x86matthew
@x86matthew
Followers
17,851
Following
348
Media
46
Statuses
140
C / asm / reverse engineering. Developer at @MDSecLabs . Other stuff at @the_secret_club
UK
Joined June 2020
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Francia
• 654168 Tweets
#HouseOfTheDragon
• 535575 Tweets
Rhaenys
• 250488 Tweets
#GranHermano
• 243693 Tweets
Bautista
• 175820 Tweets
Meleys
• 163799 Tweets
Emma
• 161185 Tweets
#HOTD
• 128363 Tweets
#loveislandusa
• 125905 Tweets
Aegon
• 98265 Tweets
Serena
• 63800 Tweets
Daemon
• 61714 Tweets
Uruguayo
• 59118 Tweets
Jana
• 50525 Tweets
Marcos
• 46967 Tweets
FURIA ES LEYENDA
• 41532 Tweets
Sunfyre
• 40143 Tweets
KIM SEOKJIN
• 32163 Tweets
Criston Cole
• 28387 Tweets
Kordell
• 27677 Tweets
FRED GLOBAL AMBASSADOR JIN
• 27438 Tweets
リリカルなのは
• 22584 Tweets
Kaylor
• 18435 Tweets
間宮結婚
• 17164 Tweets
セレクトセール
• 16914 Tweets
Jace
• 16309 Tweets
#JinxFredJewelry
• 15865 Tweets
間宮祥太朗
• 13438 Tweets
萩のツッキー
• 13010 Tweets
hyuna
• 12321 Tweets
KMPDU
• 11068 Tweets
Fed up of WiFi? No problem, my solution is here - all you need is a microphone and speaker (and a quiet room!)
Transmitting data via audio:
81
438
2K
How can we run arbitrary code without allocating/overwriting executable memory? We "borrow" (abuse) instructions from ntdll.dll!
20
392
1K
EmbedExeLnk - Embedding an EXE inside a LNK with automatic execution
18
411
1K
First blog post in a while! This article describes an undocumented trick to embed executable code within (what appears to be) a read-only PE section.
16
336
1K
ImportDLLInjection - An alternative method of injecting DLLs by modifying PE headers in memory.
No need to create temporary threads, modify/allocate executable code, etc.
9
354
972
NTSockets - Downloading a file via HTTP using the NtCreateFile and NtDeviceIoControlFile syscalls
This sample demonstrates how to communicate directly with afd.sys to create TCP sockets. No Winsock library necessary!
18
380
964
Is it possible to start a process as SYSTEM using only CreateFile and WriteFile? Yes
Spoiler: Write a custom RPC client and create a temporary service using \\.\pipe\ntsvcs 🙂
12
312
911
i have been writing a windows 3.1 emulator in my spare time over the last few weeks, it emulates an 80286 cpu running in protected mode and forwards/translates win16 api calls to the native api at runtime. my first test program is working correctly - minesweeper is coming next 🙂
24
86
827
StackScraper - Capturing sensitive data using real-time stack scanning against a remote process
HTTPS won't save you here!
14
259
823
SharedMemUtils - A simple tool to automatically find vulnerabilities in shared memory objects (commonly used for IPC in Windows services)
This tool immediately uncovered potential exploitation routes in both Nvidia and Dell Audio services on my system.
9
260
822
ClipboardInject - Abusing the clipboard to inject code into remote processes
This PoC uses the clipboard to copy a payload into a remote process, eliminating the need for VirtualAllocEx / WriteProcessMemory.
20
289
788
StealthHook - A method for hooking functions without modifying memory protection.
This tool automatically discovers writable global pointers/vtable entries that are nested within the target function, enabling stealthy function hooking and interception.
8
258
759
Exploiting a Seagate service to create a SYSTEM shell (CVE-2022-40286)
A brief overview of reverse-engineering a Windows service to discover local privilege escalation exploits.
9
247
716
ProcEnvInjection - Remote code injection by abusing process environment strings in CreateProcess.
Another method of injecting code into a remote process without using WriteProcessMemory. 🙂
16
278
708
AddExeImport - Add a hardcoded DLL dependency to any EXE
No DLL hijacking opportunities available? Create your own instead!
