0x00 Abstract On 12 Jun 2019 I wrote a paper about the Anti-Malware Scan Interface technology. At the time, the objective was to dig into the AMSI internals in order to, firstly, understand how the technology works and, secondly, how it is possible to bypass AMSI by carrying out in-memory patching of a module function. This paper will not provide more information about AMSI, and the patch will be the same.
Posts on am0nsec
0x00 Abstract Almost all the actions carried out by user-mode applications and Windows executive subsystems (e.g. I/O Manager, Memory Manager) have to deal with Windows resources (aka objects). These actions can relate to physical objects like devices or to logical objects such as processes, threads, tokens and files. For this specific reason, the Object Manager, which is an executive subsystem, is responsible for providing a standardised, uniform and singular way to manage, create, release and access objects.
0x00 Abstract Allowing user-mode and kernel-mode applications direct access to named or unnamed executive objects would be extremely dangerous, as it would interfere with the executive subsystems and render their duties obsolete. As a result, this would put the whole system at risk and make the management of executive objects almost impossible. Additionally, executive objects reside in kernel memory, which means that if user-mode applications could directly modify data structures in kernel memory this would also be extremely dangerous and the chances of a BSOD would be high.
0x00 Abstract I used to be a Java/PHP/PolymerJS developer for 2 years before joining the wonderful information security industry and developing in C/C++ and C#. I’m probably not a great programmer, but at least I’m documenting my code! Trust me, well-documented code will save your butt. I subscribed to a professional GitHub account a few weeks back, which gave me access to the 3000 minutes of GitHub Actions per month.
0x00 Abstract Over the past few months I have been using Cobalt Strike (CS) quite extensively, both during Simulated Attack engagements and for R&D and offensive security projects. I subsequently used the famous Aggressor script engine more than I expected. Throughout the different versions of CS, Raphael Mudge developed multiple features that allow operators to extend the standard capabilities of CS: C2 malleable profile, to modify the behaviours of the implant (e.
0x00 Abstract Application whitelisting and blacklisting is an interesting topic because, depending on how it has been configured, it can drastically increase the difficulty for an attacker to gain initial code execution. With Windows XP and Windows Server 2013, Microsoft released Software Restriction Policy (SRP), which was a great idea but a massive pain to configure, with little to no flexibility. This is where AppLocker comes into play: it is the successor of SRP.
Table of contents: Abstract; Case 1; Case 2; Case 3; Case 4; Case 5; Case 6; Case 7; Operand-Size Override Legacy Prefix. Abstract: On an Intel or AMD processor, when executing code from a 64-bit code segment (i.e., CS segment descriptor CS[L] bit = 1b and CS[D] = 0b), the 1-byte REX (i.e., Register eXtended) prefix can be used to modify operand addressing and selection. This can be for one of the following reasons:
Table of contents: SSE and AVX Mutation Idea (xlate); Streaming SIMD Extensions (SSE); Advanced Vector Extensions (AVX); AVX and the new VEX; Translation between Legacy SSE to AVX; Example 1: Basic 2-byte VEX Encoded Instruction; Example 2: Basic 3-byte VEX Encoded Instruction with 64-bit; Example 3: 3-byte VEX Encoded Instruction with SIB; Example 4: With Non-Destructive Operand WIB and Synonymous Mutation; Final Notes; Appendix A: Non-Destructive Operands Instructions; Appendix B: AVX Only Instructions; Appendix C: VSIB Instructions; Appendix D: VEX.
Archive of https://www.contextis.com/en/blog/bring-your-own-.net-core-garbage-collector from 19 JUN 2020. Table of contents: Introduction; .NET Core Configuration Knobs; Standalone Garbage Collector; Environment Variable Path Traversal; Building a Custom GC; Application Whitelisting Bypass Scenario; Remediation; Timeline. Introduction: This blog post explains how it is possible to abuse a legitimate feature of .Net Core, and exploit a directory traversal bug to achieve application whitelisting bypass. The .NET Core is an open-source software framework based on the .
Archive of https://www.contextis.com/en/blog/amsi-bypass from 12 JUN 2019. Table of contents: Introduction; How AMSI Operates; Enumerating AMSI Functions; Finding the Function’s Address; Egg Hunter; Patching; Final Notes. Introduction: AMSI stands for Anti-Malware Scan Interface and was introduced in Windows 10. The name is reasonably self-explanatory; this is an interface that applications and services are able to utilise, sending “content” to an anti-malware provider installed on the system (e.g. Windows Defender).
Archive of https://www.contextis.com/en/blog/dynamicwrapperex-windows-api-invocation-from-windows-script-host from 01 FEB 2021. Table of contents: Introduction; COM and OLE Automation Basics; Leveraging OLE Automation; x86_64 Standard Calling Convention; Registration-Free Activation; Limitations and Operational Security Considerations; Example of Shellcode Execution; References. Introduction: The Component Object Model (COM) was a revolutionary specification when it first appeared in 1995; despite this, there is still a large veil of mystery surrounding it. Those who have worked closely with Microsoft Windows systems may have heard of it, but probably in negative terms.
Archive of https://www.contextis.com/en/blog/common-language-runtime-hook-for-persistence from 22 AUG 2019. Table of contents: Introduction; .Net Overview; Common Language Runtime; Application Domain and Application Domain Manager; Assembly and Global Assembly Cache; Wrapping Everything Up; Identifying .Net Framework-Based Application. Introduction: This blog post explains how it is possible to execute arbitrary code and maintain access to a Microsoft Windows system by leveraging the Common Language Runtime application domain manager. During scenario-based assessments or digital-based Red Team assessments, gaining initial access to the internal network of an organisation is challenging and requires time and effort.
Table of contents: Introduction; User-Mode Application; Kernel-Mode Driver; Example: Listing Kernel Memory Pool Tag; Final Thoughts. Introduction: Over the last few years that I have spent learning more and more about Microsoft Windows, it has become more and more apparent that studying the NT kernel is an incredibly deep and vast subject, but nevertheless a particularly interesting one. A lot of research exists online, and the Windows Internals books are probably the best allies for this journey.