Can Bölük
Security researcher and reverse engineer; mostly interested in Windows kernel development and low-level programming. Founder of .
26
Tweets
58
Following
621
Followers
Tweets
Can Bölük Jan 12
Replying to @vm_call
Much better than dumb /Device/PhysicalMemory detection targeting the binary, using a few braincells goes a long way :)
Can Bölük retweeted
Carl Schou / vm Jan 12
BattlEye, a popular anti-cheat, has been detecting unknown cheats by using heuristics in combination with the x86 trap flag. This was done to specifically target "The Perfect Injector" by from usermode.
Can Bölük Dec 2
Replying to @Franciscochoz @PorterPlant and 2 others
Competition? When they have exclusivity contracts? Haha.
Can Bölük Nov 27
Replying to @hFireF0X
Undocumented offsets.
Can Bölük Nov 18
Replying to @_can1357
I've received this question a lot so wanted to clarify. Do not use Windbg to debug this project, it will not work due to the internals of ByePg. VMWare GDB stub or any other hypervisor will work fine.
Can Bölük Nov 18
After an additional week of work, ExHook is finally live. ExHook is a standalone project utilizing ByePgLib allowing you to hook all kernel-to-user exits (SYSCALL or any interrupt) bypassing PatchGuard. Enjoy!
Can Bölük Nov 7
Replying to @vm_call
Hilarious.
Can Bölük Oct 21
Just pushed a SEH module to ByePg, letting you use SEH in manual mapped drivers effectively bypassing another PatchGuard protected mechanism as it protects PsInvertedFunctionTable. System-call hooks coming Soon™.
Can Bölük Oct 20
Replying to @mjpaol @nickeverdox
ofc not🙃
Can Bölük Oct 20
Just published my latest project "ByePg", exposing an entirely new attack surface to PatchGuard/NT and bringing 's InfinityHook back:
Can Bölük Oct 9
Replying to @PetrBenes @standa_t
just fyi, you can check _KPROCESS.AddressPolicy to detect this behavior
Can Bölük Sep 9
Replying to @nickeverdox
You need a logo and a website Nick, should be clear after POPSS one smh...
Can Bölük Aug 11
Replying to @0xNemi @nickeverdox and 2 others
I'm literally crying
Can Bölük Jul 17
Replying to @nickeverdox
Who cares about PG /s. Memes aside, excited to see how you pulled it off 🤓
Can Bölük Dec 3, 2018
Replying to @Intel80x86 @yarden_shafir
..with the right configuration.
Can Bölük Dec 3, 2018
Replying to @Intel80x86 @yarden_shafir
Gdb stub hides them.
Can Bölük Dec 3, 2018
Replying to @yarden_shafir @Intel80x86
You can always set a read bp on it via VMware gdb stub to avoid the bsod delay but yeah, can't really escape the randomness of checks and the delays between them. I'm somewhat confident it's checked on Win10 but frankly no idea about Win7.
Can Bölük Dec 3, 2018
Replying to @Intel80x86 @yarden_shafir
I researched Patchguard for around a year and 4 hrs was the magic number I found after which I could be quite confident ¯\_(ツ)_/¯
Can Bölük Dec 3, 2018
Replying to @yarden_shafir @Intel80x86
IIRC, it is. If you want to test just get the latest windows 10, modify it and see if you can survive 2/3 boots for longer than 4 hrs, pretty easy to test.
Can Bölük Jul 21, 2018
Replying to @aluhrs13
Thanks for the swift fix :)