Tamas K Lengyel

@tklengyel

Senior Security Researcher . Chief Research Officer . Maintainer of Xen, DRAKVUF & LibVMI. Views expressed are my own, not my employer’s.

Joined September 2014.

Tweets


  1. Pinned Tweet
    2 Feb

    Do you have an open-source cybersecurity project you would like to see being worked on as part of Google Summer of Code? We are collecting ideas & projects for this summer! Submit yours here (even if you wouldn't be able to be a mentor): !
  2. Retweeted

    To the person who figured out my honeypot is a honeypot could you please stop putting the picture of Pooh bear with a jar of honey on it? It's like this person's life mission, I've blocked him on: - Client - IPs (now on Tor ffs) - The image (he just edits 1 pixel every time...)
  3. 23 hours ago

    "Our NN is initially in Python for rapid iteration, then converted to C++/C/raw metal driver code for speed"
  4. Retweeted
    31 Jan

    I've been working on making a great benchmarking suite (MMTests, by & Perf Team) better for running benchmarks in VMs. Even in multiple VMs, at the same time and "in lockstep". I'll show how far I got, as of now, tomorrow at
  5. Retweeted
    31 Jan

    A helpful tool for quantifying risk... now available via open source from the Netflix Security team! Enjoy!
  6. 1 Feb

    "Clustering Analysis for Malware Behavior Detection using Registry Data" using DRAKVUF logs:
  7. Retweeted
    30 Jan

    Happy to announce a new LLVM instrumentation for AFL++ called CmpLog that feeds the fuzzer with comparison operands extracted with SanCov. I used it to build the Redqueen mutator in AFL++!
  8. Retweeted
    30 Jan

    Just a reminder! Tickets for the inaugural BSides Boulder go on sale FEB1 @ 9:00am ... There are 3 waves (Feb 1, Feb 15, Feb 29). See you there.
  9. Retweeted
    29 Jan

    CanSecWest is offering a free training and conference admission to the top 4 talk submissions from someone 25 or younger! All qualifying submissions also get a 10% discount on conference ticket. That’s basically a $5000 USD grant to the top 4 submissions. Please share!
  10. 29 Jan

    Lots of cool stuff being planned for Bareflank 3.0! Worth checking out!
  11. Retweeted
    28 Jan

    1\ Surprisingly, you could build a very mediocre PE malware detector with a single PE feature: the PE compile timestamp. In fact, I built a little random forest detector that uses only the timestamp as its feature that gets 62% detection on previously unseen malware at a 1% FPR.
  12. Retweeted
    27 Jan

    Windows kernel now relies on Virtualization-based Security (VBS) to securely insert dynamic trace points into kernel code. By relying on VBS, we can now safely and securely insert dynamic tracepoints in the kernel without disabling PatchGuard.
  13. 26 Jan

    Seriously, how much more convoluted can Microsoft make syscall handling??
  14. 26 Jan

    Now to actually calculate the final syscall address from the SSDT:
    syscall = SSDT base + offset - 0x10000000
    syscall += *(uint32_t*)(SSDT base + offset - 0x10000000 + 3) + 7
  15. 26 Jan

    At least the debug data has a hint that such a stub exists. So if anyone wonders what "linkage_name" means for an address in the Volatility/Rekall json profile, now you know.
  16. 26 Jan

    So what happens is that the address the SSDT points to is just a stub. It's responsible for loading the actual syscall address to r10. The address of the stub is NOT present in the PDB, only the final address it loads to r10.
  17. 25 Jan

    To clarify, the offsets are always calculated by taking the 32-bit value found in the SSDT and bitshifting it >> 4.
  18. 25 Jan

    Now on Windows 10 1903 a new set of syscalls appeared in the SSDT with a different discrepancy. The functions are expected to be at an address above the SSDT but the (SSDT base + offset) calculation doesn't match that. All of these functions have an offset like fd78df0, fd79030..
  19. 25 Jan

    It seems the reason for the special handling of these functions is due to them being located at an address lower than the SSDT base address. Normal functions are located at SSDT base + offset found in the SSDT. These functions are at (SSDT base + offset) - 0x10000000
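The SSDT resolution rule spelled out across the thread above (tweets 14 to 19), turned into code as an added example that is not DRAKVUF's or LibVMI's own: it applies the >> 4 shift, the 0x10000000 correction for entries whose function sits below the table, and the +3/+7 stub fixup, over a constructed in-memory image instead of a real guest read. The bit-27 test for choosing the correction, the check that the stub bytes are a RIP-relative `lea r10, [rip+disp32]` (4C 8D 15) before applying the fixup, and the signed displacement are my reading of the thread, not something it states.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample guest memory (not real Windows bytes): SSDT at image
 * offset 0x1000, a 7-byte stub below it at 0x800, the real function at 0x1800. */
#define IMAGE_BASE 0xfffff80000000000ULL
#define SSDT_BASE  (IMAGE_BASE + 0x1000)
static uint8_t g_image[0x2000];

/* Stand-in for a guest virtual-address read (LibVMI would do this for real). */
static bool read_mem(uint64_t va, void *dst, size_t len)
{
    if (va < IMAGE_BASE || va + len > IMAGE_BASE + sizeof g_image) return false;
    memcpy(dst, g_image + (va - IMAGE_BASE), len);
    return true;
}

static void build_sample_image(void)
{
    uint32_t e0 = (0x400u << 4) | 2;            /* ordinary: SSDT base + 0x400; low nibble is not offset */
    uint32_t e1 = (0x10000000u - 0x800u) << 4;  /* 1903-style: bit 27 set, function 0x800 below the table */
    memcpy(g_image + 0x1000, &e0, 4);
    memcpy(g_image + 0x1004, &e1, 4);
    /* stub: lea r10, [rip+disp32] reaching 0x1800; disp = 0x1800 - (0x800 + 7) = 0xFF9 */
    const uint8_t stub[7] = { 0x4C, 0x8D, 0x15, 0xF9, 0x0F, 0x00, 0x00 };
    memcpy(g_image + 0x800, stub, sizeof stub);
}

/* The thread's rule: offset = entry >> 4, address = base + offset, minus 0x10000000
 * for entries whose function sits below the table. Bit 27 of the shifted value marks
 * those: the subtraction is the sign correction of a 28-bit two's-complement offset,
 * which is why those offsets look like 0xfd7.... (my reading, not stated in the thread). */
static uint64_t ssdt_target(uint64_t ssdt_base, uint32_t entry)
{
    uint64_t offset = entry >> 4;
    return ssdt_base + offset - ((offset & 0x08000000u) ? 0x10000000u : 0u);
}

/* The "+3 / +7" fixup matches a 7-byte RIP-relative `lea r10, [rip+disp32]` (4C 8D 15
 * followed by a signed disp32); checking those bytes first is my addition, and a target
 * that is not such a stub is returned unchanged. */
static bool resolve_syscall(uint64_t ssdt_base, uint32_t entry, uint64_t *out)
{
    uint64_t addr = ssdt_target(ssdt_base, entry);
    uint8_t op[3];
    int32_t disp;
    if (!read_mem(addr, op, sizeof op)) return false;
    if (op[0] != 0x4C || op[1] != 0x8D || op[2] != 0x15) { *out = addr; return true; }
    if (!read_mem(addr + 3, &disp, sizeof disp)) return false;
    *out = addr + 7 + (int64_t)disp;   /* RIP-relative: end of the lea plus displacement */
    return true;
}
```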
  20. Retweeted
    24 Jan

    Twitter has a new security feature, if you tweet a password it puts asterisks instead. Try it now ******
