By now direct system calls are ubiquitous in offensive tooling. Manual system calls remain effective for evading userland based EDRs. From within userland, there has… Read More »Detecting Manual Syscalls from User Mode
Antimalware emulators have the Sisyphean task of implementing a complete and accurate clone of the Windows environment. My previous research focused on a generic way… Read More »Designing Emulation Resistant Control Flow
Preface Dynamic malware analysis is the preferred way to determine the legitimacy of an application for many AVs/EDRs/MDSs. Unlike static analysis, dynamic analysis can capture… Read More »MemFuck: Bypassing User-Mode Hooks
Preface The cat and mouse game of the AV industry lives on into another decade. All AVs, operate on essentially three modes of detection. Static… Read More »Static Detection of Portable Executable Files
What is emulation? Malware Detection Systems (MDSs) use a technique called emulation as perhaps their most effective weapon against novel malware threats. Emulation does not… Read More »Fuzzing the Windows API for AV Evasion
is a modified process hollowing technique capable of injecting entire PE files. What is process hollowing? Process hollowing or RunPE is a code injection technique… Read More »TRunPE
is an extensible framework for easily writing debuggable, compiler optimized, position-independent, x86 and x64 shellcode for windows platforms. I will be demonstrating how to write… Read More »ShellcodeStdio