Tracing a program with strace generates a lot of output because of the sheer number of syscalls every program calls during its runtime. This can become overwhelming very quickly, making it hard to analyze the trace and find what you are looking for. Fortunately, strace has several features that allow you to limit which syscalls … (Limiting which Syscalls to Trace with Strace)| Abstract Expression
For avoiding EDR userland hooks, there are many ways to cook an egg: direct system calls (syscalls), indirect syscalls, unhooking, hardware breakpoints, and bringing and loading your own version of a library. Each of these methods has advantages and disadvantages. When developing a C2 implant, it is useful to combine several of them. For instance, you could use a strong (in)direct syscall library for the direct usermode-to-kernel transition, then use unhooking or hardware breakpo...| Outflank
So we run a bunch of EventMachine at Stripe. I personally hate EventMachine, but it’s what we’ve got, and it’s probably the best answer if you really want async I/O in ruby. One question you inevitably find yourself asking: How close is my EventMachine worker process to capacity? How many more requests/second can this worker handle? This is, frustratingly, not a super straightforward question. Because of the asynchronous nature of EM, you might have multiple requests logic...| nelhage debugs shit
A look at code to parse the PE header and remove API hooks placed by AV/EDR.| www.solomonsklash.io
A small proof of concept Windows shellcode injector using syscalls.| www.solomonsklash.io