Themida turns a few lines of code into thousands of VM handler instructions. Completely unreadable.
Back Engineering built a static devirtualizer that lifts it all to IR, resolves the control flow, and recovers the original logic.
The before/after in the repo is genuinely shocking.
Works on pretty much any VM obfuscator, not just Themida.
Blog: https://t.co/fY4YkY2aH3
Devirt output: https://t.co/p2gkKi1vXp
Author: @BackEngineerLab
#ReverseEngineering #InfoSec #Malware
Plugin Contest winners used it. Binarly built award-winning Rust bindings with it. BinSync added an idalib mode for headless pipeline support...
... Now it's your turn.
We're hosting a free virtual workshop on idalib — IDA as a library. Call IDA's analysis engine directly from your own code, automate workflows without launching the GUI, and integrate IDA into any toolchain you're already running.
Free. Virtual. Hands-on.
👉 https://t.co/WHQyp8rxf1
Static Devirtualization of Themida/CodeVirtualizer. The techniques in this article apply to pretty much every virtual machine obfuscator with minor modifications.
https://t.co/RMvPKcv3KB
Original Program & Devirtualized Output
https://t.co/R8hLk9ISRZ
Updated the KernelToUserInjector kernel driver to get around the ALLOCVM, WRITEVM, PROTECTVM and QUEUEUSERAPC ETW threat-intelligence sensors.
Find the sample EtwTi logs in the Misc dir.
https://t.co/QtylOFJifH
Confirmed! Took a process dump of the parent msedge process, used the Sysinternals strings utility to search for a known password, and there it was! Don't share @MicrosoftEdge process dumps!!
A new update to the WinDbg LLM decompiler extension adds Zydis-based structured disassembly, SSA-lite recovery, RIP/IAT awareness, and PDB-based type and name hints. Decompiler output in WinDbg should now read a bit more naturally and hold together more consistently.
https://t.co/WFDyKqA2HG
I've been building libghidra: a typed SDK for automating Ghidra from C++, Python, and Rust (mainly for AI agents). Decompile, rename, comment, inspect symbols/types/xrefs, save, close, and reopen projects from code. Treat Ghidra like infrastructure, not just a GUI.
Under the hood this is a typed API surface over a Ghidra host/extension. The same core workflows exist across C++, Python, and Rust, so you can use it for quick scripts, larger pipelines, or native tooling. 1/n
I see a few people, including the author of #RedSun himself, asking why an AV would write the malicious file back. To this I want to say that virus cleaning happens in the same way across all AVs. If the detection is a virus, it first tries to disinfect and, if that fails, restores it.
Another zero-day exploit released by some nerd (can't remember the name right now) because they're annoyed with Microsoft. It's been confirmed by other nerds. It is yet another legit zero-day. Whew.
https://t.co/Zllhns1ztn
gopacket is live! Check it out, it is intended to be a full reimplementation of Impacket in Go (it is in beta please send me bug reports) https://t.co/9XjTickbyA
I think many other AV vendors are likely vulnerable to this same attack pattern. Defender was the target here and is being roasted while other AVs quietly patch their products. Tech at this level is much the same across the board.
@EvilSecOfficial @vxunderground Btw, who knows how many vendors are vulnerable to a similar attack pattern. I am sure Defender is not the only one, but it's the target here and the others will quietly fix it. The tech across AVs at this level is nearly the same.
The Huntress SOC is observing the use of Nightmare-Eclipse's BlueHammer, RedSun, and UnDefend exploitation techniques.
Investigation by: @wbmmfq, @Curity4201, + @_JohnHammond 🧵👇
@ChaoticEclipse0 Btw, is it true that this has to be running on the machine for quite some time before a new update is downloaded? If so, isn't that a big enough window to get this detected via the cloud etc.?
My BlueHammer version (now redhammer) implements my VDM version patch, and deploys and loads the BYOVD for my exploit kit.
It bypasses the new signature for BlueHammer as well. How is this still unpatched?