Steve S.
@0xTriboulet
Followers
2,923
Following
1,175
Media
225
Statuses
2,923
Explore trending content on Musk Viewer
#خلصوا_صفقات_الهلال1
• 295382 Tweets
ラピュタ
• 295053 Tweets
#AlnassrNeedsMidfielder
• 123503 Tweets
#金曜ロードショー
• 96087 Tweets
Gaudreau
• 91088 Tweets
NAMJOON
• 54820 Tweets
YINWAR OVER THE HORIZON
• 53564 Tweets
#พรชีวันEP15
• 48265 Tweets
#Mステ
• 39206 Tweets
#バルス祭り
• 37204 Tweets
CK WEDDING DAY
• 31797 Tweets
#笑うマトリョーシカ
• 26361 Tweets
ムスカ大佐
• 20529 Tweets
#ساعه_استجابه
• 18371 Tweets
CHERISH TWENTY WITH WONYOUNG
• 17624 Tweets
ブラックスワン
• 15154 Tweets
トパーズ
• 11505 Tweets
パズーとシータ
• 11396 Tweets
ロボット兵
• 10437 Tweets
Pinned Tweet
This write-up covers the basics of working with Native Applications and some interesting things you can do with them.
Thanks to
@Protexity
for giving me the opportunity to work with them on this blog
We are happy to share a guest blog post by Steve S! Steve is a Marine veteran, graduate student, and offensive security developer. He is currently Associate Staff at Datalytica where he spearheads the development of counter-AI capabilities.
0
13
36
0
10
38
New polymorphic techniques pushed to Revenant.
Rev now uses the python build script to generate C code at build time, compile randomly different binaries, and combine runtime polymorphic patches to give better obfuscation
Check it out!
@deadvolvo
5
129
451
In this writeup, we leverage
@rustlang
's inherent obfuscation against existing AV technologies to quickly bypass all detection on VirusTotal using unsafe code blocks.
We can even achieve 0-total detections with a standard MSFVenom payload!
Check it out
5
137
440
Use C, and some inline assembly, to create a self-extracting shellcode executable!
This solution was inspired by
@hasherezade
's C to Shellcode method, and was the basis for my solution to
@MalDevAcademy
's shellcode challenge.
Check it out!
2
115
363
Novel
@Windows
Defender bypass that leverage’s Defender’s inability to detect a malicious executable with a >2MB stack requirement.
1) Make a big payload
2) Put it in main()
3) ???
4) PROFIT
2
102
310
Check out my guest write-up on the MaliciousGroup blog.
If you're interested in C, inline assembly, and return address spoofing, this is the writeup you're looking for.
@deadvolvo
5
85
220
In this writeup, we discuss string obfuscation techniques and implement a classic string obfuscation technique, XOR, using modern CPU features to bypass emulation and analysis by
@Mandiant
's FLOSS and CAPA.
Check it out
4
81
220
In this writeup we use the capabilities of inline assembly to overwrite part of our program's .text section and achieve non-standard payload self-injection and execution.
Check it out!
3
61
217
Apparently the large stack bypass I wrote about earlier today affects a lot of AV engines.
I’ll do some more testing on my lab over the next couple of days and see what the consequences might be.
I feel like a shitty ad…
“Bypass AV with this one ez trick!”
Novel
@Windows
Defender bypass that leverage’s Defender’s inability to detect a malicious executable with a >2MB stack requirement.
1) Make a big payload
2) Put it in main()
3) ???
4) PROFIT
2
102
310
3
40
183
In this writeup, we use
@vector35
's BinaryNinja to manipulate a standard raw
@metasploit
meterpreter payload in order to bypass detection by Windows Defender.
No encryption. No encoding. Just opcodes.
Check it out!
3
71
178
Diago's writeup on Thread Pool manipulations is exactly what you need to read before your next Pool Party
4
60
146
If you’re in the red teaming space and have never checked out this book, you need to. I’m only a couple of chapters in and it’s easily the single most beneficial resource for understanding the necessary adversarial mindset
5
19
120
Two articles that demonstrate the viability of unhooking by bringing your own copy of ntdll (byoDLL).
