A forum for reverse engineering, OS internals and malware analysis 


Re: Windows 10 Redstone 3 IAF/EAF

 by zerosum0x0 ¦  Wed Jun 28, 2017 12:41 am ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Windows 10 Redstone 3 IAF/EAF ¦  Replies: 2 ¦  Views: 8909

They added this today: https://blogs.technet.microsoft.com/mmp ... rs-update/

Looks like you can set these and other settings in a new "Windows Defender Security Center" panel.

Windows 10 Redstone 3 IAF/EAF

 by zerosum0x0 ¦  Mon Jun 26, 2017 6:08 am ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Windows 10 Redstone 3 IAF/EAF ¦  Replies: 2 ¦  Views: 8909

Windows 10 Redstone 3 adds the following to EPROCESS:

+0x82c MitigationFlags2Values : <unnamed-tag>
   +0x000 EnableExportAddressFilter : Pos 0, 1 Bit
   +0x000 AuditExportAddressFilter : Pos 1, 1 Bit
   +0x000 EnableExportAddressFilterPlus : Pos 2, 1 Bit
   +0x000 AuditExportAddressFilterPlus : Pos 3, 1 Bit
   +0...

Re: Shadow Brokers releases numerous Windows 0-days - FuzzBu

 by zerosum0x0 ¦  Sun May 14, 2017 11:35 am ¦  Forum: Tools/Software ¦  Topic: Shadow Brokers releases numerous Windows 0-days - FuzzBunch ¦  Replies: 7 ¦  Views: 26263

My colleague and I reverse engineered EternalBlue and ported it to Metasploit.

https://twitter.com/zerosum0x0/status/8 ... 9856016384

Will probably do a blog post in the coming days.

Re: "Not a valid win32 application"

 by zerosum0x0 ¦  Sun May 07, 2017 4:15 pm ¦  Forum: Reverse Engineering and Debugging ¦  Topic: "Not a valid win32 application" ¦  Replies: 3 ¦  Views: 13374

There are many reasons which could possibly be the problem. You'll need to reverse Ldr* functions in ntdll.dll, or maybe take a look at ReactOS Ldr code. Maybe if you post a sample we can see which headers look bad. At any rate, here is a list of some relevant NT status codes: 0x4000000E STATUS_...

Re: Shadow Brokers releases numerous Windows 0-days - FuzzBu

 by zerosum0x0 ¦  Sun Apr 23, 2017 6:14 am ¦  Forum: Tools/Software ¦  Topic: Shadow Brokers releases numerous Windows 0-days - FuzzBunch ¦  Replies: 7 ¦  Views: 26263

Yea I am sure if newer PatchGuard didn't watch this hook before, it will probably be added now. And some of the "better" antivirus vendors might add checking too. It does seem to bypass the shitty Win7 PatchGuard though. -- On another note I figured out the DoublePulsar "xor key" (how to authenticat...

Re: Shadow Brokers releases numerous Windows 0-days - FuzzBu

 by zerosum0x0 ¦  Sun Apr 23, 2017 12:53 am ¦  Forum: Tools/Software ¦  Topic: Shadow Brokers releases numerous Windows 0-days - FuzzBunch ¦  Replies: 7 ¦  Views: 26263

I don't understand where it avoids PatchGuard and how? Is it in Step 4, where the .data section already has 'write' permissions set? It avoids PatchGuard in that it hooks an obscure part of the system, the SMB driver dispatch table. PatchGuard looks for hooks in the syscall table and things such as ...

Re: Shadow Brokers releases numerous Windows 0-days - FuzzBu

 by zerosum0x0 ¦  Sat Apr 22, 2017 5:12 am ¦  Forum: Tools/Software ¦  Topic: Shadow Brokers releases numerous Windows 0-days - FuzzBunch ¦  Replies: 7 ¦  Views: 26263

I performed analysis of the DoublePulsar payload. https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html tl;dr: Step 0: Shellcode trickery to determine if x86 or x64, and branches as such. Step 1: Locates the IDT from the KPCR, and traverses backwards from the first inte...

Re: Shadow Brokers releases numerous Windows 0-days - FuzzBu

 by zerosum0x0 ¦  Wed Apr 19, 2017 11:55 pm ¦  Forum: Tools/Software ¦  Topic: Shadow Brokers releases numerous Windows 0-days - FuzzBunch ¦  Replies: 7 ¦  Views: 26263

Post about the kernel DLL loader. Pretty standard, just map DLL into process memory and queue APC. Still not much info on the backdoor installed in the SMB service in the first place. https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/ Here's some info on ...

Shadow Brokers releases numerous Windows 0-days - FuzzBunch

 by zerosum0x0 ¦  Sat Apr 15, 2017 8:05 am ¦  Forum: Tools/Software ¦  Topic: Shadow Brokers releases numerous Windows 0-days - FuzzBunch ¦  Replies: 7 ¦  Views: 26263

In case you are living under a rock, Shadow Brokers dumped all kinds of remote exploits for Windows today. Official Microsoft Response: https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/ Allegedly it's all fixed in MS17-010. I actually just got a MS17-010 u...

Re: Non-executable malware

 by zerosum0x0 ¦  Tue Apr 04, 2017 1:48 pm ¦  Forum: Newbie Questions ¦  Topic: Non-executable malware ¦  Replies: 2 ¦  Views: 8194

MS JScript does not have direct access to the Windows API (although it is possible in indirect ways). It generally requires COM (ActiveXObjects) to do anything interesting. There is a "Scripting.FileSystemObject" (FSO) ActiveXObject. I don't know if there is a COM object for direct crypto, but there...