Christian W

Hacking is boring. Wanna know what's fun? Browsing MSDN documentation at 2 o'clock in the morning, looking for APIs to potentially abuse in malware. It'll also probably never go in the wild and it'll go unappreciated for several months or even years. That's where the fun is

PS: This was on Windows 10.0.19043, but I couldn't reproduce on Windows 11. It returns like "FiLe CoRrUpTeD" or something like that. techcommunity.microsoft.com/t5/windows-os-…

I assume this has something to do with the cert not being included during hash generation for signing. So the underlying logic probably excluded the "DataDirectory[4].Size" amount of bytes starting from the cert offset when the call checks the modified dll - but could be wrong.

Fun Win10 bug(?): LoadEnclaveImage (supposedly) requires a signed/valid image. However, if I modified the size of DataDirectory[4].Size in SgrmEnclave_secure.dll to include any add'l data I wanted to append to the cert, it would bypass the validation check and get loaded. 1/?

Happy to get this out the door: cloud.google.com/blog/topics/th… Big thanks to @onfvp @jinx_soda @nicastronaut and the other named and unnamed authors. A few highlights ⬇️

Bonus unhinged Paint 3D visualization:

Man, the feeling of finally solving a big blocker in a project after 5 days of thinking/tinkering >>>

@checkymander Generate memes from operator errors

If you had an AI assistant for your c2 platform, what kind of things would you expect it to be able to do?

I'm exited to release GraphStrike, a project I completed during my internship at @RedSiege. Route all of your Cobalt Strike HTTPS traffic through graph.microsoft.com. Tool: github.com/RedSiege/Graph… Dev blog: redsiege.com/blog/2024/01/g… #redteam #infosec #Malware #Microsoft

@vxunderground @nikhil_mitt .

Our friend @nikhil_mitt hooked us up with MORE stuff to giveaway for the holiday season. We've got 3 vouchers for the CARTP (Azure Red Teaming course). He's the real MVP. Thank you so much 🙏 Comment below for a chance to win Course details: alteredsecurity.com/azureadlab

@vxunderground @mrgretzky .

Our friend @mrgretzky hooked us up with 12 Evilginx Mastery courses - making it the 12 days of Evilginx Xmas:) Course details: academy.breakdev.org/evilginx-maste… Comment below for a chance to win.

@vxunderground @MalDevAcademy @mrd0x

Hello, are you a nerd who likes malware? Us too! Our sponsor @MalDevAcademy has hooked us up with 3 lifetime licenses to their courses. Thank you to @mrd0x for the gifts! Leave a comment below for a chance to win!

@_Wra7h It was down a few days ago, and then came back up the same day.

Is pinvoke[.]net dead or just down?

@techspence Used it for a little bit and it was neat but the 10MB helloworld.exe it produced really highlighted that it wasn’t great for postex actions on target.

Do people actually _enjoy_ writing code in Go? 😅

- MATLAB Coder doesn't like loadlibrary()/calllib(). Instead I had to use "coder.cinclude(<header>)" and "coder.ceval(<api>, <arg1>, <arg2>, ...)" in order to leverage Windows APIs. Example: hThread = coder.ceval('CreateThread', [], 0x0, hAlloc, [], 0x0, []); 3/?

So more MATLAB stuff. I managed to get this loader working as a standalone executable and learned a few things during the process that I thought I'd share. 1/?

@PerS1541026 I wasn't worried too much about the thread handle at the time. Though I did just test/update the gist to call CloseHandle.

@_Wra7h Yeah, forget cleanup 😀

Matlab shellcode loader. ew.