16
267
614
@yarden_shafir
(((1 * 214013) + 2531011) >> 16) & 0x7FFF == 41 (therefore using the default seed of 1) 😀 also, microsoft's implementation of rand() stores the seed in TLS (well, more specifically FLS these days), so the seed must be initialised for each new thread 🙂
7
19
466
WriteProcessMemoryAPC - Write memory to a remote process using APC calls
Another alternative to WriteProcessMemory!
5
159
427
WoWMIPS - A MIPS R4000 emulator which allows legacy Windows NT MIPS binaries to run on modern x86/64 Windows.
A short series of articles describes the development of this emulator:
9
120
363
HijackFileHandle - Hijack a file in a remote process without code injection
A covert method of intercepting data from remote file streams (log files, etc)
9
133
364
how to crash the visual studio 2019 compiler in under 10 lines 🙃
5
42
331
DOSVisor - A hypervisor-level emulator for executing 16-bit real-mode DOS programs on Windows
3
99
328
earlier this year, i decided to join twitter and upload some personal projects out of boredom. 3 months later, i'm about to start working with some of the best in the security industry (
@modexpblog
,
@domchell
,
@peterwintrsmith
) - looking forward to seeing what the future holds!😃
25
13
272
SelfDebug - A useless anti-debug trick by (sort of) forcing a process to debug itself
5
57
225
LogNT32 - Trace all ntdll function calls without a pre-defined list of headers
Useful for performing a quick analysis of a potentially malicious 32-bit exe, or to get an insight into the inner-workings of Windows API functions!
2
80
226
it has been a few years since i last wrote a game cheat. modern games don't interest me so i've gone the other way and written an aimbot for the original doom - works on windows 95 with the official binaries 🙂
12
24
224
16-bit solitaire is now running as it should 🙂 now i'm definitely finished with the project because i can't handle any more nights debugging minor cpu logic bugs until 5am 😥
11
16
216
Flare-On 2023 Challenge 7 (flake) - Solving a compiled Python challenge using native tools
(Luckily for me, no Python knowledge necessary!)
#flareon10
4
51
201
following on from my post last week, 16-bit minesweeper now runs flawlessly in my windows 3.1 cpu/win16api emulator 🙂 i don't plan to take it any further from here but will consider writing a post covering the fun (and not so fun) bits if there is any interest in this project 🙂
10
28
181
Reading and writing remote process data without using ReadProcessMemory / WriteProcessMemory
2
62
134
i didn't think it needed mentioning but since a few people have messaged me to say that wifi is faster... of course it is! 😄even a dial-up modem is hugely faster. speed is not a priority here - this is simply a basic example of audio encoding/decoding 🙂
2
0
120
LogNT32 (part 2)
Return-address hijacking has been implemented to improve efficiency - we are no longer reliant on exception handlers. Credit to
@mrexodia
for the idea! 🙂
0
24
90
@hasherezade
yes, i wrote a custom PE loader with MUI support a few months ago, i was surprised how little information was available online. there are various different ways to load them, i chose to merge the MUI resources into the main exe in memory to avoid needing hooks 🙂
2
8
54
reading
#flareon9
writeups from other people has been interesting - it highlights how everybody (including myself) used very different methods and thought processes to solve the challenges 🙂
2
5
46
@0gtweet
i have been meaning to look into http.sys for some time now... after seeing your question, i spent an hour over lunch reversing the "\Device\Http\Communication" initialisation. see "HttpCommunicationExtendedAttributes" in my code - incomplete but works 🙂
4
2
33
i put it all together in around 3 hours last night, the availability of the linux source code made it very easy to reverse the windows binaries. i haven't come across watcom calling conventions for a long time!
1
2
32
@ShorSecLtd
@C0axx
@dec0ne
you can remove the GetNtdllBase(HANDLE hProcess) function entirely and simply replace it with GetModuleHandle("ntdll.dll"), it will always be mapped at the same base address across processes 🙂
1
0
27
@TheHackersNews
this doesn't really have anything to do with WinSXS, any program that attempts to load a non-existent DLL at runtime is "vulnerable" as the CWD is a valid part of the search order. if you really want to prevent this behaviour, you can set the CWDIllegalInDllSearch reg value 🙂
1
3
24
@gynvael
this behaviour has existed since ms-dos, it was used (or abused) in self-modifying batch files - the same logic has probably been carried forward simply for compatibility reasons. but to answer your question, i would suggest looking in some ancient dos manuals 🙂
2
2
23
@pentest_swissky
while useful in their time, i wouldn't recommend using these definitions in 2023, they are a relic from the windows 2000 era. most (if not all) headers are specific to 32-bit and may cause alignment problems in x64 code, amongst other issues
2
1
22
@C5pider
it does, although the crash occurs further down the code when it attempts to generate an error message for the "printf" line 🙂
0
0
21
@vxunderground
the extract isn't accurate, BindIoCompletionCallback calls BaseSetLastNTError on failure, which in turn calls RtlNtStatusToDosError. this means GetLastError() will return a standard windows error code as you'd expect to see with high-level apis.
