Abusing native Windows functions for shellcode execution
http://ropgadget.com/posts/abusing_win_functions.html
http://ropgadget.com/posts/abusing_win_functions.html
❤1
A Deep Dive Into Malicious Direct Syscall Detection
https://www.paloaltonetworks.com/blog/security-operations/a-deep-dive-into-malicious-direct-syscall-detection
https://www.paloaltonetworks.com/blog/security-operations/a-deep-dive-into-malicious-direct-syscall-detection
Palo Alto Networks Blog
A Deep Dive Into Malicious Direct Syscall Detection - Palo Alto Networks Blog
This blog explains how attackers use direct syscalls to overcome most EDR solutions, by first discussing the conventional Windows syscall flow and how most EDR solutions monitor those calls.
❤1
x64dbg plugin for simple spoofing of CPUID instruction behavior
https://github.com/jonatan1024/CpuidSpoofer
https://github.com/jonatan1024/CpuidSpoofer
GitHub
GitHub - jonatan1024/CpuidSpoofer: x64dbg plugin for simple spoofing of CPUID instruction behavior
x64dbg plugin for simple spoofing of CPUID instruction behavior - jonatan1024/CpuidSpoofer
❤1
fpicker: Fuzzing with Frida
https://insinuator.net/2021/03/fpicker-fuzzing-with-frida
https://github.com/ttdennis/fpicker
https://insinuator.net/2021/03/fpicker-fuzzing-with-frida
https://github.com/ttdennis/fpicker
GitHub
GitHub - ttdennis/fpicker: fpicker is a Frida-based fuzzing suite supporting various modes (including AFL++ in-process fuzzing)
fpicker is a Frida-based fuzzing suite supporting various modes (including AFL++ in-process fuzzing) - ttdennis/fpicker
❤1
Bypassing Frida: Advance Frida Detection Bypass
https://medium.com/@haxymad/bypassing-frida-advanced-frida-detection-bypass-part-1-cc7c1dfbad9d
https://medium.com/@haxymad/bypassing-frida-advanced-frida-detection-bypass-part-2-e3466a141a4c
https://medium.com/system-weakness/bypassing-frida-advanced-frida-detection-bypass-part-3-339aa1202c48
https://medium.com/system-weakness/bypassing-frida-advanced-frida-detection-bypass-part-4-c258e8f5aa64
https://medium.com/@haxymad/bypassing-frida-advanced-frida-detection-bypass-part-1-cc7c1dfbad9d
https://medium.com/@haxymad/bypassing-frida-advanced-frida-detection-bypass-part-2-e3466a141a4c
https://medium.com/system-weakness/bypassing-frida-advanced-frida-detection-bypass-part-3-339aa1202c48
https://medium.com/system-weakness/bypassing-frida-advanced-frida-detection-bypass-part-4-c258e8f5aa64
Medium
Bypassing Frida: Advanced Frida Detection Bypass — Part 1
Hey dude.
❤1🔥1
VM Detection Tricks, Part 1: Physical memory resource maps
In this series we’ll document a novel and as-yet-undocumented Virtual Machine detection trick for each month of 2021. These detection tricks will be focused on 64-bit Windows 10 or Windows Server 2019 guests, targeting a variety of VM platforms.
https://labs.nettitude.com/blog/vm-detection-tricks-part-1-physical-memory-resource-maps
In this series we’ll document a novel and as-yet-undocumented Virtual Machine detection trick for each month of 2021. These detection tricks will be focused on 64-bit Windows 10 or Windows Server 2019 guests, targeting a variety of VM platforms.
https://labs.nettitude.com/blog/vm-detection-tricks-part-1-physical-memory-resource-maps
LRQA
VM Detection Tricks, Part 1: Physical memory resource maps
In this series we’ll document a novel and as-yet-undocumented Virtual Machine detection trick for each month of 2021. These detection tricks will be focused on 64-bit Windows 10 or Windows Server 2019 guests, targeting a variety of VM platforms.
