Tweets


  1. Pinned tweet
    Jul 4, 2019

    An incomplete list of personal learning/research goals for the next few months/year(s?), in no specific order: - Get comfortable enough with UEFI to conduct my own research - Write my first non-toy Windows driver (that's not an APC injector)
  2. Feb 2

    I just wanted to plug my bass into a sound card at a friend's house, but it seems like for me, playing music might require more driver debugging than previously assumed.
  3. Retweeted
    Jan 26

    After examining and rereading , MS solution to most Elevation of Privilege (Symbolic\Hard Link) attacks is: Either keeping an open handle to the exploited resource or doing local impersonation correctly. Like in Or in
  4. Jan 20

    Thank you, Yiddish Wikipedia page for Windows Me, for being my guiding light in these trying times.
  5. Jan 20

    Random question time: Does anyone know what the various "TearoffThunk" vtables in mshtml.dll are supposed to do? From my extremely brief analysis, it seems like they might be used as proxies for a few COM interfaces, but any further information would be much appreciated.
  6. Jan 18

    A rare non-infosec tweet: is a fantastic band. Their music is that right kind of weird which makes me pick up an instrument for hours and write new stuff of my own. Go listen to them! That's it. Back to talking about Windows or whatever.
  7. Retweeted
    Jan 17
  8. Jan 13

    Anyway, no mitigation bypasses here (at least according to my quick analysis), but this has been a nice opportunity to learn...
  9. Jan 13

    BTW - Looks like the .Net Core 3.0.0 version of System.Private.CoreLib.dll doesn't have a RWX section anymore, so you can load it into a process with ACG and MicrosoftSignedOnly CIG, but it won't give you any fun RWX buffers to play with :(
  10. Jan 13

    This happens because MiMapViewOfImageSection actually checks the section permissions of loaded images, and calls MiArbitraryCodeBlocked (the main ACG function) when needed. Looks like MSFT has already considered this scenario against ACG :)
  11. Jan 13

    Sadly, it seems that while you're able to map RX memory into the process (which is necessary to load a library), ACG restricts RWX memory even when mapped as part of an image. Trying to load this dll into Edge will fail with STATUS_DYNAMIC_CODE_BLOCKED.
  12. Jan 13

    I thought such a library could be used as a CIG+ACG bypass, but it looks like this won't work. The idea was to load the MSFT signed library into Edge, which would get the process to map some RWX memory (as you can't just VirtualAlloc/Protect executable memory under ACG).
  13. Retweeted
    Nov 30, 2019

    Need some help from the community. My baby sister (she hates when I call her that) has thyroid cancer and needs help with her medical bills. My wife created this GoFundMe page to help her out with her bills. Any amount helps
  14. Retweeted

    Hey, new uploads to Windows-Insight: - an article on invocations between ci.dll and skci.dll: ; - a WiP paper on a framework for executing Hyper-V hypercalls (this allows fuzzing and testing performance): (code will follow soon!)
  15. Retweeted
    Nov 5, 2019
  16. Nov 5, 2019

    Is NAR (as in SkmiOperateOnLockedNar) short for "Normal Address Range"? I'm guessing the meaning of too many unknown terms recently, and I'm afraid that I might be living in some sort of made up acronym fantasy...
  17. Retweeted

    Hey, I just uploaded a couple of articles on DeviceGuard/WDAC internals in the Windows-Insight repo: . More articles on WDAC internals focusing on the most recent implementation (incl. new policy file management, driver blacklisting etc.) coming soon!
  18. Retweeted
    Oct 26, 2019

    While reverse engineering a rootkit sample (that I will soon publish about 😉) I saw this weird compiler optimization. I thought I'd start documenting compiler optimizations for reverse engineers. Read my first article in the series:
  19. Retweeted
    Oct 25, 2019

    As I'm currently missing and so can't troll in person, here's a blog about the recent changes to my .NET Remoting Exploit tool to bypass Low Type Filtering.
  20. Retweeted
    Oct 19, 2019
  21. Retweeted
    Oct 19, 2019

    Just published my latest project "ByePg", exposing an entirely new attack surface to PatchGuard/NT and bringing 's InfinityHook back:
