How would you prefer to name macros that generate syscalls in assembly?
→ #Speedrunners are #vulnerability researchers, they just don't know it yet
https://zetier.com/speedrunners-are-vulnerability-researchers/
“Super Mario World runners will place items in extremely precise locations so that the X,Y coordinates form #shellcode they can jump to with a dangling reference. Legend of #Zelda: Ocarina of Time players will do heap grooming and write a #function pointer […] so the game “wrong warps” directly to the #end #credit sequence… with nothing more than a #game #controller and a steady #hand”
Decai decompiling a malicious shellcode.
The instructions are not very readable if you're not used to int 0x80 syscalls. AI does it for you.
What are people using as a syscall database?
Analysis of malicious HWP cases of 'APT37' group distributed through K messenger
The report details a sophisticated APT attack targeting South Korea, utilizing spear-phishing techniques and malicious HWP files distributed through a popular Korean messenger service. The APT37 group exploited trust-based tactics, using compromised accounts to spread malware through group chats. The malicious files contained OLE objects that executed PowerShell commands and shellcode, ultimately deploying the RoKRAT malware. This fileless attack method allowed for information gathering and potential remote control of infected systems. The attackers used pCloud for data exfiltration and command-and-control communication. The report emphasizes the importance of endpoint detection and response (EDR) systems to combat such evolving threats.
Pulse ID: 67a38d686710526e35f1ff4d
Pulse Link: https://otx.alienvault.com/pulse/67a38d686710526e35f1ff4d
Pulse Author: AlienVault
Created: 2025-02-05 16:10:16
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again
A new AsyncRAT malware campaign has been identified, utilizing malicious payloads delivered through TryCloudflare quick tunnels and Python packages. The attack chain begins with a phishing email containing a Dropbox URL, leading to a ZIP file with an internet shortcut. This triggers a series of downloads, ultimately executing AsyncRAT malware via Python scripts. The campaign employs legitimate infrastructure like Dropbox and TryCloudflare to evade detection. It uses a multi-step process involving LNK, JavaScript, and BAT files, culminating in the extraction of malicious Python scripts. The attackers use process injection techniques to inject shellcode into legitimate processes like notepad.exe and explorer.exe. This sophisticated approach highlights the evolving nature of cyber threats and the exploitation of legitimate services for malicious purposes.
Pulse ID: 679dd8f83b0571424707dbf6
Pulse Link: https://otx.alienvault.com/pulse/679dd8f83b0571424707dbf6
Pulse Author: AlienVault
Created: 2025-02-01 08:19:04
Shellcode over MIDI? Bad Apple on a PSR-E433, Kinda - If hacking on consumer hardware is about figuring out what it can do, and pushing ... - https://hackaday.com/2025/01/23/shellcode-over-midi-bad-apple-on-a-psr-e433-kinda/ #reverseengineering #musicalhacks #shellcode #badapple #yamaha #video #midi
The ninth article (38 pages) of the Malware Analysis Series (MAS) is available on:
https://exploitreversing.com/2025/01/08/malware-analysis-series-mas-article-09/
I would like to thank Ilfak Guilfanov @ilfak and @HexRaysSA (on X) for their constant and uninterrupted support, which has helped me write these articles.
Even though I haven't been on this subject for years, I promised I would write a series of ten articles, and the last one will be released next week (JAN/15).
Have a great day.
Is there an example of shellcode or other malware needing to use Floating Point assembly instructions?
From C to shellcode (simple way)
This post explains the journey of turning C code into shellcode, including techniques to create compact and executable shellcode suitable for exploitation.
Roughly two years ago I hacked together a small tool to automatically download the
#windows #docker images, extract the ntdll.dll from them and extract the #syscall numbers for that Windows version. This can be used for #shellcode and other #malware dev activities.
I've finally pushed the code to GitHub and redeployed the website.
All the data is either available in the HTML tables, or as a JSON by appending ?format=json
to the URL.
Because it's just been redeployed, it's re-downloading all the images, so it will take a few hours until more Windows versions are indexed. It has now indexed more than 200 different versions of ntdll.dll :)
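The core of a syscall-number database like the one described above is recognising the Nt/Zw stub bytes at each export's RVA and pulling the immediate out of the `mov eax, imm32`. The following C is an added example, not the author's tool: it parses constructed stub byte arrays (labelled as such; the numbers are not from any real Windows build) in both the Windows 10+ form, which includes the `test byte ptr [SharedUserData+0x308], 1` / `jne` pair, and the older direct-`syscall` form, and it rejects anything else, which is what you see when a user-mode hook has replaced the prologue with a `jmp`. Reading the export directory out of the PE on disk is assumed to have happened already.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Recover the system service number (SSN) from an x64 ntdll Nt/Zw stub.
 *
 * Windows 10 and later emit:
 *   4C 8B D1                   mov  r10, rcx
 *   B8 nn nn nn nn             mov  eax, <SSN>
 *   F6 04 25 08 03 FE 7F 01    test byte ptr [SharedUserData+0x308], 1
 *   75 03                      jne  short +3   (int 2Eh path)
 *   0F 05                      syscall
 *   C3                         ret
 * Older x64 builds omit the test/jne pair and go straight to syscall.
 * Anything else (e.g. an E9 jmp planted by a user-mode hook) returns -1.
 */
int syscall_number_from_stub(const uint8_t *stub, size_t len)
{
    static const uint8_t mov_r10_rcx_mov_eax[] = { 0x4C, 0x8B, 0xD1, 0xB8 };
    static const uint8_t test_sud_jne[] = { 0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01,
                                            0x75, 0x03 };
    static const uint8_t syscall_insn[] = { 0x0F, 0x05 };

    if (len < sizeof mov_r10_rcx_mov_eax + 4 ||
        memcmp(stub, mov_r10_rcx_mov_eax, sizeof mov_r10_rcx_mov_eax) != 0)
        return -1;

    /* imm32 of mov eax is little-endian */
    uint32_t ssn = (uint32_t)stub[4] | (uint32_t)stub[5] << 8 |
                   (uint32_t)stub[6] << 16 | (uint32_t)stub[7] << 24;

    const uint8_t *p = stub + 8;
    size_t rem = len - 8;
    if (rem >= sizeof test_sud_jne && memcmp(p, test_sud_jne, sizeof test_sud_jne) == 0) {
        p += sizeof test_sud_jne;
        rem -= sizeof test_sud_jne;
    }
    /* Require the syscall instruction itself so a stray mov eax,imm is not misread. */
    if (rem < sizeof syscall_insn || memcmp(p, syscall_insn, sizeof syscall_insn) != 0)
        return -1;
    /* SSNs are small: the ntoskrnl table is below 0x1000, win32k's starts at 0x1000. */
    if (ssn > 0x1FFF)
        return -1;
    return (int)ssn;
}

struct export_stub {
    const char    *name;   /* export name from ntdll's export directory */
    const uint8_t *bytes;  /* first bytes at the exported RVA */
    size_t         len;
};

/* Constructed sample bytes for illustration only; SSNs are NOT from any real build. */
static const uint8_t stub_modern[] = { 0x4C, 0x8B, 0xD1, 0xB8, 0x18, 0x00, 0x00, 0x00,
                                       0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01,
                                       0x75, 0x03, 0x0F, 0x05, 0xC3, 0xCD, 0x2E, 0xC3 };
static const uint8_t stub_legacy[] = { 0x4C, 0x8B, 0xD1, 0xB8, 0x50, 0x00, 0x00, 0x00,
                                       0x0F, 0x05, 0xC3 };
static const uint8_t stub_hooked[] = { 0xE9, 0x11, 0x22, 0x33, 0x44,   /* jmp rel32 trampoline */
                                       0x90, 0x90, 0x90, 0x0F, 0x05, 0xC3 };

static const struct export_stub sample_exports[] = {
    { "NtAllocateVirtualMemory", stub_modern, sizeof stub_modern },
    { "NtProtectVirtualMemory",  stub_legacy, sizeof stub_legacy },
    { "NtCreateThreadEx",        stub_hooked, sizeof stub_hooked },
};

/* Returns the SSN, -1 if the name is not exported, -2 if exported but not a clean stub. */
int lookup_syscall(const char *name)
{
    for (size_t i = 0; i < sizeof sample_exports / sizeof sample_exports[0]; i++) {
        if (strcmp(sample_exports[i].name, name) == 0) {
            int ssn = syscall_number_from_stub(sample_exports[i].bytes, sample_exports[i].len);
            return ssn < 0 ? -2 : ssn;
        }
    }
    return -1;
}

int main(void)
{
    const char *names[] = { "NtAllocateVirtualMemory", "NtProtectVirtualMemory",
                            "NtCreateThreadEx", "NtNotExported" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-24s -> %d\n", names[i], lookup_syscall(names[i]));
    return 0;
}
```

Stubs read from a clean ntdll.dll on disk (as the Docker-image approach does) always parse; stubs read from a live process may be hooked, which is why the parser fails closed rather than trusting whatever immediate follows the hook.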
You've probably heard of the xz-utils
backdoor by now. You shouldn't submit backdoors to Open Source projects... unless it's to ronin-payloads! We're always looking for more payloads!
#opensource #ruby #payloads #shellcode #webshells #hacking #corny #shamelesspromotion
ChaiLdr: a shellcode loader that challenges antivirus
#ChaiLdr is an #opensource #project that aims to create a #shellcode #loader that can evade detection by #antivirus (#AV) #software and endpoint detection and response (#EDR) #systems.
#redhotcyber #online #it #web #ai #hacking #privacy #cybersecurity #cybercrime #intelligence #intelligenzaartificiale #informationsecurity #ethicalhacking #dataprotection #cybersecurityawareness #cybersecuritytraining #cybersecuritynews #infosecurity
https://www.redhotcyber.com/post/chaildr-un-caricatore-di-shellcode-che-sfida-gli-antivirus/
StopCrypt: the ransomware for ordinary mortals, hard to detect but highly virulent
#Security #researchers have discovered a new variant of the #ransomware called #StopCrypt, also known as #STOP. This version uses a #shellcode execution process to bypass security tools, making the #malware particularly dangerous because it is difficult to detect.
Nice introduction to Position Independent shellcodes (MinGW, GetProcAddress, GetModuleHandle)
https://steve-s.gitbook.io/0xtriboulet/just-malicious/from-c-with-inline-assembly-to-shellcode
New cheatsheets pushed
https://github.com/r1cksec/cheatsheets
Including:
A nice writeup about an XSS vulnerability found on chess.com
https://skii.dev/rook-to-xss
This tool can be used as a framework for CI/CD security analysis
https://github.com/CycodeLabs/raven
A great post about Process Injection in the context of Kernel Triggered Memory Scans
https://www.r-tec.net/r-tec-blog-process-injection-avoiding-kernel-triggered-memory-scans.html
Simple Shellcode Runner in Rust Language
https://github.com/CyberSecurityUP/shellcode-runner-rust
Introduction to PIC shellcodes (MinGW, GetProcAddress, GetModuleHandle)
https://steve-s.gitbook.io/0xtriboulet/just-malicious/from-c-with-inline-assembly-to-shellcode
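The "From C to shellcode" post above and the two PIC-shellcode links both come down to the same constraint: shellcode carved out of `.text` has no import table and no `.rodata`, so it cannot call `GetProcAddress("LoadLibraryA")` with a literal string. The usual answer is to carry a hash of each export name and compare hashes while walking the target module's export directory. The following C is an added example, not code from either linked post: it implements the ROR13 name hash, resolves against a constructed export table standing in for `IMAGE_EXPORT_DIRECTORY` (the names and addresses are made up for illustration), and includes the collision check a practitioner should run before hard-coding hashes against a real module.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ROR13 export-name hash, as used by classic position-independent shellcode.
 * The shellcode embeds only the 32-bit hash, never the string, so it needs
 * neither .rodata nor an import table. */
uint32_t ror13_hash(const char *name)
{
    uint32_t h = 0;
    for (const uint8_t *p = (const uint8_t *)name; *p; p++) {
        h = (h >> 13) | (h << 19);   /* rotate right by 13 */
        h += *p;
    }
    return h;
}

/* Stand-in for a module's export directory. In real PIC shellcode the names
 * come from IMAGE_EXPORT_DIRECTORY.AddressOfNames of a module located via
 * PEB->Ldr, and the address from AddressOfFunctions. Constructed values. */
struct export_entry {
    const char *name;
    uintptr_t   fake_address;
};
static const struct export_entry sample_exports[] = {
    { "LoadLibraryA",   0x1000 },
    { "GetProcAddress", 0x1010 },
    { "VirtualAlloc",   0x1020 },
    { "CreateThread",   0x1030 },
    { "WriteFile",      0x1040 },
};
#define SAMPLE_EXPORT_COUNT (sizeof sample_exports / sizeof sample_exports[0])

/* Hash every export name and compare with the wanted hash; 0 means not found.
 * This is the loop GetProcAddress performs for you, minus the string. */
uintptr_t resolve_by_hash(uint32_t want)
{
    for (size_t i = 0; i < SAMPLE_EXPORT_COUNT; i++)
        if (ror13_hash(sample_exports[i].name) == want)
            return sample_exports[i].fake_address;
    return 0;
}

/* Check to run against the real module's export list before shipping hashes:
 * a collision would silently resolve the wrong function at runtime. */
int export_hashes_collide(void)
{
    for (size_t i = 0; i < SAMPLE_EXPORT_COUNT; i++)
        for (size_t j = i + 1; j < SAMPLE_EXPORT_COUNT; j++)
            if (ror13_hash(sample_exports[i].name) == ror13_hash(sample_exports[j].name))
                return 1;
    return 0;
}

int main(void)
{
    const char *targets[] = { "LoadLibraryA", "GetProcAddress", "NtNotThere" };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        uint32_t h = ror13_hash(targets[i]);
        printf("%-16s hash=0x%08X -> 0x%lx\n", targets[i], h,
               (unsigned long)resolve_by_hash(h));
    }
    printf("collisions in table: %s\n", export_hashes_collide() ? "yes" : "no");
    return 0;
}
```

Strings the shellcode still needs as arguments (a DLL name for `LoadLibraryA`, for instance) must be built on the stack as byte arrays rather than written as literals, and the result should be confirmed in the disassembly of the extracted `.text` section, since a compiler may still hoist a longer initializer into `.rodata`.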
Here someone took apart a malicious Excel file. It exploits a vulnerability in the Equation Editor (CVE-2017-11882) and downloads further malicious content.
https://isc.sans.edu/diary/Simple+Shellcode+Dissection/29642