Lord Of The Ring0 - Part 4 | The call back home
Prologue
In the last blog post, we learned some debugging concepts, understood what IOCTL is and how to handle it, and started to learn how to validate the data that we get from user mode - data that cannot be trusted, where a handling mistake can cause a blue screen of death.
In this blog post, I’ll explain the different types of callbacks and we...
timeout /t 31 && start evil.exe
Prologue
Cronos is a new sleep obfuscation technique co-authored by @idov31 and @yxel.
It is based on 5pider’s Ekko and like it, it encrypts the process image with RC4 encryption and evades memory scanners by also changing memory regions permissions from RWX to RW back and forth.
In this blog post, we will cover Cronos specifically and sleep ...
Lord Of The Ring0 - Part 3 | Sailing to the land of the user (and debugging the ship)
Prologue
In the last blog post, we understood what a callback routine is, how to get basic information from user mode and, for the finale, created a driver that can block access to a certain process. In this blog, we will dive into two of the most important things there are when it comes to driver development: how to debug correctly, how to cr...
Lord Of The Ring0 - Part 2 | A tale of routines, IOCTLs and IRPs
Prologue
In the last blog post, we had an introduction to kernel development, what the difficulties are when trying to load a driver and how to bypass them. In this blog, I will write more about callbacks, how to start writing a rootkit and the difficulties I encountered during my development of Nidhogg.
As I promised to bring both defensive ...
Lord Of The Ring0 - Part 1 | Introduction
Introduction
This blog post series isn’t a thing I normally do; this will be more like a journey that I document during the development of my project Nidhogg. In this series of blogs (which I don’t know how long it will be), I’ll write about difficulties I encountered while developing Nidhogg and tips & tricks for everyone that wants to...
Rust 101 - Let's write Rustomware
Introduction
When I first heard about Rust, my first reaction was “Why?”. The language looked to me like a “wannabe” C and I didn’t understand why it is so popular. I started to read more and more about this language and began to like it. To challenge myself, I decided to write rustomware in Rust. Later on, I ran into trickster0’s amazing repo...
The good, the bad and the stomped function
Introduction
When I first heard about ModuleStomping I was charmed since it wasn’t like any other known injection method.
Every other injection method has something in common: they use VirtualAllocEx to allocate a new space within the process, and ModuleStomping does something entirely different: instead of allocating new space in the process...
UdpInspector - Getting active UDP connections without sniffing
Many times I’ve wondered how come there are no tools to get active UDP connections.
Of course, you can always sniff with Wireshark or any other tool of your choosing, but why doesn’t Netstat have it built in? That is the point at which I went on a quest to investigate the matter.
...