Hacking and Domain Names
This address actually corresponds to the EtwpEventWriteFull function, but that function is not visible in x64dbg. It can be confirmed in IDA, which I won't show here; you can look it up yourself.

So we can patch this function to achieve the effect of bypassing ETW, by replacing its call instruction with nop instructions. The call opcode is 1 byte and the address that follows it is 4 bytes, so replacing the call instruction needs at least 5 bytes. The opcode for the nop instruction is 0x90.
An intuitive graphical user interface with many seamlessly integrated penetration testing tools, allowing for both automated and manual penetration testing.

Quickly enumerates pages within web applications, used by professional web application security researchers and bug bounty hunters. Its functionality can be enhanced by installing add-ons called BApps.

Well documented, with fast attack speed.

Burp Suite is a comprehensive web application security tool covering many known vulnerabilities in web applications. It can enumerate and analyze the application's attack surface and find and exploit security vulnerabilities.
Synchronous loading typically involves embedding or linking external JavaScript files directly within the HTML document using the <script> tag. In this method, the browser waits for the JavaScript file to load and execute before continuing to parse the rest of the HTML document.

Asynchronous loading of JavaScript can be achieved using the async or defer attribute within the <script> tag. Asynchronous loading allows the browser to continue parsing the HTML without waiting for the JavaScript file to load and execute.
Remove unnecessary users or groups, retaining only those that genuinely require the permission. Restrict the Create Token Object right via GPO: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create Token Object.

Restrict who can create process-level tokens for local and network services via GPOs: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace Process-Level Tokens.
For example, some management processes in virtual machines, such as vmtools.exe, can be blacklisted, while common office software, such as WeChat and Lark, can be considered whitelisted.
In any network using Kerberos authentication, a Service Principal Name (SPN) must be registered for each service under a machine account or user account (every service using Kerberos requires an SPN). Within the internal network, SPN scanning performs service discovery by querying the domain controller.

setspn -q */* lists every registered SPN.

Here we filter for the MSSQL service:

setspn -q */* | findstr "MSSQL"
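Piping the query through findstr drops the account line, so you lose which account owns each SPN. The parser below is an added example (not from the original post) that keeps that association; the sample output is constructed and assumes the usual setspn layout of a flush-left account DN followed by indented SPN lines.

```python
import re
from collections import defaultdict

# Constructed sample of `setspn -q */*` output (not real domain data).
SAMPLE_OUTPUT = """Checking domain DC=corp,DC=example,DC=com
CN=SQL01,OU=Servers,DC=corp,DC=example,DC=com
\tMSSQLSvc/sql01.corp.example.com:1433
\tMSSQLSvc/sql01.corp.example.com
\tHOST/sql01.corp.example.com
CN=svc_sql,OU=Service Accounts,DC=corp,DC=example,DC=com
\tMSSQLSvc/sql02.corp.example.com:1433
CN=WEB01,OU=Servers,DC=corp,DC=example,DC=com
\tHTTP/web01.corp.example.com

Existing SPN found!
"""

def parse_setspn(output):
    """Group SPNs by owning account: DN lines are flush-left, SPNs indented."""
    spns = defaultdict(list)
    account = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":          # an SPN belonging to the current account
            if account is not None:
                spns[account].append(line.strip())
        elif line.startswith("CN="):  # a new account DN
            account = line.strip()
            spns.setdefault(account, [])
        # "Checking domain ..." / "Existing SPN found!" are header/footer noise
    return dict(spns)

def split_spn(spn):
    """Split 'class/host[:port-or-instance][/name]' into (class, host, port)."""
    m = re.fullmatch(r"([^/:]+)/([^:/]+)(?::([^/]+))?(?:/.*)?", spn)
    if not m:
        raise ValueError(f"unexpected SPN format: {spn}")
    return m.groups()  # port is None when the SPN has no port/instance part

def find_service(spns_by_account, service_class):
    """Like `findstr "MSSQL"` but keeps the owning account next to each SPN."""
    wanted = service_class.lower()
    hits = {}
    for account, spns in spns_by_account.items():
        matches = [s for s in spns if split_spn(s)[0].lower() == wanted]
        if matches:
            hits[account] = matches
    return hits
```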
Decrypting Configuration Information (Config)
In V2.X and V3, Fodcha uses a parallel organization method for Config, while in V4 and V4.X, it uses a structured organization method for Config.

After reverse engineering, we wrote the following IDAPython script to decrypt the configuration information.

The decrypted Config information is shown in the following table. It can be seen that the "surrender" Easter egg is still preserved in index 11. Additionally, it's worth noting that index 12 is the reporter server address.
