pizza planet

obfus.h is a macro-only library that obfuscates C code at compile time, designed for use with Tiny C (tcc) on Windows. - Function call obfuscation and control flow code mutation - Anti-debugging and anti-decompilation techniques built in - Strings hidden and dynamically constructed at runtime - Fake signatures and math virtualization for added confusion Explore it here: https://t.co/YJAU0aw93V

Update: the AUR compromise appears to be ongoing After the initial incident affecting 1,500+ packages, another wave of malicious AUR packages has been discovered. This time the attackers reportedly used code obfuscation to better conceal the malicious behavior. Affected packages included Node.js packages, Firefox-related packages, LibreWolf extensions, NeoVim plugins and others. If you’re using #Arch Linux and install software from AUR, I’d review recently updated packages and keep an eye on this story. https://t.co/4eD3Ola9DH

More than 400 packages in the Arch User Repository (AUR) have been found to contain malware in a major supply chain attack. According to security researchers at Sonatype, attackers took over abandoned AUR packages by posing as trusted maintainers. They modified the packages to download a malicious npm dependency called atomic-lockfile, which contained code designed to steal information and maintain access to infected systems. Arch Linux’s official repositories were not affected. The attack impacted only the AUR, a community-maintained collection of package build scripts. Arch maintainers have removed the malicious packages and blocked the accounts involved. The number of affected packages grew to more than 400 before the campaign was discovered. Sources: Sonatype researchers and Arch Linux community reports.

In windows, APCs(Asynchronous procedure calls) is a mechanism in which a function executes in the context of the specific thread. It's not an independent execution entity like a thread. void CALLBACK MyCompletionRoutine(...) { printf("Read completed!\n"); } ReadFileEx(..., MyCompletionRoutine); //Async I/O // Later SleepEx(INFINITE, TRUE); // Alertable wait Here, the completion routine runs even before SleepEx returns. Thread | |-- ReadFileEx() | |-- SleepEx(INFINITE, TRUE) | (alertable wait) | |<-- I/O completes |<-- Windows queues User APC | |-- MyCompletionRoutine() <-- APC executes | |-- SleepEx returns WAIT_IO_COMPLETION | |-- Continue execution That's how the below sequence is possible if you have proper rights to open the process handle to suspend. Btw security software can easily catch this because you're suspending a process and allocating memory etc.

Quick Linux tip: Most people use tree to visualize a directory structure. What many don't know is that it can also display file permissions, owners, groups, and sizes. $ tree -pugh -L 3 Here is what each option mean: -p - file permissions -u - owner -g - group -h - human-readable sizes -L - limit the depth of the directory tree This is especially useful when auditing file permissions, troubleshooting access issues, or documenting a project's directory structure.

I pulled a random sample from MalwareBazaar last week and it turned out to be a WannaCry dropper with a trick I have seen in several post-2017 variants: garbage bytes prepended before the MZ header. CFF Explorer, Detect It Easy, and most sandbox parsers silently fail when the file does not start at offset 0 with MZ. Trim the bytes in HxD and everything loads fine. Inside: a three-layer nested dropper chain using FindResource, LoadResource, WriteFile, and CreateProcess. The final payload is a 32-bit PE with an encrypted ZIP in the resource section. The classic WannaCry structure with the original hardcoded password still intact. What struck me most: VirusTotal behavioral telemetry was sparse. Low TTP coverage from sandboxes is not a clean bill of health. It is a sign the sample is evading behavioral inspection. Full static analysis walkthrough, including the IDA Pro dropping function analysis: https://t.co/rK3Rp1bHGF #CyberSecurity #MalwareAnalysis #ReverseEngineering #DFIR