Clement Rouault

I am sharing my Windows-specific #Python codebase: github.com/hakril/PythonF…. It even has a documentation ! hakril.github.io/PythonForWindo…

Une deuxième rump acceptée ! Un peu d'attaque hardware avec das (@_gquere) : "Temu EMFI: hardware hacking on a budget"

Pour notre première rump acceptée, @angel_killah nous parlera de reverse de jeu d'arcade dans sa rump "A practical example of how arcade games cheat you"

We are releasing a new method to collect the SRUM Windows forensic artifacts : github.com/ExaTrack/SrumQ… @ExaTrack, we have discovered a new method to retrieve the database via a srumapi!SruQueryStatsEx. Thus, we share this method that we used for 2 years in our tools.

Discover a new linux backdoor hidden for 10 YEARS in a critical HTTP server, waiting for a "magic packet" to wake up. Undocumented TTP. Full report: blog.exatrack.com/Butoflex%20pas… #Malware #ThreatHunting #Cybersecurity @ExaTrack @LoginSecurite

🚀 Take your malware analysis skills to the next level with Exalyze Discover our unique capabilities to compare malware code with our entire database, identifying similar samples and uncovering hidden connections. 👉 exalyze.io @Exalyze_io

🚨 WARNING: A fake domain—cff-explorer[.]com—has been registered to distribute malware. It currently appears as the top Google result when searching for "CFF Explorer". The only legitimate domain is ntcore.com.

"A calculator app? Anyone could make that." Not true. A calculator should show you the result of the mathematical expression you entered. That's much, much harder than it sounds. What I'm about to tell you is the greatest calculator app development story ever told.

For the first time, our training "Bug Hunting in Hypervisors" is open to the public at @reconmtl ! Designed for security researchers,we will dive into VM escapes, hypervisor attack surfaces, and real-world exploitation. More info: recon.cx/2025/trainingB…

The second part of my #WinDbg deep-dive into the #Windows #bootloader is up: Get ready for a decades-old registry structure, unique sorting algorithms, and lots of corner cases. The result is a modern Rust replacement for Mark Russinovich's LoadOrder tool: colinfinck.de/posts/nt-load-…

Yes, PDF runs DOOM! th0mas.nl/downloads/doom… (PDFium only for now)

I wanted to know how WMI Win32_OperatingSystem.Caption get the correct Version number (ex: "Microsoft Windows 11 Pro"). Turns out it's a DLL export: winbrand!BrandingLoadString. And there is a patent for that : patentimages.storage.googleapis.com/94/ab/cb/7c1f5…

I just reached 600 stars on PythonForWindows ! \o/ github.com/hakril/PythonF…

3+ YEARS of stealth! We uncovered new tactics used by the perfctl malware, including a userland rootkit & an SSH backdoor (a single SPACE in /etc/passwd!). More insights: blog.exatrack.com/Perfctl-using-… #cybersecurity #threat_hunting #linux #infosec #perfctl #rootkit #ssh #exatrack

After 6 years, I made a blog thingy again. This time about MmScrubMemory. An innocuous looking function that has bitten my ass several times in the last several years. And if you're developing a hypervisor, it might've bitten yours, too. wbenny.github.io/2024-11-21-mms…

in today's 'no way, is it real?' we found out that Palo Alto's PAN-OS CVE-2024-0012 and CVE-2024-9474 were the equivalents of saying 'turn off auth and give me a shell'. Enjoy! labs.watchtowr.com/pots-and-pans-…

Pong, but it's VBS enclave tulach.cc/using-vbs-encl…

In our search for new forensic artifacts at @ExaTrack, we sometimes deep dive into Windows Internals. This one is about COM and interacting with remote objects using a custom python LRPC Client. STUBborn: Activate and call DCOM objects without proxy: blog.exatrack.com/STUBborn/

Kdrill, an open source tool to check if your kernel is rootkited🔥 A python tool to analyze memory dumps AND live kernel. No dep, py2/3, no symbols 💪 It rebuild on the fly kernel structs and check suspicious modifications (and if patchguard is running 👀) github.com/ExaTrack/Kdrill

After nearly 10 years of existence, years of use in production on 10k+ computers. The new PythonForWindows release is 1.0.0 \o/ This release adds three important things: official python 3 support, full Unicode support for py2/py3 & CI testing on GitHub ! github.com/hakril/PythonF…

Just because you get access denied accessing a folder, it doesn't mean you can't get access. A quick look at bypassing the security on the WindowsApps folder. tiraniddo.dev/2024/06/workin…