Source Byte

#meme

LSASS Memory Dumps are Stealthier than Ever Before

Dumping is implemented by interfacing with various external tools: comsvcs comsvcs_stealth dllinject procdump procdump_embedded dumpert dumpertdll ppldump ppldump_embedded mirrordump mirrordump_embedded wer EDRSandBlast nanodump rdrleakdiag silentprocessexit sqldumper

[+] MiniDumpWriteDump (Vitaminizing MiniDump) [+] Comsvcs.dll [+] Direct syscall [GitHub] [+] Nano dump [info] [+] Dump with trusted process Look at all of them 1 Look at All of them 2 T1003.001 - OS Credential Dumping: LSASS Memory Lsass for everyone [advanced] WINDOWS SECRETS EXTRACTION: A SUMMARY by synacktiv https://t.me/Source_byte #malware_dev #lsass

LSASS Memory Dumps are Stealthier than Ever Before

Dumping is implemented by interfacing with various external tools: comsvcs comsvcs_stealth dllinject procdump procdump_embedded dumpert dumpertdll ppldump ppldump_embedded mirrordump mirrordump_embedded wer EDRSandBlast nanodump rdrleakdiag silentprocessexit sqldumper

[+] MiniDumpWriteDump (Vitaminizing MiniDump) [+] Comsvcs.dll [+] Direct syscall [GitHub] [+] Nano dump [info] [+] Dump with trusted process Look at all of them 1 Look at All of them 2 T1003.001 - OS Credential Dumping: LSASS Memory Lsass for everyone [advanced] WINDOWS SECRETS EXTRACTION: A SUMMARY by synacktiv https://t.me/Source_byte #malware_dev #lsass

series on virtualization technologies and internals of various solutions (QEMU, Xen and VMWare) Credit: @LordNoteworthy [ 0 ] Intro: virtualization internals part 1 intro to virtualization [ 1 ] VMWare: Virtualization Internals Part 2 - VMWare and Full Virtualization using Binary Translation [ 2 ] Xen: Virtualization Internals Part 3 - Xen and Paravirtualization [ 4 ] QEMU: Virtualization Internals Part 4 - QEMU ——- related posts : [ 0 ] Writing a simple 16 bit VM in less than 125 lines of C [ 1 ] Write your Own Virtual Machine [ 2 ] notes on vm and qemu escape exploit [ 3 ] notes on VMware escape exploits by version [ 4 ] Unpack VMProtect #VM , #cve_analysis , #VM_internals —- https://t.me/Source_byte

Parent pid spoofing Techniques $ [+] Via Createprocess ( iredteam ) [+] PPID Spoofing via WMI [+] NtCreateUserProcess [+] Pid spoofing (Methods) -Real Example by security in bits

Tool Interface Standard (TIS) Executable and Linking Format (ELF) Specification

Exploiting an io_uring Vulnerability in Ubuntu

This post discusses a use-after-free vulnerability, CVE-2024-0582, in io_uring in the Linux kernel. Despite the vulnerability being patched in the stable kernel in December 2023, it wasn’t ported to Ubuntu kernels for over two months, making it an easy 0day vector in Ubuntu during that time.

https://blog.exodusintel.com/2024/03/27/mind-the-patch-gap-exploiting-an-io_uring-vulnerability-in-ubuntu/ #cve_analysis , #linux_internals , #CVE-2024-0582

Process Enumeration methods [+] Hunting RWX trick [+] EnumWindowsProcesses Callback [+] Toolhelp api [+] WTS API [+] NTQuerySystemInformation [+] Others

Process injection techniques $ (꩜)ListPlanting ->( Mitre ) (꩜)Process Doppelganging ->( Mitre) (꩜)Process Hollowing ->( GitHub) (꩜)Extra Window Memory Injection -> ( Mitre ) (꩜)TLS callback ->( GitHub) (꩜)APC injection -> ( earlybird ) (꩜) Thread Hijacking ->( GitHub ) (꩜) Transacted Hollowing (hasherezade) (꩜) Process Ghosting (hasherezade) (꩜) DLL hollowing (hasherezade) (꩜) ChimeraPE (hasherezade) (꩜) Process Overwriting (hasherezade) (꩜) Process Chameleon (YouTube) +Demo by hasherezade https://t.me/Source_byte #malware_dev #process_injection

Binary Exploitation Notes

Stack Heap Kernel Browser Exploitation

https://ir0nstone.gitbook.io/notes credit : Andrej Ljubic

😎

Daily linux triks and security notes from seilany ( multiple linux distrubution developer ) [ 1 ] A technique to increase the speed of Linux kernel and operating system by 25% [ 2 ] Increase the speed of ssd memory . . . Don't miss it! 👁👇🏻 https://t.me/linuxtnt

A universal EDR bypass built in Windows 10

While studying internals of a mechanism used by all EDR software to get information about processes activities on Windows, we came across a way for malicious processes to disable the generation of some security events related to process interactions. This technique could be used to evade EDR software while performing malicious operations such as process memory dumping, code injection or process hollowing.

https://www.riskinsight-wavestone.com/en/2023/10/a-universal-edr-bypass-built-in-windows-10/ #EDR , #windows_internals

In this research paper which is first part of the system analysis series, our team at ACQL has embarked on an exploratory journey to thoroughly understand general systems concepts, aiming to extrapolate these concepts to broader system typologies. Our initial findings suggest that systems, universally, exhibit 9 fundamental characteristics. Furthermore, we identify that any entity defined as a system is susceptible to both internal and external threats, necessitating robust protective measures. Our analysis progresses into a detailed examination of various data terminologies, along with their types and states, focusing primarily on concepts such as information and intelligence. This foundational understanding of data dynamics has enabled us to advance our study into high-level analyses of software-based systems and binaries. By doing so, we have been able to identify potential vulnerabilities within these systems. The culmination of our research involves developing strategies to exploit these identified weaknesses effectively, thereby gaining control over the systems in question. This comprehensive approach not only enhances our understanding of system security but also contributes to the development of more secure computing environments. ACQL Website: link @aioooir | #analysis #acql #research

Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/#storing-payloads-in-registry #AV , #GuptiMiner