Dylan Tran

@d_tranman

Followers
1,056
Following
156
Media
34
Statuses
211

salsa sultan, verde villain oscp crto crtl ex: pentest intern @xforce | @NationalCCDC / @wrccdc & @globalcptc competitor @calpolyswift

please dont hurt me
Joined June 2020
Pinned Tweet
@d_tranman
Dylan Tran
1 year
Dug into call stack spoofing for the past few months and wrote something. Hopefully this is helpful.
9
113
312
@d_tranman
Dylan Tran
2 years
I think I did the patchless/breakpoint in process amsi bypass thingy with C#
6
67
240
@d_tranman
Dylan Tran
1 year
Had a ton of fun finally getting a grasp on sleep encryption and trying to bypass Hunt Sleeping Beacons with Ekko. tldr; spoof the callstack while sleeping and avoid Wait:UserRequest in your timer callback.
5
99
215
@d_tranman
Dylan Tran
1 year
I made another sleep encryption POC based on Ekko & RustChain, except it uses TpAllocWork + TpWaitForWork. It's probably possible to fix the sus callstack and shitty code but I am happy it works. Thanks to the people in OnlyMalware for helping me out.
3
29
113
@d_tranman
Dylan Tran
1 year
Sleep obfuscation? What about sleep....walking? No more roaming IPs, it's all about the roaming shellcode @Altoid0day
3
28
106
@d_tranman
Dylan Tran
10 months
Testing advanced module stomping via reflective loader + IAT hook, seems pretty cool so far
0
20
99
@d_tranman
Dylan Tran
9 months
Wrote up on module stomping and modding AceLdr to implement it at rest
11
45
130
@d_tranman
Dylan Tran
2 years
I've always wanted to try to make a custom implant for a C2 to practice some maldev. Luckily, @C5pider 's Havoc and documentation from @codex_tf2 made it super easy. Will hopefully become a dollar tree Apollo
0
21
93
@d_tranman
Dylan Tran
1 year
Trying to learn this call stack tampering stuff. It's nothing new; based on synthetic frames from SilentMoonWalk. I think it works, but someone who knows code better than me can probably correct me on that...
2
24
71
@d_tranman
Dylan Tran
2 years
Managed to get basic BOF integration into my havoc implant from @C5pider using RunOF from @Nettitude_Labs modified with indirect syscalls and dynamic invocation. Will have to figure out argument parsing; does not support it yet.
2
13
69
@d_tranman
Dylan Tran
1 year
Started playing around with C. Tried to modify @C5pider 's Ekko with indirect syscalls via HellsHall from Maldev-Academy. It copies a stub into memory for execution during the sleep and passes a struct, but there's probably a better way to go about it.
0
24
70
@d_tranman
Dylan Tran
11 months
Check out what Bobby and I cooked over the summer
@0xBoku
Bobby Cooke
11 months
We just released Reflective Call Stack Detections and Evasions! This was co-authored by our @XForce Red intern Dylan Tran @d_tranman ! Dylan is wicked smart and it was fun working with him! Check it out!🥷
15
158
387
3
5
33
@d_tranman
Dylan Tran
2 years
A stupid POC that generates RWX memory through the JIT compiler. I thought it was kinda funny. Could be useful if you wanted to write some assembly and execute it without directly calling winapis I think idk.
0
5
21
@d_tranman
Dylan Tran
1 year
Super excited that I can go to defcon now, thanks a ton! Looking forward to the stack spoofing talk from @KlezVirus
@cybersyrupblog
scsideath
1 year
The winner of the @defcon ticket is @d_tranman !!!!! I will DM you and will transfer the ticket to your account
1
2
9
1
0
20
@d_tranman
Dylan Tran
1 year
@VirtualAllocEx Regarding #2, this has worked for me (not sure about more recent versions of Windows though). tldr; the SSN is the same as the Nt/Zw API's order in memory relative to the others (for x64).
1
1
13
@d_tranman
Dylan Tran
1 year
Update: This talk was super epic. Thanks again for @cybersyrupblog for the ticket.
@d_tranman
Dylan Tran
1 year
Super excited that I can go to defcon now, thanks a ton! Looking forward to the stack spoofing talk from @KlezVirus
1
0
20
1
1
11
@d_tranman
Dylan Tran
11 months
Took inspiration from recent feedback (y'all are awesome for that) and am trying to make slight improvements to my stack spoofing POC; still susceptible to a call integrity check, though. No clue how to bypass that.
