ARMRef (ARMv8.5 assembly reference app)
π£_evilpenguin
Sadly no Android support
π€KrieghofGames
π@malwr
π£_evilpenguin
Sadly no Android support
π€KrieghofGames
π@malwr
GitHub
GitHub - evilpenguin/ARMRef: ARM Assembly Reference Manual for iOS, iPadOS, and macOS.
ARM Assembly Reference Manual for iOS, iPadOS, and macOS. - GitHub - evilpenguin/ARMRef: ARM Assembly Reference Manual for iOS, iPadOS, and macOS.
The analyzer automates the process of exploring EFI files. After the analysis, well-known protocols, interrupts, etc. are found.
https://github.com/DSecurity/efiSeek
π@malwr
https://github.com/DSecurity/efiSeek
π@malwr
GitHub
GitHub - DSecurity/efiSeek: Ghidra analyzer for UEFI firmware.
Ghidra analyzer for UEFI firmware. Contribute to DSecurity/efiSeek development by creating an account on GitHub.
A buggy behavior located into CreateFile allows to hide malware from users and AV scanners. Microsoft will not fix it:
https://github.com/dalvarezperez/CreateFile_based_rootkit
#CreateFile #malware #rootkit #antivirus
βΉοΈ Sent from one of our members
π@malwr
https://github.com/dalvarezperez/CreateFile_based_rootkit
#CreateFile #malware #rootkit #antivirus
βΉοΈ Sent from one of our members
π@malwr
GitHub
GitHub - dalvarezperez/CreateFile_based_rootkit
Contribute to dalvarezperez/CreateFile_based_rootkit development by creating an account on GitHub.
Windows Process Injection: EM_GETHANDLE, WM_PASTE and EM_SETWORDBREAKPROC
π£digicat
Can i have the name or twitter handle of the owner of this blog they do an amazing job
π€hilo25
https://twitter.com/modexpblog
π€digicat
π@malwr
π£digicat
Can i have the name or twitter handle of the owner of this blog they do an amazing job
π€hilo25
https://twitter.com/modexpblog
π€digicat
π@malwr
modexp
Windows Process Injection: EM_GETHANDLE, WM_PASTE and EM_SETWORDBREAKPROC
Introduction Edit Controls Writing CP-1252 Compatible Code Initialization Set RAX to 0 Set RAX to 1 Set RAX to -1 Load and Store Data Two Byte Instructions Prefix Codes Generating Shellcode Injectiβ¦
Another method of bypassing ETW and Process Injection via ETW registration entries.
π£bm11100
π@malwr
π£bm11100
π@malwr
modexp
Another method of bypassing ETW and Process Injection via ETW registration entries.
Contents Introduction Registering Providers Locating the Registration Table Parsing the Registration Table Code Redirection Disable Tracing Further Research 1. Introduction This post briefly descriβ¦
Fuzzing sockets in Teeworlds game
π£logicaltrust-net
Never thought I'd see teeworlds here lol
π€MegaManSec2
π@malwr
π£logicaltrust-net
Never thought I'd see teeworlds here lol
π€MegaManSec2
π@malwr
Security Audits, Penetration Tests - LogicalTrust
LogicalTrust - [EN] A-Z: Introducing SocketInjectingFuzzer and its first target - Teeworlds
The idea behind Socket Injecting Fuzzer is simple - fuzz applications working in the client-server architecture by mutating real data packets that are exchanged by them in real usage scenarios. Implementation is also simple because it is based on hookingβ¦
[PDF ThaiCERT publishes "Threat Group Cards: A Threat Actor Encyclopedia" version 2.0 - Added 115 threat groups and many other updates - portal coming soon](https://www.dropbox.com/s/ds0ra0c8odwsv3m/Threat%20Group%20Cards.pdf?dl=0)
π£digicat
π@malwr
π£digicat
π@malwr
Dropbox
Threat Group Cards.pdf
Shared with Dropbox
An offensive guide to the Authorization Code grant - Comprehensive and digestible enumeration of security concerns in the OAuth 2.0 Authorization Code flow
π£digicat
π@malwr
π£digicat
π@malwr
NCC Group Research Blog
An offensive guide to the Authorization Code grant
OAuth is the widely used standard for access delegation, enabling many of the βSign in with Xβ buttons and βConnect your Calendarβ features of modern Internet software. OAutβ¦
Microsoft launches free Memory Forensics and Rootkit Detection service for Linux systems
π£dreamygeek
Perhaps read the official blog post before you all get your pitch forks out over the free service thats intended to make hard to find, in memory malware incredibly expensive to keep using for attackers without risk of exposure.
