2021

    Malware Development: Kernel Rootkit Shellcode-Runner

    Create a kernel rootkit that accepts a user-provided buffer that contains shellcode to execute in kernelmode

    Malware Development: Hide a Rootkit via DKOM

    1. Create a kernel rootkit that hides itself via manipulating PLDR_DATA_TABLE_ENTRY
    2. Create a usermode client that communicates with the rootkit
    3. Hide the rootkit on demand via IOCTLs

    Malware Development: Writing a PE File Packer/Crypter

    https://github.com/FULLSHADE/pe-Packer

    Malware Development: Read/Write Memory Kernel Driver

    TeslaCrypt Ransomware Malware Analysis

    TeslaCrypt ransomware is an older ransomware family that was shut down in 2016 with the release of a master decryption key. This blog post gives a technical walkthrough of reverse engineering the ransomware loader and main payload.

    CrackingLessons: Challenges #01 - #20 Writeup

    This is a series of writeups for the 20 reverse engineering “crackme” challenges posted on crackinglessons.com. You can find the original binaries and challenges here. The challenges are written in C/C++, Delphi, VB, p-code, Assembly, and C# and cover a variety of topics such as removing obfuscation, unpacking, patching, creating keygens, loaders, removing nag screens, extending 30-day trials, reverse engineering serial key number algorithms, and more. Each challenge writeup will include a brief overview and high-level solution, followed by a technical walkthrough of reversing the binary and solving the challenge.

    Windows Implant Development: REDPULSAR

    DamCTF 2021 DanceParty Writeup

    For this challenge we are provided with a Windows PE binary that is reported as being malicious. The end goal is to identify the embedded configuration file that the malware uses while communicating with a remote server. The configuration includes a set of domains that the malware can reach out to, along with the challenge's flag. This writeup will give an overview of reverse engineering the payload to identify, extract, and decrypt the configuration data.

    Windows PE File Parsing

    New APT31 Droppers Malware Analysis

    The Chinese nation-state group APT31, also known as ZIRCONIUM, JUDGMENT PANDA, and BRONZE VINEWOOD, carried out offensive cyber operations against targets in Russia, Belarus, and others between January and July of 2021. This attack included malware in the form of droppers that lead to the deployment of backdoors. The droppers rely on DLL-sideloading to load the malicious second-stage payload. APT31 is a Chinese-backed nation-state APT group that provides the Chinese government and state-owned enterprises with information to aid in political, economic, and military advantages. The group has a history of targeting government-related organizations.

    RagnarLocker Ransomware Malware Analysis

    RagnarLocker is a Windows-based ransomware family that includes the ability to encrypt a system's files with the intention of financially extorting the victim for money. One of the most famous ransomware attacks involving Ragnar was the attack against the Portuguese company, EDP Group. During the attack, the Ragnar actors compromised the company’s network and later deployed the ransomware payload and demanded a payment of 1500+ Bitcoin. During the attack, the actors also exfiltrated around 10TB worth of internal documents from the company, which was used to doubly extort the victim. In order to regain access to their systems and to not have their internal, sensitive documents leaked, EDP Group would need to pay the ransomware actors. The malware sample analyzed in this post is one of the same samples involved in the EDP Group attack. The malware sample includes an EDP Group-specific ransom note that can be obtained while decrypting the configuration data from within the malware.

    Post Exploitation: Loading Kernel Drivers With NtLoadDriver

    This post focuses on loading signed Windows kernel drivers onto the system. During the post-exploitation phase of an offensive operation, actors may decide that loading a rootkit onto the system to enhance their capabilities is the correct approach; to do so, the actor must have the driver loaded into the kernel. This process is typically done through the Windows Service Control Manager (SCM). The SCM maintains installed services and allows a user to add, remove, and modify services. Adding a rootkit onto the system can be done through the sc.exe utility on Windows, which is an interface to the SCM, but using a utility like this will alert EDR/AV systems, as they will capture CMD commands being executed and suspicious instances of new services being created (MITRE T1543.003). An alternative to this is to directly interface with the Windows API using functions such as OpenSCManagerA and CreateServiceA, but like using sc.exe, these function calls are monitored by EDR/AV systems.