1
1
13
@d_tranman
Dylan Tran
2 years
Thanks to a lot of help from @C__Sto and his BananaPhone repo, I was able to get indirect syscalls to work in Go!
0
2
11
@d_tranman
Dylan Tran
2 years
Revisited my Havoc implant to clean up some code for future development. Still kinda sucks but I got some neat screenshots out of it.
1
0
9
@d_tranman
Dylan Tran
2 years
Managed to mostly port my direct syscalls stuff from C# to Go. Uses freshycalls to find the ID and then maps the call into memory. Currently relies on calling VirtualAlloc + RtlCopyMemory to map the syscall into memory.
0
4
6
@d_tranman
Dylan Tran
1 year
@passthehashbrwn @checkymander I played around with that a while ago and wrote something hella janky. .NET do le funni allocations
0
1
8
@d_tranman
Dylan Tran
10 months
@ilove2pwn_ I might be understanding this picture wrong, but did you overwrite ntdll's .text bytes without losing the shared/shareable working set?? 👀
1
0
11
@d_tranman
Dylan Tran
2 years
Made a funky managed hook for NtAllocateVirtualMemory, based on the work from @NaxAlpha . Pretty fun to sanity check dinvoke/(in)direct syscalls with this stuff.
0
2
7
@d_tranman
Dylan Tran
1 year
Trying to play around with return address spoofing using namazso's code. Anyone know why overwriting the retaddr on the stack with the trampoline shows fewer entries than with an arbitrary address/number? Or is it a Process Hacker visual thing? Idk if it's important, just curious
0
1
7
@d_tranman
Dylan Tran
1 year
We're finally back
@NationalCCDC
National CCDC
1 year
Congratulations to @calpolypomona - our 2023 CCDC Wild Card winner! They'll advance to the NCCDC and compete with all the other regional winners for the title of National Champions.
2
4
29
0
0
6
@d_tranman
Dylan Tran
1 year
This POC was just me wanting to try sleep encryption with other APIs. There's a ton of flaws (looking at you, call stack), but they're probably fixable by anyone who's actually competent at this stuff 🗿🗿
0
1
5
@d_tranman
Dylan Tran
1 year
Is this considered a successful callstack spoof/duplication/idk while sleeping? Shellcode manages to look like this while sleeping. Idk how to tell if this callstack seems normal or suspicious or whatever.
0
1
4
@d_tranman
Dylan Tran
11 months
@NinjaParanoid @0xBoku @XForce Yeah this is valid, definitely gonna try to improve it. Thanks for the feedback!
1
0
3
@d_tranman
Dylan Tran
2 years
I made a janky modification to SharpHellsGate that finds syscalls via Nt function order in memory. Also writes into space from JIT compilation (I think HAHAHAHA). Please read, I am lonely #infosec #hacking #csharp
0
2
4
@d_tranman
Dylan Tran
1 year
@0xTriboulet @Altoid0day If I missed any flags lmk, haven't played with pe-sieve all too much. But after fixing some cleanup from my loader, it seems to be fine when sleeping/not fine when active, as expected-ish.
1
0
4
@d_tranman
Dylan Tran
9 months
@ilove2pwn_ Thanks for sharing, I was completely on a different track. Kept digging into freeing the private working set w/ VirtualUnlock, but in hindsight, I don't think that would have affected the shared working set.
2
0
2
@d_tranman
Dylan Tran
2 years
@Chrollo_l33t @dmcxblue From a use case basis, from my understanding, P/Invoke allows you to import functions of unmanaged code (C/C++) and easily call them in C#. D/Invoke allows you to do this (d)ynamically, without explicitly doing the import (which is an easy way to get detected).
