• Windows Kernel Ps Callbacks Experiments

    I won’t be sharing any 0day here (well, maybe an “nday” if you haven’t been looking into ring0 that much). The fact is, there’s not much public information about this subject (attacks against the Windows kernel Ps callbacks). To play a little with these kernel callbacks, I “wrote” (yes, in quotes) a pseudo-EDR proof of concept that uses them. This post tells the story of some of these ring0 experiments.

  • Dynamic Binary Instrumentation Primer

    Dynamic Binary Instrumentation (DBI) is a method of analyzing the behavior of a binary application at runtime through the injection of instrumentation code - Uninformed 2007

  • Practical Symbolic Execution and Satisfiability Modulo Theories (SMT) 101

    Finding bugs is hard; reverse engineering is hard. Constraint solvers are at the heart of many program analysis techniques, and can aid fuzzing and software verification.

  • kcshell: assembly/disassembly shell

    I lacked something like metasm_shell and nasm_shell that allowed me to translate between assembly instructions and opcodes, and at the same time let me switch between x86 and x64. Since I was already playing with the Keystone, Capstone and Unicorn Python bindings (the “triforce”) in a different project, I decided to write a small interactive assembly/disassembly shell for various architectures, powered by Keystone/Capstone.

  • hunting (l)users using WinAPI calls only

    During Red Team engagements it is common to track/hunt specific users. Assume we already have access to a desktop as a normal user (no matter how; always “assume compromise”) in a Windows domain and want to move laterally.

  • Cracking Orcus RAT

    After my previous post here, I got a message from an anonymous source asking me if I would like to have a look at another piece of malware written in managed code (one that was also in the news recently), more precisely the Orcus RAT.

  • Cracking HawkEye Keylogger Reborn

    I had never heard of HawkEye Keylogger until I read the following blog post from Trustwave. I found the number of features quite interesting and was curious to have a closer look at the source code.