Why doesn't Mastodon / ActivityPub have an equivalent of other platforms' abilities for a post author to hide certain replies for everyone, or disable replies entirely? Someone on another platform brought this up and actually I'm curious
Did you know that on 64-bit Windows you can execute x64 Assembly inside of a 32-bit process?
All you need to do is perform a FAR call or jump using the segment selector 0x33. This will transition the CPU mode from 32-bit to 64-bit, a technique commonly referred to as Heaven's Gate.
I wish someone warned me how hard having plants is in LA. I had to buy a water distiller because the tap water has so many chemicals in it that my plants just unalive themselves if I give them it. I can't even collect rain water to feed them because it doesn't rain.
Need a super simple way to make a reverse shell in C? Winsock sockets can be used as handles! When launching a process via CreateProcess() you can replace the stdin, stdout, and stderr handles with a socket. This will result in all command line I/O from the application being redirected over the socket connection. Great for CMD and PowerShell!
@malwaretech @gsuberland well AFAIK the ability to read and write to the socket handle directly has been around since at least WinXP. The wrapper driver I assume you're talking about (ws2ifsl) is the only thing that's been disabled since Win10.
The big difference though is in the "good old days" i.e. prior to Windows 8 or so the SOCKET you got back from WSASocket wasn't guaranteed to be a handle to the AFD driver. I still don't think it is guaranteed, but I think unless you've got to some old Winsock LSP installed or try and use a weird socket type then it'll almost always be a handle.
This is also why there's a WSADuplicateSocket API to ensure the data structures for the socket are copied to a new process, it wasn't always the case that the handle was sufficient.
@tiraniddo @malwaretech @gsuberland funnily enough I was looking into some of these internals a little bit recently to think about how it could be possible to get my NT 4 port to Wii to use the high-level IOS socket API (via a driver)
The high end apartment complexes here are absolutely hilarious. In a regular apartment complex the landlord basically just refuses to fix your washer. In a high end apartment complex they'll be like hosting DJ'd pool parties with dinner, drinks and fireworks, but then still won't fix your washer. It's like the corporate equivalent of ADHD. They're always on some elaborate side quest instead of doing basic necessities
@malwaretech I'm too mountain to actually know but I'm assuming those are more than 1-2 feet? lol, I wonder if there is a minimum height required for it to break like that.
Did you know that malware can create separate desktop sessions that are hidden from the user?
By utilizing the CreateDesktop() API, it's possible to create a hidden desktop session where activity is not visible to the current user. This is often used by malware to provide an attacker with remote interactive access to a system while a user is logged on, all without them knowing. This is commonly referred to as HiddenVNC.
Often these desktop sessions persist until a system reboot, so they can be identified through enumeration using the EnumDesktops() function.
A common technique malware uses to detect if it's running in a virtual machine is via CPUID. The 31st bit of ECX on leaf 1 is set to 1 if the OS is running on top of a hypervisor.
On leaf 0x40000000 the EBX, ECX, and EDX values combine to create a text string that identifies the hypervisor vendor.
With VMware, both methods can be easily countered by modifying your VMX file to override the CPUID registers. Simply shut down your VM and add the following lines to your config file:
cpuid.1.ecx="0---:----:----:----:----:----:----:----"
cpuid.40000000.ebx="0000:0000:0000:0000:0000:0000:0000:0000"
cpuid.40000000.ecx="0000:0000:0000:0000:0000:0000:0000:0000"
cpuid.40000000.edx="0000:0000:0000:0000:0000:0000:0000:0000"
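The two CPUID checks described in the post above, written out as an added example (this is not code from the original post). The `hypervisor_bit_set` and `decode_hv_vendor` helpers are pure functions over register values, so they can be exercised with constructed inputs; `detect_hypervisor` issues the real instruction and is compiled only on x86 targets (GCC/Clang or MSVC), returning -1 elsewhere. The vendor-signature table is the set of well-known leaf 0x40000000 signatures; anything else is returned as-is.

```c
/* Added example (not from the original post): the two CPUID hypervisor checks
 * described above. The register values in comments and tests are constructed;
 * the live query is compiled only on x86 targets so the pure decoding helpers
 * still build elsewhere. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#  include <cpuid.h>
#  define HAVE_CPUID 1
#elif defined(_MSC_VER) && (defined(_M_X64) || defined(_M_IX86))
#  include <intrin.h>
#  define HAVE_CPUID 1
#else
#  define HAVE_CPUID 0
#endif

/* Leaf 1: ECX bit 31 is the "hypervisor present" flag (0 on bare metal).
 * In a VMware .vmx mask the leftmost character is bit 31, so
 * cpuid.1.ecx = "0---:..." forces exactly this bit to 0. */
int hypervisor_bit_set(uint32_t ecx)
{
    return (int)((ecx >> 31) & 1u);
}

/* Leaf 0x40000000: EBX, ECX, EDX carry a 12-byte vendor signature, each
 * register holding four characters in little-endian byte order.
 * e.g. ebx=0x61774d56 ecx=0x4d566572 edx=0x65726177 -> "VMwareVMware" */
void decode_hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int b = 0; b < 4; b++)
            out[r * 4 + b] = (char)((regs[r] >> (8 * b)) & 0xffu);
    out[12] = '\0';
}

/* Map well-known signatures to a vendor name; unknown ones are returned as-is. */
const char *hv_vendor_name(const char *sig)
{
    static const struct { const char *sig, *name; } known[] = {
        { "VMwareVMware", "VMware"     },
        { "Microsoft Hv", "Hyper-V"    },
        { "KVMKVMKVM",    "KVM"        },   /* last three bytes of EDX are NUL */
        { "XenVMMXenVMM", "Xen"        },
        { "VBoxVBoxVBox", "VirtualBox" },
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(sig, known[i].sig) == 0)
            return known[i].name;
    return sig;
}

/* Run both checks on the current CPU. Fills vendor (13 bytes) when present.
 * Returns 1 = hypervisor detected, 0 = not detected, -1 = CPUID unavailable. */
int detect_hypervisor(char vendor[13])
{
    vendor[0] = '\0';
#if HAVE_CPUID
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
#  if defined(__GNUC__)
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
#  else
    int r[4];
    __cpuid(r, 1);
    ecx = (unsigned int)r[2];
#  endif
    if (!hypervisor_bit_set(ecx))
        return 0;
    /* 0x40000000 lies above the basic-leaf maximum that __get_cpuid checks,
     * so issue the instruction directly. EAX (max hypervisor leaf) is unused. */
#  if defined(__GNUC__)
    __cpuid(0x40000000, eax, ebx, ecx, edx);
#  else
    __cpuid(r, 0x40000000);
    ebx = (unsigned int)r[1]; ecx = (unsigned int)r[2]; edx = (unsigned int)r[3];
#  endif
    (void)eax;
    decode_hv_vendor(ebx, ecx, edx, vendor);
    return 1;
#else
    return -1;
#endif
}

int main(void)
{
    char vendor[13];
    int rc = detect_hypervisor(vendor);
    if (rc < 0)
        puts("CPUID not available on this build target");
    else if (rc == 0)
        puts("hypervisor bit clear (bare metal, or masked via the .vmx override)");
    else
        printf("hypervisor present: %s (\"%s\")\n", hv_vendor_name(vendor), vendor);
    return 0;
}
```

Run it once inside the VM before and after adding the .vmx lines: the first run should name the vendor, the second should report the bit as clear. Note that masking leaf 1 alone is enough for malware that stops at the first check; the leaf 0x40000000 overrides matter for samples that read the vendor string unconditionally.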
@malwaretech If I remember correctly, this is also how Windows identifies if it is virtualized or not. Hiding the virtualization status (hypervisor.cpuid.v0 = "FALSE") should provide the same functionality you are after. As for KVM(Proxmox in my case) adding these ARGs does the same thing - args: -cpu 'host,-hypervisor'
@malwaretech I've wondered if such detections really work in the attackers interests these days when nearly every server is virtualised. Saying "nope I won't run here" restricts you to a bunch of desktops.
Ever wondered why Windows loads the same DLL at the same memory address in every process, even if ASLR is enabled?
It's because it actually is the same memory! To save RAM, the system only loads one copy of a DLL into physical memory. This physical memory is then shared by multiple different processes. Processes aren't loading copies of the same DLL, they're all using the same exact copy.
To avoid any security issues, shared memory regions are marked as CopyOnWrite. If any process attempts to write to shared memory, the system will create a copy of the memory just for that process. This enables the process to read/write memory freely without affecting others.
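An added example (not code from the original post) that makes the copy-on-write behaviour above observable. Windows maps a DLL's image pages copy-on-write into each process; the closest portable equivalent is a MAP_PRIVATE file mapping, which is contrasted here with MAP_SHARED. The code maps one scratch file twice, writes through the first mapping, and reports whether the second mapping or the file on disk saw the write. The scratch file path under /tmp and the page contents are constructed by the example; it assumes Linux or another POSIX system.

```c
/* Added example (not from the original post): POSIX illustration of the
 * copy-on-write behaviour described above. MAP_PRIVATE stands in for the
 * copy-on-write image mapping Windows uses for DLLs; MAP_SHARED shows the
 * contrast. The scratch file is created and deleted by this code. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define ORIGINAL "original page contents"   /* constructed file contents */
#define PATCH    "patched!"                 /* 8 bytes, written at offset 0 */

/* Map one file twice with `flags`, write through the first mapping, and
 * report where the write became visible:
 *   bit 0 - the second mapping sees it
 *   bit 1 - the file itself sees it
 * Returns that bitmask, or -1 on a system error. */
int write_visibility(int flags)
{
    char path[] = "/tmp/cow_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                           /* file persists until close */

    long pg = sysconf(_SC_PAGESIZE);
    if (ftruncate(fd, pg) != 0 ||
        pwrite(fd, ORIGINAL, sizeof ORIGINAL, 0) != (ssize_t)sizeof ORIGINAL) {
        close(fd);
        return -1;
    }

    char *a = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE, flags, fd, 0);
    char *b = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE, flags, fd, 0);
    if (a == MAP_FAILED || b == MAP_FAILED) {
        close(fd);
        return -1;
    }

    /* Both views start identical: they are backed by the same page-cache page. */
    if (strcmp(a, ORIGINAL) != 0 || strcmp(b, ORIGINAL) != 0) {
        munmap(a, (size_t)pg); munmap(b, (size_t)pg); close(fd);
        return -1;
    }

    /* With MAP_PRIVATE this write faults and the kernel gives mapping `a` its
     * own copy of the page; with MAP_SHARED the common page is modified. */
    memcpy(a, PATCH, strlen(PATCH));
    msync(a, (size_t)pg, MS_SYNC);          /* no-op for private mappings */

    char disk[sizeof ORIGINAL];
    if (pread(fd, disk, sizeof disk, 0) != (ssize_t)sizeof disk) {
        munmap(a, (size_t)pg); munmap(b, (size_t)pg); close(fd);
        return -1;
    }

    int mask = 0;
    if (strncmp(b, PATCH, strlen(PATCH)) == 0)    mask |= 1;
    if (strncmp(disk, PATCH, strlen(PATCH)) == 0) mask |= 2;

    munmap(a, (size_t)pg);
    munmap(b, (size_t)pg);
    close(fd);
    return mask;
}

int main(void)
{
    printf("MAP_PRIVATE (copy-on-write): visibility mask = %d\n",
           write_visibility(MAP_PRIVATE));
    printf("MAP_SHARED  (true sharing):  visibility mask = %d\n",
           write_visibility(MAP_SHARED));
    return 0;
}
```

The private case returns 0 (neither the other mapping nor the file changed), the shared case returns 3. This is the property that lets one physical copy of a DLL back every process safely: a process that patches a function in its own view of the DLL, whether a debugger setting a breakpoint or malware hooking an API, only ever modifies its private copy of that page.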
Why do people keep renaming random well known malware techniques and passing them off as something new? I just came across "Hells Gate" which appears to just be directly calling syscalls, a technique known since syscalls were introduced.