Mergen converts Assembly code into LLVM IR, a process known as lifting. It leverages the LLVM optimization pipeline for code optimization and constructs control flow through pseudo-emulation of instructions. Unlike typical emulation, Mergen can handle unknown values, easing the detection of opaque branches and theoretically enabling exploration of multiple code branches.

These capabilities facilitate the deobfuscation and devirtualization of obfuscated or virtualized functions. Currently in early development, Mergen already shows promise in devirtualizing older versions of VMProtect, with ambitions to support most x86_64 instructions.

https://github.com/NaC-L/Mergen

#llvm #lifting #vmprotect #tnaci

xVMP is an LLVM IR-based code virtualization tool, which fulfilled a scalable and virtualized instruction-hardened obfuscation. It supports multiple programming languages, and architectures. It is also compatible with existing LLVM IR-based obfuscation schemes (such as Obfuscator-LLVM).

xVMP is developer friendly. You only need to add annotations to the to-be-protected function in the source code, and xVMP can perform virtualization protection on the function during compilation.

https://github.com/GANGE666/xVMP

#virtualization #obfuscation #alekum

Keystone / Capstone Replacement

Nyxstone is a powerful assembly and disassembly library based on LLVM. It doesn’t require patches to the LLVM source tree and links against standard LLVM libraries available in most Linux distributions. Implemented as a C++ library, Nyxstone also offers Rust and Python bindings. It supports all official LLVM architectures and allows to configure architecture-specific target settings.

GitHub: https://github.com/emproof-com/nyxstone

Blog: https://www.emproof.com/introducing-nyxstone-an-llvm-based-disassembly-framework/

Thread-Name Calling - A new process injection technique using Thread Name.

The code to be injected is passed as a thread description to the target.

https://research.checkpoint.com/2024/thread-name-calling-using-thread-name-for-offense/

#redteam #inject

The installation package for IDA Pro 9.0 Beta 2 available without password.
https://out5.hex-rays.com/beta90_6ba923/

Forum for discussion:
https://forum.reverse4you.org/t/ida-pro-9-0-beta/20459

Chat for discussion:
https://xn--r1a.website/r0_chat/1

#tools #reverse #idapro #windows #linux #macos

DJI - The ART of obfuscation

https://blog.quarkslab.com/dji-the-art-of-obfuscation.html

#reverse #mobile #android #obfuscation

LayeredSyscall – Abusing VEH to Bypass EDRs

https://whiteknightlabs.com/2024/07/31/layeredsyscall-abusing-veh-to-bypass-edrs

#redteam #edr #hook #bypass

Shoggoth is an open-source project based on C++ and asmjit library used to encrypt given shellcode, PE, and COFF files polymorphically.

https://github.com/frkngksl/Shoggoth

#redteam

SGN is a polymorphic binary encoder for offensive security purposes such as generating statically undetecable binary payloads. It uses a additive feedback loop to encode given binary instructions similar to LSFR. This project is the reimplementation of the original Shikata ga nai in golang with many improvements.

https://github.com/EgeBalci/sgn

#redteam #golang

How to Bypass Golang SSL Verification

https://www.cyberark.com/resources/threat-research-blog/how-to-bypass-golang-ssl-verification

#golang #ssl #bypass #reverse #web #pentest

V8 Sandbox escape/bypass/violation and VR collection

https://github.com/xv0nfers/V8-sbx-bypass-collection

#v8 #sandbox #escape

C++ Unwind Exception Metadata: a Hidden Reverse Engineering Bonanza

https://www.msreverseengineering.com/blog/2024/8/20/c-unwind-metadata-1

#reverse #cpp #type #reconstruction #hints

POC for trigerring CVE-2024-38063 (RCE in tcpip.sys)

https://github.com/ynwarcs/CVE-2024-38063

#expdev #poc

Exploiting the Windows Kernel via Malicious IPv6 Packets (CVE-2024-38063)

https://malwaretech.com/2024/08/exploiting-CVE-2024-38063.html

#expdev #poc

Native function and Assembly Code Invocation

https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation/

#reverse #idapro

0-Click exploit in MediaTek Wi-Fi chipsets affects routers and smartphones / Exploiting (CVE-2024-20017) 4 different ways

https://blog.coffinsec.com/0day/2024/08/30/exploiting-CVE-2024-20017-four-different-ways.html

#expdev #poc

Attacking UNIX Systems via CUPS, Part I

CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177 have been assigned around these CUPS issues.

CVSS 9.9

This remote code execution issue can be exploited across the public Internet via a UDP packet to port 631 without needing any authentication, assuming the CUPS port is open through your router/firewall. LAN attacks are also possible via spoofing zeroconf / mDNS / DNS-SD advertisements.

https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/

A series of bugs in the CUPS printers discovery mechanism (cups-browsed) and in other components of the CUPS system, can be chained together to allow a remote attacker to automatically install a malicious printer (or hijack an existing one via mDNS) to execute arbitrary code on the target host as the lp user when a print job is sent to it.

https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1

#linux #rce #printer

Complete list of LPE exploits for Windows (starting from 2023)

https://github.com/MzHmO/Exploit-Street

#windows #expdev #lpe

Happy New Year! May every binary reveal its secrets, every challenge find its solution, and the Year of the Snake bring you stability, inspiration, and success!

New blog on using CLR customizations to improve the OPSEC of your .NET execution harness. This includes a novel AMSI bypass that identified by author in 2023. By taking control of CLR assembly loads, we can load assemblies from memory with no AMSI scan.

https://securityintelligence.com/x-force/being-a-good-clr-host-modernizing-offensive-net-tradecraft/

Proof-of-concept for the AMSI bypass and an implementation of a CLR memory manager is on GitHub. We can implement custom memory routines and track all allocations made by the CLR.

https://github.com/passthehashbrowns/Being-A-Good-CLR-Host

#redteam #net #clr