Source Byte


It takes a sober person to abstain from love, and this nature of mine does not mix with reason. Saadi Shirazi 187

Hello everyone, I've made a somewhat big update in HyperDbg. Now, it utilizes a dedicated HOST IDT and HOST GDT, different than the Windows IDT/GDT. This update will address a specific category of bypasses for HyperDbg, although there are still many bypasses to address.

This change influences the handling of interrupts, especially NMIs for halting cores in VMX root-mode. It may introduce instability issues in various systems, potentially leading to crashes. If you're using HyperDbg, please switch to the 'dev' branch and re-build and test it to help us identify any problems. Currently, it works well on my 12th Gen machine, but I'm uncertain if it's universally stable. If you encounter any crashes or BSODs, please notify me before the release of v0.9 (the next version).

The best way to test it is using events (EPT hooks) with a high rate of execution (e.g., using !epthook on nt!ExAllocatePoolWithTag and meanwhile pause the debuggee).

The 'dev' branch: https://github.com/HyperDbg/HyperDbg/tree/dev
GitHub built artifact for those who can't build: https://github.com/HyperDbg/HyperDbg/actions/runs/9384856535

Table of contents Syntax Comments Assembly Language Statements Syntax of Assembly Language Statements Example: Hello World Program in Assembly Compiling and Linking Sections Processor Registers System Calls Strings String Instructions Repetition Prefixes Numbers BCD Representation Instructions: Conditions CMP Instruction Conditional Jump Instructions (Signed Data) Conditional Jump Instructions (Unsigned Data) Special Conditional Jump Instructions Addressing Modes MOV Instruction File Handling Example: Reading from a File Stack and Memory Stack and Memory Tools for Analysis Code Injection Attack DLL Injection APC Injection Valid Accounts System Binary Proxy Execution: Rundll32 Reflective code loading Modify Registry Process Injection Mark-Of-The-Web (MOTW) Bypass Access Token Manipulation Hijack Execution Flow Resources

IDA Pro Version 8.3 (with tools, sdk + keygen for x86_x64, ARM, ARM64, PPC, PPC64, and MIPS decompilers!)

8.3.7z (852.38 MB)

PDF189-20120908134633-WindowsPEQuanWeiZhiNan.pdf (64.10 MB)

The Definitive Guide to Windows PE (Windows PE权威指南)

Heavenly.exe is the main process that generates the anti-killing loader. It reports viruses normally and does not contain malicious code. To ensure anti-killing performance, the source code is not open. It will be updated to 2.0 later.
GitHub

hopper 5.15.6 fully cracked for macOS

Important warning to people who have anonymous activity on Twitter, Telegram, etc.: Don't put a hamster link! Although it only shows the subcategories in the bot, and apparently the person himself does not have the ability to see the account that invited him, in practice, by checking the API requests, we see that the identity of the inviting person is also known!
Credit: Ali, Mohammad Zarchi
Source: https://x.com/ali_r7h/status/1798103831244636261 , https://x.com/mhzarchi/status/1798365439262867689

Repost from OnHex
🔴 The videos from the OffensiveCon24 conference have been published on YouTube; you can access them through this playlist. To access the slides (4 of them have been made public so far), you can use this link. #conference 🆔 @onhex_ir ➡️ ALL Link

📽 You can watch the full presentation by Mehdi Hatami at Russia's PHDays 2 (Positive Hack Days 2) event, titled "Hunting APTs with OPSEC Mistakes", on Ravin Academy's YouTube channel via the link below. Persian subtitles for this presentation will also be published soon. 🔗 youtu.be/wRqY3SLF72g?si=DzRv3KtRzIvQeT_f @RavinAcademy

Mimikatz Overview, Defenses and Detection.pdf

Eagle Spy Source.zip (709.16 MB)


GoThief
Recently, I encountered such a scenario in an attack and defense game. The target machine accessed the internal application system and was uniformly controlled by VPN. After connecting to VPN, the connection with the external network would be disconnected, resulting in the inability to issue commands in real time. Therefore, I had the idea of developing this small tool. By taking screenshots of the keyboard and recording the clipboard, I could obtain the target's operations after connecting to VPN, and collect sensitive information for the next step of lateral movement.
GitHub #stealer #malware_dev

Binary Ninja Commercial 4.0.4958 (2024-03-15) Changelog - https://binary.ninja/changelog/
