This write-up covers the internals of Chaos-Rootkit, a Ring-0 Windows rootkit I wrote to better understand kernel internals and rootkit techniques. Fun fact: Many parts of this rootkit were written during train rides 😄! The following list summarizes the implemented capabilities. Each item is explained in later sections. * Hide process: This
Summary This write-up details a local privilege escalation vulnerability that I reported to Lenovo PSIRT in January of last year. The issue affects an audio enhancement software pre-installed on many gaming laptops, including Lenovo Legion, IdeaPad Gaming, MSI, Thunderobot, and others. The vulnerability was tracked by Lenovo PSIRT as LEN-18785
While chilling in a voice chat, one of my friends suggested we play Chained Together. If you haven’t tried it, it’s a game on Steam where all players are literally chained together, and you have to climb up without dragging each other down. Sounds simple, right? Yeah… not
As always, while surfing X (formerly Twitter), I came across an interesting tweet from vx-underground that immediately caught my attention: "Shoutout to the homies at IObit Malware Fighter. Their IMFForceDelete driver is so wildly vulnerable, and poorly written, you can have their driver arbitrarily delete any file on the
During a ransomware incident response, I noticed a file with a strange name that was retrieved by the team. Upon inspection, it turned out to be a driver. This raised the question "what does a driver have to do with a ransomware incident response?" To understand this, I
The retrieved binary is a 32-bit Windows executable that contains BlackCat Ransomware, BlackCat, also known as Noberus or ALPHV, is a sophisticated ransomware family programmed in Rust and deployed as part of Ransomware as a Service (RaaS) operations on Windows, The ransomware can be configured to encrypt files using either
The first file is a 32-bit Windows executable that contains a Cobalt Strike Beacon, This executable file uses two local thread storages to conceal its main functionality, evade detection, and make its code more complex and difficult to analyze, also the file contains a malicious implant known as a Cobalt