Author: winternl
-
Unpacking the AAD Broker LocalState Cache
tl;dr: Source: https://github.com/jackullrich/AADBrokerDecrypt
Intro: The Azure AD Broker (AAD Broker) is a component of Entra ID that orchestrates Azure AD sign-in, device-bound primary refresh token (PRT) handling, and application token issuance exposed by Windows Runtime (WinRT) APIs. In this post, we’ll map the broker’s on-disk cache and show how to unpack its file formats. Additionally,…
-
Full Fat Shellcode
GLP-1s need not apply. There may be situations where you wish to conditionally run 32-bit or 64-bit shellcode from the same codebase. One such scenario is if you are bootstrapping some code into an ILONLY assembly. Below is valid x86 and x86-64 code that can be used for that purpose. The interesting bit is how…
-
Loader Lock Ownership Semantics
If your career as a programmer has led you here, fear not, there is still time to turn back. I will not tell you to rethink whatever disreputable sequence of instructions you intend to force feed your processor. Nor do I think it would be beneficial to re-evaluate any alternative solutions. No dear reader, I…
-
Why is there a debug directory in my release build?
(And other difficult conversations to have with your kids) If you’ve spent some time with MSVC you may have noticed your binary contains an IMAGE_DEBUG_DIRECTORY entry — even when building in release mode. This isn’t a new thing and this extra information was introduced in the 2015 release of Visual Studio. In fact, there’s a good…
-
CVE-2022-43997 – Local Privilege Escalation in Aternity Agent
Aternity is software developed by Riverbed used to monitor the performance of applications and devices from the end user perspective. Software such as Aternity is a prime target for vulnerability research. “Monitoring” software typically installs hooks and performs process injection to track analytics. Doing so safely is not a trivial task; there may be implementation…