Search found 11 matches

by zerosum0x0
Wed Jun 28, 2017 12:41 am
Forum: Reverse Engineering and Debugging
Topic: Windows 10 Redstone 3 IAF/EAF
Replies: 2
Views: 8184

Re: Windows 10 Redstone 3 IAF/EAF

They added this today: https://blogs.technet.microsoft.com/mmp ... rs-update/

Looks like you can set these and other settings in a new "Windows Defender Security Center" panel.
by zerosum0x0
Mon Jun 26, 2017 6:08 am
Forum: Reverse Engineering and Debugging
Topic: Windows 10 Redstone 3 IAF/EAF
Replies: 2
Views: 8184

Windows 10 Redstone 3 IAF/EAF

Windows 10 Redstone 3 adds the following to EPROCESS: +0x82c MitigationFlags2Values : <unnamed-tag> +0x000 EnableExportAddressFilter : Pos 0, 1 Bit +0x000 AuditExportAddressFilter : Pos 1, 1 Bit +0x000 EnableExportAddressFilterPlus : Pos 2, 1 Bit +0x000 AuditExportAddressFilterPlus : Pos 3, 1 Bit +0...
by zerosum0x0
Sun May 14, 2017 11:35 am
Forum: Tools/Software
Topic: Shadow Brokers releases numerous Windows 0-days - FuzzBunch
Replies: 7
Views: 24476

Re: Shadow Brokers releases numerous Windows 0-days - FuzzBu

My colleague and I reverse engineered EternalBlue and ported it to Metasploit.

https://twitter.com/zerosum0x0/status/8 ... 9856016384

Will probably do a blog post in the coming days.
by zerosum0x0
Sun May 07, 2017 4:15 pm
Forum: Reverse Engineering and Debugging
Topic: "Not a valid win32 application"
Replies: 3
Views: 12603

Re: "Not a valid win32 application"

There are many reasons which could possibly be the problem. You'll need to reverse Ldr* functions in ntdll.dll, or maybe take a look at ReactOS Ldr code. Maybe if you post a sample we can see which headers look bad. At any rate, here is a list of some relevant NT status codes: 0x4000000E STATUS_...
by zerosum0x0
Sun Apr 23, 2017 6:14 am
Forum: Tools/Software
Topic: Shadow Brokers releases numerous Windows 0-days - FuzzBunch
Replies: 7
Views: 24476

Re: Shadow Brokers releases numerous Windows 0-days - FuzzBu

Yea I am sure if newer PatchGuard didn't watch this hook before, it will probably be added now. And some of the "better" antivirus vendors might add checking too. It does seem to bypass the shitty Win7 PatchGuard though. -- On another note I figured out the DoublePulsar "xor key" (how to authenticat...
by zerosum0x0
Sun Apr 23, 2017 12:53 am
Forum: Tools/Software
Topic: Shadow Brokers releases numerous Windows 0-days - FuzzBunch
Replies: 7
Views: 24476

Re: Shadow Brokers releases numerous Windows 0-days - FuzzBu

I don't understand where it avoids PatchGuard and how? Is it in Step 4, where the .data section already has 'write' permissions set? It avoids PatchGuard in that it hooks an obscure part of the system, the SMB driver dispatch table. PatchGuard looks for hooks in the syscall table and things such as ...
by zerosum0x0
Sat Apr 22, 2017 5:12 am
Forum: Tools/Software
Topic: Shadow Brokers releases numerous Windows 0-days - FuzzBunch
Replies: 7
Views: 24476

Re: Shadow Brokers releases numerous Windows 0-days - FuzzBu

I performed analysis of the DoublePulsar payload. https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html tl;dr: Step 0: Shellcode trickery to determine if x86 or x64, and branches as such. Step 1: Locates the IDT from the KPCR, and traverses backwards from the first inte...
by zerosum0x0
Wed Apr 19, 2017 11:55 pm
Forum: Tools/Software
Topic: Shadow Brokers releases numerous Windows 0-days - FuzzBunch
Replies: 7
Views: 24476

Re: Shadow Brokers releases numerous Windows 0-days - FuzzBu

Post about the kernel DLL loader. Pretty standard, just map DLL into process memory and queue APC. Still not much info on the backdoor installed in the SMB service in the first place. https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/ Here's some info on ...
by zerosum0x0
Sat Apr 15, 2017 8:05 am
Forum: Tools/Software
Topic: Shadow Brokers releases numerous Windows 0-days - FuzzBunch
Replies: 7
Views: 24476

Shadow Brokers releases numerous Windows 0-days - FuzzBunch

In case you are living under a rock, Shadow Brokers dumped all kinds of remote exploits for Windows today. Official Microsoft Response: https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/ Allegedly it's all fixed in MS17-010. I actually just got a MS17-010 u...
by zerosum0x0
Tue Apr 04, 2017 1:48 pm
Forum: Newbie Questions
Topic: Non-executable malware
Replies: 2
Views: 7894

Re: Non-executable malware

MS JScript does not have direct access to the Windows API (although it is possible in indirect ways). It generally requires COM (ActiveXObjects) to do anything interesting. There is a "Scripting.FileSystemObject" (FSO) ActiveXObject. I don't know if there is a COM object for direct crypto, but there...