PoC: Encoding Shellcode Into Invisible Unicode Characters

Malware has been using unicode since time ago, to hide / obfuscate urls, filenames, scripts, etc... Right-to-left Override character (e2 80 ae) is a classic. In this post  a PoC is shared, where a shellcode is hidden / encoded into a string in a python script (probably this would work with other languages too), with invisible unicode characers that will not be displayed by the most of the text editors.

PoC: Copy Data into Remote Process Address Space with Window Messages

This post is the story of an unuseful fuzzer that became an unuseful but funny PoC. These days I have been playing with window messages and I would like to share some notes about the behavior of some messages, such as WM_SETTEXT or WM_COPYDATA, and a tiny PoC to execute code into explorer.exe process by using these messages and SetThreadContext. This is not about a bug or vulnerability, these window messages work as expected. It is only some ideas about using these messages in a tricky way to put our data into the address space of some target processes.

Copy and execute file to remote machine like psexec with the Windows api

These days we have heard a lot about the new Petya (or NotPetya, EternalPetya, etc…) ransomware (or wiper). It propagates itself using the same exploit as WannaCry, eternalBlue. But the malware is using additional method to propagate itsefl. It enumerates local credentials and tries to login into remote machines with psexec for executing itself there. In this article I talk a bit about the Windows api that psexec is using for copying and executing files in a remote machine, and i share a PoC in python.

Batch, attach and patch: using windbg’s local kernel debugger to execute code in windows kernel

In this article I am going to describe a way to execute code in windows kernel by using windbg local kernel debugging. It’s not a vulnerability, I am going to use only windbg’s legal functionality, and I am going to use only a batch file (not powershell, or vbs, an old style batch only) and some Microsoft’s signed executables (some of them that are already in the system and windbg, that we will be dumped from the batch file).