You are here: scorpiosoftware.net

Select a destination:
pentestlab.blog
DLL Proxy Loading is a technique in which an arbitrary DLL exports the same functions as the legitimate DLL and forwards each call to it, so that the host binary keeps running as normal and its execution flow is not disrupted. The technique falls under the category of DLL Hijacking and it is typically...
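As an added example (not code from pentestlab.blog or from any tool it describes), the following Python generates the MSVC linker pragmas that turn a stub DLL into a forwarding proxy: every export of the legitimate DLL is re-exported under the same name and ordinal and forwarded to the original. It assumes the legitimate DLL has been renamed (the constructed name widget_orig.dll is used here) so the proxy can take its original file name, and that the export list was read from the legitimate DLL's export table with a PE parser of your choice; the Export entries below are constructed sample data, not a real DLL's table.

```python
"""Generate MSVC export-forwarding pragmas for a DLL proxy.

Added example, not from pentestlab.blog. Assumes:
  - the legitimate DLL was renamed (e.g. widget.dll -> widget_orig.dll) so
    the proxy can be dropped in under the original file name;
  - `exports` came from the legitimate DLL's export table (via pefile,
    dumpbin /exports, or similar); the sample below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Export:
    ordinal: int
    name: Optional[str] = None  # None: callers can only reach it by ordinal


def forwarder_target(original_module: str, exp: Export) -> str:
    """Build the forwarder string the loader resolves at import time.

    The format is `module.Name` or `module.#ordinal`; the module part must
    be the base name without the .dll extension, otherwise the loader
    cannot resolve the forward.
    """
    if original_module.lower().endswith(".dll"):
        original_module = original_module[:-4]
    symbol = exp.name if exp.name else f"#{exp.ordinal}"
    return f"{original_module}.{symbol}"


def forwarding_pragmas(original_module: str,
                       exports: Iterable[Export],
                       hooked: Iterable[str] = ()) -> List[str]:
    """One `#pragma comment(linker, "/EXPORT:...")` line per export.

    Exports named in `hooked` are skipped: the proxy must define those
    itself (same name, signature and calling convention) and can call
    into the original DLL after doing its own work.
    """
    hooked_names: Set[str] = set(hooked)
    lines: List[str] = []
    seen: Set[int] = set()
    for exp in sorted(exports, key=lambda e: e.ordinal):
        if exp.ordinal in seen:
            raise ValueError(f"duplicate ordinal {exp.ordinal}")
        seen.add(exp.ordinal)
        if exp.name in hooked_names:
            continue
        target = forwarder_target(original_module, exp)
        if exp.name:
            # Keep the original ordinal: some callers import by ordinal only.
            lines.append(
                f'#pragma comment(linker, "/EXPORT:{exp.name}={target},@{exp.ordinal}")')
        else:
            # Ordinal-only export: give it an internal name, keep the ordinal,
            # and mark it NONAME so the proxy does not expose a new symbol name.
            lines.append(
                f'#pragma comment(linker, "/EXPORT:ord{exp.ordinal}={target},@{exp.ordinal},NONAME")')
    return lines


# Constructed sample export table (not taken from any real DLL).
SAMPLE_EXPORTS = [
    Export(1, "InitWidget"),
    Export(2, "RenderWidget"),
    Export(3),  # ordinal-only export
]

if __name__ == "__main__":
    # Forward everything except RenderWidget, which the proxy implements itself.
    print("\n".join(forwarding_pragmas("widget_orig.dll", SAMPLE_EXPORTS,
                                       hooked={"RenderWidget"})))
```

Paste the generated lines into the proxy's source and build it as widget.dll. Two checks worth doing before deployment: `dumpbin /exports` on the built proxy should list each forwarded entry as "forwarded to widget_orig.<symbol>", and the ordinals should match the legitimate DLL's, since a caller that imports by ordinal will otherwise land on the wrong function. Any export you hook must be defined in the proxy with the same calling convention as the original (for example __stdcall on x86), or the host's stack is corrupted on return.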

openpunk.com
Recently I faced a rather intimidating problem while working on a project. The problem was fairly simple from an objective point of view: "How do I load a DLL into a process on startup?" Now you might be wondering, "Why not just patch the IAT (import address table) on the executable and force it to load your payload DLL??" Yes! Those were my exact thoughts too; however, for reasons I'll explain, it wasn't that simple.

theevilbit.github.io
In recent days I was reading technical analyses of win32k exploits from recent years, and it caught my eye that the HMValidateHandle technique is very heavily used almost everywhere. Then I had an idea of how to protect against this family of exploits, which I think is very simple. This post will be about that.

What is HMValidateHandle?
HMValidateHandle is an internal, unexported function of user32.dll. It takes a handle and a handle type as arguments, and by looking up the handle table, if the handle matches the type it will copy the object to user memory. If the object contains a pointer to itself, like tagWND, it can be used to leak memory addresses from the kernel. This has been a known technique for a very long time; I think the first mention of this was in Tarjei Mandt's 2011 BlackHat US talk, you can find the PDF here: https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf There is an awful lot of documentation about this, and it was widely abused in many, many Windows kernel exploits, as you could reliably leak kernel object addresses, which is especially useful for kernel pool spraying. Thus Microsoft decided to finally close this, and so this technique doesn't work beyond Windows 10 RS4.

snyk.io
On the 29th of March 2024, a high-stakes, prolonged campaign by a malicious actor to plant a backdoor in the Linux software library liblzma, aiming to gain access to multiple operating systems via the Linux distributions that ship it, became public.