I recently finished the CRTO course, and it got me very interested in building red team infrastructure. This interest also came from an instance when I was warned by my very nice VPS provider that running C2 infrastructure was not allowed on their infrastructure. I’m not an expert in setting up C2 infra, and I’m sure others have way more sophisticated setups than mine, but this is how I’ve chosen to set up my infra. ...
Vulnerable Drivers - Revisited
I came across another vulnerable driver while browsing my feed the other day. Following my research last year (Vulnerable Drivers, in which I dove into the reverse engineering and abuse of vulnerable kernel drivers and how they are used to kill defensive solutions such as EDRs and AVs, using aswArPot.sys, an anti-rootkit driver from Avast, as the example), I was curious how much of the methodology can be carried over. The original research was conducted by Northwave Cyber Security: "BlackoutReloaded: Exploiting antifraud software of banks to kill Microsoft Defender". This time I've only given myself the name of the driver to start with, and I'm using Binary Ninja instead of Ghidra to explore other reverse engineering tools. ...
HTB Certified Web Exploitation Expert (CWEE) in 2025
New year, new cert. After having completed the OSEP and OSED (see my earlier posts OSEP in 2024, on the PEN-300 course, and OSED in 2024, on the EXP-301 course), I felt that I was ready for a new challenge, so I decided to take on the OSWE to brush up on my web exploitation skills, which I felt were a little lacking. And I promptly got distracted by the Hack The Box CWEE. ...
Reverse Engineering a Smartwatch
This first appeared in: https://medium.com/csg-govtech/reverse-engineering-a-smartwatch-a7cec52b29c8 Some time ago, I was assigned a consignment of smart watches with geolocating capabilities that were being mothballed after a trial. I was determined to find some use for them, and thus began my journey of reverse engineering a smartwatch! In this article, I will share the reverse engineering process by first highlighting some initial observations on the watch surface and circuitry, before going into detail as to how I reprogrammed the smartwatch, and the final step of patching the firmware so it could be repurposed. ...
Bypassing MFA with Modern Phishing
The process of red teaming consists of many aspects, and after exploring the technicals of malware (although I'm still continuing to explore!), I thought exploring the ingress point would be interesting. Despite the many protections that are in place for users, phishing still appears to be a highly common source of breaches. Your standard phishing page attempts to steal the user's credentials by presenting a realistic-looking login page in the hope that the user will enter their credentials. However, the challenge with such a site is that it will deviate from the actual site in terms of layout, and keeping it in sync is quite a task, as sites change their layouts from time to time. Additionally, with the move towards passwordless sign-ins, tokens, and MFA, capturing passwords is just one part of the puzzle. ...
Vulnerable Drivers
Imagine that one day, you wake up, start scrolling through your feed, and see this: "Researchers Uncover Malware Using BYOVD to Bypass Antivirus Protections: Malware exploits Avast driver to bypass antivirus, terminate 142 processes, and disable security protections" (The Hacker News). Bypass antivirus, terminate 142 processes, disable security protections? Oh no! Sounds like trouble. Reading the original report from Trellix, it seems like the malware abuses aswArPot.sys, a kernel driver from Avast. It is an anti-rootkit driver meant to dislodge the most stubborn of malware, but it is now being used as an anti-antivirus tool; talk about a double-edged sword. ...
OSED in 2024
Another one down! OSED is an Offensive Security certification with an emphasis on Windows exploit development. It is in the 300-level series of Offensive Security certifications and one of the three certs required to earn the OSCE3 qualification (the course is EXP-301: Windows Exploit Development, which teaches bypassing common security mitigations with exploits created from scratch). Since my background is in reverse engineering firmware and IoT, this certification is closest to my heart. Because I was dealing with assembly frequently, I really liked the precision that it required. You have to know exactly how many bytes to jump in order to make the exploit work, the exact size of your padding to trigger an overflow, or the values required to navigate through various header checks... I thought that was really fun! ...
Corelan Heap Exploit Development Masterclass
I attended the Corelan Heap Exploit Development Masterclass organised by SINCON/Div0 in Singapore in March 2024. Corelan is a well-known name in the exploit development space. If you've ever done any sort of exploit development, it is inevitable that you would have come across mona.py, an indispensable tool for exploit development, released and maintained by Corelan. Corelan has also published many in-depth articles about exploit development over the years. While I have a bit of experience with stack-based exploit development, I was entirely unfamiliar with heap exploitation. So it was with a little trepidation that I signed up for the course, because I was worried that the training would be so deeply technical that I would have a hard time catching up. ...
Toggling between English and other languages using AutoHotKey
I use a variety of languages on my computer, but most recently, I’ve wanted to use the Russian keyboard. On Windows, you can cycle between the languages using Alt + Shift, but I wanted to toggle quickly between two languages, specifically English and Russian, preferably with a single keypress. This calls for AutoHotKey! I settled on using the Right Alt key for this because I never use this key. I happily coded a simple script to toggle between two languages, and… it didn’t work. It only ever toggled to Russian, and never toggled back. ...
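An added example, not the script from the original post: an AutoHotkey v1 script that toggles the focused window between en-US and ru-RU on Right Alt. The layout identifiers and the approach (query the focused window's layout through the Win32 API, then request a change with WM_INPUTLANGCHANGEREQUEST) are my assumptions about how to implement this; the post's own solution may differ. One common reason a naive toggle only ever goes one way is that GetKeyboardLayout(0) reports the layout of the calling thread, i.e. the AutoHotkey process, not the window that has focus, so the check keeps seeing the same value and keeps choosing the same target.

```autohotkey
#NoEnv
#SingleInstance Force

; LANGIDs of the two layouts to toggle between (assumed: en-US and ru-RU).
EN_US := 0x0409
RU_RU := 0x0419

; Right Alt is otherwise unused on these two layouts, so it becomes the toggle.
RAlt::ToggleLayout(EN_US, RU_RU)

ToggleLayout(langA, langB) {
    hWnd := WinExist("A")
    ; Ask for the layout of the focused window's thread. GetKeyboardLayout(0)
    ; would report this script's own thread, whose layout never changes, so a
    ; toggle based on it always picks the same target.
    threadId := DllCall("GetWindowThreadProcessId", "Ptr", hWnd, "Ptr", 0, "UInt")
    hkl := DllCall("GetKeyboardLayout", "UInt", threadId, "Ptr")
    current := hkl & 0xFFFF                      ; low word of an HKL is the LANGID
    target := (current = langB) ? langA : langB  ; anything that is not B goes to B

    ; Resolve the target LANGID to a loaded layout handle. The KLID of a
    ; language's default layout is its LANGID zero-padded to 8 hex digits
    ; (assumption: the default layouts are the ones installed).
    klid := Format("{:08X}", target)
    targetHkl := DllCall("LoadKeyboardLayout", "Str", klid, "UInt", 0, "Ptr")

    ; WM_INPUTLANGCHANGEREQUEST (0x50): wParam 0, lParam = HKL to activate.
    PostMessage, 0x50, 0, %targetHkl%, , ahk_id %hWnd%
}
```

Both layouts must already be installed in Windows for LoadKeyboardLayout to return a handle; the script targets the focused window by `ahk_id`, so the change applies to whatever you are typing into rather than to the script's own process.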
OSEP in 2024
TL;DR: I passed! The OSEP is the follow-up to the taste of offensive security that is the OSCP. It builds on the offensive security skills learned there and extends them to a Windows-heavy environment where you'll be tasked with not only standard enumeration and exploitation, but also evading active AV protections. My journey on the OSEP started in 2022 when I signed up for Offsec's Learn One deal during their annual Christmas sale, and I started in February 2023. Due to the density and breadth of the course, I thought it would be quite challenging to complete it within the 90-day option, which was why I decided to take the year to learn all the material in the course. I was not wrong. ...