Source Byte

post updated : [ 17 ] Understanding ETW Patching added to the list

ETW series [ 1 ] ETW visualization [ 2 ] Uncovering Windows Events [ 3 ] ETW internals for security research and forensics [ 4 ] Exploiting a “CVE-2020-1034” Vulnerability – In 35 Easy Steps or Less! [ 5 ] Design issues of modern EDRs: bypassing ETW-based solutions [ 6 ] A Primer On Event Tracing For Windows (ETW) [ 7 ] Windows 10 ETW Events references collection [ 8 ] evading EDR book [ 1 ] , [ 2 ] [ 9 ] Detecting In-Memory Threats with Kernel ETW Call Stacks [ 10 ] Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers [ 11 ] A Begginers All Inclusive Guide to ETW [ 12 ] ETW References [ 13 ] Give Me an E, Give Me a T, Give Me a W. What Do You Get? RPC! (pars events from the RPC ETW) [ 14 ] Attacks on ETW Blind EDR Sensors ( black hat con ) [ 15 ] This write-up will present a case study of using ETW (Event Tracing for Windows) to analyze an active Cobalt Strike Beacon that was still active and communicating to it's C2 Server. [ 16 ] Event Tracing for Windows (ETW): Your Friendly Neighborhood IPC Mechanism [ 17 ] Understanding ETW Patching [ 18 ] coming soon... ——— @islemolecule_source

post updated : " Understanding ETW Patching " added

CVE-2024-21378 Microsoft Outlook Remote Code Execution * Описание работы внутри файла * POC exploit #outlook #exploit

many asks about VMProtect situation , so i decide to share RE504 from OALabs context :

01 - How To Unpack VMProtect Malware - Part 1 02 - How To Unpack VMProtect Malware - Part 2 03 - How To Unpack VMProtect Malware - Part 3 04 - How To Unpack VMProtect 3 (x64) Night Sky Ransomware (final)

🏭 We've tested the new RCE in Microsoft Outlook (CVE-2024-21378) in a production environment and confirm it works well! A brief instruction for red teams: 1. Compile our enhanced DLL; 2. Use NetSPI's ruler and wait! No back connect required! 🔥 📐📏

OALABS Research Lumma Stealer Obfuscation https://research.openanalysis.net/lumma/obfuscation/cff/ida/2024/04/07/lumma-cff.html

A modern 64-bit position independent meterpreter and Sliver compatible reverse_TCP Staging Shellcode based on Cracked5piders Stardust https://github.com/Karkas66/CelestialSpark

#meme

How to Unpack VMProtect Tutorial - no virtualization Link

Beginner guide to game hacking Link

VMP Mutation API Fix https://github.com/Shhoya/MutantKiller.git

VMProtect Analysis https://shhoya.github.io/vmp_vmpintro.html#0x01-requirements

"Windows Address Translation Deep Dive – Part 1" First of all, we need to go back to the past – the 16-bit era – and take a look at memory segmentation. A feature which still exists today on modern processors but is thankfully ignored on x64 processors when operating in long mode. Although, before we take a look at that, it’s important to recognise that there are three fundamental memory models: physical, flat (sometimes called linear) and segmented. Along with this, there are three modes of operation which the processor can be in: real mode, protected mode and system management mode (SMM)

Differences in Memory Models Differences in Modes : +Real Mode +Protected Mode Privilege Levels Paging and Segmentation

https://bsodtutorials.wordpress.com/2021/06/14/windows-address-translation-deep-dive-part-1/

" Windows Address Translation Deep Dive – Part 2 " In the first part of this post series, we looked at how segmentation worked and how a virtual address (linear address) was constructed. This part we will exploring how our linear address is translated by the memory management unit (MMU) to a physical address and the structures which Windows uses to manage this process. https://bsodtutorials.wordpress.com/2024/04/05/windows-address-translation-deep-dive-part-2/

"Windows Address Translation Deep Dive – Part 1" First of all, we need to go back to the past – the 16-bit era – and take a look at memory segmentation. A feature which still exists today on modern processors but is thankfully ignored on x64 processors when operating in long mode. Although, before we take a look at that, it’s important to recognise that there are three fundamental memory models: physical, flat (sometimes called linear) and segmented. Along with this, there are three modes of operation which the processor can be in: real mode, protected mode and system management mode (SMM)

Differences in Memory Models Differences in Modes : +Real Mode +Protected Mode Privilege Levels Paging and Segmentation

https://bsodtutorials.wordpress.com/2021/06/14/windows-address-translation-deep-dive-part-1/

#Webinar Malware Development Workshop Speakers : Uriel Kosayev, Pavel Yosifovich | TrainSec.net What you will learn in the workshop 1. What is Malware Analysis 2. What is Malware Development 3. The Malware Development Life Cycle 4. Why it's important for Red Teamers and Blue Teamers 5. Practical Malware Reverse Engineering and Development Examples وبینار توسعه بدافزار با حضور Uriel Kosayev و Pavel Yosifovich در تاریخ 17 آپریل برگزار خواهد شد. جهت اطلاع بیشتر بر روی لینک عنوان کلیک کنید. 🦅 کانال بایت امن | گروه بایت امن _