cr3ghost (@cr3ghost), 95 posts

A student passionate about reverse engineering, Windows internals, anti-cheat research, malware research, and exploit research. Aspiring red teamer.

Australia. Joined May 2026
272 Following, 900 Followers

Pinned Tweet

cr3ghost (@cr3ghost):
Alexandre Borges has published over 700 pages of free security, malware and vulnerability research. A complete Malware Analysis Series covering Windows, macOS, iOS, Linux and shellcode. An Exploiting Reversing Series covering Windows kernel exploitation, Hyper-V, Chrome, and a three-part deep dive on CVE-2024-30085. No paywall. No course. Just research. Free as in beer. exploitreversing.com Author: @ale_sp_brazil #ReverseEngineering #MalwareAnalysis #InfoSec
cr3ghost (@cr3ghost):
UEFI bootkits are no longer theoretical. BlackLotus. HybridPetya. CosmicStrand, as demonstrated in "Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats" by @matrosov. Researchers demonstrated the same class of technique against VBS enclaves, the most isolated execution environment Windows offers. Hooked GetVariable(). Intercepted BlLdrLoadImage(). Injected into hvax64.exe before VBS initialised. Owned the VM-exit handler at ring -1. Read and wrote VTL1 enclave memory directly from the hypervisor. If your threat model stops at ring 0, it stops too early. Full PoC included. tulach.cc/using-vbs-encl… tulach.cc/from-firmware-… Author: @tulachsam #Malware #Infosec #ReverseEngineering
Quoted tweet from cr3ghost (@cr3ghost):

This is the type of malware game hackers build to bypass kernel anti-cheat. The same techniques can be used by malware authors to evade EDRs. A UEFI bootkit that injects into Microsoft's own Hyper-V at ring -1 before the OS even loads (easier than building a custom hypervisor from scratch). Four-phase bootloader. Hypervisor VM-exit interception. EPT page shadowing. MSR virtualization. EFI memory map ghosting. TPM measurement spoofing. Reads like malware. Because it is. Videos and full technical breakdown in the link. Author: gsmll.github.io/hypervenom/wri… #ReverseEngineering #Malware #AntiCheat

Smukx.E (@5mukx):
Honestly, what is this? I got a response from the @github support team. So from here on, legal security research and PoCs are not allowed on GitHub? I'm completely disappointed by @github and @Microsoft @MsftSecIntel. In what ways did I distribute and share malware? Can anyone tell me if there is a mistake on my side? Did I share 0-days, vulnerabilities, direct binaries or a full exploit chain that harms users? None? Is posting legal source code and tools made from public PoCs wrong? There are thousands of full-chain real exploits that bypass EDRs, C2s that evade security solutions, phishing kits that bypass Microsoft's MFA out there on @github. If that is legal, then why can't this simple publicly made PoC be on GitHub? I have replied regarding my statements. Please don't disappoint younger legal Windows security researchers like this. I have some little hope in @github @Microsoft @MsftSecIntel. I have a little hope. So please don't make me lose it in @github & @Microsoft & @MsftSecIntel. Ticket ID: #4440743 Will be waiting for your kind response. Thank you. x.com/5mukx/status/2… #github #microsoft #security #research
Smukx.E (@5mukx):
@cr3ghost @github @Microsoft @MsftSecIntel I'm not a bot; I have been hosting these repos for more than 4 years. How can this be a ransomware PoC as a private repo? If that's true, then they could have done that earlier, right? Why now?
cr3ghost (@cr3ghost):
@jonasLyk Good to see you back. Hope you are doing well. Nice work too!
cr3ghost (@cr3ghost):
Most people learn security research by reading finished writeups. This one shows the actual process. The messy, organic, step-by-step reality of reversing an unknown Windows mitigation from scratch. WinDbg. IDA. Hex-Rays. Guard page violations. Trap flags. Zero prior knowledge of the target. If you want to learn how to actually approach unknown Windows internals, start here. windows-internals.com/an-exercise-in… Author: @yarden_shafir #ReverseEngineering #WindowsInternals #InfoSec
cr3ghost (@cr3ghost):
@HackingLZ Microsoft does a great job at helping the security industry by staying more vulnerable.
cr3ghost (@cr3ghost):
@vxunderground at this point the CEO of Microsoft is probably on autopilot or should we say copilot 🤣
vx-underground (@vxunderground):
Microsoft introduces Microsoft Scout, also known as Autopilot. Scout is always on and has file system and application access "based on your corporate policy". Best news for Threat Actors in a long time microsoft.com/en-us/microsof…
cr3ghost (@cr3ghost):
I believe I was trying to say it’s a “malware technique”; obviously it’s not doing anything malicious, but you could easily add functionality to do that in the user-mode component. Most game cheats use malware-like techniques. It helps non-technical individuals understand the similarities.
cr3ghost (@cr3ghost):
This is the type of malware game hackers build to bypass kernel anti-cheat. The same techniques can be used by malware authors to evade EDRs. A UEFI bootkit that injects into Microsoft's own Hyper-V at ring -1 before the OS even loads (easier than building a custom hypervisor from scratch). Four-phase bootloader. Hypervisor VM-exit interception. EPT page shadowing. MSR virtualization. EFI memory map ghosting. TPM measurement spoofing. Reads like malware. Because it is. Videos and full technical breakdown in the link. Author: gsmll.github.io/hypervenom/wri… #ReverseEngineering #Malware #AntiCheat
Quoted tweet from cr3ghost (@cr3ghost):