1) The first method creates a temp file (not_ntdll.dll)
2) The second method uses
@hasherezade
's
#pe2shc
to load ntdll entirely in memory
0
54
121
You might have seen this 3-byte AMSI bypass last week by
@blazeinfosec
You can actually achieve this same bypass by with a 1-bit patch.
More of a cool party trick than anything else, but still pretty interesting. Check out the screenshots below.
1
44
117
Wrote an RDI today using
@deadvolvo
's writeup as a guide. I learned a ton going through the process.
If you haven't checked it out, you're missing out.
0
27
98
In this writeup we demonstrate how custom payload/implant implementations can be used to break call stack tracing using assembly functions, inline assembly, and a custom payload based on
@0xBoku
's popcalc!
Check it out!
2
38
96
A detailed analysis on embedding payloads (x86) using
@metasploit
's MSFVenom . We look at effects the payload has on the binary, how the redirection stub works, and a quick look at defeating some AV signatures when we use this technique
Take a peek
Would anyone be interested in a detailed analysis of how msfvenom’s -x option works?
Here’s a good write up on how to use it, but I’m interested in showing how it works
0
1
6
1
31
91
Pushed some string obfuscation to Revenant tonight, check it out!
Shout out to
@deadvolvo
for all the help 🔥
1
23
88
Revenant Updates!
> DLL support
> Revamped polymorphic egg search mechanics
> Improved inline assembly injections for stability
> Improved unhooking. Clean ntdll in memory instead of always starting clean process
> Antidebug checks run regularly to mitigate debugger attachment
3
18
84
Finally finished this book!
A lot of the technical specifications are dated, but it’s so rich in creativity and offensive mindset that I would recommend this book to anyone!
Do you have any other book recommendations?
2
11
77
After a couple weeks of studying and playing with the Talon implementation, we have a working (v0.01) of Revenant for
@C5pider
's Havoc C2!
It's still mostly Talon, but
@deadvolvo
and I will keep grinding on it in the coming weeks👀
0
17
75
In this writeup we continue our use of
@vxunderground
's VX-API, implement a decompressing -> remote process injection implant, and then use some compiler trickery to bypass
#Windows
Defender.
Check it out.
3
18
69
A writeup on achieving zero detection on VirusTotal for a plain msfvenom calc.bin by making assembly level modifications using
@vector35
's BinaryNinja.
No encryption. No encoding. Just opcodes.
1
22
69
If you're not using the VX-API for your tooling, you're missing out on very useful capabilities packaged into a well written API.
In this article we look at the default implant in the API to analyze functionality and utility.
Check it out
1
20
64
I'm looking to beef up my offensive security reading this year. Drop your favorite articles and book recommendations 👇👇👇
12
10
64
By popular demand, this week we demonstrate command interception in PowerShell with ".COM" executables (sort of) 👀
Check it out!
0
25
61
Easily some of the best research into position independent code development since Stephen Fewer's research into reflective loading
Modern implant design: position independent malware development.
A small blog post on how to design "modern" malware with features like global variables, raw strings, and compile-time hashing.
Repo:
27
321
1K
0
8
61
Revenant Updates!
> powershell (pwsh) command
> Architecture part of default name (Revenant_x64/x86.exe)
> Fixed OS architecture enumeration bug
> Improved debugging and error handling
> (HAVOC) Health monitoring candidate
@C5pider
Check it out!
0
17
58
The more I learn about writing good C and C++, the dumber I feel for writing terrible code 🥲
2
6
48
In this writeup we look at Windows support for non-existent file paths and demonstrate a use case against Yara rules.
It's an interesting trick, check it out!
2
20
51
Revenant updates focused on backward compatibility:
> x86 .exe building
> Rolled to C99 standard
> Win7/8 Compatability (WinAPI)
Check it out!
#HavocC2
2
17
52
New updates to Revenant!
