quarkslab

1.7K posts

@quarkslab

Securing every bit of your data https://t.co/hqdd8jMkYM https://t.co/GOXPtukIXE

Paris, France · Joined October 2011
13 Following · 12.4K Followers
quarkslab (@quarkslab)
A hands-on look at Microsoft’s Independent Guest Virtual Machine (IGVM) format inside OpenHCL’s `openhcl.bin`. We unpack the fixed header, variable headers, data layout, and how IGVM measurement supports Confidential Computing with SEV-SNP and TDX. 🔗blog.quarkslab.com/the-igvm-file-…
quarkslab reposted
Sébastien Rolland (@Blindevy)
My new blog post is released. It explains in detail how applications (App Registrations, Service Principals, MI) and their permissions really work, why they can introduce several subtle paths for privilege escalation, and presents my open-source tool designed to uncover them.
quarkslab (@quarkslab)

Do you know how Entra ID applications work? What about the security mess they can bring and what they can quietly break? New blog post on Entra ID application permissions, the audit nightmare they create, and QAZPT, our OSS tool built to make sense of it: blog.quarkslab.com/auditing-appli…

quarkslab (@quarkslab)
Do you know how Entra ID applications work? What about the security mess they can bring and what they can quietly break? New blog post on Entra ID application permissions, the audit nightmare they create, and QAZPT, our OSS tool built to make sense of it: blog.quarkslab.com/auditing-appli…
quarkslab (@quarkslab)
Obfuscation vs The Optimizer: A Battle in LLVM Middle End. @yates82 shows us how the continuous improvement of the LLVM optimizer defeats naive code obfuscation, and how the obfuscator can fight back. An eternal fight in which all victories are ephemeral blog.quarkslab.com/obfuscation-vs…
quarkslab (@quarkslab)
🤔Ever wondered how your favorite tools work under the hood? During our work on SightHouse, we dug into BSIM, Ghidra's Binary function SIMilarity engine. Many tools have been built around it, yet its internals remained undocumented. Until now 👇 blog.quarkslab.com/bsim-explained…
quarkslab (@quarkslab)
🚗 We traced a car’s life from China to Poland. By analyzing a BYD Telematic Control Unit, Romain Marchand reconstructed its journey and identified a real-world event from GPS logs alone. Embedded forensics + OSINT = real stories hidden in data. 👉 blog.quarkslab.com/tearing-down-a…
quarkslab reposted
Farenain (@Farenain)
Recently @quarkslab published a solution of a CTF using TritonDSE and QBDI where they analyzed a VM protected binary, and I thought "Shit, I want to analyze something too...". And this weekend I did an analysis of another crackme with a custom VM but this time using Triton! 🧵
quarkslab (@quarkslab)
Tired of reversing the same libc for the 100th time? 👀 Meet SightHouse, our open-source tool that automatically detects third-party library functions in binaries. High-confidence function mapping. Works with any disassembler. By @Mad5quirrel & Sami. 🔗 blog.quarkslab.com/sighthouse-aut…
quarkslab (@quarkslab)
The dragon has a VM. Of course it does. Our latest blog walks through the analysis of a complex C++ binary hiding behind a virtual machine, themed as a classic RPG fight. QBDI & TritonDSE are your weapons of choice. The dragon doesn't stand a chance. 🐉 blog.quarkslab.com/qbdi-vs-triton…
quarkslab (@quarkslab)
Rule 1️⃣ : "In WAF we (should not) trust" Your WAF is doing its best. That's just not enough 😮‍💨 A deep dive into Web Application Firewall bypass techniques, discovering why blocked ⛔ doesn't always mean safe. blog.quarkslab.com/in-waf-we-shou…
quarkslab (@quarkslab)
"Intego X9: Never trust my updates" Read @Coiffeur0x90's research showing how XPC interprocess communications and the update mechanism of the Intego antivirus for macOS can be abused for local privilege escalation. blog.quarkslab.com/intego_lpe_mac…
quarkslab (@quarkslab)
"How does it even work?" The question that keeps hackers' hearts pumping, blood pressure rising, and curiosity growing. This is @virtualabs's reverse engineering journey into a cheap smartwatch that measures at least one of those. blog.quarkslab.com/nerd-life-week…
quarkslab reposted
Pass the SALT Conference (@passthesaltcon)
SPONSOR 📣 Today, we are very happy to announce the @quarkslab Gold level sponsoring 😍 📄 @quarkslab provides to companies Security Audit capabilities, Consulting expertise powered by its cutting edge R&D and Qshield, its comprehensive security suite 1/2
quarkslab reposted
Gyorgy Miru (Gym) (@gymiru)
@quarkslab @kaluche_ We were not careful enough and ran into that NDA when reporting Avast bugs. To their credit Gendigital ended up being absolutely reasonable about it and greenlit the full disclosure. The truly shameful part is Bugcrowd default policy with the NDA. Very hostile.
quarkslab reposted
Ryan Naraine (@ryanaraine)
🤯 Quarkslab spent five months trying to report vulns to security vendor Avira/Gen Digital but hit a deadlock because Gen Digital would only accept reports through their bug bounty platform (which required an NDA), so Quarkslab eventually just emailed the report and published after 90 days. This timeline explains the madness blog.quarkslab.com/avira-deserial…
quarkslab (@quarkslab)
If you glitch one, can you glitch many? Extracting automotive firmware is a challenge. @Phil_BARR3TT explains how he bypassed the IDCODE protection in several variants of the RH850 MCU family using both voltage glitching and side-channel analysis ⚡️🚗 blog.quarkslab.com/bypassing-debu…
quarkslab (@quarkslab)
Reverse engineers often spend a lot of time deciphering third-party firmware libraries. At RE//verse 2026 (Fri, 5 PM), Benoit & Sami will introduce SightHouse, an open-source tool to automatically identify third-party functions and speed up analysis. Join us!