While gamers debate kernel anti-cheat, ring-1[.]io was shipping a Themida-protected UEFI bootkit that injects into Hyper-V, manipulates EPT entries, clones game page tables, and hides memory contents below the OS entirely. After partially deobfuscating their binaries and recovering critical functions, this is what was inside. Bungie and Ubisoft sued them. They found $12 million in Bitcoin and kept going. This is what kernel anti-cheat is actually fighting. back.engineering/blog/04/02/202… Authors: @BackEngineerLab #AntiCheat #Malware #InfoSec

cr3ghost (@cr3ghost):
Free resources are the best way to learn.
cr3ghost (@cr3ghost):
@IAMERICAbooted @jonasLyk I was probably in high school when this legend was hacking. I wanted to sell my 0-exploits too, but someone told me it is a cyber weapon and it’s illegal. So instead I just use in-game cheats.
EZ (@IAMERICAbooted):
Also, none of that is illegal. In fact many security researchers sell their bugs to brokers instead who then sell them to nation states. TBH, I've never understood why researchers submit to MS bug bounty because everyone knows they pay the least, have a lot of incompetence, and cause so much more work.
cr3ghost (@cr3ghost):
@NinjaParanoid @Octoberfest73 What experiences have you had with EDR vendors? I’m curious to know people’s interactions when reporting bugs or bypasses and their bounty programs. Are they okay with releasing blog posts on bypassing them, or are they the same as anti-cheat vendors?
Chetan Nayak (Brute Ratel C4 Author):
@Octoberfest73 It's good. I have done this before, but decided not to add it to brc4, since I have seen this getting flagged by one specific EDR due to not having the BaseThreadInitThunk and UserThreadStart frames. You know who 😂
Octoberfest7 (@Octoberfest73):
✅Call APIs requiring 5+ args ✅Store return values ✅Chain multiple spoofed calls for sleep obfuscation ✅Zero user code required during execution ✅CET/HSP/Shadow stack compliant Big things coming to the UDRL and Sleepmask Development course...
cr3ghost (@cr3ghost):
@cyb3rops Do they even have a security team, and if they do, then why are they not part of the SDLC?
cr3ghost (@cr3ghost):
Server-side authority works well for smaller player counts but at millions of concurrent players the latency and infrastructure cost becomes a real problem. Most studios cannot afford to run authoritative physics and position validation at that scale. Client-side is not ideal but it is a practical reality. The honest answer is both are needed and neither alone solves it.
Dodge This Security (@shotgunner101):
The difference is that installation is MANDATORY for entertainment purposes, and companies with the level of access anti-cheats give have historically been HORRIBLE at not abusing it. Look at Microsoft with its thousands of diagnostic data points they collect, then resell to ~2000 "partners" as well as to government agencies. It's on by default and takes extensive OS changes in the registry, on disk and on your network to stop. Kernel-level anti-cheats also require mandatory low-level access to your device as they scan memory, disk, modules, hooks (some have been caught scanning browser history), network traffic, registry, BIOS, hardware info, TPM info, etc. That information is then commonly all sent back to the anti-cheat companies' servers. You *hope* they won't abuse this level of access and privilege, but there are hundreds of millions of dollars as incentive and maybe 5% of that at risk from fines if they're caught. Why wouldn't they abuse it? Any game without kernel-level anti-cheat I can run within a Sandboxie instance and restrict its external access to other programs' memory, files, registry, network, etc., and still play the game fine, with limited concern of it "expanding" its access