0
0
3
@d_tranman
Dylan Tran
1 year
@DaniLJ94 100% yes, those slides were super helpful in helping me understand meterpreter and reflective loaders
1
0
3
@d_tranman
Dylan Tran
2 years
@bruhhberto me n ur mother
0
1
2
@d_tranman
Dylan Tran
10 months
@C5pider u r special 😳
1
0
3
@d_tranman
Dylan Tran
2 years
I copied another tool, this time from @mariuszbit . Thanks for making Stracciatella
0
0
3
@d_tranman
Dylan Tran
2 years
epic
0
0
2
@d_tranman
Dylan Tran
3 years
@MBDanoH @myhead_hurting I still got the one u gave me in like 2017, it's chillin in my fridge
0
0
2
@d_tranman
Dylan Tran
9 months
@wrccdc wow mom im famous
0
0
1
@d_tranman
Dylan Tran
1 year
@daem0nc0re Functions get jitted so you could also use them to execute shellcode; iirc that's what the SharpHellsGate project did. I played around with dynamic functions to do a similar thing too (it's flawed, but was still funny)
1
0
2
@d_tranman
Dylan Tran
2 years
My ntdll is doing the funny
0
0
2
@d_tranman
Dylan Tran
1 year
@C5pider Chat is this real
0
0
1
@d_tranman
Dylan Tran
1 year
@JohnnyNi13 I was here pogu
0
0
2
@d_tranman
Dylan Tran
2 years
@Evil_Mog Your keynote speech was very inspiring, thank you for your contributions and sharing your experiences with all of us this year! Hopefully you'll be back next year.
1
0
2
@d_tranman
Dylan Tran
11 months
@NinjaParanoid @0xBoku @XForce Oh wow, it's possible to use ROP and have frames line up with the call instructions? That's super cool. Definitely gonna give it a shot
0
0
1
@d_tranman
Dylan Tran
1 year
@daem0nc0re Oh the code i wrote was for .net framework 4.7 something. Haven't tested recent versions of .net core/.net
1
0
2
@d_tranman
Dylan Tran
3 years
LETS GOOOOOOOOOOO
@globalcptc
Collegiate Penetration Testing Competition
3 years
Announcing the Winners of #GlobalCPTC 2021: 1st place: @calpolypomona 2nd place: @Stanford 3rd place: @tennesseetech Congratulations to all teams, we look forward to seeing you next year.
5
27
72
0
1
2
@d_tranman
Dylan Tran
1 year
0
0
1
@d_tranman
Dylan Tran
4 years
@n0uegypt @CalebDaPerson fuck u this isnt java we dont do that around here sandman
0
0
1
@d_tranman
Dylan Tran
2 years
@secu_x11 Yeah its my SharpAgent
0
0
1
@d_tranman
Dylan Tran
2 years
Beautiful
@baseq_twt
Gabriel
2 years
I'm glad to be a part of SWIFT and proud to be a part of the webdev team. Really happy how it turned out. Peep the revamped site👀
0
0
2
0
0
0
@d_tranman
Dylan Tran
9 months
@ilove2pwn_ Yeah, that's exactly what I thought when you mentioned forking. Up until then I was like "how do I uncopy on write" 💀
1
0
1
@d_tranman
Dylan Tran
11 months
@NinjaParanoid @0xBoku @XForce Ooh yeah, that's fair. Gotta keep thinking I guess lol, but I would really love to figure out a fully dynamic frame generation without the need for ROP for fixing execution/stack.
1
0
1
@d_tranman
Dylan Tran
4 years
0
0
1
@d_tranman
Dylan Tran
1 year
On a side note, has anyone caught Sliver beacons with Hunt Sleeping Beacons? Maybe I'm bad, cause I couldn't. I believe it's just doing a time.Sleep(), but due to the way it's implemented in Golang, it doesn't get flagged by HSB?
0
2
1
@d_tranman
Dylan Tran
9 months
@kyleavery_ Oh man, I forgot about CFG, my bad
0
0
0
@d_tranman
Dylan Tran
10 months
@NinjaParanoid Is the gadgetless stack a special mode? On the video it looked like there was still a gadget frame with `jmp rdi` (kernel32.GetPhysicallyInstalledSystemMemory+0x16c1)
2
0
1
@d_tranman
Dylan Tran
2 years
@C5pider @trickster012 @Nettitude_Labs Gotcha. Looking forward to that, will help a lot with some of the stuff I'm going to experiment with later on. Aside from that small issue, the API has been really intuitive and easy to use.
0
0
1
@d_tranman
Dylan Tran
2 years
@0xLegacyy @ShitSecure It seems not, gonna play with it a bit more and hopefully figure a better solution out. Have to set up the bypass for each thread. Dookie screenshot for example.
