The Box Breaker and Script Creator
Offensive Security Specialist, Application Engineer, Developer, Researcher, Electrical Engineer, Bird Dad and Idiot.
- Some great words to describe myself!
From jobs to personal projects, I've encountered many different situations, met many diverse people and unwillingly learned new programming languages (looking at you, PHP).
My combined experience helps drive the thought process behind all my projects and allows me to constantly strive towards improvement of my current projects or development of great and new ideas!
You may have heard of me from my work as the software development lead for The Scorebot Project or my custom C2 framework XMT. If not, it might be from one of my other numerous projects, or you may have run into me as a Blue Teamer (in which case, hi! lol).
Regardless, my main goal is constantly improving my own work and being able to pass on the things I've learned to others.
If you ever play the Pros Versus Joes CTF or are at any major InfoSec con (BSidesLV, BSidesDC, BSidesDE, Shmoocon, Defcon, Blackhat, etc.) you might just run into me! I can always be found wherever the dank memes are.
Don't forget to peek at my Twitter to check up on the shenanigans that I'm getting into or to get a heads up on any updates to my projects!
- R to @iDigitalFlame: So if I'm correct, the code in the screenshot will return OUR StdErr handle, NOT the target process's StdErr as intended.
Tbh it's a weird "bug" maybe? But I guess you would never do this? (I hope) so it hasn't really popped up before? *shrug*
I'll have to test! #programming
- R to @iDigitalFlame: The next addition lands us at the handles of StdOut/StdErr/StdInput. Which makes sense as -10,-11,-12 are console input constants! (10/xB/xC)
BUT! WHAT IF we want to grab the StdErr/StdOut of ANOTHER process using the constants? Notice how it's using OUR (calling proc's) PEB? 4/5 @iDigitalFlame
- R to @iDigitalFlame: Ok, makes sense.
But if you know anything about the GS register, it's used to store the TEB (thread env block) which is index+0x60, which then gives us the PEB (proc env block).
Next, the +0x20 into the PEB gives us the ProcessParams struct.
Good so far.. 3/5 @iDigitalFlame
- R to @iDigitalFlame: One of the methods is going "lower" in the call stack (ie: OpenProcess->NtOpenProcess).
So DuplicateHandle is up next. Does this code look weird to you? At first, it didn't, but reading the docs for it said "if the handle is a pseudo handle, it converts it into a real handle" 2/5 @iDigitalFlame
- Wanted to write this up and maybe I'm not crazy, but I think I found weird behavior in how "DuplicateHandle" works in #windows.
Basically, I've been using Ghidra to find any corners I can cut while loading some function calls to give me a better chance at detecting AV hooks. 1/5 @iDigitalFlame
- Tip for my #blueteam-ers out there
Notice the diff in pics 1&2?
Pic1 has a GPO that prevents admins from getting "SeDebugPrivilege" which prevents me from elevating as SYSTEM (Pic3) using the code in Pic4
Good idea if you don't want me as SYSTEM on your box! 😈
- RT @_JohnHammond: Don't forget, 0-days wouldn't happen if you had just bought that one vendor's EDR, MDR, XDR, NDR, RDR, NXDR, ODR, PDR, LDR, QDR, VDR, JDR, KDR, IDR, 1DR, 4DR, DDR, ZDR, YDR, ⧫DR, 🟋DR, 🙻DRR, DRDRDR, AIDR solutions they emailed you about after you got stickers from their booth.@_JohnHammond
- Got some cool stuff in the works..
EDR/AV hooking API calls on your victim? Just ship your own syscalls right to your implants, no more losing shells 'cause you tried to read "ntdll.dll" 😈
#redteam #golang #programming #windows @iDigitalFlame
- RT @MalwareJake: Please RT for reach: If you were backdooring a program written in go, how would you do it? I'm trying to put together a quick cheat sheet of things to check for.
Thanks in advance!@MalwareJake
- RT @dakacki: Hey, Project Managers, for someone who has never done PM but wants to get into it, what are some things every new PM should know/work on?
Even if you’ve never been a PM but have worked with ones who you thought excelled at their craft, what made them great?@dakacki