James Forshaw
Security researcher in Google Project Zero. Author of Attacking Network Protocols. Tweets are my own etc. .
4,729 Tweets
361 Following
31,115 Followers
Tweets
James Forshaw Retweeted
Yarden Shafir Feb 2
Can your EDR detect symbolic link callback rootkits? Because ours sure as heck can't. and I wrote about these!
James Forshaw Retweeted
SandboxEscaper Jan 31
I hope my last 3 write-ups have covered the subject of filesystem bugs enough. It talks about discovery using procmon, and also poc writing now. You can just copy paste from the poc on github for a lot of bugs I guess. I hope it helps get at least one person into the field.
James Forshaw Feb 1
Replying to @blowdart @martinwoodward
You're just jealous you wouldn't be able to take part.
James Forshaw Jan 31
Replying to @daveaitel
I'm pretty sure the UK government also consider them an espionage threat, but are just more pragmatic. And no doubt we'll do a u-turn when we're begging the US for any sort of trade deal once the Tory scum need to find any way to make it look like Brexit was worth it.
James Forshaw Jan 30
Replying to @monoxgas @jack_halon
ProcessWow64Information NtQueryInformationProcess info class?
James Forshaw Retweeted
j00ru//vx Jan 30
Just published a follow-up to my Adobe Reader symbols story on the Project Zero blog. Turns out there's even more debug metadata to be found in some old (and new) builds, including private CoolType symbols. Enjoy!
James Forshaw Jan 30
Replying to @thegrugq
Pot, meet Kettle...
James Forshaw Jan 30
A quick post on why you shouldn't use SYSTEM Tokens when you sandbox a process. Part 1 of N (where I haven't decided how big N is).
James Forshaw Retweeted
nedwill Jan 29
Excited to start the new year with CVE-2020-3842 :) It's a fun one and unlike the other bugs I reported so far so I'm looking forward to (responsibly) disclosing it.
James Forshaw Retweeted
Bill Pollock -- shmooooocon Jan 28
James Forshaw Jan 28
Replying to @explanoit
But I'm sure someone got promoted, so there's that.
James Forshaw Jan 28
Replying to @ManuelBerrueta
Yup. MS Windows QA (or lack thereof) strikes again.
James Forshaw Jan 27
Whatever you do don't run the PS/NtObjectManager command '[NtApiDotNet.CreateUserProcess]::Fork("IgnoreSectionObject", 0)' on Windows 10 1909. I did and I was very sad, so just don't!
James Forshaw Jan 27
Replying to @phenlix @elwell2000 @cybergibbons
You fitted the plug yourself, quite literally. Or you put a screwdriver into the Earth Pin to lift the protection gate and carefully inserted the bare wire ;-)
James Forshaw Jan 26
Replying to @pwntester @0xdea and 3 others
There's always something about classes with Security in the name which seem to do the opposite ;-)
James Forshaw Jan 26
Replying to @EranShimony
In the kernel you have an additional option, you can specify IO_STOP_ON_SYMLINK to IoCreateFileEx to stop the open if it encounters a reparse point. There's also the undocumented OBJ_DONT_REPARSE OBJECT_ATTRIBUTES flag, but that even stops on parsing the drive letter symlink :/
James Forshaw Jan 26
Replying to @EranShimony
Doing impersonation correctly helps massively ;-) But other techniques to mitigate are post-open checking of the resource location (if it's not what you expected there's probably a symlink involved) or checking the link count on the file (for hardlinks).
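The two user-mode mitigations from the replies above (post-open check of where the handle actually landed, and a link-count check for hardlinks) as an added C# example. This is not code from the thread and not part of NtApiDotNet or NtObjectManager; it uses the documented Win32 calls GetFinalPathNameByHandle and GetFileInformationByHandle via P/Invoke. The class name, the `OpenChecked` helper, the "single name" policy and the expected directory passed on the command line are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32.SafeHandles;

// Added example: a privileged component opens a path it was handed, then
// validates the resulting HANDLE rather than the path string. Because both
// checks run on the already-open handle, a symlink/junction swapped in after
// the open cannot change what is being inspected.
static class SafeOpenCheck
{
    [StructLayout(LayoutKind.Sequential)]
    struct BY_HANDLE_FILE_INFORMATION
    {
        public uint dwFileAttributes;
        public System.Runtime.InteropServices.ComTypes.FILETIME ftCreationTime;
        public System.Runtime.InteropServices.ComTypes.FILETIME ftLastAccessTime;
        public System.Runtime.InteropServices.ComTypes.FILETIME ftLastWriteTime;
        public uint dwVolumeSerialNumber;
        public uint nFileSizeHigh;
        public uint nFileSizeLow;
        public uint nNumberOfLinks;   // hardlink count: >1 means other names exist
        public uint nFileIndexHigh;
        public uint nFileIndexLow;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool GetFileInformationByHandle(
        SafeFileHandle hFile, out BY_HANDLE_FILE_INFORMATION lpFileInformation);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern uint GetFinalPathNameByHandle(
        SafeFileHandle hFile, StringBuilder lpszFilePath, uint cchFilePath, uint dwFlags);

    const uint FILE_NAME_NORMALIZED = 0x0;
    const uint VOLUME_NAME_DOS = 0x0;

    // Opens 'path' for read and returns the stream only if (a) the final,
    // reparse-resolved location lies under 'expectedDir' and (b) the file has
    // exactly one name. Otherwise the handle is closed and an exception thrown.
    public static FileStream OpenChecked(string path, string expectedDir)
    {
        var fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read);
        try
        {
            // Check 1: where did the open actually end up?
            var sb = new StringBuilder(32768);
            uint len = GetFinalPathNameByHandle(fs.SafeFileHandle, sb,
                (uint)sb.Capacity, FILE_NAME_NORMALIZED | VOLUME_NAME_DOS);
            if (len == 0 || len > sb.Capacity)
                throw new IOException("GetFinalPathNameByHandle failed: " + Marshal.GetLastWin32Error());
            string finalPath = sb.ToString();
            if (finalPath.StartsWith(@"\\?\")) finalPath = finalPath.Substring(4);

            string expectedFull = Path.GetFullPath(expectedDir).TrimEnd('\\') + "\\";
            if (!finalPath.StartsWith(expectedFull, StringComparison.OrdinalIgnoreCase))
                throw new UnauthorizedAccessException(
                    "Handle resolved outside expected directory (symlink/junction?): " + finalPath);

            // Check 2: does the file have other names (hardlinks)?
            if (!GetFileInformationByHandle(fs.SafeFileHandle, out var info))
                throw new IOException("GetFileInformationByHandle failed: " + Marshal.GetLastWin32Error());
            if (info.nNumberOfLinks != 1)
                throw new UnauthorizedAccessException(
                    "File has " + info.nNumberOfLinks + " links; refusing (hardlink?)");

            return fs;
        }
        catch
        {
            fs.Dispose();   // never leak the handle on a failed check
            throw;
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: SafeOpenCheck <file> <expected-directory>");
            return 2;
        }
        try
        {
            using (var fs = OpenChecked(args[0], args[1]))
                Console.WriteLine("OK: " + args[0] + " (" + fs.Length + " bytes)");
            return 0;
        }
        catch (Exception ex)
        {
            Console.Error.WriteLine("REJECTED: " + ex.Message);
            return 1;
        }
    }
}
```

As the reply says, these are secondary to impersonating the caller during the open, which lets the kernel apply the right access check regardless of where the link points; the handle checks are a belt-and-braces layer for code that cannot impersonate. The prefix comparison on the final path is a policy choice for the example, and the "exactly one link" rule will also reject legitimate files that were intentionally hardlinked, so tune it to the directory being protected.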
James Forshaw Retweeted
Julio Ureña Jan 25
Just finished the writeup for my learning process to replicate the CVE-2019-19470, I also published the source code for exploit and a Masquerade-PEB C#. Hope you enjoy!
James Forshaw Jan 26
Replying to @0xdea @4chr4f2 and 3 others
Shame, .NET serialization gadgets are meant to be free :-D. Still wouldn't surprise me if said to take it down as there are rules on what you're supposed to share, even after the fix. But we can all surmise it's a WCF DataContract to BinFmt gadget ;-)
James Forshaw Retweeted
Bill Pollock -- shmooooocon Jan 24
Advance copy. Coming soon!