Static Devirtualization of Themida/CodeVirtualizer. The techniques in this article apply to pretty much every virtual machine obfuscator with minor modifications.
https://t.co/RMvPKcv3KB
Original Program & Devirtualized Output
https://t.co/R8hLk9ISRZ
When practicing on a VM crackme recently, I created a devirtualizer which lifts the virtual machine to LLVM to defeat the protection. LLVM-based devirtualisation is a lot of fun and I wrote down my experience and lessons learned on my blog:
https://t.co/LiWNIj31uK
One of the most frequent questions I'm asked is "how do you stay up to date on malware stuff?"
Okay, here is a pro tip:
1. Google OTX AlienVault
2. Make account
3. Look at latest
4. Scroll until you find posts from a guy named Petr something-something (has numbers in his name).
5. Follow his account
He monitors all the big malware places and shares the URL, hashes, etc. from malware vendors. I've been following this random ass dude for years and getting updates on everything.
I have no idea who he is. I don't know where he's from. All I know is his setup is absolute fire and he keeps you up to date on literally everything malware related 24/7 365. He also has stuff from vendors in China, Russia, Japan, etc.
Every morning I log into OTX and check up on my boy Petr to see what fire he's bringing me. I love him.
15-stage Windows malware development & analysis course in Rust. Red team builds it, blue team detects it. All 15 binaries achieved 0/76 on VirusTotal. https://t.co/Ggah7Lfaxk
The FLARE team now freely distributes its quality reverse engineering and malware analysis educational content at https://t.co/bGCIjBfD3C. Launched with:
- Malware Analysis Crash Course
- Go Reversing Reference
- Intro to TTD
The article demonstrates how to bypass the Winsock layer by communicating directly with the Windows AFD driver using Native API calls. It explains how socket operations can be replicated via IOCTLs and how this reduces reliance on standard networking APIs.
https://t.co/kSUGhsHcMg
Detecting Hypervisor-assisted Hooking
TL;DR: This post will describe the concept of hypervisor-assisted hooking and a few simple approaches to detect such hooks.
https://t.co/neknbNnCHC
We can exploit the #securityvulnerability of Windows Error Reporting to put EDRs and #antimalware into a coma-like state.
By using the EDR-Freeze #redteam tool:
Github: TwoSevenOneT/EDR-Freeze
I'm happy to share that I've received a $13,337 bounty from Google for a high-impact vulnerability I reported.
My thanks to the @GoogleVRP team.
A full technical write-up is coming once the fix is confirmed.
#bugbounty #infosec #cybersecurity #GoogleVRP
Exploiting Reversing (ER) series: Article 01 | Windows kernel drivers
TL;DR: In this article we will review concepts, architecture and practical steps related to vulnerability research.
https://t.co/r6AnxzRsJR
As a little follow up, I wrote a small blog post/tutorial on how to reverse engineer Windows drivers with IDA - this is aimed at people that never touched drivers before and covers IOCTL codes, IRPs and some IDA shenanigans with unions.
https://t.co/AQp3Uc7GYU
Enjoy :3
EDR vendors secure their sales pipelines but neglect monitoring GitHub for exposed installer tokens - leaving customers vulnerable to abuse and over-licensing.
Adversaries likely exploit these tokens to build sandboxes for payload testing. Here are search patterns to help identify these exposures and push vendors toward better security practices:
CrowdStrike:
Base:
- Falcon
- falconctl
- CrowdStrike
- FalconSensor_Windows
Filters:
- /[A-Za-z0-9]{32}-[0-9]{2}/
Example Queries:
- crowdstrike /CID=[A-Za-z0-9]{32}-[0-9]{2}/ NOT owner:crowdstrike
- crowdstrike falcon /[A-Za-z0-9]{32}-[0-9]{2}/ NOT "1234567890ABCDEF1234567890ABCDEF-12"
SentinelOne:
Base:
- SITE_TOKEN
- sentinelctl
- SentinelOne
- SentinelOneInstaller
Filters:
- 5zZW50aW5lbG9uZS5uZXQiL
- eyJ1
Example Queries:
- SITE_TOKEN 5zZW50aW5lbG9uZS5uZXQiL
- Sentinelone language:powershell eyJ1
Carbon Black:
Base:
- COMPANY_CODE
- installer_vista_win7_win8
Filters:
- /COMPANY_CODE=[A-Z0-9]{19}/
Example Queries:
- installer_vista_win7_win8 /COMPANY_CODE=[A-Z0-9]{19}/
Note: Add "s3" to any base term search to find publicly hosted installer binaries.
Vendors must apply the same rigor to token management as they do to sales - protecting customers from licensing abuse and denying threat actors easy sandbox setup.