1
0
21
@C5pider
yeah it's only a hobby project so i'll clean it up and release it at some point 🙂 similar projects have been done before (eg WineVDM which is much more complete) but i wanted to start something from scratch 🙂
1
0
20
@SEKTOR7net
Thanks! I also have some more methods to come when I find the time to clean up the code :)
1
0
17
@JanRingos
@yarden_shafir
it is - i think it's mentioned on msdn but it's often overlooked, not helped by the fact that some other platforms handle it differently (posix doesn't guarantee thread-safety for rand)
0
2
16
since it's now 2022, i probably should have picked "x64matthew" instead...
1
0
16
here it is running a small DOS-based game from Flare-On 2023 (challenge 6, FlareSay.exe) 🙂
0
0
15
@VirtualAllocEx
stdcall params are cleaned up by the callee - in your VirtualAlloc example, the 'add esp, 16' instruction will corrupt the stack as the params have already been removed. this would be correct for cdecl calls though - this allows for variable argument count etc 🙂
2
0
14
@CaptMeelo
another (often missed) thing to note when statically-linking with the CRT is that memory should not be allocated in one module (using malloc) and free'd in another due to them both having separate heaps, although i would personally consider this to be bad practice regardless
1
1
13
@yarden_shafir
@cullend
@SwiftOnSecurity
if any "legit" software really does rely on this (i have my doubts, it makes no sense at all) then i too would like to know - mostly so that i can avoid it 🙃
1
0
13
@ElephantSe4l
@TheXC3LL
@trickster012
@SEKTOR7net
the "random bits" in some wow64 syscall indexes are called turbo thunks, these are just (optional) performance optimisations, the syscalls will still work correctly without specifiying them 🙂
2
1
12
@mrgretzky
not bad really, it's a lot faster when it isn't printing every instruction to stdout though 😄
1
1
12
@hasherezade
oh yes, that does look very similar! they even used ordinal
#1
as the "dummy" import too. i suspected that such a simple method must already be in use somewhere! 😃
1
0
9
i didn't see this post at the time but completely agree with this! 😃
I don't usually go these, but a massive
#FF
to
@peterwintrsmith
- anytime you need something he pulls something epic out of the bag!
5
2
21
1
1
8
@reenz0h
your problem is stack alignment - rsp should be aligned to 16 before your GetModuleHandle call.
1
0
10
@OtterHacker
i would suggest that your code has other issues here. as the name suggests, GetLastError retrieves the last error code - there is no guarantee that it will be cleared on success. in most cases it won't be cleared, but otherwise in relevant cases it will be documented as such 🙂
1
0
10
@lauriewired
32-bit compatibility will still be retained at application-level (unlike IA64 without emulation) so users won't notice any difference in the real world fortunately - i imagine intel are simply feeling the pressure from recent advances in arm64 🙂
2
0
7
@studentofthings
@peterwintrsmith
@Octoberfest73
@C5pider
this is a classic "xy problem" - forcing hash collisions is not the way to go here, it is ineffective at best (and impossible at worst). there are many ways to achieve the same outcome - a weak detection for shellcode PEBLDR/EAT enumeration - without relying on hash collisions.
2
2
8
@aionescu
Thanks Alex, hope you're doing well! 🙂 As an unrelated side-note, do you have any idea why Microsoft never implemented a SetTcpEntry6 function? I have seen many unanswered questions about this online. I documented my own fix here:
1
0
6
@0x09AL
@HackingLZ
my exploit development days are over, i'll let someone else go through that pain 😄
0
0
7
@namazso
that's interesting - i originally used this method to bypass punkbuster (not very difficult!) on quake3-based games a long time ago, it always served me well. i will check out CET, i suspected that the modern control-flow features would eventually block this method.
