Mo'men Mahmoud (@moex0_1)
Threat Detection & Response ▪️ BlackHat Trainer
25 posts · Joined June 2020 · 434 Following · 96 Followers
Mo'men Mahmoud@moex0_1·
During recent memory forensics research I've been doing on evading memory scanners, I was researching how to bypass Volatility's Malfind plugin, and I developed a reflective PE loader for that.

Malfind searches for memory regions where the VAD (Virtual Address Descriptor) shows both WRITE and EXECUTE permissions, since legitimate applications rarely allocate PAGE_EXECUTE_READWRITE memory. This makes W+X a strong indicator of shellcode injection. But since VADs store the initial allocation protection set by VirtualAlloc, when VirtualProtect changes page permissions, only the permissions in the underlying page table entries (PTEs) are modified, while the VAD's AllocationProtect field remains as originally set.

To demonstrate this, I wrote a reflective loader that:
1. Allocates memory with PAGE_READWRITE (VAD records: RW)
2. Writes the PE image, resolves imports, applies relocations
3. Calls VirtualProtect to set PAGE_EXECUTE_READ on the .text section

The VAD still shows PAGE_READWRITE (no execute), so Malfind doesn't flag it. The code executes normally because the CPU uses the actual page permissions from the PTEs, not the VAD.

This shows that in an investigation, relying on a single tool can lead to missed evidence and wrong conclusions. To detect this technique, dump private VAD regions (e.g., using Volatility's vadinfo plugin with --dump) and scan for PE headers (MZ/0x4D5A), which reveals injected code that Malfind misses. However, this approach requires filtering out legitimate PEs (e.g., Windows system DLLs), and this might take some time.

In a follow-up post, I'll share a detection method I developed that reliably identifies reflectively loaded PEs regardless of VAD permissions.

GitHub: github.com/moex01/Malfind…
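The detection step the post describes, dumping VAD regions and scanning them for MZ/PE headers instead of trusting the VAD protection, as an added Python example (not the author's code and not taken from the linked repository). It assumes the regions have already been dumped (for instance by vadinfo --dump) and are passed in as a dict of region base address to bytes; the regions, the minimal PE image and the known-good hash allowlist used to drop legitimate images are all constructed inline for the example.

```python
"""Scan dumped memory regions for PE headers, independent of VAD protection.

Added example, not the author's code. It models the detection step from the
post: take regions dumped from a memory image, look for an MZ header at any
offset, validate it through e_lfanew to the PE signature and COFF header, and
drop regions whose header page matches a known-good allowlist (a stand-in
for filtering legitimate system DLLs). All data below is constructed.
"""
import hashlib
import struct
from dataclasses import dataclass

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
DOS_HEADER_SIZE = 0x40
E_LFANEW_OFFSET = 0x3C
COFF_HEADER_SIZE = 20
PAGE_SIZE = 0x1000


@dataclass(frozen=True)
class PeFinding:
    region_base: int   # virtual address of the dumped VAD region
    offset: int        # offset of the MZ header inside the region
    machine: int       # IMAGE_FILE_HEADER.Machine (0x8664 = x64)
    num_sections: int  # IMAGE_FILE_HEADER.NumberOfSections


def parse_pe_at(data: bytes, off: int):
    """Return (machine, num_sections) if a valid MZ/PE header starts at off, else None."""
    if data[off:off + 2] != MZ_MAGIC or off + DOS_HEADER_SIZE > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, off + E_LFANEW_OFFSET)[0]
    # A plausible e_lfanew points past the DOS header and stays inside the first page;
    # "MZ" that merely occurs in text or data fails this check.
    if not DOS_HEADER_SIZE <= e_lfanew < PAGE_SIZE:
        return None
    pe_off = off + e_lfanew
    if pe_off + 4 + COFF_HEADER_SIZE > len(data):
        return None  # header runs past the dumped region, cannot validate
    if data[pe_off:pe_off + 4] != PE_SIGNATURE:
        return None
    machine, num_sections = struct.unpack_from("<HH", data, pe_off + 4)
    if num_sections == 0 or num_sections > 96:
        return None
    return machine, num_sections


def scan_region(data: bytes, region_base: int) -> list:
    """Find every validated PE header in one dumped region, at any offset."""
    findings = []
    off = data.find(MZ_MAGIC)
    while off != -1:
        parsed = parse_pe_at(data, off)
        if parsed is not None:
            findings.append(PeFinding(region_base, off, *parsed))
        off = data.find(MZ_MAGIC, off + 1)
    return findings


def header_page_hash(data: bytes, off: int) -> str:
    """SHA-256 of the page starting at the MZ header, used as the allowlist key."""
    return hashlib.sha256(data[off:off + PAGE_SIZE]).hexdigest()


def scan_dump(regions: dict, known_good: set) -> list:
    """Scan all dumped regions; drop headers whose first page is allowlisted."""
    results = []
    for base, data in regions.items():
        for finding in scan_region(data, base):
            if header_page_hash(data, finding.offset) in known_good:
                continue
            results.append(finding)
    return results


# --- constructed sample data (not from a real image) -------------------------
def build_fake_pe(machine: int = 0x8664, num_sections: int = 3, e_lfanew: int = 0x80) -> bytes:
    """Minimal DOS header + stub + PE signature + COFF header, padded to one page."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    stub = bytes(e_lfanew - DOS_HEADER_SIZE)
    coff = struct.pack("<HHIIIHH", machine, num_sections, 0, 0, 0, 0xF0, 0x22)
    image = bytes(dos) + stub + PE_SIGNATURE + coff
    return image + bytes(PAGE_SIZE - len(image))


def constructed_regions() -> dict:
    """Four dumped regions: one injected image, one text blob, one truncated header, one allowlisted image."""
    return {
        0x7FF6_1000_0000: build_fake_pe(),                         # injected PE (VAD said RW)
        0x7FF6_2000_0000: b"log text mentioning MZ and MZ again" + bytes(0x200),
        0x7FF6_3000_0000: build_fake_pe()[:0x50],                  # e_lfanew beyond region end
        0x7FF6_4000_0000: build_fake_pe(num_sections=5),           # known-good image
    }


# Constructed allowlist: in practice this would hold hashes of legitimate module headers.
KNOWN_GOOD = {header_page_hash(build_fake_pe(num_sections=5), 0)}

if __name__ == "__main__":
    for f in scan_dump(constructed_regions(), KNOWN_GOOD):
        print(f"region 0x{f.region_base:X} +0x{f.offset:X}: "
              f"machine=0x{f.machine:X} sections={f.num_sections}")
```

Only the first region is reported: the text blob fails the e_lfanew check, the truncated region cannot be validated, and the fourth region is dropped by the allowlist. None of this consults the VAD protection, which is the point the post makes about Malfind.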
Mo'men Mahmoud reposted
inversecos@inversecos·
How the NSA (Equation Group) allegedly hacked into China's Polytechnical University 👀 I analysed intelligence reports from Chinese cyber firms (360, Pangu, CVERC) to aggregate TTPs attributed to Equation Group. 🔗inversecos.com/2025/02/an-ins…
𒐪@ZeroOne68219467·
@moex0_1 @CISAgov Super nice diagrams 🙂 what tool do you use ?
Mo'men Mahmoud reposted
Mohammed Hasan@0xHasanM·
Had a pleasure presenting Certified CyberDefender #CCD Training at #blackhat MEA for the third time in a row along with my colleague @moex0_1 alhamdullah #BHMEA #2024
Mo'men Mahmoud@moex0_1·
@m19o__ It was almost the same for me. I started with Malware Analysis because I was interested in it, but most of the experienced people I talked to in the field replied with "you have to get in as SOC and move internally because of supply and demand".
Mo'men Mahmoud@moex0_1·
@m19o__ I also had a problem with this. Regardless of the fact that livelihood and work are ultimately in God's hands and not in people's, I think part of doing one's due diligence is also looking at what the demand in the market is, because some people are in a hurry to find work due to their circumstances, so maybe that's his point of view.
Mo'men Mahmoud@moex0_1·
@binaryz0ne People started dealing with it like Facebook. It was created only for professional work, but now it's full of everything, just like Facebook. I see no difference between them now.
Ali Hadi | B!n@ry@binaryz0ne·
Linkedin = FB + Jobs ? Or does FB also have job postings?!! IDK
vx-underground@vxunderground·
We are doing the last giveaway of the year as vx-underground staff goes AFK for the remainder of the year (probably). You all get hugs and kisses :) See ya in 2024 - vx-underground staff
vx-underground@vxunderground·
Our friend @whid_ninja hooked us up with a Hardware Hacking Offensive Security training + exam. It comes with a bunch of super cool tools too =D *Winner must disclose their home address to receive the package in the mail Comment below to win:) Course: whid.ninja/store/product/…
LaurieWired@lauriewired·
Happy Holidays everyone! I'm giving away 5 copies of the Humble Tech Book Bundle: Hacking 2023 by No Starch Press! The bundle includes 19 excellent books, including some of my personal favorites such as: Art of Mac Malware by @patrickwardle, Practical Malware Analysis by @mikesiko and Andrew Honig, Rootkits and Bootkits by @matrosov, @vxradius and @sergeybratus. Leave a comment to enter!
vx-underground@vxunderground·
Our friend @nikhil_mitt hooked us up with MORE stuff to giveaway for the holiday season. We've got 3 vouchers for the CARTP (Azure Red Teaming course). He's the real MVP. Thank you so much 🙏 Comment below for a chance to win Course details: alteredsecurity.com/azureadlab
Mo'men Mahmoud@moex0_1·
@m19o__ Indeed, anyone who is impressed by someone with "worldly status" needs to take a good look at themselves. May God always make you one of the humble and keep arrogance and self-regard away from you.
X@TheMsterDoctor1·
Reverse Engineering and exploit development. Download 100% Free For First 1000 Users.. Simply:
1. Follow (So I Will Dm) 📥
2. Like and Repost
3. Comment "Send" to receive your copies!! 📚
vx-underground@vxunderground·
Who wants vx-underground merch for Christmas? (It'll probably arrive way past Christmas due to increased volume in shipping, but whatever) Comment on this tweet with what you want and what size. We'll give away like, $800 in merch or something
vx-underground@vxunderground·
Giveaway #6 Hey, are you a nerd wanting to get into malware analysis? Cool, because we're doing a giveaway of "The Art of Malware Analysis", a course aimed for beginners and intermediate individuals. We're giving away 10 vouchers. Comment below for a chance to win 🫡