beyond the set limits. I also play games without kernel-mode anti-cheat in a virtual machine with GPU passthrough from my host operating system and get near the same frame rate with zero risk to my personal data. Kernel-level anti-cheat is effectively a mandatory rootkit from for-profit companies, just to try and enjoy games. Anti-cheat companies should be focusing on player behavior patterns, limiting information sent from the server, only sending the information needed to each individual client when it's needed, statistics- and AI-based detection mechanisms, etc. The reason is that all the server-side, statistics- and behavior-based detections take much of the control out of the cheater and hack creators' hands and limit their severity in the first place, so they have exponentially less impact.
Say, for example, bullet trajectories, spread and recoil are all server-side authoritative instead of client-side authoritative. Then how exactly would a cheat maker have any control over those functions if it's server-sided and random? They wouldn't. If ESP requires player positions and player positions aren't sent until the enemy is visible or is soon to be visible near a corner, then the effect of ESP is exponentially reduced, as you don't have "global" player position awareness at all times. That helps defeat radar, ESP, snaplines, chams/skeletons, etc. almost entirely (you'd have to respond in a split second to the info instead of having unlimited time to respond). The same with aimbots: if I'm tracking player mouse movements/camera movements, I'm monitoring for impossible micro-adjustments in the sub-100ms range to stay on target, and I'm comparing that information with a player's statistics, then "rage" hacking is effectively dead, given you can't just have 360-degree aimbot coverage and instant reaction anymore with an 80%+ headshot rate in sub-100ms times. This forces cheaters into more human gameplay and helps eliminate the disruptive nature of aimbots. If bullet trajectories are server-sided, then magic bullet is effectively dead. The list goes on and on, but my point is kernel-level anti-cheat is the past; the hacker will ALWAYS have the advantage on hardware they control and have 24/7 access to. We have 25 years of evidence for this. Statistics, AI-based and server-sided processing and info control are the future, as they take the power away from hack makers and users, while simultaneously eliminating all the data risks and legal liability linked with kernel-level anti-cheats.
cr3ghost (@cr3ghost):
Gamers worry about kernel anti-cheats when any user-mode software (ring 3) can already read your passwords, browser history, log your keystrokes, record your camera, steal your files, and exfiltrate your data. Spyware has never needed the kernel. Kernel access is not what makes something spyware. Cheaters have been loading kernel drivers and hypervisors for years to hide from detection. A user-mode anti-cheat has no way to detect something already operating below it. Loading at boot is necessary. If anti-cheat loads after a cheat driver is already in the kernel, it has already lost. Read: Why Anti-Cheat Software Utilize Kernel Drivers secret.club/2020/04/17/ker… Author: @vm_call from @the_secret_club #AntiCheat #GameSecurity
Quoted tweet from cr3ghost (@cr3ghost):

Vanguard runs at boot because cheats run at boot. Riot clones the PML4 table, inserts a shadow entry into a free slot, hooks SwapContext, and swaps CR3 per-thread at context switch time. If it was spyware, researchers would have found it. They found this instead. Reverse engineering is an art. When in doubt, reverse it. #ReverseEngineering #Vanguard #InfoSec Full RE breakdown by @Xyrem256: reversing.info/posts/guardedr…

Nate (@nnwakelam):
Waiting for bounty payouts.