1
0
1
@d_tranman
Dylan Tran
11 months
@NinjaParanoid @0xBoku @XForce On a side note, for the call opcode checking, all I can really think of is using a HWBP on the last generated frame rather than using a ROP gadget. Not sure if that's ideal (iirc HWBPs have been getting checked?), but there's probably a better way.
1
0
1
@d_tranman
Dylan Tran
1 year
@0xTriboulet This is bringing back bad memories 💀 glad it's not just me
0
0
1
@d_tranman
Dylan Tran
2 years
@An00bRektn I apologize for every line of my dookie code you may have ran into while developing this.
0
0
1
@d_tranman
Dylan Tran
11 months
1
0
1
@d_tranman
Dylan Tran
1 year
@MJHallenbeck I liked the AD stuff this year since that was my skillset, and the amount of stuff to look at after compromising a box was fun. Also client interactions were funny. I think best part was our technical feedback being "lol amongus"
0
0
1
@d_tranman
Dylan Tran
9 months
@kyleavery_ i got caught 💀
0
0
1
@d_tranman
Dylan Tran
10 months
@An00bRektn @DOECyberForce Dang bro, I didn't know you were gonna be in person this year too
1
0
0
@d_tranman
Dylan Tran
1 year
@anthemtotheego It was cool getting to see you in person, even though it was like for 5 seconds 🙃
1
0
1
@d_tranman
Dylan Tran
2 years
@_RastaMouse @Jean_Maes_1994 @_Kudaes_ @vxunderground @brian_psu Did somebody say scuffed dynamic invocation/indirect syscalls?
0
0
1
@d_tranman
Dylan Tran
2 years
@trickster012 @C5pider @Nettitude_Labs Yeah, RunOF supports args, and so does the Havoc API. Currently having issues with multiple args with multiple spaces. Also have to figure out how to translate the args sent from the Client to the way RunOF deals with them, due to the way BOFs do strings/ints. Hopefully done soon tho.
1
0
1
@d_tranman
Dylan Tran
2 years
0
0
1
@d_tranman
Dylan Tran
2 years
@Ox4d5a Not sure if this helps, but for my modified version of RunPE I had to compile my own mimikatz to make the arguments work properly, despite patching the PEB and GetCommandLineW
0
0
1
@d_tranman
Dylan Tran
1 year
@An00bRektn Where did you run to?
1
0
1
@d_tranman
Dylan Tran
4 years
power
0
0
1
@d_tranman
Dylan Tran
10 months
@An00bRektn @DOECyberForce Ah I was just there as a mentor (not allowed to compete), hopefully I can come back
0
0
1
@d_tranman
Dylan Tran
2 years
I have decided to implement the ETW patch that returns only certain events in C# because why not. #redteam
0
1
1
@d_tranman
Dylan Tran
1 year
@namazso Sorry, I'm still not good with this stuff. I get that "synthetic" is something I did since I just added frames (although I still don't know why pushing 0 cut the rest off). But I still don't really understand the concept of the desync stuff, even after trying to read their blog
1
0
1
@d_tranman
Dylan Tran
9 months
1
0
1
@d_tranman
Dylan Tran
2 years
@dmcxblue Yeah, I've been managing to call the DllExport stuff with LoadLibrary -> GetProcAddress within a C++ exe, but I haven't been able to do DllMain either. The C DLL calling the C# DLL is a nice workaround though, thanks.
0
0
1
@d_tranman
Dylan Tran
2 years
@zux0x3a @dmcxblue @netero_1010 Reading his stuff on indirect syscalls in C# was really cool. Also, reading into the source code for SharpHellsGate was helpful for me
1
0
1
@d_tranman
Dylan Tran
1 year
@0xTriboulet @Altoid0day No clue, will test when I can. The code snippet was meant to be integrated with C5pider's ShellcodeTemplate to create PIC so there should be a lack of PE headers. The shellcode is allocated as RW and is only RX when not sleeping, so hopefully things turn out well.
0
0
1
@d_tranman
Dylan Tran
2 years
@codex_tf2 Damn, I fell for it
0
0
0
@d_tranman
Dylan Tran
9 months
0
0
1
@d_tranman
Dylan Tran
4 years
0
0
1