0
0
6
@ilove2pwn_
Just had chance to look at this - looks like you're doing something very similar. You could reduce overhead by queuing multiple writes against a single thread. In my testing, I was able to queue over 1MB of data without any issues 🙂
0
0
6
@FuzzySec
@aahmad097
ci.dll is a kernel-mode library, if you set a breakpoint on ntdll!ApiSetResolveToHost i suspect you will see "ntoskrnl.exe" 🙂
1
0
6
@0gtweet
i have come across this issue in the past too - i created a separate thread with 1 second timeout. i try to avoid "fixes" like that but occasionally there's no alternative 😑
1
0
6
@SimonPinfold
@hasherezade
sadly not - i wrote this as a feature for
@MDSecLabs
nighthawk. it sounds like
@hasherezade
will soon have this topic covered though! 😀
0
0
6
@hasherezade
congrats! the earlier challenges in particular were significantly more difficult and time-consuming this year, but it was nice to see 2 16-bit challenges 🙂 FlareSay, mbransom, and HVM for me!
0
0
5
@TheXC3LL
That's interesting, it looks like we have been down a similar path! I was determined to make it work with any payload including 0x00 characters, pretty happy with the results! 😃
0
0
5
@VirtualAllocEx
yeah, if you look at a stdcall function (as 99% of exported winapi functions are) you'll see that they use the ret instruction to remove the params from the stack (eg 'ret 0x10' for VirtualAlloc) before returning
3
0
4
@ilove2pwn_
@HackingLZ
the threads themselves generally aren't responsible for sealing, the surface of the bolt head is responsible for that so it should be fine 🙂 although i would suggest swapping the rubber seal for a copper washer in future if possible 🙂
0
0
4
@peterwintrsmith
@mrgretzky
@modexpblog
@domchell
my haircut is not approved in NK so you're safe for now 😆
1
0
4
0
0
4
@Cyb3rMonk
@rpargman
@topotam77
This is the expected behaviour - only the command-line arguments are padded with spaces. Windows corrupts the over-sized parameter list when navigating back to the 'Shortcut' tab. Saving the link at this point will break it too.
1
0
3
@binaryz0ne
@modexpblog
I would guess that it has been compiled as a 32-bit exe and you are targetting a 64-bit process - try running it against "c:\windows\syswow64\notepad.exe" to check this!
2
1
3
@studentofthings
@scriptjunkie1
@vokaysh
well here's an easy one from microsoft themselves! slightly different context, but the point is string hashing for lookups is an extremely common optimisation
this example aside, "shellcode" is just code, why wouldn't it be able to read local memory and perform basic arithmetic?
1
0
3
@hasherezade
thanks! 😃 i would say that
#9
(encryptor) was my favourite as it forced me to learn more about asymmetric encryption, a subject that i have always avoided in the past. i'm sure you can guess that
#8
was my least favourite... 😆 how about you?
1
0
3
@Cyb3rMonk
@rpargman
@topotam77
That's true - that's probably the easiest way to perform a quick test. I would suggest checking for arbitrary data beyond the boundaries of the expected LNK headers (specified by the dwLinkFlags value).
0
0
3
@alexsho71327477
yes of course, as mentioned, any debug event will cause the process to freeze and become unusable. this is one of the reasons why it is useless in the real world. this is only to demonstrate the unintended effects of closing a debug object without properly detaching 🙂
3
0
3
@0gtweet
ah yes that's interesting, all of my "unknown" values become clear when looking at the fields in FILE_FULL_EA_INFORMATION 😃
0
0
3
@m417z
@yo_yo_yo_jbo
@chompie1337
yes, win32k (non-shared) data is stored in session space and therefore isolated. this is for security reasons but also for terminal services - a "remote" session shouldn't be impacted by physical input of course.
1
0
3
@wdormann
that's interesting, i know very little about .NET but i'll have a look into this - thanks!
3
0
3
@mrexodia
I still use MSVC++ 6.0 on a regular basis too! 🙃 On a serious note, x64dbg is great. The first thing that I did when I got back into reverse-engineering was to check if an x64 version of Ollydbg was ever released and came across your debugger instead. I wasn't disappointed! 🙂
0
1
2