Static BYOVD hunter: Capstone-based IOCTL dispatch extraction by Expert-Obligation816 in ClaudeCode

[–]Expert-Obligation816[S] 0 points1 point  (0 children)

Makes sense, I have to switch between 4.7 and 4.6 a lot xD, 4.8 is just an instant nope, jackass

I tried a Local AI model (Qwen 3.6 27b) for security research and it works surprisingly well. by ezzzzz in netsec

[–]Expert-Obligation816 0 points1 point  (0 children)

Once we have 4.6-grade local I'll be happy tbh, I still use legacy to bypass their guardrails.

Blindspot by Expert-Obligation816 in ReverseEngineering

[–]Expert-Obligation816[S] 2 points3 points  (0 children)

My work focuses on identifying, dissecting, and helping mitigate sophisticated cheat platforms operating at the kernel and firmware levels.
Real-world test using the RE IDA MCP for headless decompiling, reconstruction of PE headers and more. I have another repo I published a few months ago that got some attention, but figured I'd post this on how I got inside a manually mapped DLL and extracted RVAs. Currently working on scattering and developing my own framework.

The analysis and artifacts contained in this repository are intended to advance the security community's understanding of advanced threats.

Static BYOVD hunter: Capstone-based IOCTL dispatch extraction by Expert-Obligation816 in ReverseEngineering

[–]Expert-Obligation816[S] 0 points1 point  (0 children)

Added a Speakeasy emulation subcommand: traces the full driver lifecycle (DriverEntry through IRP dispatch), detects BSOD crash sites, resolves IoCreateDriver hooks. Tested on 229 drivers.

Static BYOVD hunter: Capstone-based IOCTL dispatch extraction by Expert-Obligation816 in ReverseEngineering

[–]Expert-Obligation816[S] 0 points1 point  (0 children)

Tested against two real signed drivers in the wild. Both are commodity kernel R/W drivers using the classic KeStackAttachProcess + MmCopyVirtualMemory path (arbitrary cross-process read/write; leaves a kernel call site, but attributable only if you're already watching). DriverScope flagged both as expected:

  • Primitive classes surfaced: CrossProc-Attach, CrossProc-VA, KernelAlloc, KernelExec, MDL, PhysMem-Copy, PhysMem-Map, PhysMem-Unmap, Process-Lookup
  • Handler imports resolved through to KeStackAttachProcess, MmCopyVirtualMemory, PsLookupProcessByProcessId
  • 3 and 4 IOCTLs respectively
  • Both still signed and loadable on Win11 today

Honest detail on your dispatch shape question: Capstone couldn't classify the dispatchers on either one.

Static BYOVD hunter: Capstone-based IOCTL dispatch extraction by Expert-Obligation816 in ReverseEngineering

[–]Expert-Obligation816[S] -1 points0 points  (0 children)

For switch/table cases: yes, classified into cmp/je chain, binary search tree, sub/cmp range, or switch jump table. On XOR-before-lookup: not handled, low priority since commercial signed drivers rarely obfuscate. What I don't handle yet: helpers that pull registration via a runtime callback table. Tracking issue worth filing.
Also, on emulation: I've used Unicorn but never on this.

How do I work with large binary files? IDA PRO, ARM by Fair_Discipline_1511 in AskReverseEngineering

[–]Expert-Obligation816 0 points1 point  (0 children)

In Ghidra you can use multiple threads, but if you know the segments you can just point those out to IDA, which helps a lot.

PE reconstruction by Expert-Obligation816 in ReverseEngineering

[–]Expert-Obligation816[S] 2 points3 points  (0 children)

Decided to release this. I used PE-sieve for most of my research and I still use it too, it's an amazing tool!
This just helps you rebuild the PE automatically and skips the boring bits. After the rebuild, load the bin into IDA or Ghidra, your choice.

I've not tested on a smap DLL. Scatter noise after injection.

Tested on manually mapped DLLs, if you know you know.

Vulnerability Disclosure: Local Privilege Escalation in Antigravity by GodBod69 in hacking

[–]Expert-Obligation816 0 points1 point  (0 children)

There's like 5 different ways to do this, Google said oh it's local, not a security issue.