~$ whoami
Just a human—occasionally caffeinated, always curious.


Sometimes I drink coffee and write.
Sometimes I hack, play, make music, discover the world—and sleep.

In a world of freedom,
why should I limit myself to one persona?

Once, a wise man said:

“Don’t stick to anything, so you’ll have utmost freedom.”

And in Heat, someone said:

“Don’t let yourself get attached to anything you are not willing to walk out on in 30 seconds flat if you feel the heat around the corner.”

That one stuck with me.

I don’t belong anywhere—
but somehow, I belong everywhere.

In a world obsessed with fitting in,
I decided to sit in my corner.

Maybe someday I’ll stand out.
Maybe not.


~$ echo "freedom is not needing to explain yourself."

Syscalls — EDR evasion p1 (optional)

What is User mode API-Hooking in EDR?

Imagine you’ve just got some great deals at a newly opened supermarket and are heading home with your transparent shopping bag. As you stroll by the neighborhood grocer, he peeks into your bag to see what you’ve bought. If he spots something he already stocks (something sus), he stops you and won’t let you pass.

User-mode API hooking lets an EDR inspect calls into the Windows API and the Native API (the Nt/Zw stubs exported by ntdll.dll) before they reach the kernel, looking for potentially malicious arguments or behavior. There are several kinds of hooking, but most vendors use inline hooking: the EDR patches the beginning of the Native API stub itself. On x64 the stub loads the system service number (SSN) into eax with a mov eax, imm32 instruction, which is exactly five bytes long (the B8 opcode plus a 32-bit immediate), so it can be overwritten in place by a five-byte jmp rel32 without disturbing the instructions around it. That unconditional jmp redirects execution into the EDR's hooking DLL, which examines the call and its arguments in the context of the Native API and decides whether the request may continue to the syscall.

[Read more]

Hunting for Stealers

As a Threat Intelligence Analyst, part of my job involves scrolling through darknet forums and detecting potential attacks, breaches, and leaks (not the other one). One thing that always crosses my mind is how freely confidential data is posted on these forums. The most interesting of all are, of course, stealer logs.

A stealer is a Trojan that gathers information from a system. The most common stealers are those that collect logon information, such as usernames and passwords, and send it to another system, either via email or over a network.

[Read more]