❤1
Decompilation Debugging
https://clearbluejar.github.io/posts/decompilation-debugging-pretending-all-binaries-come-with-source-code
https://clearbluejar.github.io/posts/decompilation-debugging-pretending-all-binaries-come-with-source-code
clearbluejar
Decompilation Debugging
Debugging an application can provide the insight needed troubleshoot a subtle bug in your software. Normally, when debugging, you have source code and data type information (aka symbols) to help navigate your application. In the world of Reverse Engineering…
❤1
❤1
IDA Pro 9.3 KeyGen.py
10.7 KB
IDA Pro 9.3 KeyGen
pip install + privilege escalation on Win (ShellExecuteW(..., "runas", ...) + generation of JSON license and signature + copying idapro.hexlic to %APPDATA%\Hex-Rays\Ida Pro\idapro.hexlic + of course editing the registry HKCU\SOFTWARE\Hex-Rays\IDA\Licenses\ + patching IDA binaries
On *nix/mac - it searches for libida.so, libida32.so, .dylib in the current directory and patches them
@reverseengine
pip install + privilege escalation on Win (ShellExecuteW(..., "runas", ...) + generation of JSON license and signature + copying idapro.hexlic to %APPDATA%\Hex-Rays\Ida Pro\idapro.hexlic + of course editing the registry HKCU\SOFTWARE\Hex-Rays\IDA\Licenses\ + patching IDA binaries
On *nix/mac - it searches for libida.so, libida32.so, .dylib in the current directory and patches them
@reverseengine
❤5
🟢 7️⃣ Page Permissions
هر صفحه حافظه:
📌 مهم: چون Debugger و loader با این پرمیژن ها کار میکنن
🟢 7️⃣ Page Permissions
Each memory page:
Example:
📌 Important: Because Debugger and loader work with these permissions
@reverseengine
هر صفحه حافظه:
Readمثال:
Write
Execute
Code → RX
Data → RW
📌 مهم: چون Debugger و loader با این پرمیژن ها کار میکنن
🟢 7️⃣ Page Permissions
Each memory page:
Read
Write
Execute
Example:
Code → RX
Data → RW
📌 Important: Because Debugger and loader work with these permissions
@reverseengine
❤1
🟢 8️⃣ User Mode vs Kernel Mode
CPU
دو حالت داره:
User Mode
برنامههای معمولی
دسترسی محدود
Kernel Mode
خود سیستمعامل
دسترسی کامل
برنامه مستقیم نمیتونه کارهای حساس انجام بده باید syscall بزنه
📌 RE:
میفهمید چرا بعضی دستورها خطا میدن
🟢 8️⃣ User Mode vs Kernel Mode
CPU has two modes:
User Mode
Normal programs
Limited access
Kernel Mode
The operating system itself
Full access
A program cannot do sensitive work directly, it must make a syscall
📌 RE:
Do you understand why some commands give errors?
@reverseengine
CPU
دو حالت داره:
User Mode
برنامههای معمولی
دسترسی محدود
Kernel Mode
خود سیستمعامل
دسترسی کامل
برنامه مستقیم نمیتونه کارهای حساس انجام بده باید syscall بزنه
📌 RE:
میفهمید چرا بعضی دستورها خطا میدن
🟢 8️⃣ User Mode vs Kernel Mode
CPU has two modes:
User Mode
Normal programs
Limited access
Kernel Mode
The operating system itself
Full access
A program cannot do sensitive work directly, it must make a syscall
📌 RE:
Do you understand why some commands give errors?
