r0 Crew (Channel)
Security Related Links:
- Reverse Engineering;
- Malware Research;
- Exploit Development;
- Pentest;
- etc;

Join to chat: @r0crew_bot

Forum: https://forum.reverse4you.org
Twitter: https://twitter.com/R0_Crew
Living Off The Land Drivers is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks. The project helps security professionals stay informed and mitigate potential threats.

https://www.loldrivers.io/

#redteam #loldrivers #windows
🀯3❀1πŸ‘1
Finding and exploiting process killer drivers with LOL for 3000$

In this article, I will introduce some kernel driver/internals theory and explain how to use the data in LOLDrivers to find interesting drivers. Finally, I will present 2 examples of vulnerable drivers and explain how to quickly reverse them and create a PoC to exploit them.

https://alice.climent-pommeret.red/posts/process-killer-driver/

#redteam #loldrivers #windows
πŸ”₯4πŸ‘3❀1πŸ‘1
WindowsNoExec - Abusing existing instructions to execute arbitrary code without allocating executable memory

https://www.x86matthew.com/view_post?id=windows_no_exec

#windows #ctf #malware #tips
Advanced Root Detection & Bypass Techniques

In this blog, we will explore techniques related to root detection on Android devices and methods to bypass it. Our main focus will be on the strategies employed by app developers to protect their applications and prevent them from running on compromised devices.

https://8ksec.io/advanced-root-detection-bypass-techniques/

#mobile #android #reverse #frida #root #detection #bypass
πŸ‘5❀4πŸ‘Ž1
msdocviewer is a simple tool that parses Microsoft's win32 API and driver documentation to be used within IDA.

https://github.com/alexander-hanel/msdocsviewer

#tools #idapro #windows #api
PatchaPalooza uses the power of Microsoft's MSRC CVRF API to fetch, store, and analyze security update data. Designed for cybersecurity professionals, it offers a streamlined experience for those who require a quick yet detailed overview of vulnerabilities, their exploitation status, and more. This tool operates entirely offline once the data has been fetched, ensuring that your analyses can continue even without an internet connection.

https://github.com/xaitax/PatchaPalooza

https://patchapalooza.com

#expdev #helpers #tools
πŸ‘2❀1
Use Microsoft Bing's free GPT from within IDA Pro to perform analyses at no cost!

https://github.com/p1ay8y3ar/idaBingGPTPlugin

#tools #reverse #idapro #ai
πŸ‘8❀6πŸ”₯3πŸ‘Ž1
vmp-3.5.1.zip
20.2 MB
VMProtect Source Code (Leaked 07.12.2023)

intel.cc and processors.cc included
mirror:
https://github.com/jmpoep/vmprotect-3.5.1

#tools #source #leaked #vmp #protector
πŸ”₯48❀7πŸŽ‰3πŸ‘1
Mergen converts Assembly code into LLVM IR, a process known as lifting. It leverages the LLVM optimization pipeline for code optimization and constructs control flow through pseudo-emulation of instructions. Unlike typical emulation, Mergen can handle unknown values, easing the detection of opaque branches and theoretically enabling exploration of multiple code branches.

These capabilities facilitate the deobfuscation and devirtualization of obfuscated or virtualized functions. Currently in early development, Mergen already shows promise in devirtualizing older versions of VMProtect, with ambitions to support most x86_64 instructions.

https://github.com/NaC-L/Mergen

#llvm #lifting #vmprotect #tnaci
πŸ‘24❀8πŸ₯°4πŸ‘2
xVMP is an LLVM IR-based code virtualization tool that implements scalable, instruction-level virtualized obfuscation. It supports multiple programming languages and architectures, and is compatible with existing LLVM IR-based obfuscation schemes (such as Obfuscator-LLVM).

xVMP is developer friendly: you only need to annotate the function to be protected in the source code, and xVMP applies virtualization protection to that function at compile time.

https://github.com/GANGE666/xVMP

#virtualization #obfuscation #alekum
πŸ”₯8πŸ‘4❀1