winternl

cybersecurity & programming

Author: winternl

  • Fixing a bug in donut

    by

    winternl

    Exploring platform neutral assemblies and CLR internals

  • Why is there a debug directory in my release build?

    by

    winternl

    (And other difficult conversations to have with your kids) If you’ve spent some time with MSVC you may have noticed your binary contains an IMAGE_DEBUG_DIRECTORY entry — even when building in release mode. This isn’t a new thing and this extra information was introduced in the 2015 release of Visual Studio. In fact, there’s a good…

  • CVE-2022-43997 – Local Privilege Escalation in Aternity Agent

    by

    winternl

    Aternity is software developed by Riverbed used to monitor the performance of applications and devices from the end user perspective. Software such as Aternity is a prime target for vulnerability research. “Monitoring” software typically installs hooks and performs process injection to track analytics. Doing so safely is not a trivial task; there may be implementation…

  • Dealing with Failure: Failure Escalation Policy in Unmanaged CLR Hosts

    by

    winternl

    Offensive tooling built upon the .NET framework and its runtime environment, the Common Language Runtime (CLR), is an important part of the red teaming ecosystem. .NET tools offer rapid development times, a low barrier to entry, and are highly extensible through native interoperability. These tools have been and will continue to be used effectively on…

  • Detecting Manual Syscalls from User Mode

    by

    winternl

    By now direct system calls are ubiquitous in offensive tooling. Manual system calls remain effective for evading userland based EDRs. From within userland, there has been little answer to this powerful technique. Such syscalls can be effectively mitigated from kernel mode, but for many reasons, most EDRs will continue to operate exclusively from usermode. This…

  • Designing Emulation Resistant Control Flow

    by

    winternl

    Antimalware emulators have the Sisyphean task of implementing a complete and accurate clone of the Windows environment. My previous research focused on a generic way to detect the presence of such emulators based upon Windows API artifacts. This is and will continue to be an effective technique in one’s arsenal. One of the most effective…