In the previous blog we looked at abusing callbacks inside of ntdll for the purpose of control flow obfuscation. While interesting, these techniques leave a visible trace in the disassembly. In this blog I would like to share a second technique that completely eliminates that trace. If executed correctly, you should be able to completely hide control flow and data loads.
Intro
To aid in explaining the technique I've made a benign proof-of-concept executable that poses as a simple calculator and, when given the right parameters, executes a shell command.
Welcome to the first blog in a two-part series on implementing control flow obfuscation by abusing elementary Windows mechanisms. In this blog I will give an introduction to Context Hijacking, and the second blog will go into Exception Hijacking, continuing on from the ideas laid out in this blog. Context Hijacking is a way of obfuscating control flow or data flow in your Windows executable by abusing APIs that use the CONTEXT struct.
After reading about a devastating attack on the Irish Health Services (article here), I decided to take a deeper look at what makes the Conti ransomware so devastating. The malware, which some consider to be the successor to the Ryuk ransomware, has been wreaking havoc on organisations over the last year, infecting nearly 200 companies. The ransomware is a classic example of Ransomware-as-a-Service (RaaS), employing highly skilled operators to break into big company networks and execute the payload in exchange for a share of the profit.
This year it was once again time for the most highly anticipated reverse engineering event of the year (for me anyway!), Flare-On! For those who don't know, Flare-On is an annual jeopardy-style reverse engineering event organized by FireEye. The event runs for 6 weeks and comprises around 8-12 binary challenges that reflect the actual real-world challenges the FireEye teams face on a day-to-day basis. This year we got 11 challenges, ranging from a simple Python crackme to a fully fledged piece of malware based on Gozi.
Once upon a corona quarantine day, I wanted to create a fully privileged process by becoming SYSTEM. My desire was to get unlimited access to any user-mode process on the system. After stealing SYSTEM's token I was granted unlimited power, or so I thought... In this post I'll show you the journey I went on trying to get full access to a privileged process.
Humble beginnings
The goal of this project being complete access to protected processes, we will start off by making a small C program which attempts to open a process with PROCESS_ALL_ACCESS rights:
Working through the babyheap challenge from the DEF CON 2019 Quals to exploit an off-by-one vulnerability and abuse the tcache to gain a shell. The files for this CTF can be found here.
Start
From my background as a malware analyst, I like getting a good static understanding of the binary before running it. We can see in the main function that it is made up of a simple loop that accepts commands using the read function.