?
Trust me, sometimes you really, really care.
There used to be a really simple, single-instruction trick in x86 assembly, affectionally known as “the Red Pill”.
SIDT is an (unprivileged!) instruction that tells you where the Interrupt Descriptor Table lives in memory. On bare metal, the IDT sits pretty low.
Early VMware placed its virtualized IDT in a very high address, to avoid the guest colliding with the host. Very easy check, IDT high = you’re in a simulation!
Most consider SIDT to be an actual flaw of x86 architecture design. In computer science terms, it fails the Popek-Goldberg test. Intel engineers didn’t anticipate the security risk in the 80s.
The single instruction redpill doesn’t work anymore, hypervisors are way better now. We’ve got extra ring levels, multiple cores, KASLR, you can also trap + lie. But it was fun while it lasted!
Of course, modern “red pills” are very advanced; anyone who’s worked in reverse engineering, malware, anti-cheat, DRM, (maybe timekeeping too?) is intimately familiar with VM detection. I’m curious if there are any other fields that very strictly check for emulation.



English

@ale_sp_brazil Nice, it would be cool to see u do writeups or articles regarding DXGK(DirectX Graphics Kernel) and malicious context creation in drivers that register callbacks with dxgkrnl.sys(Microsoft's DirectX Graphics Kernel module)/not traditional WDM/compute accelerators,callback hooking
English

Exploiting Reversing (ER) series: article 09 | Exploitation Techniques: CVE-2024-30085 (part 03)
Today I am releasing the nineth article in the Exploiting Reversing Series (ERS). In “Exploitation Techniques | CVE-2024-30085 (Part 09)” I provide a 106-page deep dive and a comprehensive roadmap for vulnerability exploitation:
exploitreversing.com/2026/04/28/exp…
Key features of this edition:
[+] Dual Exploit Strategies: Two distinct exploit editions built on the cldflt.sys heap overflow.
[+] PreviousMode Edition: Exploit cldflt.sys via WNF OOB + Pipe Attributes + ALPC + _KTHREAD.PreviousMode flip: elevation of privilege of a regular user to SYSTEM.
[+] PPL Bypass Edition: Exploit cldflt.sys via WNF OOB + PreviousMode flip + _EPROCESS.Protection strip + MiniDumpWriteDump: elevation of regular user to SYSTEM.
[+] Solid Reliability: Two complete, stable exploits, including a multi-step cleanup phase that restores the corrupted pipe attribute Flink and _KTHREAD.PreviousMode before process exit, preventing crash on cleanup.
This article guides you through two additional techniques for exploiting the CVE-2024-30085 Heap Buffer Overflow. While demonstrated here, these methods can be adapted as exploitation techniques for many other kernel targets.
I hope this serves as a definitive resource for your research. If you find it helpful, please feel free to share it or reach out with your feedback!
I would like to thank Ilfak Guilfanov (@ilfak) and Hex-Rays SA (@HexRaysSA) for their constant and uninterrupted support, which has been vital in helping me produce this series.
The following articles will continue the miniseries about iOS and Chrome, which are my areas of research.
Enjoy the reading and have an excellent day.
#exploit #exploitdevelopment #windows #exploitation #vulnerability #minifilterdriver #kernel #heapoverflow

English

The new menu music for #BlackOpsColdWar sounds like it was made for @drdisrespect and the champions club...
English

We are currently investigating reports of login issues. Apologies for any inconvenience caused. #BlizzCS
English

We're currently investigating an issue affecting our authentication servers, which may result in failed or slow login attempts. #BlizzCS
English


