Forrest Orr (@_forrestorr)'s Twitter Profile
Forrest Orr

@_forrestorr

Red Teamer, low level coding extremist and malware researcher. Windows exploit writer and bug hunter

ID: 908422622219825153

Website: https://www.forrest-orr.net/ Joined: 14-09-2017 20:10:05

179 Tweets

4.4K Followers

526 Following

Forrest Orr (@_forrestorr):

My personalized Windows 10 re-creation of the HYDSEVEN exploit chain used to target Coinbase. This chain involves the use of a Firefox RCE (CVE-2019-11707) and Firefox sandbox escape (CVE-2019-11708) for shellcode execution as Medium Integrity github.com/forrest-orr/Ex…

Forrest Orr (@_forrestorr):

Thanks for bringing this to my attention Andrew, this would be a much more elegant way of filtering CLR JIT memory in Moneta.

waldoirc (@waldoirc):

Already released way earlier but I'm sharing on Twitter too just because. Blog post + poc on detecting malware through return addresses. Recommend also looking at the following made by thefLink github.com/thefLink/Hunt-… arashparsa.com/catching-a-mal…

maxpl0it (@maxpl0it):

Going to Blackhat USA this year? I’ll be teaching a 2-day training: Day 1 - Browser internals (Firefox and Chrome); Day 2 - Virtualisation Internals (VirtualBox and QEMU). Come learn from real source code and debug real world targets! blackhat.com/us-22/training…

Forrest Orr (@_forrestorr):

Excellent work, I think you’ve found (what is at present) the most optimal fusion of stealth techniques for evasion in memory. It doesn’t get any more cutting edge than this when it comes to the memory dimension of malware design these days.

Forrest Orr (@_forrestorr):

Last summer I attended the Advanced Windows Heap Exploitation class given by ς๏гєɭคภς0๔3г and cannot speak highly enough of his skill, dedication and enthusiasm for the topic. This is the training I recommend for learning memory corruption exploits. Truly one of a kind.

Connor McGarr (@33y0re):

Today I am releasing a blog about kernel exploitation in the age of HVCI. This post addresses calling arbitrary kernel-mode APIs, to go beyond “traditional token stealing” data-only attacks, while also dealing with kernel control flow integrity. connormcgarr.github.io/hvci

Petar Jr. Pranic (@ipslav):

My first research and tool are finally out. If you want to deep dive into some CLR internals and understand how we can abuse it to blend in within its own logic, go check it out. Hope you'll enjoy the read. ipslav.github.io/2023-12-12-let…

Forrest Orr (@_forrestorr):

Very well put together research that expands on some of the memory forensics articles I wrote several years ago; it’s excellent to see improvements are still being made to malware tradecraft in this niche.

Forrest Orr (@_forrestorr):

I’m surprised to have recently learned that there does not seem to be a trivial way to receive notifications of suspended process launches in Windows via kernel proc notif callback, kernel ETW or EtwTi. Any ideas on how to do this? Pavel Yosifovich

Forrest Orr (@_forrestorr):

Is the ability of a non admin user to obtain a full query handle to a System integrity process and unravel its ASLR considered a security boundary? I know a PROCESS_QUERY_INFORMATION handle on a PPL is considered a breach of a security boundary even if the owner is local admin.

Forrest Orr (@_forrestorr):

Does anyone know what mechanisms can be used to detect suspended (non-UWP) and frozen UWP app processes, and how to programmatically wake them up in a safe and persistent way where they don't just immediately freeze again?