@reverseengine
❤2
بخش پونزدهم بافر اورفلو
ابزارها و فازینگ یا fuzzing برای یافتن باگ
معرفی ابزارهای اصلی فازینگ و روش ساخت یک harness ساده که بافر اورفلوها رو پیدا کنه
توضیح:
fuzzing
یعنی دادن ورودی های خودکار و نامنظم به برنامه برای پیدا کردن کرش یا رفتار غیرعادی
ابزارهای معروف شامل AFL libFuzzer honggfuzz و radamsa هستند
AddressSanitizer
کمک میکنه خطاهای حافظه رو با گزارش دقیق نشون بده
فایل harness
این فایل یک برنامه ساده میسازه که ورودی رو از stdin میخونه و روی بافر محلی کپی میکنه تا برای fuzz مناسب باشه
هدف اینه که fuzzers بتونه ورودی های مختلف رو ارسال کنه و ASan یا کرش رو بگیره
فایل file8_harness.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(void) {
char buf[64];
size_t n = fread(buf, 1, sizeof(buf), stdin);
/* ensure null termination for printing */
if (n >= sizeof(buf)) n = sizeof(buf)-1;
buf[n] = '\\0';
/* intentionally unsafe copy to demonstrate overflow during fuzzing */
char target[32];
strcpy(target, buf);
printf("ok got %zu bytes\\n", n);
return 0;
}
دستورات برای کامپایل با AddressSanitizer
با ASan وقتی overflow اتقاق میوفته
دستورات
gcc -g -O1 -fsanitize=address -fno-omit-frame-pointer file8_harness.c -o file8_asan
./file8_asan < some_input
استفاده AFL
AFL
نیاز به یک binary instrumented شده داره و دایرکتوری seed برای ورودی های اولیه
اول نسخه ای با afl-gcc یا afl-clang بسازید بعد fuzz رو اجرا کنید
دستورات AFL
# ساخت با afl
afl-clang-fast -g file8_harness.c -o file8_afl
# آماده سازی دایرکتوری seed
mkdir in
echo "test" > in/seed1
# اجرای afl
afl-fuzz -i in -o out -- ./file8_afl
نکته درباره libFuzzer و clang
برای libFuzzer باید harness با تابع LLVMFuzzerTestOneInput باشه و با clang و -fsanitize=fuzzer ساخته بشه
این روش برای پروژه هایی که library oriented اند مناسب تره
نکته درباره radamsa
radamsa
میتونه seed های تصادفی تولید کنه و با pipe به برنامه ارسال کنه
مثال
radamsa in/seed1 | ./file8_asan
Part 15 Buffer Overflow
Tools and Fuzzing to Find Bugs
Introduction to the main fuzzing tools and how to build a simple harness that finds buffer overflows
Explanation:
Fuzzing
means giving automatic and irregular inputs to the program to find crashes or unusual behavior
Popular tools include AFL libFuzzer honggfuzz and radamsa
AddressSanitizer
Helps show memory errors with detailed reporting
Harness file
This file creates a simple program that reads input from stdin and copies it to a local buffer suitable for fuzzing
The goal is to allow fuzzers to send various inputs and get ASan or crashes
File file8_harness.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(void) {
char buf[64];
size_t n = fread(buf, 1, sizeof(buf), stdin);
/* ensure null termination for printing */
if (n >= sizeof(buf)) n = sizeof(buf)-1;
buf[n] = '\\0';
/* intentionally unsafe copy to demonstrate overflow during fuzzing */
char target[32];
strcpy(target, buf);
printf("ok got %zu bytes\\n", n);
return 0;
}
Commands to compile with AddressSanitizer
With ASan when overflow occurs
Commands
gcc -g -O1 -fsanitize=address -fno-omit-frame-pointer file8_harness.c -o file8_asan
./file8_asan < some_input
Using AFL
AFL
requires an instrumented binary and a seed directory for initial inputs
First build with afl-gcc or afl-clang then run fuzz
AFL Commands
# Build with afl
afl-clang-fast -g file8_harness.c -o file8_afl
# Prepare seed directory
mkdir in
echo "test" > in/seed1
# Run afl
afl-fuzz -i in -o out -- ./file8_afl
Note about libFuzzer and clang
For libFuzzer you need harness with function LLVMFuzzerTestOneInput and build with clang and -fsanitize=fuzzer
This method is more suitable for library oriented projects
Note about radamsa
radamsa
Can generate random seeds and send them to the program via pipe
Example
radamsa in/seed1 | ./file8_asan
@reverseengine
❤1👍1