tfll37

14 posts

tfll37 banner
tfll37

tfll37

@dingototh

Part of: RaptX Rev, obfuscation, LLMs

Katılım Mart 2017
255 Takip Edilen14 Takipçiler
tfll37 retweetledi
mk0
mk0@fancymalware·
I started digging into npm packages auth logic a few days ago and got my first critical CVEs ^^ #event-573678" target="_blank" rel="nofollow noopener">github.com/parse-communit…
English
1
1
8
377
tfll37 retweetledi
📕「マルウエアの教科書」著者 | 吉川孝志 | 増補改訂版🌟発売中
Windowsユーザーモードのセキュリティ研究ブログが2020年から2025年にかけて計12記事を無料公開しています。隠れたコード実行・プロセスタンパリング・コードインジェクションを攻撃→検知の順で3部構成にまとめた「Concealed-Code-Execution」シリーズを軸に、Sysmon回避・プロセスクローン・メモリ上のPE再構築など、攻撃手法とその検知痕跡を並べて追える構成です。 Windowsの内部構造を攻撃と検知の両面から扱う資料は、マルウェア解析でもEDRの検知ロジックを読む場合でも参照先として有用です。 【要点の整理】 ・中核は「Concealed-Code-Execution」3部作(2022年8月)。Part-1がプロセスタンパリング(Process-Hollowing・Herpaderping・Ghosting等の分類と比較)、Part-2がコードインジェクション(APC・Thread-Hijacking・DLL注入等の手法別整理)、Part-3が検知(Part-1/2で扱った手法ごとに、どのAPIコール・メモリ属性・イベントログが観測可能かを分析)という攻撃と検知を対にした構成。 ・「Sysmon-14.0のFileBlockExecutable回避」(2022年9月)はSysmonの実行ブロック機能の前提を分析し、前提が崩れる条件を示した研究。「プロセスクローンの完全ガイド」(2023年4月)はWindowsのプロセス複製機構を網羅的に解説。「PE再構築」(2024年4月)はメモリ上のイメージからディスク上のPEを復元する手法を扱い、マルウェアのダンプ解析に直結する内容。 ・IFEO(Image-File-Execution-Options)によるプロセス起動時の介入(2021年2月)、Transactional-NTFSを使ったサンドボックス構築(2020年1月)、プロセス停止手法の比較とバイパス(2021年5月)、AFDソケットのフォレンジック可視化(2025年5月)、Restart-Manager痕跡の解析ツール(2024年9月)、BSODの設計思想分析(2024年8月)も公開されている構成。 詳細は以下を参照: diversenok.github.io (※可能な範囲でファクトチェックは実施済なものの、元記事の精度依存や速報・要約の性質上漏れもありうるため、正確な情報は一次情報を直接参照のこと)
日本語
0
27
140
7.8K
tfll37
tfll37@dingototh·
@PELock @z3ro2504 Was going to write more on how fkn noisy this is, but ur post made me realise they're not evading shit cuz they already have it systemed lmao. Ig they EDR-killing just cuz it sounds cool
English
1
0
1
52
PELock
PELock@PELock·
@z3ro2504 What a bs thing. If you have access to the process by creating it with OpenProcess, what's the actual point of poisoning the args if you can do *anything* within that process code/data? I guess you do it just to keep a job and pretend to do anything useful. AI should replace you.
GIF
English
2
1
2
177
tfll37
tfll37@dingototh·
@z3ro2504 Changing thread contexts without susp is alsmost 100% to cause crashes or locks in the wild(sus af) Also WHAT are scenarios for just some random context free threads that are hanging or specifically spawned such threads that also look sus. A lot of sidestepping in this article...
English
0
0
0
53
tfll37 retweetledi
LaurieWired
LaurieWired@lauriewired·
Is your software is running in a simulation? Trust me, sometimes you really, really care. There used to be a really simple, single-instruction trick in x86 assembly, affectionally known as “the Red Pill”. SIDT is an (unprivileged!) instruction that tells you where the Interrupt Descriptor Table lives in memory. On bare metal, the IDT sits pretty low. Early VMware placed its virtualized IDT in a very high address, to avoid the guest colliding with the host. Very easy check, IDT high = you’re in a simulation! Most consider SIDT to be an actual flaw of x86 architecture design. In computer science terms, it fails the Popek-Goldberg test. Intel engineers didn’t anticipate the security risk in the 80s. The single instruction redpill doesn’t work anymore, hypervisors are way better now. We’ve got extra ring levels, multiple cores, KASLR, you can also trap + lie. But it was fun while it lasted! Of course, modern “red pills” are very advanced; anyone who’s worked in reverse engineering, malware, anti-cheat, DRM, (maybe timekeeping too?) is intimately familiar with VM detection. I’m curious if there are any other fields that very strictly check for emulation.
LaurieWired tweet mediaLaurieWired tweet mediaLaurieWired tweet media
English
45
110
1.5K
78.8K
tfll37
tfll37@dingototh·
@ale_sp_brazil Nice, it would be cool to see u do writeups or articles regarding DXGK(DirectX Graphics Kernel) and malicious context creation in drivers that register callbacks with dxgkrnl.sys(Microsoft's DirectX Graphics Kernel module)/not traditional WDM/compute accelerators,callback hooking
English
0
1
1
67
Alexandre Borges
Alexandre Borges@ale_sp_brazil·
Exploiting Reversing (ER) series: article 09 | Exploitation Techniques: CVE-2024-30085 (part 03) Today I am releasing the nineth article in the Exploiting Reversing Series (ERS). In “Exploitation Techniques | CVE-2024-30085 (Part 09)” I provide a 106-page deep dive and a comprehensive roadmap for vulnerability exploitation: exploitreversing.com/2026/04/28/exp… Key features of this edition: [+] Dual Exploit Strategies: Two distinct exploit editions built on the cldflt.sys heap overflow. [+] PreviousMode Edition: Exploit cldflt.sys via WNF OOB + Pipe Attributes + ALPC + _KTHREAD.PreviousMode flip: elevation of privilege of a regular user to SYSTEM. [+] PPL Bypass Edition: Exploit cldflt.sys via WNF OOB + PreviousMode flip + _EPROCESS.Protection strip + MiniDumpWriteDump: elevation of regular user to SYSTEM. [+] Solid Reliability: Two complete, stable exploits, including a multi-step cleanup phase that restores the corrupted pipe attribute Flink and _KTHREAD.PreviousMode before process exit, preventing crash on cleanup. This article guides you through two additional techniques for exploiting the CVE-2024-30085 Heap Buffer Overflow. While demonstrated here, these methods can be adapted as exploitation techniques for many other kernel targets. I hope this serves as a definitive resource for your research. If you find it helpful, please feel free to share it or reach out with your feedback! I would like to thank Ilfak Guilfanov (@ilfak) and Hex-Rays SA (@HexRaysSA) for their constant and uninterrupted support, which has been vital in helping me produce this series. The following articles will continue the miniseries about iOS and Chrome, which are my areas of research. Enjoy the reading and have an excellent day. #exploit #exploitdevelopment #windows #exploitation #vulnerability #minifilterdriver #kernel #heapoverflow
Alexandre Borges tweet media
English
3
59
192
10.4K
Blizzard CS EU
Blizzard CS EU@BlizzardCSEU_EN·
We are currently investigating reports of login issues. Apologies for any inconvenience caused. #BlizzCS
English
237
36
271
0
Blizzard CS EU
Blizzard CS EU@BlizzardCSEU_EN·
We're currently investigating an issue affecting our authentication servers, which may result in failed or slow login attempts. #BlizzCS
English
120
24
136
0