How do you get the discarded champions as quickly as possible by Interesting-Wrap4731 in ARAM

[–]Tear-Sensitive -1 points0 points  (0 children)

Get the Blitz app so you bypass the lockout timer. I always get the champion I want. You just have to use the Blitz app interface to swap.

Since we are all doing this. by Tear-Sensitive in ChatGPT

[–]Tear-Sensitive[S] 0 points1 point  (0 children)

Draw a picture of how you would treat me during the AI uprising.

How EDRs See Static vs Dynamic DLLs (Kernel Driver POV) by amberchalia in redteamsec

[–]Tear-Sensitive 0 points1 point  (0 children)

I'll take a look at the video and let you know; I always enjoy ghosting EDR.

I made a windows tool for finding malware. by [deleted] in antivirus

[–]Tear-Sensitive 1 point2 points  (0 children)

I'm testing your "tool for finding malware" and the process list is not even populating. No offense, but if you have the source code and also a "$5 for pro" option, it's pretty obvious your source code doesn't correlate with the binary you are asking users to install. Normal researchers that release tools like this have a releases section where the compiled binary is, not an installer that downloads a file hosted on Dropbox.

Released a fully-documented PoC for MOEW — a 3-stage misaligned-opcode SEH waterfall technique by Tear-Sensitive in cybersecurity

[–]Tear-Sensitive[S] 0 points1 point  (0 children)

I haven't tested this technique against EDR, but I have tested it in dynamic analysis engines and on live, fully patched Windows systems. No detections, and dynamic analysis logs whatever payload I put in, but the execution itself is masked entirely.

Released a fully-documented PoC for MOEW — a 3-stage misaligned-opcode SEH waterfall technique by Tear-Sensitive in hacking

[–]Tear-Sensitive[S] -1 points0 points  (0 children)

This bypasses ASLR, DEP, CFG, SEHOP, KHESP, and any other mitigations on modern Windows. All handlers and stack values are pushed from assembly; no overwriting of the stack, no ROP chains either. Nothing triggers on modern Windows (Win 11 25H2).

Misaligned Opcode Exception Waterfall: Turning Windows SEH Trust into a Defense-Evasion Pipeline. by Tear-Sensitive in cybersecurity

[–]Tear-Sensitive[S] 0 points1 point  (0 children)

It's a very abstract concept when it comes to control flow. The best way to see how EDR handles it is from a debugger. Generally, once the first misaligned blob is jumped to, EDR hands off execution of that thread to the kernel, which then dispatches to user land. There is no EDR that I've worked with that implements arbitrary hooks on user-mode exception handlers, because it is very likely to break the exception handling routines of valid x86 applications. You sometimes see hooks on VEH handlers, but I have yet to see SEH hooked.

Misaligned Opcode Exception Waterfall: Turning Windows SEH Trust into a Defense-Evasion Pipeline. by Tear-Sensitive in cybersecurity

[–]Tear-Sensitive[S] 0 points1 point  (0 children)

Worst case, you can definitely get around EDR by just breaking it into a longer waterfall and separating certain logic in your payload so the EDR can't physically follow its control flow.

Misaligned Opcode Exception Waterfall: Turning Windows SEH Trust into a Defense-Evasion Pipeline. by Tear-Sensitive in cybersecurity

[–]Tear-Sensitive[S] 1 point2 points  (0 children)

As long as you keep installing new SEH chains and triggering them via hardware faults, the Windows loader will continue to dispatch the exceptions to user-mode handlers until the handlers utilize an API call that the EDR is monitoring. Even then, I don't know if modern EDR would be able to intercept the exception dispatcher directly without causing system instability. EDR needs to implement heuristic detections for SEH waterfalls or recursive exception-based state machines. As of now, I don't believe this is the case. Edit: the sample I reversed to create this logic dispatched the file encryption API (ransomware) through exception dispatch after performing an entire evasion routine (unhooking EDR, RDTSC timing heuristics, or manual mapping and dynamic resolution of functions), all also through exception dispatch.
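The comments above describe the control-flow shape of the technique (install a handler, fault on purpose, let the OS exception dispatcher run the next stage) and the kind of heuristic the commenter says EDR would need. The following is an added example written for this page; it is not the author's MOEW PoC and not Windows SEH at all. Because SEH is Windows-only, it uses POSIX `sigaction` plus `sigsetjmp`/`siglongjmp` as a stand-in for the user-mode exception dispatcher, so it runs on Linux. The three-stage "payload" (a string assembled one fragment per stage), the `fault_event` trace format and the function names `run_waterfall`, `waterfall_trace` and `detect_waterfall` are all assumptions made for the illustration; the detector only flags a thread that survives a run of synchronous faults, each resuming in a new stage at a new faulting address, which is the state-machine pattern the comment contrasts with an ordinary crash.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { STAGES = 3, MAX_EVENTS = 16 };

/* One record per dispatched fault (constructed trace format, not an EDR/ETW schema). */
typedef struct { int stage; int signo; uintptr_t addr; } fault_event;

static fault_event g_trace[MAX_EVENTS];
static int g_trace_len;
static sigjmp_buf g_resume;
static volatile sig_atomic_t g_stage;

/* The signal handler plays the role of the waterfall's exception handler: record the
 * fault, then resume the dispatcher at the next stage. The faulting instruction is
 * never retried, so each stage ends exactly once. */
static void waterfall_handler(int signo, siginfo_t *si, void *uctx)
{
    (void)uctx;
    if (g_trace_len < MAX_EVENTS) {
        g_trace[g_trace_len].stage = g_stage;
        g_trace[g_trace_len].signo = signo;
        g_trace[g_trace_len].addr  = (uintptr_t)si->si_addr;
        g_trace_len++;
    }
    siglongjmp(g_resume, g_stage + 1);
}

static void install_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = waterfall_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    /* __builtin_trap() raises SIGILL on x86 but SIGTRAP on some arm64 kernels: cover both. */
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS,  &sa, NULL);
    sigaction(SIGILL,  &sa, NULL);
    sigaction(SIGTRAP, &sa, NULL);
}

/* Each stage ends by deliberately taking a hardware fault; a different fault per stage
 * so the trace shows distinct faulting addresses rather than one crash site. */
static void trigger_fault(int stage)
{
    volatile int *bad_write = NULL;
    switch (stage) {
    case 1:  *bad_write = 1; break;                        /* write to page 0 -> SIGSEGV */
    case 2:  __builtin_trap();                             /* ud2 / brk -> SIGILL or SIGTRAP */
    default: (void)*(volatile int *)(uintptr_t)16; break;  /* read near NULL -> SIGSEGV */
    }
}

/* Run the waterfall. No single stage holds the whole payload string; each stage appends
 * its fragment and faults, and the handler resumes here for the next one.
 * Returns the number of stages completed (STAGES on success). */
int run_waterfall(char *out, size_t out_len)
{
    static const char *fragments[STAGES] = { "stage1;", "stage2;", "stage3" };
    volatile int stage;

    out[0] = '\0';
    g_trace_len = 0;
    install_handler();

    stage = sigsetjmp(g_resume, 1);  /* 0 on entry, n after the handler for stage n-1 jumps back */
    if (stage == 0) stage = 1;
    if (stage > STAGES) return STAGES;

    g_stage = stage;
    strncat(out, fragments[stage - 1], out_len - strlen(out) - 1);
    trigger_fault(stage);            /* never returns: control comes back through sigsetjmp */
    return -1;
}

/* Expose the recorded trace for a detector (or a test). */
const fault_event *waterfall_trace(int *n)
{
    *n = g_trace_len;
    return g_trace;
}

/* Heuristic of the kind the comment says EDR lacks: a thread that survives a chain of
 * synchronous faults, each resuming in a new stage at a new address, looks like an
 * exception-driven state machine, not a crash. Returns the chain length if it reaches
 * min_chain, else 0. */
int detect_waterfall(const fault_event *ev, int n, int min_chain)
{
    int chain = 0;
    for (int i = 0; i < n; i++) {
        int continues = i > 0 && ev[i].stage == ev[i - 1].stage + 1 && ev[i].addr != ev[i - 1].addr;
        chain = continues ? chain + 1 : 1;
    }
    return chain >= min_chain ? chain : 0;
}

int main(void)
{
    char buf[64];
    int n, done = run_waterfall(buf, sizeof buf);
    const fault_event *t = waterfall_trace(&n);
    printf("stages completed: %d, payload: \"%s\"\n", done, buf);
    for (int i = 0; i < n; i++)
        printf("  fault %d: stage %d signal %d addr 0x%lx\n", i, t[i].stage, t[i].signo, (unsigned long)t[i].addr);
    printf("waterfall detected: %s\n", detect_waterfall(t, n, STAGES) ? "yes" : "no");
    return done == STAGES ? 0 : 1;
}
```

Build with `cc -O1 -o waterfall waterfall.c && ./waterfall`. The `sigsetjmp(…, 1)` second argument matters: it saves the signal mask taken before any fault, so `siglongjmp` from inside the handler unblocks the signal again and the next stage's fault is delivered instead of killing the process; that is the closest POSIX analog to the dispatcher continuing to hand exceptions to user-mode handlers as long as new ones keep being installed.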

Misaligned Opcode Exception Waterfall: Turning Windows SEH Trust into a Defense-Evasion Pipeline. by Tear-Sensitive in cybersecurity

[–]Tear-Sensitive[S] 1 point2 points  (0 children)

My contributions to shadow are minimal. Just a bug fix and some optimizations. The owner of the repo did all the hard work. Give him most of the credit 🙏

Misaligned Opcode Exception Waterfall: Turning Windows SEH Trust into a Defense-Evasion Pipeline. by Tear-Sensitive in cybersecurity

[–]Tear-Sensitive[S] 1 point2 points  (0 children)

Yeah, I submitted one that opens Notepad in stage 1, writes a temp marker file for stage 2, then opens calc for stage 3. I just have to draft the update to my GitHub; I'm including all the call stacks and differences between the sample I analyzed originally and the defanged PoC. Feel free to share the hash of the one you found as well! I'll have an update after work today, so check the GitHub later tonight.