GhouLSec
532 FOLLOWERS
Read writing from GhouLSec on Medium. Typical memes addict. GitHub: https://github.com/ghoulgy.
GhouLSec
1M ago
Recently I came across interesting blogs from RedDrip and Fortra about the dwmcore.dll vulnerability (CVE-2024-30051). It is interesting when it comes to debugging the vulnerable function: the function lives in user mode, but it cannot be debugged directly on the machine itself, because attaching a debugger to dwm.exe (the process that loads dwmcore.dll) freezes the machine's graphics.
To debug dwm.exe or dwmcore.dll without that problem, remote debugging is useful here. You may wonder why not just use kernel-mode debugging. I had tried this, and it …
GhouLSec
5M ago
This post notes some of the mechanisms Windows uses to select the application that opens a file. Both cmd.exe and powershell.exe were tested.
Let's try this with an executable, calc.exe, renamed to calc.pdf. During the experiment, cmd.exe ran the executable regardless of the file extension, whereas powershell.exe picked the default application associated with the extension to open the file.
Commands used in the experiment:
PS> calc.pdf (Result: launches MSEdgePDF)
CMD> calc.pdf (Result: pops the calc.exe appli…
GhouLSec
10M ago
EDRSilencer by netero1010 is a tool that uses the Windows Filtering Platform (WFP) to stop an EDR agent from sending its event data to its server, by adding both IPv4 and IPv6 WFP outbound block filters (administrator access required). That is bad, as most defenders depend heavily on EDR event data for their operational tasks. This post lists some indicators to look for when the EDR event data flow has been "blocked" by a security event (e.g. red teaming or a threat actor).
Event Logs
As usual, the Security event log contains events related to …
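One indicator that does not depend on the filter name the tool chose is the filter set itself: any FWP_ACTION_BLOCK filter in the outbound connect-authorisation layers whose only condition is an application path is worth a look, because that is exactly the shape needed to silence one process. The script below is an added example for this page, not EDRSilencer's or the author's code. It parses the XML produced by `netsh wfp show filters file=wfp_filters.xml` (run as administrator); the element names follow that export, but the sample document is constructed and its GUIDs, names and the sensor path are placeholders.

```python
"""Triage a `netsh wfp show filters` XML export for app-scoped outbound block filters."""
import sys
import xml.etree.ElementTree as ET

# Outbound connect-authorisation layers, IPv4 and IPv6: an app-scoped block filter
# here drops every new connection the matching process tries to open.
CONNECT_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWPM_LAYER_ALE_AUTH_CONNECT_V6"}

# Constructed sample in the shape of the netsh export: one ordinary firewall permit
# rule and two block filters (v4 and v6) pinned to a single executable.
SAMPLE_WFP_XML = """<wfpdiag>
  <filters>
    <item>
      <filterKey>{11111111-1111-1111-1111-111111111111}</filterKey>
      <displayData><name>Core Networking - DNS (UDP-Out)</name><description>Allow DNS</description></displayData>
      <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
      <filterCondition numItems="1">
        <item><fieldKey>FWPM_CONDITION_IP_REMOTE_PORT</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
              <conditionValue><type>FWP_UINT16</type><uint16>53</uint16></conditionValue></item>
      </filterCondition>
      <action><type>FWP_ACTION_PERMIT</type></action>
    </item>
    <item>
      <filterKey>{22222222-2222-2222-2222-222222222222}</filterKey>
      <displayData><name>Outbound Filter</name><description>Outbound Filter</description></displayData>
      <providerKey/>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
      <filterCondition numItems="1">
        <item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
              <conditionValue><type>FWP_BYTE_BLOB_TYPE</type><byteBlob><data>5c0064006500</data>
              <asString>\\device\\harddiskvolume3\\program files\\edrvendor\\sensor.exe</asString></byteBlob></conditionValue></item>
      </filterCondition>
      <action><type>FWP_ACTION_BLOCK</type></action>
    </item>
    <item>
      <filterKey>{33333333-3333-3333-3333-333333333333}</filterKey>
      <displayData><name>Outbound Filter</name><description>Outbound Filter</description></displayData>
      <providerKey/>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
      <filterCondition numItems="1">
        <item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
              <conditionValue><type>FWP_BYTE_BLOB_TYPE</type><byteBlob><data>5c0064006500</data>
              <asString>\\device\\harddiskvolume3\\program files\\edrvendor\\sensor.exe</asString></byteBlob></conditionValue></item>
      </filterCondition>
      <action><type>FWP_ACTION_BLOCK</type></action>
    </item>
  </filters>
</wfpdiag>
"""


def _triage_filter(item):
    """Return a finding dict for a block filter keyed to an application path, else None."""
    layer = item.findtext("layerKey", "")
    action = item.findtext("action/type", "")
    if layer not in CONNECT_LAYERS or action != "FWP_ACTION_BLOCK":
        return None
    apps = [
        cond.findtext("conditionValue/byteBlob/asString", "")
        for cond in item.findall("filterCondition/item")
        if cond.findtext("fieldKey") == "FWPM_CONDITION_ALE_APP_ID"
    ]
    if not apps:
        return None
    return {
        "filterKey": item.findtext("filterKey", ""),
        "name": item.findtext("displayData/name", ""),
        # Assumption: filters added ad hoc through the WFP API without registering a
        # provider export an empty providerKey, unlike Windows Firewall's own rules.
        "provider": item.findtext("providerKey", ""),
        "layer": layer,
        "app": apps[0],
    }


def find_app_block_filters(xml_text):
    """All outbound-connect block filters whose condition names an application."""
    root = ET.fromstring(xml_text)
    return [f for f in (_triage_filter(i) for i in root.iterfind("filters/item")) if f]


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_WFP_XML
    for f in find_app_block_filters(text):
        print(f"{f['layer']}: BLOCK {f['app']} (name={f['name']!r}, provider={f['provider'] or 'none'})")
```

The check keys on action, layer and condition type rather than on a display name, since the name is attacker-chosen. If Filtering Platform Policy Change auditing is enabled, the moment the filters were added is also recorded in the Security log as event 5447 (a WFP filter has been changed), which gives the timeline to pair with the export.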
GhouLSec
1y ago
Recently I came across the JPCERT/CC blog about MalDoc in PDF, which is quite interesting, so I took the sample and started analysing it. This post shares my analysis and an interesting artifact left behind when the maldoc opens an internet connection to the next-stage URL.
It is recommended to read their blog first for a better understanding of the file structure.
Analysis
Thanks to Will Dormann's X post, which mentioned that the link tag with the rel attribute Edit-Time-Data points to a base64-encoded ActiveMime blob. That is a good place to begin the …
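To make that starting point concrete, here is an added example (not JPCERT/CC's or the author's code) that follows the Edit-Time-Data link through the MHT: it finds the link tag, locates the MIME part whose Content-Location matches the href, base64-decodes it, checks the ActiveMime magic and inflates the zlib stream that holds the OLE file. The sample document is constructed inline; the zlib offsets tried first (0x32, then 0x22A) are an assumption based on .mso files seen in the wild, with a header scan as fallback.

```python
"""Extract the OLE file behind an MHT's <link rel=Edit-Time-Data> ActiveMime part."""
import base64
import re
import sys
import zlib

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ACTIVEMIME_MAGIC = b"ActiveMime"
KNOWN_ZLIB_OFFSETS = (0x32, 0x22A)  # assumption: offsets observed in real .mso containers

_LINK_TAG_RE = re.compile(rb"<link\b[^>]*>", re.I)
_ATTR_RE = re.compile(rb"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def find_edit_time_data_href(doc):
    """href of the first <link rel=Edit-Time-Data ...> tag, attribute order independent."""
    for tag in _LINK_TAG_RE.finditer(doc):
        attrs = {}
        for m in _ATTR_RE.finditer(tag.group(0)):
            attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
        if attrs.get(b"rel", b"").lower() == b"edit-time-data" and b"href" in attrs:
            return attrs[b"href"]
    return None


def find_mime_part(doc, location):
    """(transfer-encoding, raw body) of the MIME part whose Content-Location is `location`."""
    hdr = re.search(rb"^Content-Location:[ \t]*" + re.escape(location) + rb"[ \t]*\r?$", doc, re.M)
    if hdr is None:
        return None
    part_start = max(doc.rfind(b"\n--", 0, hdr.start()), 0)        # boundary line before the headers
    blank = re.compile(rb"\r?\n\r?\n").search(doc, hdr.end())     # end of the header block
    if blank is None:
        return None
    headers = doc[part_start:blank.start()]
    body_end = doc.find(b"\n--", blank.end())                      # next boundary ends the body
    body = doc[blank.end():body_end if body_end != -1 else len(doc)]
    enc = re.search(rb"^Content-Transfer-Encoding:[ \t]*([\w-]+)", headers, re.M | re.I)
    return (enc.group(1).lower() if enc else b"7bit"), body


def extract_activemime(blob):
    """Inflate the zlib stream inside an ActiveMime container and return the OLE file."""
    if not blob.startswith(ACTIVEMIME_MAGIC):
        raise ValueError("not an ActiveMime blob")
    scanned = [m.start() for m in re.finditer(rb"\x78[\x01\x5e\x9c\xda]", blob)]  # zlib header bytes
    for off in list(KNOWN_ZLIB_OFFSETS) + scanned:
        if off >= len(blob):
            continue
        d = zlib.decompressobj()
        try:
            out = d.decompress(blob[off:])
        except zlib.error:
            continue
        if d.eof and out.startswith(OLE_MAGIC):
            return out
    raise ValueError("no zlib-wrapped OLE stream found in ActiveMime blob")


def extract_embedded_ole(doc):
    """Follow Edit-Time-Data -> MIME part -> base64 -> ActiveMime -> OLE."""
    href = find_edit_time_data_href(doc)
    if href is None:
        raise ValueError("no <link rel=Edit-Time-Data> in document")
    part = find_mime_part(doc, href)
    if part is None:
        raise ValueError("no MIME part with Content-Location %r" % href)
    encoding, body = part
    raw = base64.b64decode(re.sub(rb"\s+", b"", body)) if encoding == b"base64" else body
    return extract_activemime(raw)


def build_sample_maldoc():
    """Constructed stand-in for MalDoc in PDF: PDF header, then the MHT with both parts."""
    fake_ole = OLE_MAGIC + b"\x00" * 24 + b"constructed-sample-OLE-payload"
    activemime = ACTIVEMIME_MAGIC + b"\x00" * (0x32 - len(ACTIVEMIME_MAGIC)) + zlib.compress(fake_ole)
    return (
        b"%PDF-1.7\n% constructed: real PDF objects precede the MHT in an actual sample\n"
        b"MIME-Version: 1.0\n"
        b'Content-Type: multipart/related; boundary="----=_NextPart_01"\n\n'
        b"------=_NextPart_01\n"
        b"Content-Location: file:///C:/sample/doc.htm\n"
        b'Content-Type: text/html; charset="us-ascii"\n\n'
        b"<html><head>\n"
        b'<link rel=Edit-Time-Data href="doc_files/editdata.mso">\n'
        b"</head><body>lure text</body></html>\n"
        b"------=_NextPart_01\n"
        b"Content-Location: doc_files/editdata.mso\n"
        b"Content-Transfer-Encoding: base64\n"
        b"Content-Type: application/x-mso\n\n"
        + base64.encodebytes(activemime)
        + b"------=_NextPart_01--\n"
    )


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_maldoc()
    ole = extract_embedded_ole(data)
    print(f"recovered OLE container: {len(ole)} bytes, magic ok={ole.startswith(OLE_MAGIC)}")
```

On a real sample the recovered OLE container is what you would hand to an OLE/VBA parser next; the base64 body sits after the PDF data, so tools that only look at PDF objects never see it, which is the point of the technique.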
GhouLSec
1y ago
When I was playing with some red-teaming toolkits, I found the conhost.exe 0xffffffff -ForceV1 process quite interesting. This post explains why this happens, based on my understanding.
Based on the Mandiant blog, conhost.exe is the Windows console host, which is responsible for handling the console input thread. For a better understanding, it is encouraged to read their blog.
Since most Windows-based computers now run Windows 10 (and may soon move to Windows 11?), the findings will stick to the Windows 10 environment, or Windows versions that follow a similar …
GhouLSec
1y ago
Blogs from Check Point Research and Sophos mention that this vulnerable driver has been abused in various incidents to terminate protected processes, especially anti-malware processes.
Here is a short note on how the driver is able to terminate any process. To make things easier, I will refer to the OSS project BackStab, a protected-process killer by Yaxser.
There is a driver function responsible for opening a handle to a protected process and determining its protection level, which I do not cover here.
The binary will load a vulnerable …
GhouLSec
1y ago
There is already a comprehensive analysis of Qakbot from Elastic Security Labs; kudos to them! It seems there have not been many changes since 2022 in terms of its core functionality. The obvious changes are the double RC4 encryption of the resource file and the Mersenne Twister + ISAAC random number generators.
It has a lot of adaptation for both 32/64-bit systems and checks account privileges.
This is also my first time using ChatGPT to make my life easier?
In general:
Unpacker -> 1st stage -> 2nd stage
* 1st stage and 2nd stage are from the same file with d…
GhouLSec
1y ago
Out of curiosity about rundll32.exe triggering COM execution via the -sta/-localserver switches, I decided to dig further into the rundll32.exe code to understand why it does so.
Investigation
In the initial phase, rundll32.exe parses the arguments passed to it via RunDLL_ParseCommand. This function determines which code path executes, based on the switch_flag value produced by RunDLL_ParseCommand.
There are only 3 switch types for rundll32.exe:
-sta (represented by decimal value 1)
-localserver (represented by decimal value 2…
GhouLSec
2y ago
The sample is most probably related to CVE-2022-24521, a CLFS parsing bug.
The vulnerability is due to a parsing issue in CLFS on a specially crafted log file (.BLF / Base Log File), which allows a user to alter KTHREAD.PreviousMode and thereby gain write access to kernel memory addresses; in this case the goal is token replacement.
Please correct me if there is any misinformation in this post!
General exploitation flow:
Create 2 buffers that contain the addresses used to set up the ClfsSetEndofLog gadget and the PreviousMode address
Create a new log file with a new container
Modi…
GhouLSec
2y ago
[CTF Series #12] Mini Linux Forensics — MUS22
Here is my write-up for the mini Linux forensics challenge. In this challenge, each participant received 2 E01 (EnCase image) files: a Mate and a Kubuntu disk image. At first I loaded the E01 images into FTK Imager, but I found it inconvenient to perform the investigation from there, so I thought of mounting the images on my Linux machine to make my life easier.
Therefore, after some google-fu and bash-fu, I managed to create a script to mount a Linux partition from an E01 image. \o/
RandomCodes/LinuxE01_mount …
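The mechanics behind such a script are the same whichever way it is written: ewfmount exposes the E01 as a flat raw file, the partition table gives the start sector of the Linux partition, that sector becomes a byte offset for a read-only loop device, and the loop device is mounted read-only with ext4 journal replay disabled so the evidence is not touched. The Python below is an added example for this page, not the author's LinuxE01_mount script; it assumes libewf's ewfmount and util-linux fdisk/losetup/mount are installed, that ewfmount names the raw file ewf1 under its mount point, and that the script runs as root. The fdisk output it parses is constructed, in the layout util-linux prints for a GPT disk.

```python
"""Mount the Linux partition of an E01 image read-only: ewfmount -> fdisk -> losetup -> mount."""
import os
import re
import subprocess
import sys

# Constructed `fdisk -l` output for a raw file exposed by ewfmount (util-linux GPT layout).
SAMPLE_FDISK_OUTPUT = """\
Disk /mnt/ewf/ewf1: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 1B2C3D4E-0000-4000-8000-000000000001

Device            Start      End  Sectors  Size Type
/mnt/ewf/ewf11     2048  1050623  1048576  512M EFI System
/mnt/ewf/ewf12  1050624 41943006 40892383 19.5G Linux filesystem
"""


def parse_fdisk(output):
    """Return (sector_size, partitions) from `fdisk -l` text; each partition carries its byte offset."""
    units = re.search(r"^Units: sectors of \d+ \* \d+ = (\d+) bytes", output, re.M)
    sector_size = int(units.group(1)) if units else 512
    partitions, in_table = [], False
    for line in output.splitlines():
        if line.startswith("Device"):
            in_table = True          # column header that precedes the partition rows
            continue
        if not in_table or not line.strip():
            continue
        device, *rest = line.split()
        if rest and rest[0] == "*":  # DOS labels add an optional Boot column
            rest = rest[1:]
        start, end = int(rest[0]), int(rest[1])
        partitions.append({
            "device": device,
            "start": start,
            "end": end,
            "type": " ".join(rest[4:]),      # everything after Sectors and Size
            "offset": start * sector_size,   # what losetup --offset needs
        })
    return sector_size, partitions


def pick_linux_partition(partitions):
    """Prefer the largest partition fdisk labels as Linux (not swap); otherwise the largest overall."""
    linux = [p for p in partitions if "Linux" in p["type"] and "swap" not in p["type"].lower()]
    pool = linux or partitions
    if not pool:
        raise ValueError("no partitions found in fdisk output")
    return max(pool, key=lambda p: p["end"] - p["start"])


def mount_e01(e01_path, mount_dir, ewf_dir="/mnt/ewf"):
    """Run the pipeline for real; returns (partition, loop device). Needs root."""
    os.makedirs(ewf_dir, exist_ok=True)
    os.makedirs(mount_dir, exist_ok=True)
    subprocess.run(["ewfmount", e01_path, ewf_dir], check=True)
    raw = os.path.join(ewf_dir, "ewf1")
    fdisk_out = subprocess.run(["fdisk", "-l", raw], check=True, capture_output=True, text=True).stdout
    part = pick_linux_partition(parse_fdisk(fdisk_out)[1])
    loopdev = subprocess.run(
        ["losetup", "--find", "--show", "--read-only", "--offset", str(part["offset"]), raw],
        check=True, capture_output=True, text=True,
    ).stdout.strip()
    # ro keeps the filesystem untouched; noload stops ext4 from trying to replay the journal.
    subprocess.run(["mount", "-o", "ro,noload", loopdev, mount_dir], check=True)
    return part, loopdev


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"usage: {sys.argv[0]} image.E01 /mnt/target", file=sys.stderr)
        sys.exit(2)
    chosen, dev = mount_e01(sys.argv[1], sys.argv[2])
    print(f"{chosen['device']} ({chosen['type']}) mounted read-only at {sys.argv[2]} via {dev}")
```

Unmounting is the reverse order: umount the target, `losetup -d` the loop device, then `fusermount -u` the ewfmount directory. Picking the partition by fdisk's type label rather than by index is deliberate, since the EFI or boot partition is usually first and the challenge's two images need not share a layout.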