Hypervisors for Memory Introspection and Reverse Engineering| memN0ps
Projects Windows Kernel Rootkit in Rust (Codename: Eagle) Windows UEFI Bootkit in Rust (Codename: RedLotus) Windows Kernel Blue Pill Type-2 Hypervisor in Rust (Codename: Matrix) Windows UEFI Blue Pill Type-1 Hypervisor in Rust (Codename: Illusion) Shellcode Reflective DLL Injection (sRDI) in Rust (Codename: Venom) A collection of experimental Process Injection and Post-Exploitation Techniques in Rust| memN0ps
Sigreturn-Oriented Programming (SROP) Vulnerability Analysis We take a look at the main function in IDA graph view and can see that a system call is made. We can quickly determine which function is being called by looking at the system call number in the EAX register before the system call. IDA has also detected that the write function is called. We can confirm this by looking at the system call table, which shows that 1 is the system call number for write.| memn0ps.github.io
Bypassing Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) Buffer Overflow / Memory Corruption A buffer overflow is when an application attempts to write more data in a buffer than expected or when an application attempts to write more data in a memory area past a buffer. A buffer is a sequential section of memory that is allocated to contain anything from strings to integers. Going past the memory area of the allocated block can crash the program, corrupt data an...| memn0ps.github.io
Please complete Windows User Mode Exploit Development Part 1, Windows User Mode Exploit Development SEH Part 2 and Windows User Mode Exploit Development Egghunter Part 3 before continuing so everything makes sense as some things will not be explained again :). Please note, to understand exploit development thoroughly and adequately, you must have a strong understanding of both x86 (x32 bit) and x86_64 (x64 bit) assembly. Learning reverse engineering is one of the best ways to understand how t...| memn0ps.github.io
Note Please complete Windows User Mode Exploit Development Part 1 and Windows User Mode Exploit Development SEH Part 2 before continuing so everything makes sense as some things will not be explained again :). Enter the Egghunter An egghunter is a short piece of assembly code which is safely able to search the Virtual Address Space (memory) for a signature or an “egg” which is a short string signifying the beginning of a larger payload.| memn0ps.github.io
Structured Exception Handler Let’s go through this again from Windows User Mode Exploit Development Part 1 What is a Buffer Overflow? A buffer overflow is when an application attempts to write more data in a buffer than expected or when an application attempts to write more data in a memory area past a buffer. A buffer is a sequential section of memory that is allocated to contain anything from strings to integers.| memn0ps.github.io
Special thanks to James Kettle @albinowax Persistence is key, do it for the learning, not for the bounty ;) Quick note: Not all bounties are a success, this is a story about how I tried harder when failing. (As a full-time Security Consultant I spent my own time on this, which was about 1 week, and I don’t regret the learning experience) To make this process easier I’d recommend using the Burp plugin “HTTP Request Smuggler”.| memn0ps.github.io
Introduction This post will go through some of the basic rootkit techniques, using one of the first publicly available rootkits made in Rust as a proof of concept https://github.com/memN0ps/rootkit-rs/. Many anti-cheats and EDRs are utilizing Windows kernel drivers using rootkit-like techniques to detect game hackers or adversaries. However, this is a cat and mouse game, and the game hackers and malware authors have been years ahead of the industry. Why was this made?| memn0ps.github.io
Injecting code into explorer.exe or notepad.exe makes evading detection non-trivial, as these processes generally do not generate any network activity. The svchost.exe system process is a shared service process that allows several services to share one process to reduce resource consumption, and it usually generates network activity. The svchost.exe process runs at SYSTEM integrity level, which prevents us from injecting into it from a lower integrity level.| memn0ps.github.io
EDR Parallel-asis through Analysis Recently MDSec / Peter Winter-Smith researched a new technique and released a blog post, EDR Parallel-asis through Analysis - MDSec, which shows how to extract the system call numbers for 3 critical Windows API functions: NtOpenFile, NtCreateSection and NtMapViewOfSection. Combining these functions allows us to load a fresh copy of NTDLL.dll from disk into memory. Before we deep dive into this technique, there are a few fundamental concepts about Windows I...| memn0ps.github.io
What is a Buffer Overflow? A buffer overflow is when an application attempts to write more data in a buffer than expected or when an application attempts to write more data in a memory area past a buffer. A buffer is a sequential section of memory that is allocated to contain anything from strings to integers. Going past the memory area of the allocated block can crash the program, corrupt data and even execute malicious code.| memn0ps.github.io
Note: This research has been discontinued. Description A kernel mode rootkit is a stealthy malicious program that allows an attacker to maintain root/SYSTEM access on a victim’s computer. Kernel mode rootkits run in ring 0, whilst user mode rootkits run in ring 3. Figure 1: Rings (0x0sec) Building the Windows Device Driver This is a first “hello world” example #include "ntddk.h" NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath) { DbgPrint("Hello World!| memn0ps.github.io
Profiles Twitter: https://twitter.com/memn0ps GitHub: https://github.com/memn0ps HackTheBox: https://app.hackthebox.com/profile/25804 HackerOne: https://hackerone.com/memn0ps Bugcrowd: https://bugcrowd.com/memN0ps Synack: @memN0ps UnKnoWnCheaTs: https://www.unknowncheats.me/forum/members/4945492.html Discord: memN0ps Matrix: @memn0ps:matrix.org Experience Senior Security Consultant at October 2022 - Present Security Consultant at January 2019 - September 2022 Certifications Offensive Securi...| memn0ps.github.io
Intel VT-x Hypervisor Development in Rust This article will cover the development of a minimalistic Intel VT-x research hypervisor in Rust. We will use the x86 crate and documentation, which help simplify the code. Credit and acknowledgments are given to the following individuals and their respective blogs or repositories for their invaluable contributions and references: @daax_rynd, @Intel80x86, @not_matthias, and @standa_t. The inspiration for this occurred shortly after the release of @not...| memn0ps.github.io