
Exploring from User-Mode to Kernel-Mode

Sina Karvandi 0

There were times when I wanted to trace instructions from user mode and continue tracing them into kernel mode to reverse Windows’s internal implementation with my own supplied parameters from user mode, but there was a big problem: how to access user mode when you are in a kernel debugger, or vice versa. Even though I knew about changing the debugger context to a specific process, there were other problems which made reversing the kernel impossible in this case.…

Defeat Malware’s Dynamic Api Loading

Sina Karvandi 0

There are thousands of ways to make malware resist static disassembly and static analysis. One of the known ways to circumvent suspicious-API blocking or static analysis by AVs is using the LoadLibrary API to dynamically load a library and then use its functions, which makes it a CPU-intensive task for AVs to defeat this kind of malware. This technique consists of using functions like LoadLibraryA or VirtualAlloc and then using GetProcAddress. As MSDN says, GetProcAddress: Retrieves the address…

A simple c# Trojan Horse example

Sina Karvandi 0

There were times when I started to learn C# just for creating trojans and this kind of stuff. It was 4 years ago when I built this Trojan horse to use it for educational purposes, but I soon understood that this kind of trojan horse, written in such a high-level programming language as C#, is not good enough because they are (almost) easily reversible, and new Trojan horses should be written…

Import Address Table (IAT) in action

Sina Karvandi 4

Did you ever think about how different DLL files with different versions, and obviously with different addresses of functions, work perfectly together? The answer is the Import Address Table (IAT). In the previous post I described how to get the SSDT. The IAT is somehow a user-mode version of the SSDT, and in this post I’m gonna write about what I read and experienced about the IAT in action. Why is the IAT important? It is important because it gives the PE executer a…

Lack of rechecking permissions in Android

Sina Karvandi 0

Yesterday, one of my friends and I were working on an Android penetration-testing project. After testing some kinds of exploits, we somehow got root privileges with some limitations. In the case of this exploit we could only write to any file we wanted, and we could not do anything more because ASLR was preventing us from doing so. So we just thought about how we could do something to violate the privacy of this Android device, then as we know…