DLL Hollowing
Deep dive into a stealthier DLL hollowing/memory allocation variant.
https://www.secforce.com/blog/dll-hollowing-a-deep-dive-into-a-stealthier-memory-allocation-variant/
#malware #dll #hollowing
Deep dive into a stealthier DLL hollowing/memory allocation variant.
https://www.secforce.com/blog/dll-hollowing-a-deep-dive-into-a-stealthier-memory-allocation-variant/
#malware #dll #hollowing
www.secforce.com
SECFORCE - Security without compromise
Cybersecurity consultancy specialized in offensive security helping top-tier organisations all over the world.
UAC bypass - DLL hijacking
This is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification.
https://github.com/SecuProject/DLLHijackingScanner
#uac #bypass #dll #hijacking
This is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification.
https://github.com/SecuProject/DLLHijackingScanner
#uac #bypass #dll #hijacking
Process Injection via KernelCallBackTable
Process injection via the KernelCallBackTable involves replacing original callback function by custom payload so that whenever the function is invoked, payload will be triggered. In this case the fnCOPYDATA callback function has been used.
C# Code Snippet:
https://gist.github.com/sbasu7241/5dd8c278762c6305b4b2009d44d60c13
#edr #evasion #dll #injection #kernelcallbacktable
Process injection via the KernelCallBackTable involves replacing original callback function by custom payload so that whenever the function is invoked, payload will be triggered. In this case the fnCOPYDATA callback function has been used.
C# Code Snippet:
https://gist.github.com/sbasu7241/5dd8c278762c6305b4b2009d44d60c13
#edr #evasion #dll #injection #kernelcallbacktable
👍2
📌 Save the Environment
Many applications appear to rely on Environment Variables such as
By changing these variables on process level, it is possible to let a legitimate program load arbitrary DLLs.
Research:
https://www.wietzebeukema.nl/blog/save-the-environment-variables
Source Code:
https://github.com/wietze/windows-dll-env-hijacking
#maldev #dll #hijacking #environment
Many applications appear to rely on Environment Variables such as
%SYSTEMROOT% to load DLLs from protected locations. By changing these variables on process level, it is possible to let a legitimate program load arbitrary DLLs.
Research:
https://www.wietzebeukema.nl/blog/save-the-environment-variables
Source Code:
https://github.com/wietze/windows-dll-env-hijacking
#maldev #dll #hijacking #environment
👍9
⚛️ AtomLdr
A DLL loader with advanced evasive.
Features:
• DLL unhooking from \KnwonDlls\ directory, with no RWX sections
• The encrypted payload is saved in the resource section and retrieved via custom code
• AES256-CBC Payload encryption using custom no table/data-dependent branches using ctaes; this is one of the best custom AES implementations I've encountered
• Indirect syscalls, utilizing HellHall with ROP gadgets
• Payload injection using APC calls - alertable thread
• Api hashing using two different implementations of the CRC32 string hashing algorithm
• The total Size is 17kb
https://github.com/NUL0x4C/AtomLdr
#loader #dll #edr #evasion #redteam
A DLL loader with advanced evasive.
Features:
• DLL unhooking from \KnwonDlls\ directory, with no RWX sections
• The encrypted payload is saved in the resource section and retrieved via custom code
• AES256-CBC Payload encryption using custom no table/data-dependent branches using ctaes; this is one of the best custom AES implementations I've encountered
• Indirect syscalls, utilizing HellHall with ROP gadgets
• Payload injection using APC calls - alertable thread
• Api hashing using two different implementations of the CRC32 string hashing algorithm
• The total Size is 17kb
https://github.com/NUL0x4C/AtomLdr
#loader #dll #edr #evasion #redteam
🔥7👍3
🔑 KeePass2: DLL Hijacking and Hooking API
This new article about a way to get the Master Password of a KeePass database.
https://skr1x.github.io/keepass-dll-hijacking/
#keepass #dll #hijacking #redteam
This new article about a way to get the Master Password of a KeePass database.
https://skr1x.github.io/keepass-dll-hijacking/
#keepass #dll #hijacking #redteam
👍8😁1
Learn the process of crafting a personalized RDI/sRDI loader in C and ASM, incorporating code optimization to achieve full position independence.
🔗 https://blog.malicious.group/writing-your-own-rdi-srdi-loader-using-c-and-asm/
#maldev #reflective #dll #clang #asm
Please open Telegram to view this post
VIEW IN TELEGRAM
Malicious Group
Writing your own RDI /sRDI loader using C and ASM
In this post, I am going to show the readers how to write their own RDI/sRDI loader in C, and then show how to optimize the code to make it fully position independent.
🔥12👍2
DLHell is a tool for performing local and remote DCOM Windows DLL proxying. It can intercept DLLs on remote objects to execute arbitrary commands. The tool supports various authentication methods and provides capabilities for local and remote DLL proxying, as well as DCOM DLL proxying.
🔗 Source:
https://github.com/synacktiv/DLHell
#windows #dll #proxing #dcom
Please open Telegram to view this post
VIEW IN TELEGRAM
GitHub
GitHub - synacktiv/DLHell: Local & remote Windows DLL Proxying
Local & remote Windows DLL Proxying. Contribute to synacktiv/DLHell development by creating an account on GitHub.
