Incorporate Windows ETW in your code using Krabsetw

Introduction In this post we are going to discuss how we can perform ETW tracing using the krabsetw ETW library. We will not be discussing ETW basics here; for that I would recommend readers check out the following posts: using krabsetw library let the fun begins Trace types The ETW has mainly two sets of…

The Stack, The Windows & The Adventures

Introduction This post is a “how-to” for writing Win32 code that performs a stack walk on both x86 and x64 architectures, and along the way we will learn the theory behind some of the concepts associated with the stack. In fact this is a quick note created for myself when I started working on designing a…

The Stack Series: The X64 Stack

Overview of x64 stack static RSP caller/callee saved registers According to the x64 convention, non-volatile registers are expected to be saved and restored by the function that uses them. On the other hand, as the name suggests, the volatile register states are expected to change throughout the execution of any function. Volatile Registers RAX…

Analysing a Multi Stager : A case study of QBOT

motivation This is not going to be about QBOT analysis, rather a quick “how-to” for analysing malware that employs multiple stages in the infection chain. Recently, in my work, I got a sample (a malicious PDF) for analysis; at the time I had no prior information and the task was identification. Interestingly, the initial vector used to…

The Stack Series: Return Address Spoofing on x64

introduction The stack of a process has the potential to give away the true nature of the program running in memory. Hence it is one of the entities monitored by security solutions. When a program executes any interesting function like InternetConnectA, security systems may initiate a stack check to find out if there…

Memory Hiding Technique Series: Ekko – The basics

Introduction In the previous post, we covered the Gargoyle memory hiding technique; this time we will look at another technique called Ekko, a POC created by C5pider which is actually based on Austin Hudson’s findings from reversing the MDSec NightHawk payload. The implementation of Ekko is very straightforward. Before we jump right into the internals of Ekko, we…

Memory Hiding Technique Series: Gargoyle

introduction As reflective loading has become the staple vector for staging malware, adversaries rely on in-memory payloads to ensure both operational security and evasion in the post-exploitation phase. To counter such efforts we have quite a few robust tools, like Moneta and PE-sieve, for scanning memory to catch active beacons/agents hidden inside running…

Tale of Hosting .NET in unmanaged code Part 0x3: HavocFramework

recap We are wrapping up the “Tale of Hosting .Net” series by covering the implementation details of the InlineAssembly-Execute feature in Havoc Framework, a very recent open source C2 framework developed by C5pider. Here in this post we are reiterating everything we saw in the earlier posts part-1 and part-2, so make sure you read it…

Tale of Hosting .NET in unmanaged code- PART/0x2 | InMemory Execution.

background In the previous post, we implemented a basic host program that could load up the CLR and execute an assembly. The issue with that approach is the loading of the .NET assembly: we loaded the assembly from disk and had to pass additional information like the type and method name. In this post we will…

Tale of Hosting .NET in unmanaged code- PART/0x1

offensive .NET Amazing folks in the community, especially those who are inclined towards adversary simulation and other advanced attack vectors, started tooling in C#. Why, you might ask? The reason is that .NET is at the heart of Windows and is heavily integrated with the architecture itself; one could simply harness the power of…
