Leveraging LD_AUDIT to Beat the Traditional Linux Library Preloading Technique
Abusing LD_PRELOAD to intercept library calls on Linux is a known threat actor technique, but it’s possible to load libaries even before that. Meet LD_AUDIT
Moving From Manual Reverse Engineering of UEFI Modules To Dynamic Emulation of UEFI Firmware
Learn how to emulate, trace, debug, and Reverse Engineer UEFI modules in part 2 of our new blog series on Firmware Security
Case Study: Why You Shouldn’t Trust NTDLL from Kernel Image Load Callbacks
Read how we discovered and exploited several severe flaws in a security product’s kernel mode driver due to a lack of user mode input validation.
Moving From Common-Sense Knowledge About UEFI To Actually Dumping UEFI Firmware
The first in a series of posts for researchers on how to emulate, debug and fuzz UEFI modules, we begin with a refresher on how to dump SPI flash memory.
Breaking EvilQuest | Reversing A Custom macOS Ransomware File Encryption Routine
A new macOS ransomware threat uses a custom file encryption routine not based on public key encryption. Jason Reaves shows how we broke it.
Living Off Windows Land – A New Native File “downldr”
A newly discovered LOLBin offers an alternative to certutil for helping adversaries download files from a remote server. Meet desktopimgdownldr.exe.
A Click from the Backyard | Analysis of CVE-2020-9332, a Vulnerable USB Redirection Software
CVE-2020-9332 is a vulnerability that could allow an attacker to create trusted, fake USB devices and attack Windows machines in new and unexpected ways.
Sarwent Malware Continues to Evolve With Updated Command Functions
Sarwent has received little attention from researchers, but this backdoor malware is still being actively developed, with new commands and a focus on RDP.