    Exploiting Capcom.sys On x86_64 Windows 1607 RS1

    Capcom.sys is a signed Windows kernel driver that was included in a release of Street Fighter 5 in 2016. Capcom.sys includes a security vulnerability within its I/O functionality in which it accepts a user-mode provided memory pointer and executes it within kernel-mode, but not before disabling Supervisor Mode Execution Prevention (SMEP) on the system. Disabling SMEP allows the kernel to perform callbacks to user-mode regions of code (the user-provided pointer in this case).

    2020

    AgentTesla InfoStealer Malware Analysis

    Agent Tesla is .NET-based malware that is sold as “advanced” keylogger software. Agent Tesla is sold under the description that it is a monitoring and data recovery tool that can be utilized to “monitor your systems, get keyboard logs, view screens, and more”.

    Cerber Ransomware Malware Analysis

    Cerber ransomware is a Windows-based ransomware family that is sold on cybercrime underground markets as Ransomware-As-A-Service (RaaS). This malware family was widely popular in the 2016–2018 era, but some samples still show up every now and then. Cerber ransomware typically spreads via email attachments, including attachments with embedded malicious scripts, which allow the Cerber ransomware to get onto the system.

    Leaking Kernel Addresses on Windows 10 1607, 1703, and 1809 - Undocumented Structures to Bypass KASLR

    Over the years, Microsoft has implemented various security mitigation tactics within the Windows operating system to circumvent and thwart malicious actors from leveraging various types of exploitation techniques to obtain higher levels of privilege than they are supposed to have.

    HEVD - Windows 7 x86 Kernel Arbitrary Write - Abusing the HAL for a Classic Write-What-Where

    This post covers the HEVD exploitation of overwriting HalDispatchTable+0x4 and calling NtQueryIntervalProfile() to obtain EOP.

    HEVD - Windows 7 x86 Uninitialized Stack Variable

    This post covers the exploitation of the Uninitialized Stack Variable vulnerability class that resides within the HEVD third-party driver application.

    CVE-2020-9453 & CVE-2020-9014 - Multiple IOCTL DOS Bugs in Epson's iProjection V2.30 Drivers

    Multiple vulnerabilities have been discovered within the Epson iProjection v2.30 software provided by EPSON. These vulnerabilities also have the potential to be weaponized and turned into privilege escalation exploits (EOP) which may allow an attacker(s) to obtain higher-level privileges on an unpatched system. The current stage of the produced proof-of-concept exploits is a POC that simply sends data to the various IOCTLs which invokes a BSOD crash on the system.

    Code Caving & Backdooring Windows PE Files

    Code caving is a technique deployed by threat actors to run malicious shellcode within the valid PE space of a regular program. It’s a technique where an actor discovers an unused or non-optimized part of code within a compiled program and hijacks the execution flow to point to this location, which has shellcode placed in it. This can lead to the application executing a malicious shellcode payload.

    Fuzzing Drivers, Techniques of the Trade for Discovering Brand-New 0days

    This post covers the needed knowledge to discover brand-new 0days throughout the internet. With this information, you will be able to fuzz and write new exploits for third-party drivers.

    Writing a Windows Kernel-Mode Driver - Part 1

    Introduction to writing Windows kernel-mode drivers in the C programming language. This post covers setting up the kernel development environment and the basics to get your first kernel driver deployed.

    Common Windows Anti-Debugging techniques in C/C++ using winAPI

    When conducting malware research, reverse engineering, or any kind of analysis, debugging will come into play sooner or later. Demonstrated within this article are a few common techniques that malware may try to utilize to evade and not let your debuggers work properly when trying to analyze the malicious pieces of code. The topics below will also include code written in C to fully demonstrate the evasion techniques.

    HEVD - Windows 7 x86 Kernel Integer Overflow

    This post covers the exploitation of the integer overflow that resides within the HEVD driver.

    HEVD - Windows 7 x86 Kernel Type Confusion

    Walkthrough for the HEVD Windows Kernel Driver exploitation, exploiting a Kernel level Type Confusion bug vulnerability.

    HEVD - Windows 7 x86 Kernel NULL Pointer Dereference

    Walkthrough for the HEVD Windows Kernel Driver exploitation, exploiting a NULL Pointer Dereference vulnerability. Let’s get this out of the way since I have a bunch of undisclosed 0days (which happen to be NULL Pointer Dereference vulnerabilities), so this post will expand on what the vulnerability is, how to debug it, and how to exploit it.

