Kernel Karnage – Part 5 (I/O & Callbacks)

After showing interceptor's options, it’s time to continue coding! On the menu are registry callbacks, doubly linked lists and a struggle with I/O in native C. 1. Interceptor 2.0 Until now, I relied on the Evil driver to patch kernel callbacks while I attempted to tackle $vendor2, however the Evil driver only implements patching for … Continue reading Kernel Karnage – Part 5 (I/O & Callbacks) →

Kernel Karnage – Part 4 (Inter(ceptor)mezzo)

To make up for the long wait between parts 2 and 3, we're releasing another blog post this week. Part 4 is a bit smaller than the others, an intermezzo between parts 3 and 5 if you will, discussing interceptor. 1. RTFM & W(rite)TFM! The past few weeks I spent a lot of time getting … Continue reading Kernel Karnage – Part 4 (Inter(ceptor)mezzo) →

Kernel Karnage – Part 3 (Challenge Accepted)

While I was cruising along, taking in the views of the kernel landscape, I received a challenge … 1. Player 2 has entered the game The past weeks I mostly experimented with existing tooling and got acquainted with the basics of kernel driver development. I managed to get a quick win versus $vendor1 but that … Continue reading Kernel Karnage – Part 3 (Challenge Accepted) →

Kernel Karnage – Part 1

I start the first week of my internship in true spooktober fashion as I dive into a daunting subject that’s been scaring me for some time now: The Windows Kernel. 1. KdPrint(“Hello, world!\n”); When I finished my previous internship, which was focused on bypassing Endpoint Detection and Response (EDR) software and Anti-Virus (AV) software from … Continue reading Kernel Karnage – Part 1 →

All aboard the internship – whispering past defenses and sailing into kernel space

Previously, we have already published Sander's (@cerbersec) internship testimony. Since this post does not really contain any juicy technical details and Sander has done a terrific job putting together a walkthrough of his process, we thought it would be a waste not to highlight his previous posts again. In Part 1, Sander explains how he … Continue reading All aboard the internship – whispering past defenses and sailing into kernel space →

Dynamic Invocation in .NET to bypass hooks

This blogpost showcases several methods of dynamic invocation that can be leveraged to bypass inline and IAT hooks.

Unmanaged file searching with Filesearcher.exe

During our red team engagements, we are often reliant on a command and control infrastructure. Typically these infrastructures are capable of loading .NET assemblies in memory, which gave me the idea of coding a filesearcher assembly. This was partially invented because of a CTF event I was participating in which had me hunting several file … Continue reading Unmanaged file searching with Filesearcher.exe →

What’s in a name? Thoughts on Red Team nomenclature

In my previous post, I promised to expand on the distinction between adversary emulation, adversary simulation, red teaming, and purple teaming, or at least how I tried to distinguish these terms in a way that made sense to me Emulation and simulation; I've heard both terms used interchangeably to refer to the same type of … Continue reading What’s in a name? Thoughts on Red Team nomenclature →