Posts

Showing posts from May, 2020

Note #4

I know that I know nothing - ipse se nihil scire id unum sciat - ἓν οἶδα ὅτι οὐδὲν οἶδα - Socrates Life is nothing more than an endless wandering, it would be foolish if not childish to think we know everything, at any point in life. Embrace the constant unknown and be skeptical to sate a untarisable desire of knowledge.

Journey Into the Object Manager Executive Subsystem: Object Header and Object Type

Image
0x00 Abstract Almost all the actions carried out by user mode applications and Windows executive subsystems (e.g. I/O Manager, Memory Manager) have to deal with Windows resources (aka objects). These actions can be related to physical objects like devices or logical objects such as processes, threads, tokens and files. For this specific reason, the Object Manager, which is a executive subsystem, is responsible for providing a standardised, uniform and singular way to manage, create, release and access objects. Among other things, this ensures that other user mode applications and executive subsystems do not re-invent the wheel when they are interacting with objects, which might cause duplication of code and logic, resulting in security issues and logical errors. Even if everything related to objects has to go through the Object Manager, defining Windows as an object oriented operating system would be an overstatement as many kernel structures are not objects. Additionally, the Objec...

AMSI Module Remote In-Memory Patch

0x00 Abstract The 12th Jun 2019 I wrote a paper about the Anti-Malware Scan Interface technology. At this time, the objective was to dig into the AMSI internals in order to, firstly, understand how the technology works and, secondly, how it is possible to bypass AMSI by carrying out an in memory module function patching. This paper will not provide more information about AMSI and the patch will be the same. The reason being that a good amount of people already talked about it over the last years. Instead I will use this module in-memory patching as a case study for writing a tool in C that enumerate a remote process. Link to the paper: https://www.contextis.com/en/blog/amsi-bypass Source code of the tool can be found on Github: https://github.com/am0nsec/wspe/tree/master/AMSI Demonstration: AMSI Module Remote In-Memory Patching 0x01 Remote Process Environment Block The Process Environment Block (PEB) is a very interesting structure that contains a lot of information such a...

Note #3

By training you will be able to freely control your own body, conquer men with your body, and with sufficient training you will be able to beat ten men with your spirit. When you have reached this point, will it not mean that you are invincible? -- Gorin no sho – Miyamoto, Musashi

Note #2

There are methods to observe people and undoubtedly recognise the manner how they think and their character. We say that the Self closely listen the heart, observe him, that he can be seen and understood as an image in a mirror. The one who have a disturbed heart can be quickly be the victim of others. That’s why the shinobi use this technique and can follow everywhere the heart of the adversary and penetrate him. This is the basics technique of the shinobi.  -- Shôninki – Natori Masazumi

Note #1

The mission dictates the target, the target dictates the weapons and the weapons dictate how they’re used.  -- Richard “Mac” Machowicz