Showing Posts From

April 2016

Safer Shellcode Implants

This article discusses techniques for creating safer shellcode implants by implementing runtime security controls. The proposed methods include ensuring single execution through mutex checks, validating the target endpoint using host-specific identifiers, and adding an expiry time to control the implant's lifecycle. Implementation examples are provided in both assembly and C languages to demonstrate these security controls.

  • 19 Apr 2016

Heap tracing with WinDbg and Python

This article demonstrates how to use Python and PyKd to create WinDbg scripts for heap tracing in Windows. The script hooks memory allocation functions like RtlAllocateHeap and RtlFreeHeap to log heap operations. The technique allows visualization of memory allocation patterns and can support exploit development by providing insights into heap behavior.

Masquerading as a Windows System Binary Using Digital Signatures

This article demonstrates a technique for creating fake digital certificates that mimic Microsoft's code signing certificates. By generating certificates that look like they are from Microsoft and installing a custom root CA, malicious Windows binaries can be signed to appear legitimate. The method allows attackers to create executables that blend in with system processes and potentially evade initial detection.

Offline SQL Querying of Active Directory

ADOffline is a tool that converts Active Directory LDAP data into a SQLite database for offline analysis. It enables cybersecurity professionals to perform detailed reconnaissance by querying domain users, groups, and computers without maintaining a live connection to the domain controller. The tool supports complex SQL queries and provides intuitive views to explore Active Directory information.

  • 5 Apr 2016

Windows Kernel Exploitation 101: Exploiting CVE-2014-4113

This article provides a detailed walkthrough of exploiting CVE-2014-4113, a Windows kernel vulnerability. The guide demonstrates the process of creating an exploit for Windows 7 SP1 32-bit by analyzing an original Anti-Virus vendor report. The goal is to make kernel exploitation more accessible to cybersecurity researchers.

Egress Checking

The EgressCheck Framework is a tool designed to help penetration testers and system administrators identify network egress opportunities. It generates traffic across multiple ports and protocols, capturing connection attempts using tcpdump. The framework supports both TCP and UDP scanning, and can generate one-liner scripts for Python and PowerShell.

Persistence Architecture Matters

This article explores the Windows-on-Windows (WOW) redirection layer in 64-bit Windows systems. It explains how filesystem and registry paths are dynamically remapped depending on the process architecture. The technical explanation reveals how 32-bit and 64-bit processes interact with system directories and registry keys differently.