Ori Damari
@0xrepnz
0x7c00

Low level developer,
Reverse engineer,
Windows kernel

726 Tweets
248 Following
1,318 Followers
Tweets

Ori Damari retweeted

Ryan Hausknecht
@Haus3c
Feb 3

I made a PowerShell script when researching COM objects that has like 30 foreach and if loops and will search every COM object method for a keyword, e.g. finding COM objects with a method containing 'ExecuteShell'. Maybe someone else will find it useful. github.com/hausec/COMMeth…
Ori Damari retweeted

Yarden Shafir
@yarden_shafir
Feb 2

Can your EDR detect symbolic link callback rootkits? Because ours sure as heck can't.
@aionescu and I wrote about these!
windows-internals.com/dkom-now-with-…
Ori Damari retweeted

FireF0X
@hFireF0X
Feb 2

KDU, Kernel Driver Utility - driver loader (and not only) bypassing Windows x64 Driver Signature Enforcement with support of various "functionality" providers - including Unwinder's RTCore, github.com/hfiref0x/KDU pic.twitter.com/s154qYlIKR
Ori Damari retweeted

Sophia d’Antoine
@Calaquendi44
Jan 14

INFILTRATE Training Update!
Happy to announce @psifertex from @vector35 will be joining as a co-trainer. Come learn how to use program analysis for vulnerability research.
infiltratecon.com/conference/tra…
@InfiltrateCon @vector35 #BinaryNinja pic.twitter.com/JOyHEokElw
Ori Damari
@0xrepnz
Jan 26

If the spinlock was a DISPATCH_LEVEL spin lock it would cause a race condition.. In this case we have to queue a DPC and wait on all processors..
Remember this is fun but you typically won't use these techniques in a real product (unless you are a rootkit developer 😉)
Ori Damari
@0xrepnz
Jan 26

In this specific case it works because to access the DPC queue you have to raise the IRQL to HIGH_LEVEL - this IRQL cannot be interrupted by the IPI
Ori Damari
@0xrepnz
Jan 26

Yeah.. 😊 This function may not always be useful to access locked structures - imagine the case when the IPI is sent to the second processor (runs at IPI_LEVEL) and then the second processor is interrupted while holding the lock... Ouch
Ori Damari retweeted

Zelda Dungeon
@ZeldaDungeon
Jan 25
Ori Damari
@0xrepnz
Jan 24

Awesome!
I was not familiar with KDDEBUGGER_DATA64, looks pretty useful 😵 Thank you!
I'll probably update the solutions later when I finish.. There are many updates I need to write :)
For readers that want to read about KDDEBUGGER_DATA64:
scudette.blogspot.com/2012/11/findin…
Ori Damari retweeted

Or Chechik
@orchechik
Jan 23

@yaron_samuel and I got credit for CVE-2019-19363 - LPE in many Ricoh Printer Drivers 😎 #exploit #LPE #zeroday twitter.com/yaron_samuel/s…
Ori Damari
@0xrepnz
Jan 22

I think this is pretty awesome.
In fact, I use it all the time!
Ori Damari
@0xrepnz
Jan 22

- Share your knowledge with the community - not for PR, but for the purpose of making it better.
Yes, I know that sometimes PR is necessary but Ehh.. Business is shit
Goodnight 💕
Ori Damari
@0xrepnz
Jan 22

Lessons:
- Don't steal other researchers' work.. If you do (we all learn some way or another from other people's work), just give credit
- Don't get too excited about finding "CVE"s and "APT"s - sometimes it's just buzzwords used for PR. Get excited about cool technical stuff
>>
Ori Damari
@0xrepnz
Jan 22

Anyway, that's why I'm not so interested in CVEs and PR and business, pretty shitty stuff. It's just fun learning and sharing knowledge with the community... ❤️❤️❤️
Business and politics are shit guys.
>>
Ori Damari
@0xrepnz
Jan 22

I thought about commenting on their own tweet about this, but I don't want to get in trouble with them (sounds stupid, but yeah 😑)
Maybe they found the vulnerability at the exact same time as my friend? Idk
>>
Ori Damari
@0xrepnz
Jan 22

I think that after the vulnerability was found, they hired this security company to help them fix it.. I just hate the fact that they claimed they found it and they are trying to do PR with this.. >>
Ori Damari
@0xrepnz
Jan 22

Their post shows a very similar POC, their timeline started *a week* after my friend reported the vulnerability, and they claim they found it.. Ehh
The developer has assigned the CVE to my friend and someone from this security company..
>>
Ori Damari
@0xrepnz
Jan 22

My friend found a vuln in October.. He managed to exploit it and reported it to the developers..
One month later (right now), some security company just posted that they found this vulnerability 😮🤔 >>
Ori Damari retweeted

Mathieu Tarral
@mtarral
Jan 21

Just sharing this amazing guide to unikernels and immutable infrastructure
github.com/cetic/unikerne…
cc @rageagainsthepc
Ori Damari retweeted

Gal De Leon
@galdeleon
Jan 21

Excited to speak at @BlueHatIL about logical vulnerabilities I discovered in Windows Error Reporting 😀 twitter.com/BlueHatIL/stat…