@SandboxBear
Procmon works very well for me. If I were to write my own tooling, I would write something similar to process monitor, at least visually, that allows you to hook arbitrary functions (ones that are used for resource access) to find race conditions elsewhere, not just filesystem
SandboxEscaper
@SandboxBear
16 Dec
sandboxescaper.blogspot.com/2019/12/chasin… Here is part one. Pretty sure the attack surface described has many more bugs (not just the vmware tools installer.. I doubt this bug is exploitable in the first place, just wanted something to demo that is unpatched, easier for folks to learn!)
checkymander
@checkymander
17 Dec
awesome post, out of curiosity have you thought of subscribing to SHChangeNotify or something similar to monitor for when the files get created/deleted?
checkymander
@checkymander
17 Dec
Sorry, I meant in reference to your poc where you attempt to createfile until the file is gone and the call succeeds.
SandboxEscaper
@SandboxBear
17 Dec
lol! Sorry, I completely misunderstood. Yes, I have done that in the past, but it's too slow when you have a really small timing window. It takes a while for the event to register. Sometimes you can get away with the small delay, sometimes not.