    HEVD - Windows 7 x86 Kernel Stack Overflow

    Walkthrough for the HEVD Windows Kernel Driver exploitation, exploiting a Stack-based vulnerability.

    IOCTL Theory for Kernel Driver Exploit Development

    An introduction to IOCTLs and utilizing and discovering them while conducting Windows kernel exploit development.

    Winning My First CTF, 1st Place In CMD+CTRL CTF

    Over New Year’s weekend, I was fortunate enough to compete in the seasonal CMD+Ctrl CTF; the last time I competed in one of their CTFs was in person when I attended Defcon 27.

    CVE-2020-5509 - Remote Authenticated Remote code execution in Car Rental Project v.1.0 - arbitrary file upload

    The Car Rental Project v.1.0 web application is a piece of software produced by PhpGuruKul with over 24,944 downloads. It’s advertised as an easy-to-deploy web application for small companies to utilize for setting up a car purchase/rental shop. Searching Google via various Google dorks results in the discovery of a small handful of active deployments.

    2019

    Kernel Opaque Data Structures & Access Tokens

    Within the world of exploit development, a common technique to gain access at a higher privilege level is process token theft, which leads to an escalation of privilege (EOP) attack.

    Windows Kernel Memory Pool & Vulnerabilities

    This article gives insight into what the Windows Kernel pool is, and what are some vulnerabilities that reside inside the pool area. Also, this article will show and explain the analysis of a Windows pool overflow crash via WinDBG.

    PEB WinDBG Analysis and Process Manipulation

    The Process Environment Block is a Windows user-mode memory management data structure that is used for storing a lot of information about loaded modules, process arguments, heap addresses, base addresses, and more.

    Understanding Windows Security Mitigations

    The purpose of implementing various exploit mitigations is to prevent and thwart attackers from launching exploits and malicious attacks against your systems and information. Microsoft over the years has implemented various exploit mitigations specifically targeted towards stopping overflow attacks and some of the techniques that advanced attackers may use to gain access to systems.

    Remote SEH Overflow With Multi-Staged Jumps - CVE-2019-17181 From Intrasrv

    Sending an unauthenticated and malicious HTTP HEAD request to the application results in an SEH-based buffer overflow. This exploit utilizes a short JMP which hits a long JMP back 450 bytes which then hits a standard calculator shellcode payload.

    Proposed Technique for Bypassing a Null Byte When Using a Poppopret - SEH Exploitation

    If you’ve ever encountered structured exception handler buffer overflow proofs of concept on exploit-db that are not complete and only prove a DOS, and for some reason you want to prove the full exploitability of the vulnerability that you find, you can use this DLL injection technique to add custom code to be utilized for your vulnerability exploitation. It’s really not practical, but it’s just a thought. Also, if you are using this technique in order to write your exploits, you are already at a level where you can manipulate and execute code in another process’s memory, so this isn’t really a practical approach to writing an exploit. But if you just want to write and fully exploit an application, this proves to be a very impractical technique to do so.

    Understanding Windows Memory Data Structures

    These are a few of the commonly referred to Windows memory management data structures that you’ll commonly encounter when performing some aspect of Windows debugging, kernel debugging, or Windows exploit development. The following Windows memory data structures are crucial to understand if you truly want to excel at being a security researcher or exploit developer.

    CVE-2019-16724 - File Sharing Wizard Remote Unauthenticated SEH Overflow Writeup

    When sending a remote HTTP POST request to the web server application, an attacker can obtain arbitrary code execution by sending too much data and exploiting an SEH-based buffer overflow.

    Local SEH overflow with ROP to bypass DEP - ASX to MP3 Convertor exploitation

    This post covers the exploitation of ASX to MP3 Convertor, which includes a local SEH overflow when processing files.

    Set up Immunity and WinDBG with Mona.py, set up a kernel debugging environment with WinDBG

    Set up Immunity Debugger with Mona.py

    Local SEH overflow - exploitation of Millenium MP3 Studio 2.0 with a calc.exe shellcode payload

    The victim program for this walkthrough is Millenium MP3 Studio 2.0; it includes a local SEH-based buffer overflow when opening certain sized files with specific file extensions.

    Classic JMP ESP buffer overflow exploitation - remote overflow in Vulnserver

    This post covers the beginning of any exploit developer’s journey, the classic buffer overflow exploitation.