Worawit Wang

Good morning! Just published a deep dive into PatchGuard internals: how it works, key internal functions, context init, and possible bypasses. r0keb.github.io/posts/PatchGua…

What if you skipped VirtualAlloc, skipped WriteProcessMemory and still got code execution? We explored process injection using nothing but thread context. Full write-up + PoCs: blog.fndsec.net/2025/05/16/the…

The detailed version of our #WorstFit attack is available now! 🔥 Check it out! 👉 blog.orange.tw/posts/2025-01-… cc: @_splitline_

The award-winning Qualys Threat Research Unit (TRU) has discovered a critical vulnerability in OpenSSH, designated CVE-2024-6387 and aptly named "regreSSHion." This Remote Code Execution bug grants full root access, posing a significant exploitation risk. blog.qualys.com/vulnerabilitie…

Exploiting CVE-2024-20656, a Local Privilege Escalation in the VSStandardCollectorService150 Service mdsec.co.uk/2024/01/cve-20… - new research from @filip_dragovic

We're revealing details of an obscure debugging feature in the Apple A12-A16 SoC’s that bypasses all of the hard-to-hack hardware-based memory protections on new iPhones. Its not used by the firmware and we don't know how the attackers found out about it. securelist.com/operation-tria…

The new Cookieless variant (CVE-2023-36560) has been added to soroush.me/blog/2023/08/c… @mwulftange 😇

New write-up on an Intel Ice Lake CPU vulnerability, we can effectively corrupt the RoB with redundant prefixes! 🔥 An updated microcode is available today for all affected products, cloud providers should patch ASAP. lock.cmpxchg8b.com/reptar.html

@x1aoxia0xiao The error message means no formatting library. I only tested on Debian sid/trixie with default packages, g++ version is 13.2.0.

@sleepya_ I installed gcc13.1.0 and cmake15.x on ubuntu20.04 according to README.md, but when I run the py file, it will report that the format file cannot be found.

Initial public #blutter tool for #reversing flutter app by compiling/using Dart runtime github.com/worawit/blutter Now, support only Android target. It should still be useful even it is lack of analysis feature.

@x1aoxia0xiao I've never tried that version. But it should have no problem.

@sleepya_ Hello, can this tool be used for flutter applications version 2.19.6?

Dropping #Downfall, exploiting speculative forwarding of 'Gather' instruction to steal data from hardware registers. #MeltdownSequel - Practical to exploit (POC/Demo) - Defeat all isolation boundaries (OS, VM, SGX) - Bypass all Meltdown/MDS mitigations. downfall.page

#HITB2023HKT COMMSEC: B(l)utter – Reversing Flutter Applications by using Dart Runtime - Worawit Wangwarunyoo - conference.hitb.org/hitbsecconf202…

A new blog post on Intel VT-rp! Part 1 is about how HLAT prevents the remapping attack, taking Windows as an example platform. tandasat.github.io/blog/2023/07/0… Sample hypervisor code: github.com/tandasat/Hello…

First big result from our new CPU research project, a use-after-free in AMD Zen2 processors! 🔥 AMD have just released updated microcode for affected systems, please update! lock.cmpxchg8b.com/zenbleed.html

For anyone that has ran this PoC, consider your data stolen. This is what eventually runs on your host after a few stages. If you wanna analyse it, don't use a web browser or your IP will get blacklisted. #CVE_2023_35829 #backdoor

Introducing DavRelayUp - A port of #KrbRelayUp with modifications to allow for NTLM relay from WebDAV to LDAP and abuse #RBCD in order achieve #LPE in domain-joined windows workstations where LDAP signing is not enforced. Demo in second tweet. github.com/Dec0ne/DavRela…

The approach does not work when Intel VT-rp (HLAT) is used. The code is at github.com/worawit/malk

My approach to call a kernel function and process creation callback against Windows HVCI datafarm-cybersecurity.medium.com/code-execution…. In short, I modified page table of SSDT. Then, change the jump target to another kernel function. For the callback, I used procmon driver functions and SEH.

Today we're publishing new techniques for recovering NTLM hashes from encrypted credentials protected by Windows Defender Credential Guard. These techniques also work on victims logged on before the server was compromised. research.ifcr.dk/pass-the-chall…