KRIe – Linux Kernel Runtime Integrity With eBPF

KRIe is a research project that aims to detect Linux Kernel exploits with eBPF. KRIe is far from being a bulletproof strategy: from eBPF related limitations to post exploitation detections that might rely on a compromised kernel to emit security events, it is clear that a motivated attacker will eventually be able to bypass it.

Dumpscan – Tool To Extract And Dump Secrets From Kernel And Windows Minidump Formats

Dumpscan is a command-line tool designed to extract and dump secrets from kernel and Windows Minidump formats. Kernel-dump parsing is provided by volatility3. Features: x509 public and private key (PKCS #8/PKCS #1) parsing; SymCrypt parsing. Supported structures: SYMCRYPT_RSAKEY – determines if the key structure also has a private key; matching to public certificates found in

Casper-Fs – A Custom Hidden Linux Kernel Module Generator. Each Module Works In The File System To Protect And Hide Secret Files

Casper-fs is a custom Linux Kernel Module generator that works with resources to protect or hide a custom list of files. Each LKM has resources to protect or hide files following a custom list in the YAML rule file. Yes, not even root has permission to see the files or perform actions like edit

Skrull – A Malware DRM, That Prevents Automatic Sample Submission By AV/EDR And Signature Scanning From Kernel

Skrull is a malware DRM that prevents Automatic Sample Submission by AV/EDR and Signature Scanning from Kernel. It generates launchers that can run malware on the victim using the Process Ghosting technique. Also, launchers are totally anti-copy and naturally broken when submitted. It's a proof-of-concept of the talk at ROOTCON & HITCON 2021, check

Speakeasy – Windows Kernel And User Mode Emulation

Speakeasy is a portable, modular, binary emulator designed to emulate Windows kernel and user mode malware. Check out the overview in the first Speakeasy blog post. Instead of attempting to perform dynamic analysis using an entire virtualized operating system, Speakeasy will emulate specific components of Windows. Specifically, by emulating operating system APIs, objects, running processes/threads,

Kconfig-Hardened-Check – A Tool For Checking The Hardening Options In The Linux Kernel Config

Motivation: There are plenty of Linux kernel hardening config options. A lot of them are not enabled by the major distros. We have to enable these options ourselves to make our systems more secure. But nobody likes checking configs manually. So let the computers do their job! kconfig-hardened-check.py helps me to check the Linux kernel

Xnuspy – An iOS Kernel Function Hooking Framework For Checkra1N’Able Devices

[Figure: Output from the kernel log after compiling and running example/open1_hook.c]

xnuspy is a pongoOS module which installs a new system call, xnuspy_ctl, allowing you to hook kernel functions from userspace. It supports iOS 13.x and 14.x on checkra1n 0.12.2 and up. 4K devices are not supported. Requires libusb: brew install libusb. Building: run make in
