Bypassing Frida: Advanced Frida Detection Bypass
https://medium.com/@haxymad/bypassing-frida-advanced-frida-detection-bypass-part-1-cc7c1dfbad9d
https://medium.com/@haxymad/bypassing-frida-advanced-frida-detection-bypass-part-2-e3466a141a4c
https://medium.com/system-weakness/bypassing-frida-advanced-frida-detection-bypass-part-3-339aa1202c48
https://medium.com/system-weakness/bypassing-frida-advanced-frida-detection-bypass-part-4-c258e8f5aa64
Hey dude.
VM Detection Tricks, Part 1: Physical memory resource maps
In this series we’ll document a novel and as-yet-undocumented Virtual Machine detection trick for each month of 2021. These detection tricks will be focused on 64-bit Windows 10 or Windows Server 2019 guests, targeting a variety of VM platforms.
https://labs.nettitude.com/blog/vm-detection-tricks-part-1-physical-memory-resource-maps
Decompilation Debugging
https://clearbluejar.github.io/posts/decompilation-debugging-pretending-all-binaries-come-with-source-code
Debugging an application can provide the insight needed to troubleshoot a subtle bug in your software. Normally, when debugging, you have source code and data type information (aka symbols) to help navigate your application. In the world of Reverse Engineering…
IDA Pro 9.3 KeyGen.py
IDA Pro 9.3 KeyGen
pip install + privilege escalation on Win (ShellExecuteW(..., "runas", ...)) + generation of JSON license and signature + copying idapro.hexlic to %APPDATA%\Hex-Rays\Ida Pro\idapro.hexlic + of course editing the registry HKCU\SOFTWARE\Hex-Rays\IDA\Licenses\ + patching IDA binaries
On *nix/mac - it searches for libida.so, libida32.so, .dylib in the current directory and patches them
@reverseengine
🟢 7️⃣ Page Permissions
Each memory page:
Read
Write
Execute
Example:
Code → RX
Data → RW
📌 Important: the debugger and the loader both work with these page permissions.
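A check built on this, as an added example that is not from the post: a small parser for /proc/<pid>/maps lines (the view of page permissions a Linux loader and debugger expose) that flags mappings which are both writable and executable, i.e. neither "Code → RX" nor "Data → RW". The sample dump and the function names are this example's own.

```c
/* Added example, not part of the original post: parse /proc/<pid>/maps
 * lines and flag mappings that are writable AND executable, the combination
 * a W^X policy forbids. The sample dump below is constructed. */
#include <stdio.h>
#include <string.h>

struct mapping {
    unsigned long start, end;  /* address range */
    int r, w, x;               /* bits from the perms column, e.g. "r-xp" */
    char path[256];            /* backing file, empty for anonymous memory */
};
/* Parse one maps line: "start-end perms offset dev inode [path]".
 * Returns 1 on success, 0 if the line does not have that shape. */
int parse_maps_line(const char *line, struct mapping *m)
{
    char perms[5];
    memset(m, 0, sizeof *m);
    if (sscanf(line, "%lx-%lx %4s %*s %*s %*s %255s",
               &m->start, &m->end, perms, m->path) < 3)
        return 0;
    m->r = perms[0] == 'r';
    m->w = perms[1] == 'w';
    m->x = perms[2] == 'x';
    return 1;
}
/* Count W+X mappings in a whole maps dump (one mapping per line). */
int count_wx(const char *dump)
{
    int wx = 0;
    char line[512];
    struct mapping m;
    while (*dump) {
        const char *nl = strchr(dump, '\n');
        size_t len = nl ? (size_t)(nl - dump) : strlen(dump);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, dump, len);
        line[len] = '\0';
        if (parse_maps_line(line, &m) && m.w && m.x) wx++;
        dump = nl ? nl + 1 : dump + len;
    }
    return wx;
}

/* Constructed sample: r-x code, rw- data, and one rwx (JIT-style) region. */
const char SAMPLE_MAPS[] =
    "55d0c1a00000-55d0c1a01000 r-xp 00001000 08:01 1234 /usr/bin/demo\n"
    "55d0c1a02000-55d0c1a03000 rw-p 00003000 08:01 1234 /usr/bin/demo\n"
    "7f10a0000000-7f10a0021000 rwxp 00000000 00:00 0\n";

int main(void)
{
    printf("%d W+X mapping(s) in sample\n", count_wx(SAMPLE_MAPS));
    return 0;
}
```

Feeding the parser the real file (fgets over /proc/self/maps) gives the same check for a live process; an rwx region there is worth explaining, since normal code and data never need it.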
🟢 8️⃣ User Mode vs Kernel Mode
The CPU has two modes:
User Mode
Normal programs
Limited access
Kernel Mode
The operating system itself
Full access
A program cannot do privileged work directly; it has to make a syscall.
📌 RE:
Now you understand why some instructions raise errors.
Part 15: Buffer Overflow
Tools and fuzzing to find bugs
Introduction to the main fuzzing tools and how to build a simple harness that finds buffer overflows.
Explanation:
Fuzzing means feeding a program automatically generated, malformed inputs to find crashes or unusual behavior.
Popular tools include AFL, libFuzzer, honggfuzz and radamsa.
AddressSanitizer helps by reporting memory errors precisely.
Harness file
This file is a simple program that reads input from stdin and copies it into a local buffer, which makes it suitable for fuzzing.
The goal is to let a fuzzer send many different inputs and have ASan, or a plain crash, catch the overflow.
File file8_harness.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {
    char buf[64];
    /* read at most 64 bytes from stdin */
    size_t n = fread(buf, 1, sizeof(buf), stdin);
    /* ensure null termination for printing */
    if (n >= sizeof(buf)) n = sizeof(buf) - 1;
    buf[n] = '\0';
    /* intentionally unsafe copy to demonstrate overflow during fuzzing:
       target holds 32 bytes but buf may contain up to 63 characters */
    char target[32];
    strcpy(target, buf);
    printf("ok got %zu bytes\n", n);
    return 0;
}
Commands to compile with AddressSanitizer
With ASan, the overflow is reported the moment it occurs:
gcc -g -O1 -fsanitize=address -fno-omit-frame-pointer file8_harness.c -o file8_asan
./file8_asan < some_input
Using AFL
AFL needs an instrumented binary and a seed directory with initial inputs.
First build an instrumented version with afl-gcc or afl-clang, then run the fuzzer.
AFL commands
# Build with afl
afl-clang-fast -g file8_harness.c -o file8_afl
# Prepare seed directory
mkdir in
echo "test" > in/seed1
# Run afl
afl-fuzz -i in -o out -- ./file8_afl
Note about libFuzzer and clang
For libFuzzer the harness must expose an LLVMFuzzerTestOneInput function and be built with clang and -fsanitize=fuzzer.
This approach suits library-oriented projects better.
Note about radamsa
radamsa can generate random mutations of a seed and pipe them into the program.
Example
radamsa in/seed1 | ./file8_asan
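The libFuzzer form of the harness above, as an added example that is not from the post: one file that builds for libFuzzer, for AFL and for a single ASan run, with the page's unsafe strcpy kept behind a macro and a bounded copy as the fixed version. bounded_copy, KEEP_BUG and STDIN_MAIN are this example's own names.

```c
/* Added example, not part of the original post: the stdin harness above in
 * libFuzzer form. The same file serves all three tools:
 *   clang -g -fsanitize=fuzzer,address harness.c -o harness_lf       (libFuzzer)
 *   afl-clang-fast -g -DSTDIN_MAIN harness.c -o harness_afl            (AFL)
 *   gcc -g -fsanitize=address -DSTDIN_MAIN harness.c -o harness_asan   (one run)
 * Add -DKEEP_BUG to any of them to reproduce the page's overflow. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TARGET_LEN 32

/* Hardened form of the page's strcpy(target, buf): copy at most TARGET_LEN-1
 * bytes and always NUL-terminate. Returns the number of bytes copied. */
size_t bounded_copy(char *target, const uint8_t *data, size_t size)
{
    size_t n = size < TARGET_LEN - 1 ? size : TARGET_LEN - 1;
    memcpy(target, data, n);
    target[n] = '\0';
    return n;
}

/* libFuzzer entry point: called once per generated input, must return 0.
 * libFuzzer measures coverage inside this function and mutates toward new
 * paths, so keep it deterministic and free of global state. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char target[TARGET_LEN];
#ifdef KEEP_BUG
    /* Reproduce the page's overflow so ASan/libFuzzer report it. */
    char buf[64];
    size_t n = size < sizeof buf - 1 ? size : sizeof buf - 1;
    memcpy(buf, data, n);
    buf[n] = '\0';
    strcpy(target, buf);               /* overflows once n > 31 */
#else
    bounded_copy(target, data, size);  /* fixed version: never overflows */
#endif
    return 0;
}

#ifdef STDIN_MAIN
/* Plain main for AFL or a single ASan run: ./harness < input */
int main(void)
{
    uint8_t buf[4096];
    size_t n = fread(buf, 1, sizeof buf, stdin);
    return LLVMFuzzerTestOneInput(buf, n);
}
#endif
```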
Ghidra Plugin Development for Vulnerability Research
https://www.somersetrecon.com/blog/2019/ghidra-plugin-development-for-vulnerability-research-part-1
Overview On March 5th at the RSA security conference, the National Security Agency (NSA) released a reverse engineering tool called Ghidra. Similar to IDA Pro, Ghidra is a disassembler and decompiler with many powerful features (e.g., plugin support,…
User-Friendly Fuzzing with Sienna Locomotive
https://blog.trailofbits.com/2019/04/08/user-friendly-fuzzing-with-sienna-locomotive
Fuzzing is a great way to find bugs in software, but many developers don’t use it. We hope to change that today with the release of Sienna Locomotive, a new open-source fuzzer for Windows that emphasizes usability. Sienna Locomotive aims to make fuzzing accessible…
ROP Gadget
When NX stopped shellcode from executing, exploit writers realized something important:
there is a lot of ready-made code inside every program and library.
Can this ready-made code be executed in any order you want?
Yes, and this is called ROP.
What is a gadget?
A gadget is a very small piece of code that already exists inside the binary, usually ending with ret.
For example:
pop rdi
ret
or:
mov rax, rdi
ret
These do little on their own, but chained one after another they become a complete program.
Why is ret important?
Because ret takes the next address from the stack and jumps to it.
So if you control the stack, you decide where execution goes after each gadget.
As a result:
RIP → first gadget
ret → second gadget
ret → third gadget
and so on.
The CPU is actually executing a program that you wrote on the stack.
What is a ROP chain?
A ROP chain is a list of gadget addresses that you place on the stack.
Conceptually, for example:
offset
addr(pop rdi)
value("/bin/sh")
addr(system)
That is: the argument is set, then the function is called,
without executing a single byte of new code.
Why is ROP so powerful?
Because it:
Bypasses NX
Uses trusted code
Works on almost any program
Is the basis of many real-world exploits
Most modern attacks are effectively a form of ROP.
A very important point that beginners miss:
ROP means you do not write code; you build the CPU's execution flow out of ready-made pieces.
You are tricking the CPU into thinking this is the program's natural path.
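The defender's view of the same mechanism, as an added example that is not from the post: because a normal ret returns to the instruction right after a call, a stack full of return addresses that are not call-preceded is the fingerprint of a ROP chain. The check decodes the bytes before each candidate return address for the common x86-64 call encodings; the code bytes (including the two gadgets above), the stack contents and the function names are constructed for this example.

```c
/* Added example, not part of the original post, from the defender's side:
 * a normal ret lands right after a call, a ROP chain "returns" into gadget
 * addresses no call ever targeted. Decoding the bytes before a candidate
 * return address for x86-64 call encodings is a heuristic, not a decoder. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Is there a call instruction ending exactly at ret_off? Recognised forms:
 *   E8 rel32         direct call        (5 bytes)
 *   [REX] FF D0..D7  call reg           (2 or 3 bytes)
 *   FF 15 disp32     call [rip+disp32]  (6 bytes) */
int is_call_preceded(const uint8_t *code, size_t len, size_t ret_off)
{
    if (ret_off > len) return 0;
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8) return 1;
    if (ret_off >= 2 && code[ret_off - 2] == 0xFF &&
        (code[ret_off - 1] & 0xF8) == 0xD0) return 1;
    if (ret_off >= 3 && (code[ret_off - 3] & 0xF0) == 0x40 &&
        code[ret_off - 2] == 0xFF && (code[ret_off - 1] & 0xF8) == 0xD0) return 1;
    if (ret_off >= 6 && code[ret_off - 6] == 0xFF && code[ret_off - 5] == 0x15) return 1;
    return 0;
}

/* Given the return addresses found on a stack (as offsets into code), count
 * those not preceded by a call. Several in a row is the shape of a ROP chain
 * rather than of an ordinary call stack. */
int count_suspicious_returns(const uint8_t *code, size_t len,
                             const size_t *rets, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_call_preceded(code, len, rets[i])) bad++;
    return bad;
}

/* Constructed text segment: one call, its legitimate return point, then the
 * two gadgets quoted in the post. */
const uint8_t CODE[] = {
    0xE8, 0x06, 0x00, 0x00, 0x00,   /* 0: call +6                     */
    0x90,                           /* 5: nop   <- legit return point */
    0x5F, 0xC3,                     /* 6: pop rdi ; ret   (gadget)    */
    0x48, 0x89, 0xF8, 0xC3,         /* 8: mov rax, rdi ; ret (gadget) */
};

int main(void)
{
    size_t normal[] = {5};     /* what a call/ret pair leaves behind */
    size_t chain[]  = {6, 8};  /* what the post's chain would leave  */
    printf("normal stack: %d suspicious\n", count_suspicious_returns(CODE, sizeof CODE, normal, 1));
    printf("ROP chain:    %d suspicious\n", count_suspicious_returns(CODE, sizeof CODE, chain, 2));
    return 0;
}
```

An E8 byte that is really an operand of the previous instruction can pass the check, which is why production detectors combine this with hardware branch records or a shadow stack rather than relying on it alone.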
How to bypass Instagram SSL Pinning on Android (v78)
https://plainsec.org/how-to-bypass-instagram-ssl-pinning-on-android-v78
Heap Exploitation series:
Understanding the Glibc Heap:
Free, Bins, Tcache
https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins
Generate DLL proxy/sideload projects. Automatically parses PE export tables and generates ready-to-compile project for red team engagements
https://github.com/Whitecat18/LazyDLLSideload
Someone published the source code of the GAPZ bootkit:
Bootkit: https://github.com/Darkabode/zerokit
Usermode Part: https://github.com/Darkabode/possessor
Server Controller Part: https://github.com/Darkabode/0ctrl
Some shared Code: https://github.com/Darkabode/0lib
Analysis GAPZ Bootkit: https://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf
Zerokit/GAPZ rootkit (non buildable and only for researching) - Darkabode/zerokit
Linux Kernel Exploitation
https://blog.k3170makan.com/2020/11/linux-kernel-exploitation-0x1-smashing.html?m=1
IDA Pro 9.2 Beta3 +Keygen
Win x64
Linux x64
Mac x64, arm
Download 2.4GB
magnet:?xt=urn:btih:ce86306a417dd64fab8d26a4983a58412008a9e&dn=ida92