> Revenant is now compiled with llvm-mingw
> Reworked polymorphic functionality
> Protection against Mandiant's FLOSS
> Anti-debug and Polymorphic functions execute prior to Main()
Check it out!
0
10
50
This week, we take another look at the VX-API and implement reverse shell capabilities in our implant using an MSFVenom payload. We leverage a compression algorithm and some compiler trickery to fool Windows Defender and get a connection.
Check it out!
1
21
49
There won't be any posts on my blog for a couple of weeks...working on a thing with
@deadvolvo
@C5pider
1
4
44
I did some testing on two binaries. One written in C++, one written in Rust.
> Rust was bigger, but just as fast
> Rust produced bigger and lower quality decompilation results
> The Rust binary was only detected by 5/72 AV engines on VT
Check it out
Does Rust have any advantages over C/C++ for offsec engineering?
8
2
14
6
9
41
Revenant Updates! 10SEP23 v0.60.1
> Implemented GhostFart Unhooking
> Hid strings associated with PeRun's Fart, GhostFart, and some Havoc comms
> Fixed polymorphic support in x86 executables
> Updated LLVM-MinGW compiler
0
17
37
Updates to Revenant! Just in time for your July 4th celebrations.
> More hash definitions in support of future functionality
> Build-time anti-debug inline assembly injections
> Unhook via Perun's Fart method
>> Rehooks after cmd execution
Check it out!
1
15
37
Congrats
@C5pider
Havoc is now a part of Kali 2023.4
Before we wrap up the year, it’s time to get out one last Kali release for 2023.
Announcing Kali 2023.4! for a focus on the addition of Hyper-V support to Vagrant, ARM64 Cloud images, support for the Pi 5, and an update to Gnome 45. Check it out!
27
326
1K
0
2
35
Huge updates dropped for Revenant!
@deadvolvo
put in a lot of work this week to bring you streamlined string obfuscation and native API functionality. These updates are pretty huge and add a lot of functionality to our
#Havoc
implant
Check it out!
2
7
34
Newest updates pushed to Revenant:
1) NativeAPI Upload/Download implementations
@deadvolvo
2) Reduced reliance on stdio.h
3) Reduced executable size (52kb -> 29kb)
4) General bug fixes
Image by Dall-E 2
0
3
32
@ruostu
@_JohnHammond
printf(“Hello World”); triggers 4-5 engines depending on compiler and compiler settings lol
0
0
29
In this writeup, we discussed a more advanced, multi-step, methodology that bypasses detection by Mandiant's FLOSS string deobfuscator.
Be sure to head over to Patreon for early access to similar writeups!
Check it out!
2
15
27
Just launched my Patreon!
We’re kicking things off with a poll. Feel free to check it out and vote on what types of things you’d like to see me cover in the future 🔥
1
3
27
Hot take:
There’s nothing wrong with writing assembly in your C++ implants/techniques
😬
2
1
28
Does anyone know why runtime modifications to a function's return address would result in broken stack tracing?
The address in the stack trace is off by one, which is what first hinted to me that something was wrong. But what's interesting is that checking the actual contents
1
5
26
Things like this could be avoided if offensive researchers could access AV/EDR samples
Obscurity != Security
A TA going by the handle Spyboy is selling an AV/EDR killer that is allegedly capable of killing almost every AV/EDR on the market.
26
154
517
6
7
26
Read a little bit more of this today and just let me say, I have some cleaning up to do
1
1
23
Pretty neat that you can use inline assembly labels to jmp between functions.
Check out the pic!
3
6
23
Intersting implementation of self-integrity checks using compile-time definitions and C macros.
0
13
23
Zero days get all the hype, but stolen creds are the real danger
if you look at the CISA stats:
~88% of pwnage is from the attacker having a set of credentials that work... (phishing, brute force or theft etc.)
Cybercrime is largely stealing credentials....
lot's of "IT people" say stuff like:
well sure if you have
22
99
482
3
3
22
New early-access writeup available on Patreon!
