Advanced Root Detection & Bypass Techniques
https://8ksec.io/advanced-root-detection-bypass-techniques
@reverseengine
8kSec
Frida Part 5: Root Detection Bypass | 8kSec
Learn advanced root detection techniques on Android and practical methods to bypass them using Frida. Covers common detection libraries and evasion strategies.
Leveraging Raw Disk Reads to Bypass EDR
https://medium.com/workday-engineering/leveraging-raw-disk-reads-to-bypass-edr-f145838b0e6d
@reverseengine
Medium
Leveraging Raw Disk Reads to Bypass EDR
Drivers are a common part of every Windows environment, and many of them provide low-level functionality. This blog details how to connect…
NX
What NX is, and why direct shellcode usually does not run
Back in the shellcode days:
You put the code on the stack
You pointed RIP at the stack
The code ran
But today this usually doesn't work anymore
The reason is an important security mechanism:
NX = Non-Executable
What exactly does NX do?
NX says:
Some memory regions are for data only, not for executing code
That is:
Stack → data only
Heap → data only
Executing instructions from them → forbidden
If the CPU tries to execute an instruction from one of these regions → the program crashes immediately
What happens?
Suppose:
You put the shellcode into a buffer
You set RIP to the address of that buffer
On a system with NX:
The CPU does not treat this region as executable
segmentation fault
That is:
You control RIP, but you don't have code execution yet
And this is exactly where many beginner exploits fail
So why was NX added?
Because shellcode injection had become very common
NX was introduced to close this scenario:
input → overflow → shellcode → jump → execute
With NX this chain is broken
What did exploit writers do?
Once executing new code was forbidden, a new idea took shape:
Don't run new code, reuse the code that is already there
And that became:
Return Oriented Programming (ROP)
That is:
Executing gadgets that already exist inside the binary and libc
Without executing any injected code
Fully compatible with NX
A common mistake
NX ≠ anti-exploit
NX only:
Blocks execution of injected code
But:
It doesn't stop ROP
It doesn't stop ret2libc
It doesn't stop chaining gadgets
That's why exploitation is still possible, only the method has changed
NX makes memory regions like the stack and heap non-executable
That means you can no longer simply inject shellcode and run it
This is what gave rise to more advanced techniques like ROP
So NX wasn't the end of exploitation, it just changed the method
@reverseengine
🟢 3️⃣ Context Switch
When the CPU switches between processes/threads:
The current registers are saved
The registers of the new execution are loaded
Why does it matter? Because a program's execution may appear discontinuous
@reverseengine
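A cooperative version of the register save/restore described above, as an added example that is not from the channel: glibc's getcontext/makecontext/swapcontext store one execution's registers (instruction pointer, stack pointer, callee-saved registers) and load another's, so the worker loop below is suspended mid-iteration and resumed later, which is exactly the "discontinuous" execution you see in a debugger. The names worker, run_switches and trace are my own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <ucontext.h>

#define NSTEPS 6
static ucontext_t main_ctx, worker_ctx;  /* the two saved register sets */
static char worker_stack[64 * 1024];     /* the worker runs on its own stack */
static int trace[NSTEPS];
static int ntrace;

static void record(int id) { if (ntrace < NSTEPS) trace[ntrace++] = id; }

/* Worker "thread". Each swapcontext() saves its registers into worker_ctx
   and loads main_ctx, so the loop variable i survives across switches even
   though the worker is paused in the middle of its loop. */
static void worker(void) {
    for (int i = 0; i < 3; i++) {
        record(2);
        swapcontext(&worker_ctx, &main_ctx);
    }
}

/* Alternate main and worker three times; returns the order in which the two
   contexts ran (1 = main, 2 = worker) and stores its length in *n. */
const int *run_switches(int *n) {
    ntrace = 0;
    getcontext(&worker_ctx);
    worker_ctx.uc_stack.ss_sp = worker_stack;
    worker_ctx.uc_stack.ss_size = sizeof worker_stack;
    worker_ctx.uc_link = &main_ctx;
    makecontext(&worker_ctx, worker, 0);
    for (int i = 0; i < 3; i++) {
        record(1);                            /* main runs ...            */
        swapcontext(&main_ctx, &worker_ctx);  /* ... then yields to worker */
    }
    *n = ntrace;
    return trace;
}

int main(void) {
    int n = 0;
    const int *t = run_switches(&n);
    for (int i = 0; i < n; i++) printf("%s%s", i ? " -> " : "", t[i] == 1 ? "main" : "worker");
    printf("\n");
    return 0;
}
```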
🟢 4️⃣ Memory Layout: the layout of a process's memory
Every process usually has these sections:
Code (text) → instructions
Data → constant variables
Heap → dynamic memory
Stack → function variables
Mapped DLLs → libraries
RE: when you look at memory in the debugger, you will recognize these sections
@reverseengine
🟢 5️⃣ Virtual Memory
The OS gives every process a Virtual Address Space
That is:
The program thinks it has contiguous memory
But the OS maps it onto real RAM pages
Advantages:
Process isolation
Security
Access control
RE use:
The addresses you see are virtual
@reverseengine
🟢 6️⃣ Paging
Memory is divided into pages, e.g. 4KB each
The Page Table specifies:
Where this page is attached in RAM
What its access permissions are: R/W/X
RE use: when a page is not executable, executing code from it raises a fault
@reverseengine
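Added example (my own code, not the channel's) that ties together the NX note earlier on this page and the memory-layout, virtual-memory and paging notes above: it reads /proc/self/maps (Linux) to report the R/W/X permissions of the page holding a stack variable, a heap buffer and the program's own code, and counts mappings that are both writable and executable, the W^X check a hardening audit wants to see return zero. mapping_perms, page_is_executable and count_wx_mappings are my names.

```c
#define _GNU_SOURCE            /* for MAP_ANONYMOUS */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>

/* Copy the permission field ("rw-p", "r-xp", ...) of the /proc/self/maps entry
   containing addr into perms; returns 1 if found, 0 otherwise. Linux-specific.
   The ranges listed are virtual addresses; the R/W/X bits are the page table's. */
int mapping_perms(const void *addr, char perms[5]) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512], p[5]; unsigned long lo, hi; int found = 0;
    while (!found && fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) == 3 &&
            (uintptr_t)addr >= lo && (uintptr_t)addr < hi) {
            memcpy(perms, p, 5);
            found = 1;
        }
    fclose(f);
    return found;
}
/* 1 if the page holding addr is executable, 0 if it is NX or unmapped. */
int page_is_executable(const void *addr) {
    char perms[5];
    return mapping_perms(addr, perms) && perms[2] == 'x';
}
/* W^X audit: number of mappings that are both writable and executable.
   A hardened process should report 0; returns -1 if maps is unreadable. */
int count_wx_mappings(void) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512], p[5]; int n = 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "%*lx-%*lx %4s", p) == 1 && p[1] == 'w' && p[2] == 'x')
            n++;
    fclose(f);
    return n;
}
int main(void) {
    int local = 0;             /* lives on the stack: expect exec=0 under NX */
    char *heap = malloc(64);   /* lives on the heap: expect exec=0 under NX */
    printf("stack exec=%d heap exec=%d text exec=%d W+X mappings=%d\n",
           page_is_executable(&local), page_is_executable(heap),
           page_is_executable((const void *)main), count_wx_mappings());
    free(heap);
    return 0;
}
```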
Windows Exploitation Techniques
https://projectzero.google/2025/12/windows-exploitation-techniques.html
@reverseengine
projectzero.google
Windows Exploitation Techniques: Winning Race Conditions with Path Lookups - Project Zero
This post was originally written in 2016 for the Project Zero blog. However, in the end it was published separately in the journal PoC||GTFO issue #13 as wel...
ARM64 Reversing and Exploitation Blog Series
https://8ksec.io/arm-64-reversing-and-exploitation-series
@reverseengine
8kSec
ARM64 Reversing and Exploitation Series | 8kSec
easy-kernelmapper: map your driver with a batch
Intro https://www.unknowncheats.me/forum/anti-cheat-bypass/476567-easy-kernelmapper-map-driver-batch.html
Repo https://github.com/0dayatday0/BattleFN-cheat-analysis
Analysis https://github.com/0dayatday0/BattleFN-cheat-analysis/blob/main/cheat-analysis.pdf
@reverseengine
Anti-virus artifacts: listing the APIs hooked by Avira, BitDefender, F-Secure, MalwareBytes, Norton, TrendMicro, and WebRoot
https://github.com/D3VI5H4/Antivirus-Artifacts
@reverseengine
GitHub
GitHub - ethereal-vx/Antivirus-Artifacts: Anti-virus artifacts. Listing APIs hooked by: Avira, BitDefender, F-Secure, MalwareBytes…
Anti-virus artifacts. Listing APIs hooked by: Avira, BitDefender, F-Secure, MalwareBytes, Norton, TrendMicro, and WebRoot. - ethereal-vx/Antivirus-Artifacts
BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution
https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html
@reverseengine
security-research
BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution
This project hosts security advisories and their accompanying proof-of-concepts related to research conducted at Google which impact non-Google owned code.
How LLMs Feed Your RE Habit
https://clearbluejar.github.io/posts/how-llms-feed-your-re-habit-following-the-uaf-trail-in-clfs
@reverseengine
clearbluejar
How LLMs Feed Your RE Habit: Following the Use-After-Free Trail in CLFS
Dive into how LLMs and pyghidra-mcp accelerate reverse engineering by tracing a UAF vulnerability in CLFS through a patch diff.
Modding And Distributing Mobile Apps with Frida
https://pit.bearblog.dev/modding-and-distributing-mobile-apps-with-frida
@reverseengine
Pit's Proof Of Concept
Modding And Distributing Mobile Apps with Frida
Walkthrough of how to embed frida scripts in apps to distribute proper mods. Supports frida 17+.