How to run userland code from the kernel on Windows – Version 2.0

Introduction

Two years ago, Thierry F. wrote an article on this blog about a technique that allows a driver to inject a DLL into a process (https://thisissecurity.net/2014/04/08/how-to-run-userland-code-from-the-kernel-on-windows/). It was based on reverse engineering of the PEB.KernelCallbackTable field, which is untyped and completely undocumented. You may have discovered, through the article mentioned above, that...

The macabre dance of memory chunks

In this post, we want to share some notes on how to exploit heap-based overflow vulnerabilities by corrupting the size field of memory chunks. Please note that we do not present original content here; we only want to share two detailed write-ups with the community. The first one exploits a basic heap-based overflow by enlarging the...

From website-locker to DDoS: Rex !

In May 2016, Softpedia wrote an article about a Drupal web ransomware. This malware exploits an SQL injection in the Drupal CMS, changes the admin credentials and asks for bitcoins to unlock the content. After locking the website, a piece of malware is executed on the server. After this ends, the last uploaded file is a binary written in...

Gamarue loves malicious JavaScript too

A deep look inside a recent campaign

In the malware ecosystem, some old malware families are able to adapt their propagation methods and successfully continue to infect many users. This is the case for Gamarue (aka Andromeda). I will explain here how this new Gamarue campaign spreads via malicious JavaScript attached to spam emails. Early...

Let’s ride with TeslaCrypt

As you can see, we have been working on ransomware over the past few days. This time, we are talking about TeslaCrypt. TeslaCrypt is a ransomware spread by e-mail or by exploit kits. It encrypts your files and asks you to pay in order to retrieve the decryption key. The current version is 3.0. Many analyses...

A lockpicking exercise

A malware calling itself « CTB-locker » has been spreading over some websites since the 12th of February 2016. This campaign differs from classical ransomware attacks, which focus only on workstations: at first sight, CTB-locker also seems to target websites in order to encrypt all files located on the server. I found this campaign...

Hackers do the Haka – Part 1

Haka is an open source, network-security-oriented language that allows writing security rules and protocol dissectors. In this first part of a two-part series, we will focus on writing security rules.

What is Haka

Haka is an open source, security-oriented language that allows specifying and applying security policies on live captured traffic. Haka...

Low-cost point of sales (PoS) hacking

Hacking point of sale (PoS) systems is a very trendy topic. A lot of PoS malware can be found in the wild (jackPOS, gamaPOS, Backoff, FighterPOS…). At every big breach of PoS systems, the media talk about sophisticated attacks involving highly skilled attackers and great tools. But sometimes, it can be very easy to compromise a PoS...
