Introduction to Windows kernel drivers for red team tools development
(credits @Idov31)
Part 1: https://idov31.github.io/2022/07/14/lord-of-the-ring0-p1.html
Part 2: https://idov31.github.io/2022/08/04/lord-of-the-ring0-p2.html
Part 3: https://idov31.github.io/2022/10/30/lord-of-the-ring0-p3.html
#windows #kernel #redteam #malware #infosec #cybersecurity
@0xor0ne
@malwr
Part 3.2 on my blog analyzing a recent #Android #malware sample. https://n0psn0ps.github.io/2023/04/13/android-malware-analysis-series-ato.apk-part-3.2/
#re #reverseengineering
@n0ps3
Check it out! WinDbg has just released out of preview, out of the Windows store and (what I worked on) with Time Travel Debugging support for ARM64. http://aka.ms/windbg
@TheJCAB
Revizor automatically detects microarchitectural leakage in CPUs, speeding up discovery of vulnerabilities that previously required persistent hacking and painstaking manual labor. This new tool helps the industry protect customers from risk: https://msft.it/6013gHEGd
@MSFTResearch
Celebrating the 10th anniversary of releasing Noriben!
https://github.com/Rurik/Noriben
What started as a way to make filemon/regmon/procmon analysis easier for work mentoring has turned into an awesome automated tool I've used for large-scale ransomware analysis, and more.
@bbaskin
IOCs available...
Threat actors strive to cause Tax Day headaches https://rodtrent.com/j7j
#MicrosoftSentinel #MicrosoftDefender #M365D #Cybersecurity #MicrosoftSecurity #Security #MicrosoftThreatIntelligence
@rodtrent
LIEF v0.13.0 is out:
https://lief-project.github.io/blog/2023-04-09-lief-0-13-0/
@LIEF_project
Elevating your user-mode debugger into a Protected Process level, by Clément Labro (@itm4n):
https://itm4n.github.io/debugging-protected-processes/
@SEKTOR7net
Happy Friday everyone! Want a ProcMon for macOS? Ever wish you had your own Endpoint Security client you could task? Want to peer behind the macOS EDR curtain? Have a go and let us know what you think!
https://github.com/redcanaryco/mac-monitor
@PartyD0lphin
Setting Up QEMU Kernel-Mode Debugging using EXDI:
https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-qemu-kernel-mode-debugging-using-exdi
@gerhart_x
PatchlessCLRLoader - A fork of InlineExecute-Assembly to load .NET assembly and direct the output to mailslot https://github.com/VoldeSec/PatchlessCLRLoader #redteam
@netbiosX
Discovering and #exploiting McAfee COM-objects by @Denis_Skvortcov
https://the-deniss.github.io/posts/2021/05/17/discovering-and-exploiting-mcafee-com-objects.html
@SinSinology
Introduction to offensive security (guide by @0xTriboulet)
https://steve-s.gitbook.io/0xtriboulet/
#offensivesecurity
@0xor0ne