maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add content from: Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced ...

Browse Source
This commit is contained in:
HackTricks News Bot 2025-07-11 12:44:12 +00:00
parent b5fa7686cd
commit 5dc7c0dc1a
4 changed files with 99 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
View File

@ -169,7 +169,98 @@ If the files of a folder **shouldn't have been modified**, you can calculate the
When the information is saved in logs you can **check statistics like how many times each file of a web server was accessed as a web shell might be one of the most**. When the information is saved in logs you can **check statistics like how many times each file of a web server was accessed as a web shell might be one of the most**.
{{#include ../../banners/hacktricks-training.md}} ---
## Deobfuscating Dynamic Control-Flow (JMP/CALL RAX Dispatchers)
Modern malware families heavily abuse Control-Flow Graph (CFG) obfuscation: instead of a direct jump/call they compute the destination at run-time and execute a `jmp rax` or `call rax`. A small *dispatcher* (typically nine instructions) sets the final target depending on the CPU `ZF`/`CF` flags, completely breaking static CFG recovery.
The technique showcased by the SLOW#TEMPEST loader can be defeated with a three-step workflow that only relies on IDAPython and the Unicorn CPU emulator.
### 1. Locate every indirect jump / call
```python
import idautils, idc
for ea in idautils.FunctionItems(idc.here()):
mnem = idc.print_insn_mnem(ea)
if mnem in ("jmp", "call") and idc.print_operand(ea, 0) == "rax":
print(f"[+] Dispatcher found @ {ea:X}")
```
### 2. Extract the dispatcher byte-code
```python
import idc
def get_dispatcher_start(jmp_ea, count=9):
s = jmp_ea
for _ in range(count):
s = idc.prev_head(s, 0)
return s
start = get_dispatcher_start(jmp_ea)
size = jmp_ea + idc.get_item_size(jmp_ea) - start
code = idc.get_bytes(start, size)
open(f"{start:X}.bin", "wb").write(code)
```
### 3. Emulate it twice with Unicorn
```python
from unicorn import *
from unicorn.x86_const import *
import struct
def run(code, zf=0, cf=0):
BASE = 0x1000
mu = Uc(UC_ARCH_X86, UC_MODE_64)
mu.mem_map(BASE, 0x1000)
mu.mem_write(BASE, code)
mu.reg_write(UC_X86_REG_RFLAGS, (zf << 6) | cf)
mu.reg_write(UC_X86_REG_RAX, 0)
mu.emu_start(BASE, BASE+len(code))
return mu.reg_read(UC_X86_REG_RAX)
```
Run `run(code,0,0)` and `run(code,1,1)` to obtain the *false* and *true* branch targets.
### 4. Patch back a direct jump / call
```python
import struct, ida_bytes
def patch_direct(ea, target, is_call=False):
op = 0xE8 if is_call else 0xE9 # CALL rel32 or JMP rel32
disp = target - (ea + 5) & 0xFFFFFFFF
ida_bytes.patch_bytes(ea, bytes([op]) + struct.pack('<I', disp))
```
After patching, force IDA to re-analyse the function so the full CFG and Hex-Rays output are restored:
```python
import ida_auto, idaapi
idaapi.reanalyze_function(idc.get_func_attr(ea, idc.FUNCATTR_START))
```
### 5. Label indirect API calls
Once the real destination of every `call rax` is known you can tell IDA what it is so parameter types & variable names are recovered automatically:
```python
idc.set_callee_name(call_ea, resolved_addr, 0) # IDA 8.3+
```
### Practical benefits
* Restores the real CFG → decompilation goes from *10* lines to thousands.
* Enables string-cross-reference & xrefs, making behaviour reconstruction trivial.
* Scripts are reusable: drop them into any loader protected by the same trick.
---
## References
- [Unit42 Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
{{#include ../../banners/hacktricks-training.md}}

8
src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
View File

@ -61,7 +61,7 @@ Java.perform(function () {
}); });
}); });
``` ```
Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later earlier versions failed to locate padding for inline hooks. citeturn5search2turn5search0 Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later earlier versions failed to locate padding for inline hooks.
--- ---
@ -69,7 +69,7 @@ Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+)
| Year | CVE | Affected library | Notes | | Year | CVE | Affected library | Notes |
|------|-----|------------------|-------| |------|-----|------------------|-------|
|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| citeturn2search0| |2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| |
|2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.| |2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.|
When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant. When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant.
@ -92,7 +92,7 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their
### References ### References
- Frida 16.x change-log (Android hooking, tiny-function relocation) [frida.re/news](https://frida.re/news/) citeturn5search0 - Frida 16.x change-log (Android hooking, tiny-function relocation) [frida.re/news](https://frida.re/news/)
- NVD advisory for `libwebp` overflow CVE-2023-4863 [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) citeturn2search0 - NVD advisory for `libwebp` overflow CVE-2023-4863 [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863)
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}

2
src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
View File

@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth
### Automated dynamic analysis with MobSF (no jailbreak) ### Automated dynamic analysis with MobSF (no jailbreak)
[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB: [MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
```bash ```bash
docker pull opensecurity/mobile-security-framework-mobsf:latest docker pull opensecurity/mobile-security-framework-mobsf:latest

4
src/pentesting-web/sql-injection/ms-access-sql-injection.md
View File

@ -141,7 +141,7 @@ Point the UNC path to:
* a host that drops the TCP handshake after `SYN-ACK` * a host that drops the TCP handshake after `SYN-ACK`
* a firewall sinkhole * a firewall sinkhole
The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. citeturn1search0 The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984.
### Other Interesting functions ### Other Interesting functions
@ -229,7 +229,7 @@ Mitigations (recommended even for legacy Classic ASP apps):
* Block outbound SMB/WebDAV at the network boundary. * Block outbound SMB/WebDAV at the network boundary.
* Sanitize / parameterise any part of a query that may end up inside an `IN` clause. * Sanitize / parameterise any part of a query that may end up inside an `IN` clause.
The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. citeturn0search0 The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent.
### .mdb Password Cracker ### .mdb Password Cracker