SmokeLoader creates a new thread during initialization to continuously monitor the system's process list. If a debugger is detected, it is closed.

SmokeLoader also checks window names; if a debugger is found, it is closed.

When the target program is an EXE and the value indicating the delivery method in the configuration file is less than 3, the payload execution method is largely the same as that of a DLL, but there are slight differences in calling the program's entry point.

In this case, HijackLoader first modifies the ImageBase in the payload's OptionalHeader and the ImageBaseAddress in the PEB, assigning them the base address of the actual payload.

Then, it clears the HijackLoader data through the ESAL module and calls the payload's entry point.

When the payload is a DLL, HijackLoader loads a target DLL based on the configuration or uses the default msi.dll, whose address space is used to write the payload to be delivered. HijackLoader then, depending on the installed antivirus software, corrupts the payload's IMAGE_SECTION_HEADER as needed to interfere with the antivirus program's detection.

The TinycallProxy module is used to indirectly call target functions. HijackLoader overwrites the TinycallProxy module into the code segment of a DLL, passing the target function and parameters to the TinycallProxy module, which then invokes the target function.

When calling sensitive functions such as CoInitialize and CoCreateInstance, this module invokes TinycallProxy to prevent stack backtracking.
Contact: @Rolllli

No matter how robust a system and its security measures are, they are ultimately controlled by humans, and humans are the root of vulnerabilities.

No technical skills are required; anyone with at least an elementary school education and an intelligence no below average can launch a hacking attack.

* Weak password mass intrusion

Integrating web routing

Some scenarios for extending routing rules:

The asset is a public domain name address with strong authentication. Any route path will redirect to the account, but account is an overridden class and doesn't exist.

Although the routing is uncontrollable, the bundled JS file is obtained.

This address actually corresponds to the EtwpEventWirteFull function, but this function is not visible in x64dbg. We can check it in Ida, which I won't show you here; you can look it up yourself.

So we can patch this function to achieve the effect of bypassing Etw. We can directly replace its call instruction with a nop instruction. The call instruction is 1 byte, and if it's followed by an address, the address is 4 bytes. This means that if we want to replace the call instruction, we definitely need at least 5 bytes. The opcode for the nop instruction is 90.
Contact: @Rolllli

An intuitive graphical user interface with many seamlessly integrated penetration testing tools, allowing for both automated and manual penetration testing.

Quickly enumerates pages within web applications, used by professional web application security researchers and bug bounty hunters. Its functionality can be enhanced by installing add-ons called BApps.

Documented and fast attack speed.

Burp Suite is a comprehensive web application security tool covering many known vulnerabilities in web applications. It can enumerate and analyze the application's attack surface and find and exploit security vulnerabilities.

Synchronous loading typically involves embedding or linking external JavaScript files directly within the HTML document using the <script> tag. In this method, the browser waits for the JavaScript file to load and execute before continuing to parse the rest of the HTML document.

Asynchronous loading of JavaScript can be achieved using the async or defer attribute within the <script> tag. Asynchronous loading allows the browser to continue parsing the HTML without waiting for the JavaScript file to load and execute.
Contact: @Rolllli