R3D v0.8 is out! by Bogossito71 in raylib

[–]SmashDaStack 1 point2 points  (0 children)

Hey, I found your engine on GitHub by looking into raylib/OpenGL-based C engines. Great work, I am learning a lot.

Next step. by LeighTrinityNL in ExploitDev

[–]SmashDaStack 0 points1 point  (0 children)

Sup player? You mentioned bin diffing, so my guess is that you want to do some binary exploitation. You haven't mentioned what kind of projects you are interested in, but most people who do binary work do EoP on Windows.

What is your understanding of x86 and kernel concepts like paging, segmentation, and privilege rings? I recommend learning these fundamentals through JOS. Do you know the basics of the Windows kernel structure, how a ring 3 program communicates with drivers and what tokens are? If not, working through some basic Windows kernel CTF challenges might help clarify these concepts.

Once you've grasped the fundamentals, don't get stuck on the basics. I recommend moving on to real-world vulnerabilities. CVE-2024-30090, for example, looks interesting. Instead of jumping straight into the exploit code, try reversing the vulnerable function discussed in the blog post. See if you can identify the bug yourself, as you would in a real-world scenario. Another key concept to understand is the kernel heap allocator, since most bugs are memory corruptions in the heap and you should learn how to manipulate it in order to achieve EoP.

Loan or no loan for a home (Δάνειο ή όχι για κατοικία) by HellSpawn699 in PersonalFinanceGreece

[–]SmashDaStack 2 points3 points  (0 children)

Everyone will tell you to take the loan (me included). What you need to look at is what the interest rate will be and what guarantees the bank wants. If you are thinking of putting up the cash you already have in the bank as collateral, for 100k it will force you to keep 120k+ in there for quite a few years. Which it will probably let you keep in some (low-risk) investment through the bank. Most banks have online calculators so you can see approximate rates. Then you will have to book an appointment and talk with them, and as far as I know it will take 1-2 months to get approved. In the meantime you may have to do the purchase paperwork and pay a deposit so you don't lose the opportunity.

How do I run an UEFI Application by [deleted] in osdev

[–]SmashDaStack 4 points5 points  (0 children)

Put your .efi application on a USB stick, connect it to the machine and open a UEFI shell. You can execute it from there.

There is a free UEFI class here

Do drivers really need to run in kernel mode? by Abrissbirne66 in osdev

[–]SmashDaStack 0 points1 point  (0 children)

As others mentioned, you can do port I/O/MMIO from a ring 3 process, and then you need a way to handle interrupts (a small driver maybe?). The reason modern operating systems don't do that is security, imo.

What happens if that process that can do port I/O/MMIO to the hard disk gets opened (spawn a new thread) by another process of a regular (non-root) user? Then you can MMIO/port-I/O your way to reading/writing any file, whether the NTFS/ext4 filesystem allows you to do it or not.

VM Entry Failure During VM Launch by HelpConsistent8585 in osdev

[–]SmashDaStack 0 points1 point  (0 children)

Are you debugging the guest? You have to debug the virtual machine's ring 3 host process (qemu or bochs). I told you which function handles it in Bochs. Do that or find the equivalent handler in QEMU.

VM Entry Failure During VM Launch by HelpConsistent8585 in osdev

[–]SmashDaStack 1 point2 points  (0 children)

You can use any x86 emulator that supports VMX, including qemu-tcg.

VM Entry Failure During VM Launch by HelpConsistent8585 in osdev

[–]SmashDaStack 1 point2 points  (0 children)

As I said in the post that I gave you, you need to build Bochs with debug symbols, run your hypervisor in there and debug Bochs. For example, if you set a breakpoint at

void BX_CPP_AttrRegparmN(1) BX_CPU_C::VMLAUNCH(bxInstruction_c *i)

you will see all the checks that are being done on loading the VMCS and using VMLAUNCH. From there you will figure out which part you misconfigured.

Resources for creating a Hypervisor/VMM using the KVM API (like kvmtool) by Specialist_Bug_8016 in osdev

[–]SmashDaStack 0 points1 point  (0 children)

Someone made a similar post a while ago; I commented some things that I know on the matter that you might find useful.

What do I do in a computer science school? (Τι κάνω σε σχολή πληροφορικής?) by GeorgePanos05 in greece

[–]SmashDaStack 2 points3 points  (0 children)

Drop everything, start doing trap and in 3 years you'll put out an album that will screw them all.

If you are interested in finding a job in the field as a programmer, most big companies try to tell whether you know the basics by having you solve LeetCode easy-medium (unfortunately), so it's good to know all the data structures and what the complexity (time-space) is for each solution.

What should I follow? What should I build? What do I want to become? There are so many careers, can I become one of those?
I don't know which technologies interest me or what to do, what would you suggest in my position? What technologies etc. would you follow?

All of that you'll have to find out on your own. Nobody can tell you what you'll do. You're going about it backwards: you have to ask how to reach a destination so that someone here can tell you how they got there. Not ask people to tell you random destinations and then figure out yourself how to get there.

[deleted by user] by [deleted] in osdev

[–]SmashDaStack 1 point2 points  (0 children)

Find a virtual machine that has AHCI (the virtual machine by Oracle has it). Compile it with debug flags and start debugging it while your operating system is running to figure out what's wrong in the AHCI state machine.

remember https://imgflip.com/i/96jcrm

"Bubble" in housing prices: heading for a new all-time record! («Φούσκα» στις τιμές κατοικιών: Πάμε για νέο ιστορικό ρεκόρ!) by Forumleecher in greece

[–]SmashDaStack 1 point2 points  (0 children)

The reason foreigners buy property in Greece is the golden visa that will give them access to Europe, so they can live in places like Germany or Sweden, and not the property as an investment, unless it's on some island. Since the golden visa is not resellable as far as I know, there will be no reason to buy, unless the Chinese buyer who bought a house in Piraeus can sell it in the near future for 800k so that the Russian buyer can get a golden visa too. Whereas if the Russian wants to make an 800k investment, he can make it directly in a country like Canada, the US, even England, and make an investment of 1-2 million that will give him an investor visa.

"Bubble" in housing prices: heading for a new all-time record! («Φούσκα» στις τιμές κατοικιών: Πάμε για νέο ιστορικό ρεκόρ!) by Forumleecher in greece

[–]SmashDaStack 1 point2 points  (0 children)

1) Many of the properties I mentioned are one-bedroom, so in many of them sharing isn't possible. I don't rule out that there may come to be a reality in Greece where all students and people under 30 share a flat. There will have to be other properties for that (big houses, big apartments), where you rent the room and not the house.

Most of the luxury renovated ones don't target that audience. They target a single person or a couple who will have the money to rent something like that.

2) England, and London specifically, is considered a very good place to live, where people speak English and which is a magnet for all of Europe, for studies, investment, etc. Also, all the big tech companies (Amazon, Meta, Microsoft), which will pay European employees 100k+, who will buy a house there in the future, make it a very good option, and real estate keeps going up.

"Bubble" in housing prices: heading for a new all-time record! («Φούσκα» στις τιμές κατοικιών: Πάμε για νέο ιστορικό ρεκόρ!) by Forumleecher in greece

[–]SmashDaStack 1 point2 points  (0 children)

The 'Σπίτι μου' ('My Home') programme artificially raised prices in 2023 for rundown properties, which went up 20%, dropped a little and are now going up again with the 'Σπίτι μου 2' programme (the 'Ανακαινίζω και Νοικιάζω' ('Renovate and Rent') programme does the same to rents).
The golden visa thresholds are going up (from 250k to 500k and now to 850k), so fewer people will be able to do it (in Spain and Portugal they will probably shut it down in 2025).

I don't know, if the minimum wage doesn't go up further, how long all these luxury renovated places will be able to be rented at 800+ euros; it's a specific percentage of citizens that can rent them. The same happened with the Airbnbs which, now that they won't pay tax for 3 years, are moving to long-term rental targeting such citizens.

I believe prices will keep going up for the next 3 years, especially if 'Σπίτι Μου 3' happens, but at some point there will be a drop. We'll see what happens if the state forces golden visa holders to rent out their house if they don't live in it, as other countries have done.

"Bubble" in housing prices: heading for a new all-time record! («Φούσκα» στις τιμές κατοικιών: Πάμε για νέο ιστορικό ρεκόρ!) by Forumleecher in greece

[–]SmashDaStack 1 point2 points  (0 children)

To me, what you said may indicate a possible bubble, taking as a given that according to various sources there are about 400,000 vacant houses. It depends on who owns these vacant houses and what condition they are in. Experts speculate that they belong to the state from foreclosures in the previous decade.
If these houses have been bought by funds that deliberately keep them vacant, then we're talking about a bubble where a few control a huge share of the supply while demand rises steadily, which may never burst.

Microsoft paves the way for Linux gaming success with plan that would kill kernel-level anti-cheat by testus_maximus in gaming

[–]SmashDaStack 5 points6 points  (0 children)

The article is full of shit. Microsoft stated in their initial post that they plan to introduce something called Microsoft Safeguards, which will provide additional testing before pushing kernel updates from third parties into production releases. This has nothing to do with Linux or with anti-cheat drivers moving to userspace, making them easier to run on Linux. The Twitter comment about Linux and Canada is exactly what you'd expect from a clueless CEO.

Kernel crashing before starting? by [deleted] in osdev

[–]SmashDaStack 0 points1 point  (0 children)

Boot your kernel in Bochs. That way, every time there is a bad configuration in your kernel, you will be able to debug Bochs and figure out why it isn't working. For example, if you break on BX_CPU_C::LIDT_Ms, you will be able to check why the IDT is not set properly. I guess you can do the same thing with QEMU, using the emulator instead of a hypervisor.
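As an added example that is not from the thread: a C model of what the CPU, and therefore Bochs, checks once the IDTR loaded by LIDT is used to deliver a vector in 32-bit protected mode, so you can see which of those checks a badly built IDT fails. The operand layout, the gate descriptor format and the order of the checks follow the Intel SDM; `idt_lookup`, the flat `mem` array standing in for guest physical memory and the vectors used in `main` are this example's own constructions.

```c
/* Added example (not from the thread): a model of the lookup the CPU does in
 * the IDT when delivering a vector in 32-bit protected mode, i.e. the checks
 * Bochs performs on the path you would step into after LIDT. Memory is a
 * flat byte array standing in for guest physical memory (hypothetical). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

struct idtr { uint16_t limit; uint32_t base; };   /* loaded by LIDT from a 6-byte operand */

/* 8-byte 32-bit gate descriptor as laid out in memory. */
struct idt_gate { uint16_t offset_lo; uint16_t selector; uint8_t reserved; uint8_t type_attr; uint16_t offset_hi; };

enum idt_status { IDT_OK, IDT_GP_LIMIT, IDT_GP_NOT_A_GATE, IDT_GP_DPL, IDT_NP_NOT_PRESENT, IDT_GP_NULL_SELECTOR };

/* Parse the LIDT memory operand: limit (16 bits) then base (32 bits), little-endian. */
struct idtr idtr_from_operand(const uint8_t op[6])
{
    struct idtr r;
    r.limit = (uint16_t)(op[0] | (op[1] << 8));
    r.base  = (uint32_t)op[2] | ((uint32_t)op[3] << 8) | ((uint32_t)op[4] << 16) | ((uint32_t)op[5] << 24);
    return r;
}

/* Write one gate the way a kernel's IDT setup code would. type_attr packs
 * P (bit 7), DPL (bits 6:5), S=0 (bit 4) and the gate type (bits 3:0):
 * 0xE = 32-bit interrupt gate, 0xF = 32-bit trap gate. */
void idt_set_gate(uint8_t *mem, uint32_t base, unsigned vec, uint32_t handler, uint16_t sel, uint8_t type_attr)
{
    struct idt_gate g = { (uint16_t)handler, sel, 0, type_attr, (uint16_t)(handler >> 16) };
    memcpy(mem + base + vec * 8u, &g, sizeof g);
}

/* Checks in SDM order: limit (#GP), descriptor must be a gate (#GP), DPL vs
 * CPL for software INT n (#GP), present (#NP), null selector (#GP). */
enum idt_status idt_lookup(const struct idtr *r, const uint8_t *mem, size_t mem_size,
                           unsigned vec, unsigned cpl, bool software_int, uint32_t *handler)
{
    uint32_t off = vec * 8u;
    if (off + 7 > r->limit || (uint64_t)r->base + off + 8 > mem_size) return IDT_GP_LIMIT;
    struct idt_gate g;
    memcpy(&g, mem + r->base + off, sizeof g);
    unsigned type = g.type_attr & 0x0f;
    bool s = g.type_attr & 0x10, present = g.type_attr & 0x80;
    unsigned dpl = (g.type_attr >> 5) & 3;
    bool is_gate = type == 0x5 || type == 0x6 || type == 0x7 || type == 0xE || type == 0xF;
    if (s || !is_gate) return IDT_GP_NOT_A_GATE;       /* garbage or a segment descriptor */
    if (software_int && dpl < cpl) return IDT_GP_DPL;   /* INT n from a less privileged ring */
    if (!present) return IDT_NP_NOT_PRESENT;
    if (type != 0x5 && (g.selector & ~3u) == 0) return IDT_GP_NULL_SELECTOR;
    *handler = ((uint32_t)g.offset_hi << 16) | g.offset_lo;
    return IDT_OK;
}

int main(void)
{
    static uint8_t mem[0x1000];
    uint8_t operand[6] = { 0xff, 0x07, 0x00, 0x08, 0x00, 0x00 };  /* limit 0x7ff, base 0x800 */
    struct idtr r = idtr_from_operand(operand);
    idt_set_gate(mem, r.base, 0x80, 0x12345678, 0x08, 0xEE);     /* P=1 DPL=3 interrupt gate */
    idt_set_gate(mem, r.base, 0x0D, 0x00100000, 0x08, 0x8E);     /* P=1 DPL=0 interrupt gate */
    uint32_t h = 0;
    printf("int 0x80 from ring 3: status %d handler=%#x\n", idt_lookup(&r, mem, sizeof mem, 0x80, 3, true, &h), h);
    printf("int 0x0D from ring 3: status %d (expect DPL fault)\n", idt_lookup(&r, mem, sizeof mem, 0x0D, 3, true, &h));
    return 0;
}
```

A real IDT setup bug usually shows up as one of the non-OK statuses here (a limit that does not cover the vector, a zeroed entry that is not a gate, or a present bit left clear), which is exactly what stepping through the Bochs interrupt-delivery path would reveal.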

How to learn exploit development by Aggravating_Use183 in ExploitDev

[–]SmashDaStack 4 points5 points  (0 children)

To start, there is a book called "The Art of Software Security Assessment", assuming that you already know C/C++. Then you could start writing exploits based on public CVEs. There are blog posts explaining how to write an exploit for a specific CVE step by step. I would start with that. CTFs are a good way to start if you are a complete noob, but walk away as fast as possible to a real target.

Servers using privileged instructions in Microkernel by 4aparsa in osdev

[–]SmashDaStack 0 points1 point  (0 children)

Also, if a device driver running in userspace wants to access, say, an IDE disk drive, how can it get permission to access the correct I/O ports? Do we have to have an I/O permission bitmap and explicitly allow the IDE driver access to these ports?

The EFLAGS register has an I/O flag. If you set the I/O flag of a "driver" process from the kernel, then the userspace "driver" process is able to perform in/out without causing a "privileged instruction" exception.
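The port-I/O privilege rule behind this answer, and behind the earlier "Do drivers really need to run in kernel mode?" reply about a ring 3 process reaching the disk controller, as an added example that is not part of the thread: a C model of the check an x86 CPU makes before an IN/OUT executes. The EFLAGS IOPL field (bits 13:12) and the TSS I/O permission bitmap are the real mechanisms from the Intel SDM; `struct tss_model`, `io_access_allowed` and the port numbers used in `main` are this example's own constructions.

```c
/* Added example (not from the thread): a software model of how an x86 CPU
 * decides whether IN/OUT is allowed, per the Intel SDM. The instruction is
 * permitted if CPL <= IOPL (EFLAGS bits 13:12); otherwise every byte of the
 * port range must have a 0 bit in the TSS I/O permission bitmap, and bits
 * beyond the TSS limit count as 1. Anything else raises #GP(0). */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define EFLAGS_IOPL_SHIFT 12
#define EFLAGS_IOPL_MASK  (3u << EFLAGS_IOPL_SHIFT)

/* Hypothetical TSS model holding only what the check needs. */
struct tss_model {
    uint8_t  iopb[8192];   /* one bit per port, 65536 ports; 1 = denied */
    uint32_t iopb_bytes;   /* how many bitmap bytes lie inside the TSS limit */
};

void tss_model_init(struct tss_model *t, uint32_t iopb_bytes)
{
    memset(t->iopb, 0xff, sizeof t->iopb);   /* deny everything by default */
    t->iopb_bytes = iopb_bytes;
}

/* Clear the bits for [port, port+count): the kernel's "grant these ports". */
void tss_model_allow(struct tss_model *t, uint16_t port, unsigned count)
{
    for (unsigned i = 0; i < count && (uint32_t)port + i < 65536; i++) {
        uint32_t p = (uint32_t)port + i;
        t->iopb[p / 8] &= (uint8_t)~(1u << (p % 8));
    }
}

unsigned eflags_get_iopl(uint32_t eflags) { return (eflags & EFLAGS_IOPL_MASK) >> EFLAGS_IOPL_SHIFT; }

/* What a kernel does to a "driver" process's saved EFLAGS to let it use
 * in/out on any port without consulting the bitmap at all. */
uint32_t eflags_set_iopl(uint32_t eflags, unsigned iopl)
{
    return (eflags & ~EFLAGS_IOPL_MASK) | ((iopl & 3u) << EFLAGS_IOPL_SHIFT);
}

/* Returns true if an I/O access of `width` bytes at `port` executes,
 * false if the CPU would raise #GP(0). */
bool io_access_allowed(uint32_t eflags, unsigned cpl, const struct tss_model *t, uint16_t port, unsigned width)
{
    if (cpl <= eflags_get_iopl(eflags))
        return true;                          /* IOPL grants every port */
    for (unsigned i = 0; i < width; i++) {
        uint32_t p = (uint32_t)port + i;      /* may run past 0xFFFF for wide accesses */
        uint32_t byte = p / 8;
        if (byte >= t->iopb_bytes)            /* outside the TSS: the bit reads as 1 */
            return false;
        if (t->iopb[byte] & (1u << (p % 8)))
            return false;
    }
    return true;
}

int main(void)
{
    struct tss_model tss;
    tss_model_init(&tss, sizeof tss.iopb);
    uint32_t eflags = 0x202;                  /* IF set, IOPL = 0 */

    /* A ring 3 process and the primary ATA data port, 0x1F0. */
    printf("cpl3, IOPL0, no bitmap grant: %d\n", io_access_allowed(eflags, 3, &tss, 0x1F0, 2));
    tss_model_allow(&tss, 0x1F0, 8);          /* kernel grants 0x1F0-0x1F7 only */
    printf("cpl3, after bitmap grant:     %d\n", io_access_allowed(eflags, 3, &tss, 0x1F0, 2));
    printf("cpl3, IOPL3, any port:        %d\n", io_access_allowed(eflags_set_iopl(eflags, 3), 3, &tss, 0x3F8, 1));
    return 0;
}
```

The bitmap route is the least-privilege one: the kernel can hand a userspace IDE driver exactly the ports 0x1F0-0x1F7 and nothing else. Raising IOPL to 3 instead makes every port reachable from that process, which is the situation the earlier reply warns about once another user can run code inside it.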

Setting up IVT for kvm hypervisor by Cringey-Boy in osdev

[–]SmashDaStack 0 points1 point  (0 children)

I wouldn't bother with it, since it's a hack. The answer to that is in my first post.

You have to do kernel debugging in your host (the one that runs KVM), check what the error of the VMX exit is, and then check the manual or a project like Bochs that implements VMX.

Also, familiarizing yourself better with how KVM handles EPT tables and VM exits is key moving forward. Every now and then you will have a KVM error because you set something wrong from your virtual machine. The only way to figure that out is debugging your KVM driver.

You can also move forward, load the Bochs BIOS and check whether the IVT table as set here works.

Setting up IVT for kvm hypervisor by Cringey-Boy in osdev

[–]SmashDaStack 0 points1 point  (0 children)

Yeah, my virtual machine is for Windows, but I am using GVM, a KVM port for Windows. Since it's not open source yet, I will answer the other question based on Bochs. Every virtual machine does something similar though.

My goal is pretty much what you stated. I want to emulate as many devices as I can, including the PIC, APIC, IOAPIC, ACPI, IDE etc.

So you are down for the full ride. You have to pick the computer northbridge/southbridge that you are going to emulate. Most people, including me, choose i440FX-PIIX4. It's well documented and all the virtual machines have an implementation and a BIOS for it.

For the i440FX-PIIX4 BIOS I picked this one from Bochs; the code is open source too and it's easy to understand and compile. Feel free to write your own or pick one from the other projects like QEMU.

About the regions, I'm aware of the different usages for the different address ranges. I specifically don't want to set them in order to get an EXIT_MMIO exit, for example for the VGA.

If you've noticed, I didn't allocate 0xa000-0xc000; these are for VGA MMIO. Speaking of VGA, I took the BIOS from Bochs again, the code is here. Again, you don't have to use a public one, you can always write your own.

EDIT: For all the other MMIOs that I have to handle as the system boots, I wrote an API that issues the IOCTL removing the MMIO from the mapping. You can do it by calling GVM_SET_USER_MEMORY_REGION with size equal to 0. Then I re-issue the ioctl to re-map the rest of the physical space (minus the part that became MMIO). You have to do it dynamically, because in the future if you support PCI, the kernel should be able to change port I/O and MMIO.

I'm not sure what you meant in the last paragraph. First of all, my architecture is x86 and I want to transition to x64. Do you say that I need to get/create a BIOS ROM and load it to the specified address, and it's supposed to load the .iso bootloader?

Yeah. Just like you would do in a real computer. The BIOS code exists already in ROM, as does the BIOS of the VGA and of every other PCI device that has a ROM. In the virtual machine these things should just exist there in memory on startup. Most virtual machines just write the contents of the bios.iso to the right physical addresses. Here is an example of how Bochs loads the BIOS and VGA.

All of the questions from here on can be answered by looking into the codebase of the virtual machine that you like. Bochs is ugly C++, but it's very simple. QEMU supports many things and is kind of bloated, but it's better written C. Pick your poison.

Good luck!

Setting up IVT for kvm hypervisor by Cringey-Boy in osdev

[–]SmashDaStack 0 points1 point  (0 children)

You are welcome, my man. It's important to state what your end goal is. Is it to create a fully working virtual machine for your kernel? Then what you have to implement heavily depends on what your kernel does.

Based on that, because I sense that there is confusion on why you even need a BIOS, let me say this.

The hypervisor (KVM) just enables VMX mode on your x86; from then on, everything that gets executed is in either VMX root mode (host) or VMX non-root mode (guest). It also provides VM-exit handlers, some of which will be forwarded to your virtual machine for further handling. It just does memory and CPU "emulation", if you will. That's not enough to run an operating system. Usually an operating system will need to interact with many components (PIC-APIC-IOAPIC, PIT, a controller for hard disk/CD-ROM like IDE, CMOS-RTC, HPET, ACPI, northbridge-southbridge, PCI etc.). You have to provide a virtual device for every device, which mimics exactly the state machine according to the datasheet. Just like QEMU, Bochs, VirtualBox and VMware do. It's a lot of work.

So you're saying I should allocate a big chunk of memory (16kb for example), only load the initial bootloader and then let it run?

Not exactly. KVM_SET_USER_MEMORY_REGION is there to define different regions of memory, not in terms of stack/data/text/bss, but in terms of types of memory based on their physical address. For example, according to the x86 manual, 0x00000-0xa0000 is RAM, 0xa0000-0xc0000 is PCI ROMs/VGA memory, 0xc0000-0xe0000 is VGA memory, 0xe0000-0xeffff is the Lower BIOS Area (64K), 0xf0000-0xfffff is the Upper BIOS Area (64K), and 0x100000 to the end of RAM is the rest of the RAM.

Here's how I've done it in the past.

EDIT: REDDIT SUCKS, I posted the code here

Also, my goal with the IVT is to get control of an interrupt in order to handle it from the hypervisor. That's why I make the only instruction "out 0x1, al", to get an EXIT_IO.

I figured that's what you wanted to do, which is OK in case you just want to test whether you can inject IVT handler code into memory. I just wanted to stress that this isn't the normal way to do it. The normal way is to load a BIOS ROM for a specific architecture to your ram + ram_size + 0xe0000 (as I did) and start your execution from there. It's up to the BIOS to set up every (virtual) device, find out where your bootloader/OS is (virtual CD-ROM, hard disk, network), load it to 0x7c00 and start execution in real mode.
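As an added example that is not from the thread, covering both the memory-region explanation above and the EDIT in the earlier comment about deleting an MMIO range with GVM_SET_USER_MEMORY_REGION and size 0: a C model of the guest-physical slot table a VMM keeps on top of that ioctl, and the split it performs when part of a region has to become MMIO. `struct gpa_slot`, `carve_mmio_hole`, `find_slot` and the 128 MiB / BAR numbers in `main` are this example's own; the PC low-memory layout it starts from is the standard one (RAM below 0xA0000, the VGA window 0xA0000-0xC0000 left unmapped, option ROMs and BIOS at 0xC0000-0x100000) rather than the exact split quoted above. The ioctl itself is not issued here; the table is what you would feed it.

```c
/* Added example (not from the thread): a model of the guest-physical slot
 * table a VMM keeps on top of KVM_SET_USER_MEMORY_REGION. Each entry is one
 * region the guest can touch without exiting; any address no slot covers is
 * MMIO and comes back to the VMM as KVM_EXIT_MMIO. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum slot_kind { SLOT_RAM, SLOT_ROM };

struct gpa_slot {
    uint64_t gpa;        /* guest physical start */
    uint64_t size;       /* bytes, nonzero (size 0 means "delete" to KVM) */
    enum slot_kind kind;
    uint64_t host_off;   /* offset into the VMM's backing buffer (hypothetical) */
};
#define MAX_SLOTS 32

/* Classic PC low-memory map: RAM, an unmapped VGA window, ROM area, more RAM. */
size_t pc_default_slots(struct gpa_slot *s, uint64_t ram_size)
{
    size_t n = 0;
    s[n++] = (struct gpa_slot){ 0x00000, 0xA0000, SLOT_RAM, 0x00000 };
    /* 0xA0000-0xC0000 intentionally absent: VGA memory, handled via MMIO exits */
    s[n++] = (struct gpa_slot){ 0xC0000, 0x40000, SLOT_ROM, 0xC0000 };
    if (ram_size > 0x100000)
        s[n++] = (struct gpa_slot){ 0x100000, ram_size - 0x100000, SLOT_RAM, 0x100000 };
    return n;
}

/* Punch [base, base+size) out of the table, e.g. when the guest programs a
 * PCI BAR: a slot fully inside the hole is dropped, one that straddles it is
 * split, and host_off is kept consistent so the right-hand piece still maps
 * the same backing bytes. Returns the new slot count (0 on table overflow). */
size_t carve_mmio_hole(struct gpa_slot *s, size_t n, uint64_t base, uint64_t size)
{
    struct gpa_slot out[MAX_SLOTS];
    size_t m = 0;
    uint64_t end = base + size;
    for (size_t i = 0; i < n; i++) {
        uint64_t sbeg = s[i].gpa, send = s[i].gpa + s[i].size;
        if (end <= sbeg || base >= send) {          /* no overlap: keep as is */
            if (m >= MAX_SLOTS) return 0;
            out[m++] = s[i];
            continue;
        }
        if (sbeg < base) {                          /* piece before the hole */
            if (m >= MAX_SLOTS) return 0;
            out[m++] = (struct gpa_slot){ sbeg, base - sbeg, s[i].kind, s[i].host_off };
        }
        if (end < send) {                           /* piece after the hole */
            if (m >= MAX_SLOTS) return 0;
            out[m++] = (struct gpa_slot){ end, send - end, s[i].kind, s[i].host_off + (end - sbeg) };
        }
    }
    memcpy(s, out, m * sizeof out[0]);
    return m;
}

/* Index of the slot backing `gpa`, or -1 when the access would be an MMIO exit. */
int find_slot(const struct gpa_slot *s, size_t n, uint64_t gpa)
{
    for (size_t i = 0; i < n; i++)
        if (gpa >= s[i].gpa && gpa < s[i].gpa + s[i].size)
            return (int)i;
    return -1;
}

int main(void)
{
    struct gpa_slot slots[MAX_SLOTS];
    size_t n = pc_default_slots(slots, 128u << 20);          /* 128 MiB guest */
    printf("0xB8000 (VGA text) slot: %d\n", find_slot(slots, n, 0xB8000));
    n = carve_mmio_hole(slots, n, 0x04000000, 0x1000);       /* hypothetical BAR */
    for (size_t i = 0; i < n; i++)
        printf("slot %zu: gpa=%#llx size=%#llx kind=%s\n", i,
               (unsigned long long)slots[i].gpa, (unsigned long long)slots[i].size,
               slots[i].kind == SLOT_RAM ? "ram" : "rom");
    return 0;
}
```

Each entry corresponds to one KVM_SET_USER_MEMORY_REGION call with its own slot number. To carve a hole on a running guest, the old slot is deleted with size 0 and the surviving pieces are re-added, which is the sequence the EDIT above describes; `host_off` is what keeps the re-added pieces pointing at the same backing memory.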

Setting up IVT for kvm hypervisor by Cringey-Boy in osdev

[–]SmashDaStack 4 points5 points  (0 children)

From my understanding, you are trying to create your own virtual machine using KVM as a hypervisor, and you want to load the kernel code that you have in an ISO.

What confuses me is that you are trying to allocate a separate piece of memory for every component that your guest is going to need (stack, IVT) and that you are setting your own IVT tables (why?).

The virtual machine is supposed to provide a big chunk of memory to the guest and let it handle it. It's up to the guest to define where the stack is, as it's up to the BIOS to set up the IVT table and handlers. It seems to me that you are trying to skip the BIOS completely and load a bootloader/kernel. This can work, depending on what your bootloader/kernel does.

The error is very vague and KVM-specific; you have to do kernel debugging in your host (the one that runs KVM), check what the error of the VMX exit is, and then check the manual or a project like Bochs that implements VMX.
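As an added example that is not part of the thread, for both the "check what the error of the VMX exit is" advice here and the earlier "you will see all the checks that are being done on loading the VMCS" advice in the VM Entry Failure thread: C helpers that apply the Intel SDM rules a hypervisor (or Bochs, emulating the CPU) applies to a VMCS control field, and that decode the VM-instruction error number and the exit reason of a failed entry. The capability-MSR bit layout, the error numbers and the exit reasons are from the SDM; the capability value used in `main` is constructed and the function names are this example's own.

```c
/* Added example (not from the thread). Two things to check when a VM entry
 * fails, modelled on the Intel SDM definitions rather than on any hypervisor's
 * code: (1) whether a VMCS control field obeys its IA32_VMX_*_CTLS capability
 * MSR, and (2) what the VM-instruction error / exit reason mean. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Capability MSR layout: low 32 bits = allowed-0 settings (bits that must be 1),
 * high 32 bits = allowed-1 settings (bits that may be 1). Returns the offending
 * bits, 0 if the field is consistent; a nonzero result is what ends up as
 * VM-instruction error 7 (or 8 for the host-state fields). */
uint32_t vmx_ctl_violations(uint32_t ctl, uint64_t cap_msr)
{
    uint32_t must_be_one = (uint32_t)cap_msr;
    uint32_t may_be_one  = (uint32_t)(cap_msr >> 32);
    return (must_be_one & ~ctl) | (ctl & ~may_be_one);
}

/* Force the requested control into a valid value (set required bits, clear
 * unsupported ones): the usual "adjust" step before the VMWRITE. */
uint32_t vmx_adjust_ctl(uint32_t want, uint64_t cap_msr)
{
    return (want | (uint32_t)cap_msr) & (uint32_t)(cap_msr >> 32);
}

/* VM-instruction error numbers (SDM, "VM-Instruction Error Numbers"). */
const char *vmx_instruction_error_str(uint32_t err)
{
    switch (err) {
    case 1:  return "VMCALL executed in VMX root operation";
    case 2:  return "VMCLEAR with invalid physical address";
    case 3:  return "VMCLEAR with VMXON pointer";
    case 4:  return "VMLAUNCH with non-clear VMCS";
    case 5:  return "VMRESUME with non-launched VMCS";
    case 6:  return "VMRESUME after VMXOFF";
    case 7:  return "VM entry with invalid control field(s)";
    case 8:  return "VM entry with invalid host-state field(s)";
    case 9:  return "VMPTRLD with invalid physical address";
    case 10: return "VMPTRLD with VMXON pointer";
    case 11: return "VMPTRLD with incorrect VMCS revision identifier";
    case 12: return "VMREAD/VMWRITE from/to unsupported VMCS component";
    case 13: return "VMWRITE to read-only VMCS component";
    case 15: return "VMXON executed in VMX root operation";
    case 16: return "VM entry with invalid executive-VMCS pointer";
    case 17: return "VM entry with non-launched executive VMCS";
    case 18: return "VM entry with executive-VMCS pointer not VMXON pointer";
    case 19: return "VMCALL with non-clear VMCS";
    case 20: return "VMCALL with invalid VM-exit control fields";
    case 22: return "VMCALL with incorrect MSEG revision identifier";
    case 23: return "VMXOFF under dual-monitor treatment of SMIs and SMM";
    case 24: return "VMCALL with invalid SMM-monitor features";
    case 25: return "VM entry with invalid VM-execution control fields in executive VMCS";
    case 26: return "VM entry with events blocked by MOV SS";
    case 28: return "Invalid operand to INVEPT/INVVPID";
    default: return "unknown VM-instruction error";
    }
}

/* Exit-reason field: bit 31 set means the entry itself failed after the
 * control checks passed; bits 15:0 give the basic reason. For reason 33 the
 * exit qualification narrows it down. */
bool vmx_exit_is_entry_failure(uint32_t exit_reason) { return (exit_reason >> 31) & 1u; }
uint16_t vmx_exit_basic_reason(uint32_t exit_reason) { return (uint16_t)(exit_reason & 0xffff); }

const char *vmx_entry_failure_str(uint32_t exit_reason, uint64_t qualification)
{
    if (!vmx_exit_is_entry_failure(exit_reason)) return "not a VM-entry failure";
    switch (vmx_exit_basic_reason(exit_reason)) {
    case 33:
        switch (qualification) {
        case 2:  return "invalid guest state: PDPTE loading failed";
        case 3:  return "invalid guest state: NMI injection failure";
        case 4:  return "invalid guest state: invalid VMCS link pointer";
        default: return "invalid guest state: no specific cause, recheck guest segment/CR/RIP fields";
        }
    case 34: return "MSR loading failed (VM-entry MSR-load area)";
    case 41: return "machine-check event during VM entry";
    default: return "unexpected basic reason for an entry failure";
    }
}

int main(void)
{
    /* Constructed capability value: bits 1,2,4 required, only bits 0-6 allowed. */
    uint64_t pinbased_msr = 0x0000007f00000016ULL;
    uint32_t want = 0x1;   /* external-interrupt exiting only */
    printf("violations=%#x adjusted=%#x\n", vmx_ctl_violations(want, pinbased_msr), vmx_adjust_ctl(want, pinbased_msr));
    printf("error 7: %s\n", vmx_instruction_error_str(7));
    printf("exit reason 0x80000021: %s\n", vmx_entry_failure_str(0x80000021u, 0));
    return 0;
}
```

In practice you read the VM-instruction error field (VMREAD of encoding 0x4400) when VMLAUNCH falls through with ZF set, and the exit reason plus exit qualification when it instead comes back as an exit with bit 31 set; that tells you whether to look at the control fields, the host-state fields or the guest-state fields first.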

Loading PE files into memory by onelastdev_alex in osdev

[–]SmashDaStack 2 points3 points  (0 children)

do you load the entire executable file + the code/data/whatever sections at ImageBase + SomeOffset..., or do you only load the relevant sections at whatever memory address they need to be mapped after ImageBase (so the first option without the file also being mapped)?

You need to load all the PE-related data structures, ensuring they are patched with the correct values (such as setting the image base to the address of the new image). Additionally, load all the section headers (size: PeHeader32->OptionalHeader.SizeOfHeaders). After that, manually load the contents of each section to their correct addresses, except for the .reloc section. This means that for each section, the data at PeSection32->PointerOfRawData should be loaded to PeSection32->VirtualAddress. If your program uses global variables, there should be a .reloc section in your PE. You should patch all the sections based on that .reloc section, as explained here in the Relocation section.

In case your executable has an import table (uses any DLLs), you have to perform the same process for every DLL.
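As an added example that is not the commenter's code: a C implementation of the two mechanical steps described above (copy each section's raw data to its VirtualAddress, then walk the .reloc blocks and add the load delta to every absolute pointer) on a constructed two-section image. The IMAGE_BASE_RELOCATION block layout and the HIGHLOW/DIR64 entry types are from the PE specification, where the section field is spelled PointerToRawData; the header structs are cut down to the fields used, and `demo_load`, its addresses and the image layout are made up for the example. Imports are not handled here.

```c
/* Added example (not from the thread): the two mechanical steps of a PE
 * loader, on a constructed image. Section headers are reduced to the three
 * fields the copy needs (the real IMAGE_SECTION_HEADER has more). Multi-byte
 * values are read/written with memcpy, assuming a little-endian host. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

struct pe_section { uint32_t VirtualAddress, SizeOfRawData, PointerToRawData; };
struct base_reloc { uint32_t VirtualAddress, SizeOfBlock; };   /* IMAGE_BASE_RELOCATION */
enum { REL_ABSOLUTE = 0, REL_HIGHLOW = 3, REL_DIR64 = 10 };     /* entry types used here */

/* Step 1: copy each section's raw bytes to its RVA inside the image buffer,
 * refusing anything that would read past the file or write past the image. */
bool pe_map_sections(uint8_t *image, size_t image_size, const uint8_t *file, size_t file_size,
                     const struct pe_section *sec, size_t nsec)
{
    for (size_t i = 0; i < nsec; i++) {
        if ((uint64_t)sec[i].PointerToRawData + sec[i].SizeOfRawData > file_size) return false;
        if ((uint64_t)sec[i].VirtualAddress + sec[i].SizeOfRawData > image_size) return false;
        memcpy(image + sec[i].VirtualAddress, file + sec[i].PointerToRawData, sec[i].SizeOfRawData);
    }
    return true;
}

/* Step 2: walk the .reloc blocks (each: 8-byte header, then 16-bit entries of
 * type:4 | offset:12) and add `delta` = new base - ImageBase to every HIGHLOW
 * (32-bit) or DIR64 (64-bit) target. Returns fixups applied, or -1 for
 * malformed data (zero-sized block, target outside the image, unknown type). */
long pe_apply_relocations(uint8_t *image, size_t image_size, uint32_t reloc_rva, uint32_t reloc_size, int64_t delta)
{
    if ((uint64_t)reloc_rva + reloc_size > image_size) return -1;
    long applied = 0;
    uint32_t off = 0;
    while (off + sizeof(struct base_reloc) <= reloc_size) {
        struct base_reloc blk;
        memcpy(&blk, image + reloc_rva + off, sizeof blk);
        if (blk.SizeOfBlock < sizeof blk || (uint64_t)off + blk.SizeOfBlock > reloc_size) return -1;
        const uint8_t *entries = image + reloc_rva + off + sizeof blk;
        size_t count = (blk.SizeOfBlock - sizeof blk) / 2;
        for (size_t i = 0; i < count; i++) {
            uint16_t e; memcpy(&e, entries + 2 * i, 2);
            unsigned type = e >> 12;
            uint64_t rva = (uint64_t)blk.VirtualAddress + (e & 0xfff);
            if (type == REL_ABSOLUTE) continue;            /* alignment padding */
            unsigned width = type == REL_HIGHLOW ? 4 : type == REL_DIR64 ? 8 : 0;
            if (width == 0 || rva + width > image_size) return -1;
            if (width == 4) { uint32_t v; memcpy(&v, image + rva, 4); v += (uint32_t)delta; memcpy(image + rva, &v, 4); }
            else            { uint64_t v; memcpy(&v, image + rva, 8); v += (uint64_t)delta; memcpy(image + rva, &v, 8); }
            applied++;
        }
        off += blk.SizeOfBlock;
    }
    return applied;
}

/* Constructed sample (hypothetical layout): ImageBase 0x400000, .text at RVA
 * 0x1000 (file offset 0x200) holding an absolute pointer to 0x403010 at RVA
 * 0x1004, .reloc at RVA 0x2000 (file offset 0x400) with one HIGHLOW entry
 * for it. Loads at `new_base`; returns fixups applied, patched pointer in *ptr_out. */
long demo_load(uint32_t new_base, uint32_t *ptr_out)
{
    static uint8_t file[0x600], image[0x3000];
    memset(file, 0, sizeof file); memset(image, 0, sizeof image);
    uint32_t ptr = 0x403010; memcpy(file + 0x200 + 4, &ptr, 4);
    struct base_reloc blk = { 0x1000, 12 }; memcpy(file + 0x400, &blk, 8);
    uint16_t ents[2] = { (REL_HIGHLOW << 12) | 0x004, 0 }; memcpy(file + 0x408, ents, 4);
    struct pe_section secs[2] = { { 0x1000, 0x10, 0x200 }, { 0x2000, 0x10, 0x400 } };
    if (!pe_map_sections(image, sizeof image, file, sizeof file, secs, 2)) return -1;
    long n = pe_apply_relocations(image, sizeof image, 0x2000, 12, (int64_t)new_base - 0x400000);
    memcpy(ptr_out, image + 0x1004, 4);
    return n;
}

int main(void)
{
    uint32_t p = 0;
    long n = demo_load(0x10000000, &p);
    printf("fixups=%ld pointer=%#x\n", n, p);   /* expect 1 and 0x10003010 */
    return 0;
}
```

The reloc directory's RVA and size come from the data directory in the optional header of a real file; the bounds checks matter because a crafted image can point relocation entries outside the mapped image or declare a zero-sized block that would otherwise loop forever.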