Readings

保存一些想要看的文章，当作简单的 Pocket。

记录想看的和已经看过的文章

• 利用 VBA 进行 IOCTL 操作，Frog Guy Rants | Ring0VBA - Getting Ring0 Using a Goddamn Word Document (disrel.com)
• 简单的 COM 教程，Step by Step COM Tutorial | CodeGuru
• Offensive IPC 系列，介绍了常用的 IPC 方法，非常细，Offensive Windows IPC Internals 1: Named Pipes · csandker.io
• 从防守方的角度看 RPC 的使用，A Voyage to Uncovering Telemetry: Identifying RPC Telemetry for Detection Engineers — IPC Research 1.0 documentation (ipc-research.readthedocs.io)
• 检测远程服务的创建，例如 Psexec，Endpoint Detection of Remote Service Creation and PsExec - F-Secure Blog
• WMI Internals 系列，详细介绍 WMI， WMI Internals Part 1. Understanding the Basics | by Jonathan Johnson | Medium
• 关于 RPC Filter，Akamai Blog | A Definitive Guide to the Remote Procedure Call (RPC) Filter
• Windows 认证机制相关内容，A Windows Authorization Guide · csandker.io，这人博客质量真的高
• The State of Exploit Development: Part 1 | CrowdStrike
• One I/O Ring to Rule Them All: A Full Read/Write Exploit Primitive on Windows 11 – Winsider Seminars & Solutions Inc. (windows-internals.com)
• An End to KASLR Bypasses? – Winsider Seminars & Solutions Inc. (windows-internals.com)
• A blueprint for evading industry leading endpoint protection in 2022 | Vincent Van Mieghem，翻译：[原创]2022年，工业级EDR绕过蓝图-外文翻译-看雪论坛-安全社区|安全招聘|bbs.pediy.com (kanxue.com)
• https://eversinc33.github.io/posts/avoiding-direct-syscall-instructions/
• XLM (Excel 4.0) Macro Generator for Phishing Campaigns (fortynorthsecurity.com)，Office 钓鱼
• EDR 如何实现 Hook API，以 Mcafee 为例。EDR Series : How EDR Hooks API Calls (Part-1) (cyberwarfare.live)
• Dec0ne/HWSyscalls: HWSyscalls is a new method to execute indirect syscalls using HWBP, HalosGate and a synthetic trampoline on kernel32 with HWBP. (github.com)，使用硬件断点进行 direct syscall
• Behind the Mask: Spoofing Call Stacks Dynamically with Timers | Cobalt Strike Blog，Call Stack Spoofing
• Writing a Debugger From Scratch - DbgRs Part 1 // TimDbg，实现调试器
• Sysmon vs Microsoft Defender for Endpoint, MDE Internals 0x01 | by Olaf Hartong | FalconForce | Medium
• x64 的栈的介绍，讲解了 x64 的异常和 Stack Walking/Unwinding 等内容。The Stack Series: The X64 Stack – offensivecraft (wordpress.com)
• 与上面相关，The Stack, The Windows & The Adventures – offensivecraft (wordpress.com)
• 同上，The Stack Series: Return Address Spoofing on x64 – offensivecraft (wordpress.com)
• Let’s build a Chrome extension that steals everything (substack.com)，使用 chrome extension 窃取信息
• Sacrificial session | Unshade Security
• parameters by passing a random pop r32; ret gadget can be used for stealthy code injection. (github.com)
• https://redops.at/en/blog/a-story-about-tampering-edrs
• Windows SEH 相关，已翻译，Understanding Windows Structured Exception Handling Part 1 – The Basics | limbioliong (wordpress.com)
• 一个简单实用的后门，sc sdset scmanager D:(A;;KA;;;WD)，允许任何人创建系统服务，https://twitter.com/0gtweet/status/1628723544820416513?t=A3xfZG35DAgocTp3RMxnlg&s=19
• API Unhooking with Perun’s Fart - Blog by Dosxuz
• https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
• https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
• https://exploitreversing.com/2023/01/05/malware-analysis-series-mas-article-7/
• Lateral Movement using Excel.Application and DCOM | enigma0x3
• https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist
• https://www.vx-underground.org/other.html#code_mutation
• How To Add JWT Authentication To An ASP.NET Core API | by Jacob Toftgaard Rasmussen | Geek Culture | Jan, 2023 | Medium，在 .NET Core Web API 中加入身份认证和授权。
• https://www.cobaltstrike.com/blog/arsenal-kit-update-thread-stack-spoofing/
• https://cocomelonc.github.io/malware/2023/02/20/malware-av-evasion-12.html
• https://medium.com/@levshmelevv/10-000-bounty-for-exposed-git-to-rce-304c7e1f54
• https://www.cobaltstrike.com/blog/behind-the-mask-spoofing-call-stacks-dynamically-with-timers/
• Windows 内核驱动开发，是一个系列，似乎还在更新，养肥再看Lord Of The Ring0 - Part 1 | Introduction - Ido Veltzman - Security Blog (idov31.github.io)
• https://github.com/xforcered/Windows_LPE_AFD_CVE-2023-21768
• https://valsamaras.medium.com/introduction-to-x64-linux-binary-exploitation-part-1-14ad4a27aeef
• noby0x1/Mind-Maps: Config files for my GitHub profile.
• https://mayfly277.github.io/assets/blog/pentest_ad.svg
• AD 靶场，Game Of Active Directory v2 | Mayfly (mayfly277.github.io)
• DLL Hijacking & COM Hijacking ByPass UAC - 议题解读 « 倾旋的博客 (payloads.online)
• modexp | Random posts about computer security (wordpress.com)
• LDAPSearch Reference :: malicious.link — welcome
• Persistence – Service Control Manager – Penetration Testing Lab (pentestlab.blog)
• Bypassing PPL in Userland (again) – Sec Team Blog (scrt.ch)
• Bypassing AV/EDR Hooks via Vectored Syscall - POC (cyberwarfare.live)
• Using Frida for rapid detection testing | PassTheHashBrowns
• Incursus Absconditus: Self-removing PE’s with Remote Thread Injection (0xthem.blogspot.com)