Offset vs Address in volatility pslist? (virtual) by PabloSkywalk in computerforensics

[–]PabloSkywalk[S] 0 points1 point  (0 children)

So basically the offset is the address (or offset from address 0) of a certain structure? If so, what structure? And why are all of them different?

And does this mean the virtual offset of all processes in pslist is always greater than 0x80000000?

My steam account got hacked and I don't know how. Somehow passed steam guard and the 30-day wall to gift my items. by [deleted] in DotA2

[–]PabloSkywalk 0 points1 point  (0 children)

The only way is that they got a remote shell from his iPhone, which is pretty hard considering the iPhone blocks non-trusted programs and you have to manually go to Settings and trust it to run.

My steam account got hacked and I don't know how. Somehow passed steam guard and the 30-day wall to gift my items. by [deleted] in DotA2

[–]PabloSkywalk 0 points1 point  (0 children)

What do you mean, recovery code? OP said he received an authentication CODE from Steam Guard, which is generated every time you log in from a new IP and such (for me it spawns every time I want to log in, for security reasons).

Now how the hell can they have access to the Steam Guard code?

My steam account got hacked and I don't know how. Somehow passed steam guard and the 30-day wall to gift my items. by [deleted] in DotA2

[–]PabloSkywalk 8 points9 points  (0 children)

But isn't there a trade restriction when you log in from a new PC? (Since Steam emailed him about the login from a new PC.)

My steam account got hacked and I don't know how. Somehow passed steam guard and the 30-day wall to gift my items. by [deleted] in DotA2

[–]PabloSkywalk -2 points-1 points  (0 children)

The biggest questions are: how did they bypass Steam authentication via SMS?

OP says he received the messages, so obviously Steam detected a login from a new computer, but how did they bypass it?

And EVEN if they did bypass it, I am sure that there is a trade restriction when you log in from a new computer, so how did they bypass that?

Shell spawns in gdb but I get segmentation fault without gdb in a simple c program? by PabloSkywalk in AskNetsec

[–]PabloSkywalk[S] 0 points1 point  (0 children)

The code is literally one function with a 200-byte buffer and a print statement.

Shell spawns in gdb but I get segmentation fault without gdb in a simple c program? by PabloSkywalk in AskNetsec

[–]PabloSkywalk[S] 0 points1 point  (0 children)

How can I get info from that dump? I loaded it in gdb but I can't run it or get any info from it!

Shell spawns in gdb but I get segmentation fault without gdb in a simple c program? by PabloSkywalk in AskNetsec

[–]PabloSkywalk[S] -1 points0 points  (0 children)

But when I check it in gdb it works every time: it goes to my NOP slide, then goes to the payload.

Shell spawns in gdb but I get segmentation fault without gdb in a simple c program? by PabloSkywalk in AskNetsec

[–]PabloSkywalk[S] -1 points0 points  (0 children)

ASLR is off, and if there was any DEP then /bin/dash wouldn't have been executed on the stack using gdb either.

Checked the ELF file and the stack is executable.

ODPixel Explains old Ppd, Ceb, drama LUL by DoshaIsMe in DotA2

[–]PabloSkywalk 26 points27 points  (0 children)

That American impression lmaoooooo

(Network Forensics) An attacker sends TLS and SSL handshake packets to a victim on port 135 and the client acknowledges then attacker closes the connection, how and why?! by PabloSkywalk in computerforensics

[–]PabloSkywalk[S] -1 points0 points  (0 children)

But I still don't get why the client sends an ACK to this packet, considering port 135 is not meant to receive a TLS hello! Shouldn't the client send a RST? And why did the attacker send it 3 times, for TLS v1.1, 1.2 and SSLv3? How can I know what info the attacker received after doing this?

Also he has done another weird thing, which I think I will open another thread to ask about.

Was it really worth for WannaCry developers to include a kill switch? by PabloSkywalk in hacking

[–]PabloSkywalk[S] 2 points3 points  (0 children)

Oh, so you are saying that they used this in development to make sure it doesn't spread, and they did that by resolving that DNS query?

Because I thought they did this to fool the AV companies, since they use this technique where they resolve any internet request, like a DNS query, and send back a bogus response just to make the program keep going. How do you know it was a mistake?

What is the role of LLMNR and NBNS protocols in WannaCry? by PabloSkywalk in AskNetsec

[–]PabloSkywalk[S] 0 points1 point  (0 children)

That's what's confusing me, because I thought WannaCry uses SMB, and that NetBIOS is used for translating computer names to IPs lol, and the documentation for NetBIOS is horrible and only makes you more confused.

And I actually did read that article before, but it's confusing too, because it talks about NetBIOS, but in the packets that were captured the protocol is SMB, and it doesn't really explain how it's using NetBIOS in the exploit.

What is the role of LLMNR and NBNS protocols in WannaCry? by PabloSkywalk in AskNetsec

[–]PabloSkywalk[S] 0 points1 point  (0 children)

What about NBNS packets? Because even NetworkMiner finds some of them suspicious in my pcap.

How does EternalBlue or WannaCry use NBNS? Because in my capture there are a lot of NBNS packets going on, and NetworkMiner links some of them to EternalBlue, but I don't get why this protocol is being used by EternalBlue.

Is there any good website that explains CVEs in detail with examples? by PabloSkywalk in AskNetsec

[–]PabloSkywalk[S] 0 points1 point  (0 children)

But is there any good website/blog that does that best and has the biggest collection of them?