sysinternals-source
The publicly available source code lovingly archived at or before the SysInternals acquisition announcement.
https://github.com/xcud/sysinternals-source
#windows #internals #tools
Iris WinDbg Extension
Iris WinDbg extension performs detection of common Windows process mitigations (32 and 64 bits).
https://github.com/fdiskyou/iris
#windows #debugging #internals #windbg
Mimidrv In Depth: Exploring Mimikatz’s Kernel Driver
The goals of this post are to familiarize operators with the capability that Mimidrv provides, put forth some documentation to be used as a reference, introduce those who haven’t had much time working with the kernel to some core concepts, and provide defensive recommendations for mitigating driver-based threats.
https://posts.specterops.io/mimidrv-in-depth-4d273d19e148
#mimikatz #windows #internals
Diff windows kernel structures per OS 👽
https://ntdiff.github.io/
#tools #windows #internals #kernel
Code Integrity in the Kernel
There are cases where you need to reliably identify a process before you allow it to take certain actions. Verifying its Authenticode signature is a trusted way to do that. The user-mode DLL wintrust provides an API specifically for this purpose.
[...]
https://medium.com/cybereason/code-integrity-in-the-kernel-66b3f5cce5f
#windows #kernel #reverse #internals
IceBox
Icebox is a Virtual Machine Introspection solution that enables you to stealthily trace and debug any process (kernel or user). It is based on the Winbagility project.
https://github.com/thalium/icebox
#windows #debug #reverse #internals
auto_re
IDA PRO auto-renaming plugin with tagging support
https://github.com/a1ext/auto_re
#windows #reverse #ida #internals #tools
Using Memory Artifacts As Shellcode Emulation Environment (ft. Unicorn Framework)
https://darungrim.com/research/2020-06-04-UsingMemoryArtifactsAsShellcodeEmulationEnvironment.html
https://github.com/ohjeongwook/ShellCodeEmulator
#windows #shellcoding #internals
Windows SDK Data
Windows API listing in JSON format, generated from the SDK headers plus the SDK API documentation for SAL annotations. You can use it for fuzzing, writing WinDbg extensions, writing a PyKD script to dump parameters, or writing a Frida script that understands parameters.
https://github.com/ohjeongwook/windows_sdk_data
#json #frida #windbg #internals
Apple Lightning
Here's my little article about (almost) everything I know about Apple Lightning and related technologies: Tristar, Hydra, HiFive, SDQ, IDBUS, etc. But first a tiny warning...
Read this article at your own risk! The information in this article is based on a lot of AppleInternal materials (leaked datasheets, schematics, source code) I read in a diagonal direction. And of course on my own research too. I have to warn you, the reader, that I have never done such research before. Thus, this write-up might use incorrect or just weird terms and turn out partially or completely wrong!
https://nyansatan.github.io/lightning/
#apple #internals #macos
Windows Debugger API — The End of Versioned Structures
Some time ago I was introduced to the Windows debugger API and found it incredibly useful for projects that focus on forensics or analysis of data on a machine. This API allows us to open a dump file taken on any Windows machine and read information from it using the symbols that match the specific modules contained in the dump.
https://medium.com/swlh/windows-debugger-api-the-end-of-versioned-structures-ac4acaa351bd
#windows #internals #debug
Debugging into .NET
.NET for post-exploitation is here to stay. It has been bundled with most C2 frameworks, common tools have been ported, AMSI has been added (then bypassed) and new and clever ways have been found to launch unmanaged code. The process of loading a .NET assembly however appears to be pretty consistent.
https://blog.xpnsec.com/debugging-into-net/
#windows #dotnet #redteaming #internals
Hiding PE Imports
You’ve spent the last hour cheffing up a spicy, homemade, Windows executable just right for your target. Go to compile it and, sweet, there are no errors. Fire up the isolated VM and give it a few test runs and it’s working great. That ASCII art is looking mighty clean I must say. Time to send it downrange. Upload completes and you can see it on the file system.
https://roblehesa.com/posts/hiding-pe-imports/
#windows #internals #redteaming #malware #evasion
Hands off my service account!
Windows service accounts are one of the preferred attack surfaces for privilege escalation. If you are able to compromise such an account, it is quite easy to get the highest privileges, mainly due to the powerful impersonation privileges that the operating system grants to services by default.
https://decoder.cloud/2020/11/05/hands-off-my-service-account/
#windows #internals