👍6❤3
"Assembly Unleashed: A Hacker's Handbook" is a definitive resource tailored specifically for hackers and security researchers seeking to master the art of assembly programming language. Authored by seasoned practitioners in the field, this book offers a comprehensive journey into the depths of assembly, unraveling its complexities and exposing its potential for exploitation and defense.
🔗 Source:
https://redteamrecipe.com/assembly-for-hackers
#asm #syscalls #dll #apc #injection #redteam
Please open Telegram to view this post
VIEW IN TELEGRAM
ExpiredDomains.com
redteamrecipe.com is for sale! Check it out on ExpiredDomains.com
Buy redteamrecipe.com for 195 on GoDaddy via ExpiredDomains.com. This premium expired .com domain is ideal for establishing a strong online identity.
👍10🔥2❤1
👻 Ghost in the PPL: BYOVDLL
This blog post explores bypassing LSA Protection in Userland through the "Bring Your Own Vulnerable DLL" (BYOVDLL) technique. It also delves into the successful exploitation of vulnerabilities in the CNG Key Isolation service and the methods employed to load vulnerable DLLs within protected processes.
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-1/
#lsa #lsass #ppl #dll #maldev
This blog post explores bypassing LSA Protection in Userland through the "Bring Your Own Vulnerable DLL" (BYOVDLL) technique. It also delves into the successful exploitation of vulnerabilities in the CNG Key Isolation service and the methods employed to load vulnerable DLLs within protected processes.
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-1/
#lsa #lsass #ppl #dll #maldev
itm4n’s blog
Ghost in the PPL Part 1: BYOVDLL
In this series of blog posts, I will explore yet another avenue for bypassing LSA Protection in Userland. I will also detail the biggest challenges I faced while developing a proof-of-concept, and discuss some novel techniques and tricks to load an arbitrary…
🔥12😱3❤1
APT
👻 Ghost in the PPL: BYOVDLL This blog post explores bypassing LSA Protection in Userland through the "Bring Your Own Vulnerable DLL" (BYOVDLL) technique. It also delves into the successful exploitation of vulnerabilities in the CNG Key Isolation service and…
👻 Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS
In this second installment, the author deepens the exploration of techniques for bypassing LSASS protection, focusing on arbitrary code execution by refining the PoC, exploiting vulnerabilities like CVE-2023-28229, and bypassing Control Flow Guard (CFG) through RPC-based process handle duplication.
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-2/
#lsa #lsass #ppl #dll #maldev
In this second installment, the author deepens the exploration of techniques for bypassing LSASS protection, focusing on arbitrary code execution by refining the PoC, exploiting vulnerabilities like CVE-2023-28229, and bypassing Control Flow Guard (CFG) through RPC-based process handle duplication.
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-2/
#lsa #lsass #ppl #dll #maldev
itm4n’s blog
Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS
In the previous part, I showed how a technique called “Bring Your Own Vulnerable DLL” (BYOVDLL) could be used to reintroduce known vulnerabilities in LSASS, even when it’s protected. In this second part, I’m going to discuss the strategies I considered and…
🔥8
APT
👻 Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS In this second installment, the author deepens the exploration of techniques for bypassing LSASS protection, focusing on arbitrary code execution by refining the PoC, exploiting…
👻 Ghost in the PPL Part 3: LSASS Memory Dump
In the third part of the series, the author explores methods for dumping the memory of LSASS, including indirectly calling
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-3/
#lsa #lsass #ppl #dll #maldev
In the third part of the series, the author explores methods for dumping the memory of LSASS, including indirectly calling
MiniDumpWriteDump, loading arbitrary DLLs into LSASS via the WinSock2 Autodial feature, and dynamically resolving addresses.🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-3/
#lsa #lsass #ppl #dll #maldev
itm4n’s blog
Ghost in the PPL Part 3: LSASS Memory Dump
Back to the Basics: MiniDumpWriteDump
🔥7👍6
🚀 Elevating Privileges in Windows via Activation Cache Poisoning
A deep dive into CVE-2024-6769, which leverages two chained bugs to escalate privileges from medium to high integrity. The first stage involves remapping the root drive, followed by a DLL hijacking exploit. The second stage poisons the Activation Cache through the CSRSS process to gain full administrator access.
🔗 Research:
https://www.coresecurity.com/core-labs/articles/cve-2024-6769-poisoning-activation-cache-elevate-medium-high-integrity
🔗 Source:
https://github.com/fortra/CVE-2024-6769
#windows #privesc #dll #hijacking
A deep dive into CVE-2024-6769, which leverages two chained bugs to escalate privileges from medium to high integrity. The first stage involves remapping the root drive, followed by a DLL hijacking exploit. The second stage poisons the Activation Cache through the CSRSS process to gain full administrator access.
🔗 Research:
https://www.coresecurity.com/core-labs/articles/cve-2024-6769-poisoning-activation-cache-elevate-medium-high-integrity
🔗 Source:
https://github.com/fortra/CVE-2024-6769
#windows #privesc #dll #hijacking
10🔥10👍4❤🔥1