hexnomad

@hexnomad@infosec.exchange
333 Followers
215 Following
138 Posts
Researcher, developer, @fieldeffectsoft, tfr
Twitterhttps://twitter.com/hexnomad
Offensive Con Talkhttps://youtu.be/1CjQ1_QWssI
Windows LPEs writeuphttps://hello.fieldeffect.com/hubfs/Blackswan/Blackswan_Technical_Write%20Up_Field_Effect.pdf
Field Effecthttps://fieldeffect.com/
hexnomadMay 29
buheratorMay 29
[RSS] The Windows Registry Adventure #8: Practical exploitation of hive memory corruption

https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventure-8-exploitation.html
The Windows Registry Adventure #8: Practical exploitation of hive memory corruption

Posted by Mateusz Jurczyk, Google Project Zero In the previous blog post , we focused on the general security analysis of the registry a...

hexnomadMay 19
Ivan FratricMay 19
The slides for my OffensiveCon talk "Finding and Exploiting 20-year-old bugs in Web Browsers" https://docs.google.com/presentation/d/1pAosPlKUw4uI5lfg7FVheTZAtI5mUy8iDeE4znprV34/edit?usp=sharing
Finding and Exploiting 20-year-old bugs in Web Browsers

Finding and Exploiting 20-year-old bugs in Web Browsers Ivan Fratric, Google Project Zero OffensiveCon 2025 Thank the audience for having the patience for another talk

Google Docs
hexnomadJul 25, 2024
Show threadMarcus Hutchins Jul 25, 2024

On top of loading kernel drivers, a lot of EDR vendors inject DLLs into every running process. The reason they had to do this is because even from kernel mode, certain security events simply aren't obtainable due to limitations placed by Microsoft. Let's say, for example, you want to know any time a process allocates executable memory (commonly used by malware to execute shellcode). There was for the longest time no legitimate way to track this.

So EDRs basically had to inject a DLL into every process, hook all the functions responsible for allocating memory pages, parse the parameters for flags that specify the memory as executable, then pass that info off to the main antivirus process via some kind of pipe.

Eventually, Microsoft upgraded their kernel to add an interface where the kernel would log these kinds of events, then security products could register to receive them from either user mode or kernel mode. This was added in (I think) Windows 10 1703, which was over a decade after they first tried to remove security products from the kernel.

But even today, because many enterprises are still running older Windows versions, EDR providers are still required to use legacy techniques like kernel callbacks and DLL injection. Additionally, the new events are read only. With DLL injection, if you detect a potentially malicious call you could intercept, redirect, or block it. Now you simply just get notified that the call happened, and just have to kind of figure out what to do next.

hexnomadJul 19, 2024
Show threadKevin BeaumontJul 19, 2024
By far my fave thing with the Crowdstrike thing is Microsoft saying to try turning impacted PCs off and on again in a loop until you get the magic reboot where CrowdStrike updates before it blue screens.
hexnomadJul 19, 2024
Kevin BeaumontJul 19, 2024
Crowdstrike published a faulty update. Causes Windows to bluescreen. Driver is C-00000291*.sys. Will cause worldwide outages. Thread follows, I suspect. 🧵
hexnomadJun 20, 2024
Natalie SilvanovichJun 20, 2024

Can LLMs find vulns? Here’s what Project Zero found

https://googleprojectzero.blogspot.com/2024/06/project-naptime.html

Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models

Posted by Sergei Glazunov and Mark Brand, Google Project Zero Introduction At Project Zero, we constantly seek to expand the scope and e...

hexnomadJun 16, 2024
@screaminggoat There’s probably a couple of CWE’s that could fit the bug, including CWE-781. The one referenced in Microsoft’s bulletin is definitely incorrect, it is not a heap base buffer overflow.
hexnomadJun 14, 2024

TFW you spend so much time looking for vulns in a piece of code without finding any that you convince yourself it is bug free… then someone else comes along and finds a sweet one:

https://androidoffsec.withgoogle.com/posts/attacking-android-binder-analysis-and-exploitation-of-cve-2023-20938/

Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938 - Android Offensive Security Blog

At OffensiveCon 2024, the Android Red Team gave a presentation (slides) on finding and exploiting CVE-2023-20938, a use-after-free vulnerability in the Android Binder device driver. This post will provide technical details about this vulnerability and how our team used it to achieve root privilege from an untrusted app on a fully up-to-date (at the time of exploitation) Android device. This vulnerability affected all Android devices using GKI kernel versions 5.4 and 5.10. This vulnerability is fixed and the patches were released as part of the Android Security Bulletin–February 2023 and July 2023 (more details in the remediation section of the blog).

hexnomadJun 12, 2024
chompieJun 12, 2024

microsoft: Exploit Code Unporoven

me: i literally gave you a compiled PoC and also exploit code

m$: No exploit code is available, or an exploit is theoretical.

me:

hexnomadJun 6, 2024
James Forshaw Jun 5, 2024
Damn, I really thought the Recall database security would at least be, you know, secure. Turns out Microsoft did pretty much what I blogged about for WindowsApps, except you need to find a specific WIN://SYSAPPID instead. So to bypass the security just get the token for the AIXHost.exe process, then impersonate that and you can access the database, no admin required. Or, as the files are owned by the user, just grant yourself access using icacls etc :D