Check it out!
0
4
21
Take a peek at what I’m working on over on Patreon. You can now enjoy Supporter benefits, free for the first 7 days.
Check it out!
0
6
22
Apparently, there's a Yara rule for Revenant that's been out since July on
@malpedia
Seems to only work on versions of Revenant compiled in April.
Interesting...
It's worth noting that these were not all compiled with the same features enabled. Just old copies I happen to
1
6
19
No it doesn’t.
ChatGPT creates mutating malware that evades detection by EDR
10
138
403
3
2
17
I fixed it.
0
1
17
Check out this insanely detailed demonstration on writing implants 💯🤌🏽
0
7
17
An exploration of various techniques to reduce detectability for high-level code delivery. Achieved 0-total detections on virus total using only anti-debugging techniques and WinAPI pointers.
No encryption. No encoding. No winnt.h.
2
2
17
Can't wait to see ms-teams.exe launch whoami.exe
1
0
16
@egeblc
"mimicking the natural PE loading" =! a properly loaded PE. There's no debate to be had about that.
The additional artifacts and signatured mechanics of reflective loading are significant drawbacks that stardust resolves in a way reflective loading, by design, cannot.
1
3
16
Some really cool work that expands shellcode development with MSVC in C and C++ using some cool tricks.
Check it out 🔥
@0xTriboulet
I find out how to compile in MSVC what you did in …There is the github repo …there is a bunch of code but the project is shellcode_gen_msvc_c
0
2
8
0
1
17
This us a really robust resource with utility that extends beyond game hacking
Nice to see a lot of new educational content on
@GameHackingAcad
👏
They've got an interactive site (), but also a downloadable PDF 👇
1
52
141
0
3
17
@Laughing_Mantis
If Microsoft aggregates the data collected to improve the model (which is probably a given), it's now possible to poison the data set locally
0
0
15
// --- NoAPI RNG PoC ---
// x86_64-w64-mingw32-gcc main.c -masm=intel
unsigned int random = 0;
asm("rdrand rax;"
: "=r" (random)
);
1
1
15
Does Rust have any advantages over C/C++ for offsec engineering?
8
2
14
@lauriewired
@vxunderground
@yoroisecurity
Sounds like the prompt was “Write a paper on DLL side loading in the voice of Nietzsche”
0
0
14
Hell yeah! I’ll do another writeup on using the VX-API soon and we’ll talk about some of these 💯
We've updated the VX-API
- CreateProcessFromINFSectionInstallStringNoCab
- CreateProcessFromINFSetupCommand
- AmsiBypassViaPatternScan
Shellcode execution by abusing: SymEnumProcesses, ImageGetDigestStream, VerifierEnumerateResource, SymEnumSourceFiles
1
21
83
0
2
12
@vxunderground
you got any printer ink cartridge based virus samples?
HP CEO: Blocking third-party ink from printers fights viruses
48
26
126
2
0
14
@VirtualAllocEx
Yes, that’s my understanding as well.
@NinjaParanoid
has a writeup on custom callstacks that sounds like what you’re describing
1
2
14
A writeup on manually correcting deficiently embeded x64 payloads using MSFVenom and BinaryNinja.
By default embedding x64 payloads that are started on a new thread doesn't work using MSFVenom.
Learn one way to fix it.
If you saw my x86 writeup and tried to apply it to an x64 payload you know embeded payload exec in a new thread doesn't work by default w/
@metasploit
's msfvenom
In this writeup we take a practical approach to manual correction of an embeded (x64) payload.
Check it out.
0
1
2
0
9
11
@MalDevAcademy
's challenge inspired this implementation: Using macros, we can set a kill date when our implant will self-delete.
Patrons can access the early access writeup 🔥
Other writeups that haven't made it to my blog are available for free!
0
2
9
C + ASM
0
0
9
@vxunderground
The money from the Twitter blue engagement can partially go to a Grammarly subscription 😂
1
0
11
doing silly things with the C++ compiler begets silly results
1
0
11