I'm proud to release my first Google Chrome RCE derived from the most fascinating and mind bending exploit I have yet analyzed: CVE-2019-13720 Wizard Opium. This is a beautiful bug which I have crafted into an exploit bypassing ASLR, CFG and CET on Win10 https://t.co/RhMJ2nmVd4
Does anyone know what mechanisms can be used to detect suspended (non-UWP) and frozen UWP app processes, and how to programmatically wake them up in a safe and persistent way where they don't just immediately freeze again?
@m417z @diversenok_zero NtPowerInformation worked for me. Of course, the UWP app goes back to being frozen the second the power handle is closed to it, i.e. when your own process dies. Still, a very nice trick.
@sixtyvividtails I am talking here about a specific technique to obtain such a handle to a specific System process as a non-admin user; normally this is globally impossible. What I wonder though is if this meets Microsoft criteria for a security boundary/elevation bug.
Is the ability of a non-admin user to obtain a full query handle to a System integrity process and unravel its ASLR considered a security boundary? I know a PROCESS_QUERY_INFORMATION handle on a PPL is considered a breach of a security boundary even if the owner is local admin. But what about this scenario as a non-admin -> System?
A standard user is unable to obtain any process handle even with PROCESS_QUERY_LIMITED_INFO to any System integrity process regardless of which session it is in. It’s also unable to QI limited any process in another session regardless of integrity level. The process DACL in question locks all access (even query limited) to anyone but SYSTEM.
I’m surprised to have recently learned that there does not seem to be a trivial way to receive notifications of suspended process launches in Windows via kernel proc notif callback, kernel ETW or EtwTi. Any ideas on how to do this? @zodiacon
@sixtyvividtails @zodiacon @GabrielLandau Checking the ring3 call stack from a ring0 kernel process creation callback seems like the only reliable way to do this that I can think of. Timing when the main thread is resumed would be messy.
@sixtyvividtails @zodiacon Brilliant insight, thank you. So how is an application like Elastic populating its "created_suspended" bool field for its YARA rules then? This field is criteria in various process hollowing rules from what I recall.
@frodosobon @zodiacon If you NtQueryInformationThread the state of the single/main thread from a create process notification routine in the kernel, it will always return state 0 (initialized). Not running, waiting, suspended etc., regardless of CREATE_SUSPENDED.
@peterwintrsmith @shubakki I think the biggest weakness in Moneta though is false positives. A major feature that has always been needed is a JSON whitelist file where an operator or enterprise can design a profile of known false positives.
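The earlier tweet asked what can be used to detect suspended processes, and the replies above explain why a launch-time kernel notification is not trivial. A user-mode fallback, added here as an example and not code from the thread's author, is to poll the thread list of every process with System.Diagnostics.ProcessThread and report those whose threads are all in the Wait state with WaitReason Suspended; being a poll, it cannot see the launch moment and misses a process resumed between two scans.

```powershell
# Added example (not from the thread): find processes whose threads are all suspended.
# Uses only the documented System.Diagnostics.ProcessThread properties.
function Get-SuspendedProcess {
    [CmdletBinding()]
    param()

    foreach ($proc in Get-Process) {
        # Threads come from the system process snapshot, so no process handle is
        # needed; protected or other-session processes still show up here.
        $threads = @($proc.Threads)
        if ($threads.Count -eq 0) { continue }

        $suspended = 0
        foreach ($t in $threads) {
            # WaitReason throws InvalidOperationException unless the thread is in
            # the Wait state, so the state is checked first.
            if ($t.ThreadState -eq [System.Diagnostics.ThreadState]::Wait -and
                $t.WaitReason -eq [System.Diagnostics.ThreadWaitReason]::Suspended) {
                $suspended++
            }
        }

        # Every thread suspended: typical of CREATE_SUSPENDED launches that were
        # never resumed, or of a process suspended afterwards (debugger, NtSuspendProcess).
        if ($suspended -eq $threads.Count) {
            [PSCustomObject]@{
                ProcessId   = $proc.Id
                Name        = $proc.ProcessName
                ThreadCount = $threads.Count
            }
        }
    }
}

Get-SuspendedProcess | Format-Table -AutoSize
```

A single suspended thread inside an otherwise running process is a separate signal (the pattern of thread injection followed by a resume) and is deliberately not flagged here, since it is common in benign code as well.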
Over the years I’ve been flattered to see that my tool Moneta has picked up a following in the Infosec world and I am considering reviving the project. If you are a user of Moneta, what would you improve? Which features would you add? https://t.co/XmhwhUh4jH
@peterwintrsmith @shubakki I'm very glad to hear this. I've been shocked lately to see people using Moneta on YouTube videos about reverse engineering and forensics (since when does our little underground community have this big a mainstream presence?).
@peterwintrsmith 2 and 3 are an interesting touch on Gargoyle/SleepMask techniques. The issue is that all I have are the original alloc permissions and the current ones. Malware tends to always alloc RW initially then change it, so it is of limited value to a sleeper shellcode detection
@peterwintrsmith @ilove2pwn_ This change is already present, as I take it you're referring to the ability to clone a process and nuke its working set to make its new image memory contents look unmodified?
@peterwintrsmith You’re referring to addresses that have been whitelisted by CFG? For example a hollowed part of a .text section where malware wrote itself and then marked its entry point as whitelisted for CFG before launching a new thread there? Or something else?