"Project Freta was designed and built with survivor bias at its core."
God forbid microsoft and their academic researchers do a good thing here and get any credit.
Yeesh π
https://www.microsoft.com/en-us/research/blog/toward-trusted-sensing-for-the-cloud-introducing-project-freta/
π€jdwashere
Soooo... Volatility in the cloud?
π€YXZs
mmm... a rootkit that detects rootkits
π€skyl4nk
π@malwr
π£dreamygeek
Perhaps read the official blog post before you all get your pitch forks out over the free service thats intended to make hard to find, in memory malware incredibly expensive to keep using for attackers without risk of exposure.
"Project Freta was designed and built with survivor bias at its core."
God forbid microsoft and their academic researchers do a good thing here and get any credit.
Yeesh π
https://www.microsoft.com/en-us/research/blog/toward-trusted-sensing-for-the-cloud-introducing-project-freta/
π€jdwashere
Soooo... Volatility in the cloud?
π€YXZs
mmm... a rootkit that detects rootkits
π€skyl4nk
π@malwr
HelpMeGeek
Microsoft has launched a Free Memory Forensics and Rootkit Detection Service for Linux - HelpMeGeek
Microsoft has just launched a Free online service Project Freta aimed to discover forensic evidence on Linux systems. With this service you will be able to dig up hard-to-find rootkits and malware. The project is named after the Birthplace of Marie Curieβ¦
AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
π£DllEntryPoint
π@malwr
π£DllEntryPoint
π@malwr
Unit 42
AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
A new advanced malware, dubbed AcidBox, was discovered being used by an unknown threat actor against Russian organizations in 2017.
ThiefQuest Ransomware detects VM (possibly)
Set up a Mac VM on VMWare, tried running the ThiefQuest Ransomware. On the Activity Monitor, I Force Quit vmware-tools-daemon, hoping it won't detect it as a VM. But I guess I'm wrong. It's either the samples I've gotten are wrong, or the malware detects a VM.
https://preview.redd.it/qjsk2yyu0h951.png?width=1910&format=png&auto=webp&s=e5d5186bee11b35fdc5eaa1d7c06d577c4a3da32
π£LMJR500Army
It can still detect that it's in a VM even without the vmware-tools-daemon running. Common methods in this VMware kb article.
There are plenty of other anti-forensic methods for detecting a VM as well. Sometimes you need to be as tricky as the creators to get the malware to actually run when you are trying to examine it.
π€TheDarthSnarf
π@malwr
Set up a Mac VM on VMWare, tried running the ThiefQuest Ransomware. On the Activity Monitor, I Force Quit vmware-tools-daemon, hoping it won't detect it as a VM. But I guess I'm wrong. It's either the samples I've gotten are wrong, or the malware detects a VM.
https://preview.redd.it/qjsk2yyu0h951.png?width=1910&format=png&auto=webp&s=e5d5186bee11b35fdc5eaa1d7c06d577c4a3da32
π£LMJR500Army
It can still detect that it's in a VM even without the vmware-tools-daemon running. Common methods in this VMware kb article.
There are plenty of other anti-forensic methods for detecting a VM as well. Sometimes you need to be as tricky as the creators to get the malware to actually run when you are trying to examine it.
π€TheDarthSnarf
π@malwr
Digital forensics specialist's bookshelf: Top 11 books on digital forensics, incident response, and malware analysis
https://www.group-ib.com/blog/bookshelf
https://preview.redd.it/2bjsvygjyg951.png?width=1023&format=png&auto=webp&s=02c1aac3787d8620c8d8d0709c0c641bc035f27f
π£Igor_Mikhaylov
Is rootkits and bootkits an updated sequel to practical malware analysis or a specialized deep dive?
π€QuietForensics
I would add Applied Incident Response
https://www.amazon.com/Applied-Incident-Response-Steve-Anson/dp/1119560268
π€sidi7
I donβt think #2 is with 508 anymore
π€bigt252002
π@malwr
https://www.group-ib.com/blog/bookshelf
https://preview.redd.it/2bjsvygjyg951.png?width=1023&format=png&auto=webp&s=02c1aac3787d8620c8d8d0709c0c641bc035f27f
π£Igor_Mikhaylov
Is rootkits and bootkits an updated sequel to practical malware analysis or a specialized deep dive?
π€QuietForensics
I would add Applied Incident Response
https://www.amazon.com/Applied-Incident-Response-Steve-Anson/dp/1119560268
π€sidi7
I donβt think #2 is with 508 anymore
π€bigt252002
π@malwr