new

matteo committed Nov 20, 2019
1 parent 10b175b commit ac41a23241f9775989013464544ce63fd55a4c51
Showing with 23 additions and 0 deletions.
  1. 0 assets/scss/_logo.scss
  2. 0 content/about.md
  3. 0 content/binary_analysis.md
  4. 0 content/blog/2013-08-18-rip-convergence-within-dmvpn.markdown
  5. 0 content/blog/2013-09-28-mss-clamping.markdown
  6. 0 content/blog/2013-10-25-ospf-e2-route-type-selection.markdown
  7. 0 content/blog/2013-11-02-udld-loop-guard-etherchannels.markdown
  8. 0 content/blog/2013-11-17-ospf-age.markdown
  9. 0 content/blog/2014-02-02-bgp-peering-behind-nat-overloaded-pat-network.markdown
  10. 0 content/blog/2014-02-15-unique-flag-dmvpn.markdown
  11. 0 content/blog/2014-04-23-nat-overload-pat-get-rid-source-port-ambiguity.markdown
  12. 0 content/blog/2014-07-07-ipv6-default-gateway-slaac-vs-dhcpv6.markdown
  13. 0 content/blog/2014-07-23-inter-vpn-option-b-ios-xr.markdown
  14. 0 content/blog/2014-07-27-next-hop-resolution.markdown
  15. 0 content/blog/2014-07-29-load-balancing.markdown
  16. 0 content/blog/2014-08-22-tcp-transfer-using-full-bandwidth.markdown
  17. 0 content/blog/2014-10-12-best-place-mark-traffic.markdown
  18. 0 content/blog/2014-11-13-multicast-troubleshooting-start-source.markdown
  19. 0 content/blog/2014-12-02-ethernet-multicast-promiscuous-mode.markdown
  20. 0 content/blog/2015-01-15-infinite-mpls-loop-possibile.markdown
  21. 0 content/blog/2015-02-02-bier-stateless-multicast.markdown
  22. 0 content/blog/2015-02-17-how-a-browser-decides-to-surf-on-ipv6.markdown
  23. 0 content/blog/2015-03-01-tcp-congestion-avoidance-in-a-nutshell.markdown
  24. 0 content/blog/2015-06-07-how-many-minimum-active-links-do-i-need-on-my-bundle.markdown
  25. 0 content/blog/2015-06-25-how-to-verify-interface-mtu-on-ios-xr.markdown
  26. 0 content/blog/2015-09-05-why-we-need-ipv6-flow-label.markdown
  27. 0 content/blog/2015-10-24-what-is-an-interface-symbol-error.markdown
  28. 0 content/blog/2016-01-26-bgp-neighbor-authentication-some-minutiae.markdown
  29. 0 content/blog/2016-05-07-anycasting-multicast-sources.markdown
  30. 0 content/blog/2016-05-13-tftp-slower-ftp.markdown
  31. 0 content/blog/2016-12-04-tiny-python-dns-querier.markdown
  32. 0 content/blog/2017-02-03-ip-spoofing-and-how-sps-avoid-it.markdown
  33. 0 content/blog/2017-08-29-SLAE-1-TCP-bindshell.markdown
  34. 0 content/blog/2017-08-31-SLAE-2-TCP-reverse-shell.markdown
  35. 0 content/blog/2017-09-03-SLAE-3-Egg-Hunter.markdown
  36. 0 content/blog/2017-09-05-SLAE-4-Custom-Encoder.markdown
  37. 0 content/blog/2017-09-05-SLAE-5-msf-payload-analysis.markdown
  38. 0 content/blog/2017-10-06-SLAE-6-polymorphic-shellcode.markdown
  39. 0 content/blog/2017-10-10-SLAE-7-custom-crypter.markdown
  40. 0 content/blog/2018-11-16-windows-kernel-debugging-fusion.markdown
  41. 0 content/blog/2018-12-02-revealing-software-breakpoints.markdown
  42. 0 content/blog/2018-12-05-detecting-vmware-on-64bit.markdown
  43. 0 content/blog/2019-01-21-malware-b64.markdown
  44. 0 content/blog/2019-03-25-PBA-ctf-level6.markdown
  45. 0 content/blog/2019-04-01-PBA-ctf-level7.markdown
  46. 0 content/blog/2019-04-17-confusing-objdump-sections.markdown
  47. 0 content/blog/2019-05-18-elf-injection.markdown
  48. 0 content/blog/2019-06-13-windows-shellcode-msfvenom.markdown
  49. 0 content/blog/2019-07-06-windows-kernel-shellcode.markdown
  50. +23 −0 content/blog/2019-11-15-win-defender-atp-cred-bypass.markdown
  51. 0 content/blog/2019-11-18-linux-syscall-monitoring.markdown
  52. 0 content/exploit_dev.md
  53. 0 content/hacks.md
  54. 0 content/minutes/binary_analysis.md
  55. 0 content/minutes/exploit_dev.md
  56. 0 content/minutes/pentesting.md
  57. 0 content/pentesting.md
  58. 0 content/tutorials/AV-Evasion.md
  59. 0 content/tutorials/buffer_overflow.md
  60. 0 i18n/en.toml
  61. 0 layouts/_default/list.html
  62. 0 layouts/minutes/list.html
  63. 0 layouts/partials/header.html
  64. 0 static/CNAME
  65. 0 static/LICENSE
  66. BIN static/android-chrome-192x192.png
  67. BIN static/android-chrome-256x256.png
  68. BIN static/apple-touch-icon.png
  69. 0 static/assets/0xD9E6A87B.gpg
  70. BIN static/assets/avatar.png
  71. BIN static/assets/blog/defender_alert.png
  72. BIN static/assets/fonts/FontAwesome.otf
  73. BIN static/assets/fonts/fontawesome-webfont.eot
  74. 0 static/assets/fonts/fontawesome-webfont.svg
  75. BIN static/assets/fonts/fontawesome-webfont.ttf
  76. BIN static/assets/fonts/fontawesome-webfont.woff
  77. BIN static/assets/fonts/fontawesome-webfont.woff2
  78. BIN static/assets/images/AV-evasion/ID2.png
  79. BIN static/assets/images/AV-evasion/ID3.png
  80. BIN static/assets/images/AV-evasion/av_diagram.png
  81. BIN static/assets/images/AV-evasion/av_diagram2.png
  82. BIN static/assets/images/AV-evasion/immunity_debug1.png
  83. BIN static/assets/images/AV-evasion/virustotal.png
  84. BIN static/assets/images/avatar.jpg
  85. BIN static/assets/images/avatar.png
  86. BIN static/assets/images/avatar2.png
  87. BIN static/assets/images/avatar_mini.jpg
  88. BIN static/assets/images/avatar_mini.png
  89. BIN static/assets/images/avatar_mini2.png
  90. BIN static/assets/images/banner2.jpg
  91. BIN static/assets/images/banner2.png
  92. BIN static/assets/images/banner3.png
  93. BIN static/assets/images/cheatsheets-ELF1.png
  94. BIN static/assets/images/daemon.png
  95. BIN static/assets/images/default-thumb.jpeg
  96. BIN static/assets/images/expl.png
  97. BIN static/assets/images/favicon.png
  98. BIN static/assets/images/git.png
  99. BIN static/assets/images/header1.jpg
  100. BIN static/assets/images/header_rosso_sito_1200px150px.jpg
  101. BIN static/assets/images/kernel_shellcode_2.png
  102. BIN static/assets/images/kernel_shellcode_priv.png
  103. BIN static/assets/images/linux_x86_binshell_ipv6_tcp.png
  104. BIN static/assets/images/shell_token.png
  105. BIN static/assets/images/stack.png
  106. BIN static/assets/images/stack2.jpg
  107. BIN static/assets/images/stack2.png
  108. BIN static/assets/images/stack3.png
  109. BIN static/assets/images/stack4.png
  110. BIN static/assets/images/stack5.png
  111. BIN static/assets/images/stack_old.png
  112. BIN static/assets/images/thumbnails/1.png
  113. BIN static/assets/images/thumbnails/2.png
  114. BIN static/assets/images/thumbnails/3.png
  115. BIN static/assets/images/thumbnails/4.png
  116. BIN static/assets/images/thumbnails/5.png
  117. BIN static/assets/images/twit.png
  118. 0 static/assets/js/_main.js
  119. 0 static/assets/js/main.min.js
  120. 0 static/assets/js/plugins/jquery.fitvids.js
  121. 0 static/assets/js/plugins/jquery.greedy-navigation.js
  122. 0 static/assets/js/plugins/jquery.magnific-popup.js
  123. 0 static/assets/js/plugins/jquery.smooth-scroll.min.js
  124. 0 static/assets/js/vendor/jquery/jquery-3.2.1.min.js
  125. BIN static/banner2.png
  126. 0 static/browserconfig.xml
  127. 0 static/css/highlightjs.piperita.scss
  128. 0 static/css/jquery.mmenu.all.css
  129. 0 static/css/style.scss
  130. 0 static/css/syntax-highlighting.css
  131. 0 static/css/syntax-highlighting.scss
  132. BIN static/favicon-16x16.png
  133. BIN static/favicon-32x32.png
  134. BIN static/favicon.ico
  135. BIN static/favicon.svg
  136. BIN static/img/avatar.png
  137. BIN static/img/avatar_small.png
  138. BIN static/img/banner3.png
  139. BIN static/img/daemon.png
  140. BIN static/img/stack2.png
  141. 0 static/js/jekyll-search.js
  142. 0 static/js/jquery.mmenu.min.all.js
  143. BIN static/mstile-150x150.png
  144. BIN static/plugin.zip
  145. 0 static/safari-pinned-tab.svg
  146. 0 static/search.json
  147. 0 static/site.webmanifest
  148. BIN static/stack.png
0 assets/scss/_logo.scss 100644 → 100755
No changes.
0 content/about.md 100644 → 100755
No changes.
0 content/binary_analysis.md 100644 → 100755
No changes.
@@ -110,3 +110,26 @@ PssCaptureSnapShot — > PssNtCaptureSnapshot --> SYSCALL->ZwCreateProcessEx
Kernel32 — — -ntdll — — — — — — — — — - — — — — — ntoskrnl
```
PssCaptureSnapShot -> PssNtCaptureSnapshot internamente chiamata ZwCreateProcessEx per creare il clone.
Quindi se in controllo di ATP, che sappiamo basarsi su una statistica di quantità di dati letta,
si basa sull'attività diretta che viene fatta su lsass (o su un handler diretto a questo processo), è possibile che
eseguendo MiniDumpWriteDump su l'handle del processo creato internamente con ZwCreateProcessEx non rientri
nella sorveglianza di ATP.
Quindi ho aggiunto anche questa opzione al progetto che ti ho inviato.
PssCaptureSnapShot si basa per la sua quasi tutalità su NtMapViewPfSection
La NtRead c'è ma quando sein inminidumpwritedump cioè oltre la PssCaptureSnapShot
NtMapViewOfSection è una syscall quindi o la controllano o nulla
NTMap è una syscall
nNo è proprio questo il punto
la ntread quando si usa PssCaprtureSnapshot
non viene MAI chiamata su un handle diretto di lsass
ma soltanto sul clone
se non usi lo snapshot la ntread la fai direttamente sull'handle a lsass
Io vedo con ghidra che internamente la psscapturesnapshot chiama una create process
secondo me l'handle ritornato è il risultato di questa chiamata
ZwCreateProcessEx
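Review bot: the added lines (after the closing ``` at the end of the call-chain figure) are a pasted chat exchange rather than post prose, and the post's central claim is left as a hypothesis. Typos such as "tutalità", "sein inminidumpwritedump", "nNo", "PssCaprtureSnapshot" and "NtMapViewPfSection" (written correctly as NtMapViewOfSection two lines later) should be fixed, and sentences addressed to a private correspondent ("Quindi ho aggiunto anche questa opzione al progetto che ti ho inviato") either dropped or turned into a reference to a named, linked project. The argument itself is "è possibile che" / "secondo me": the text asserts that PssCaptureSnapshot creates the clone via ZwCreateProcessEx and that NtReadVirtualMemory is issued only against the clone handle, never against a direct lsass handle, but records no observation of what ATP actually did when the snapshot option was used. Suggest a short paragraph that states the call chain once, then states the observed outcome (the commit also adds static/assets/blog/defender_alert.png, which is not referenced from these lines), and softens "che sappiamo basarsi su una statistica di quantità di dati letta", since the post shows no evidence for that characterisation of the detection heuristic. From the detection side, the same paragraph should spell out the consequence the hunk only implies: a monitor keyed solely on reads of a direct lsass handle does not see the snapshot path, so coverage has to consider the clone-creation step as well.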
0 content/exploit_dev.md 100644 → 100755
No changes.
0 content/hacks.md 100644 → 100755
No changes.
0 content/minutes/exploit_dev.md 100644 → 100755
No changes.
0 content/minutes/pentesting.md 100644 → 100755
No changes.
0 content/pentesting.md 100644 → 100755
No changes.
0 content/tutorials/AV-Evasion.md 100644 → 100755
No changes.
0 i18n/en.toml 100644 → 100755
No changes.
0 layouts/_default/list.html 100644 → 100755
No changes.
0 layouts/minutes/list.html 100644 → 100755
No changes.
0 layouts/partials/header.html 100644 → 100755
No changes.
0 static/CNAME 100644 → 100755
No changes.
0 static/LICENSE 100644 → 100755
No changes.
0 static/android-chrome-192x192.png 100644 → 100755
No changes.
0 static/android-chrome-256x256.png 100644 → 100755
No changes.
0 static/apple-touch-icon.png 100644 → 100755
No changes.
0 static/assets/0xD9E6A87B.gpg 100644 → 100755
No changes.
0 static/assets/avatar.png 100644 → 100755
No changes.
0 static/assets/images/avatar.jpg 100644 → 100755
No changes.
0 static/assets/images/avatar.png 100644 → 100755
No changes.
0 static/assets/images/avatar2.png 100644 → 100755
No changes.
0 static/assets/images/banner2.jpg 100644 → 100755
No changes.
0 static/assets/images/banner2.png 100644 → 100755
No changes.
0 static/assets/images/banner3.png 100644 → 100755
No changes.
0 static/assets/images/daemon.png 100644 → 100755
No changes.
0 static/assets/images/expl.png 100644 → 100755
No changes.
0 static/assets/images/favicon.png 100644 → 100755
Diff not rendered.
0 static/assets/images/git.png 100644 → 100755
Diff not rendered.
0 static/assets/images/header1.jpg 100644 → 100755
Diff not rendered.
0 static/assets/images/stack.png 100644 → 100755
Diff not rendered.
0 static/assets/images/stack2.jpg 100644 → 100755
Diff not rendered.
0 static/assets/images/stack2.png 100644 → 100755
Diff not rendered.
0 static/assets/images/stack3.png 100644 → 100755
Diff not rendered.
0 static/assets/images/stack4.png 100644 → 100755
Diff not rendered.
0 static/assets/images/stack5.png 100644 → 100755
Diff not rendered.
0 static/assets/images/twit.png 100644 → 100755
Diff not rendered.
0 static/assets/js/_main.js 100644 → 100755
No changes.
0 static/assets/js/main.min.js 100644 → 100755
No changes.
0 static/banner2.png 100644 → 100755
Diff not rendered.
0 static/browserconfig.xml 100644 → 100755
No changes.