BC INTERNET
Saved by @Mollyycolllinss

Linux code injection paint-by-numbers.

Can we launch a process that looks one way to (superficial) auditors but is, in fact, entirely different? (Think process hollowing and the like on Windows).

Firstly, how are processes created and what does related auditing look like?

 The most common pattern is fork() → execve(). Where the fork() syscall create a duplicate of the running process context and execve() overlays a copy of the target program onto that context.
After calling fork(), we’ll have two processes, the original one and a new - duplicated - one (with a new pid).

Control will return from fork() to both process instances. In the child process, the return value will simply by 0, in the parent it will hold the pid of the child.
Thus we can determine whether we are running in the child context and call execv() accordingly, while allowing the parent to continue.
Now, let’s take a look at where the auditing hooks lie. From calling execve(), we’ll eventually land up in exec_binrpm().
Without delving too deeply, this function resolves the interpreter handler for the target we’re trying to execute. (Here we’re executing an ELF binary, so we’ll get the relevant ELF handler). But that is a topic for another day.
Prior to exec_binrpm() returning, audit hooks will be called.
In our scenario, we *want* these hooks to be called so the original target executable is identified, but we don’t want the target to actually execute.
On Windows, all processes are created suspended; CreateProcess could be called with the CREATE_SUSPENDED flag in order to instruct Kernel32.dll not to get the kernel to resume the target after process setup.
On Linux, process execution will continue immediately after execv() so we must do something different. We can use ptrace() to control execution of the child target.
This is set up by first instructing the kernel from the child context that it wants to be traced (PTRACE_TRACEME) and then instructing the parent process to wait on the first trap.

By default, this will happen on exit of the execve() syscall.
Now that we have a form of suspended process creation, we need to decide what to do with it.

The options here are numerous. In this example, we want to chose a strategy that doesn’t require us doing any image/reloc fix-up foo.

We can use dlopen() to do all the heavy lifting.
The first issue is that we have suspended execution in a state prior to libc being mapped in and made available to the target process. As (almost?) all dynamically linked processes will require libc, we can let this happen naturally by letting the target run until this is done.
It is important to ensure that (1) the execution progresses to a point where libc is mapped and (2) the process is in a state where we can safely hijack execution flow, but (3) is prior to actual target execution (+ generic enough to support various targets).
I initially tried trapping target execution after libc is mapped (executing until relevant close()).
Naturally this failed as the process was not yet sufficiently set up to support stable execution (for e.g. stack sentinel storage via mov    rax,QWORD PTR fs:0x28 in the function prologue would fail; fs is not yet sane).
To achieve a state where (1), (2), and (3) are all honoured, we can trap a little further down. I chose to target brk().
To recap:

We’ve created a child process and halted execution prior to anything too process-specific having been run but after basic setup has taken place.
Now we need to get inject our code.
As mentioned earlier, the plan is to use bog-standard dlopen() to get the code staged in the target.
But how to locate dlopen()?

A cursory glance shows that dlopen() is exported by libdl. But alas this library is not loaded in our process address space.
Ultimately, however, __libc_dlopen_mode() is the underlying libc function that will do the work and that is available to us.
First, we’re going to need to get the offset of the __libc_dlopen_mode() function within libc.
The easiest way I could think of, of doing this programmatically was simply to use the dynamic linker within the parent process context + calculating the offset from the loaded library address.

dlopen(libc) → dlsym(__libc_dlopen_mode)
The library address can be obtained from the link_map structure returned by dlopen().
A caveat to keep in mind here is that taking the fcn_addr - lm->l_addr yields an offset which includes the difference between the address in the ELF binary and where address where it was loaded in memory.

We will account for this offset skew shortly.
Next, we’ll obtain the address of the libc instance that is mapped in our target process.
Procfs exposes mapping info in /proc//maps. We can look up the mapped address of the executable section of libc, accounting for the offset of the in-memory address of the mapped ELF and calculate a final value for __libc_dlopen_mode() in the target.
My implementation of this bit is, regrettably, quick & dirty.
Finally, we need to set the necessary arguments for __libc_dlopen_mode() and call the function within the target process context.
Remembering that we don’t care to continue with the original target flow at any point, we can hijack execution by pointing rip to the address of __libcdl_open_mode() that we just calculated.
The function signature for __libcdl_open_mode() matches that of dlopen() - with the addition of an explicit *dl_caller which I just set to NULL.

x86_64 calling convention dictates that we’ll be using registers rdi (library path), rsi (mode), rdx (dl caller).
rdi holds a pointer to the library path. We need somewhere writeable to put it.

The easy choice here is just to dump it somewhere on the stack (we’re not interested in a sane return from __libc_dlopen_mode() after all).
Everything is now set up. Releasing target execution will result in our code being loaded into the target address space via __libc_dlopen_mode().
At some point, something will break in the target application (remember, we have hijacked rip and corrupted the stack).

This is a great outcome as it’ll trap back into the parent process and allow us to redirect control to our injected code.
(I did initially mess around with getting better control over the return from libc but honestly it didn’t seem worth the bother.)
Calling our injected code is as simple as pointing rip at it and resuming execution. (We discover its loaded address in the very same way that we discovered that of __libc_dlopen_mode() previously.)
Finally we can detach the parent process.

And we’re done.
Now in terms of forensics:

Auditing ptrace() is the obvious go-to for real-time process injection determination

Beyond that; process memory space anomalies (in this example, the injected code will appear as a mapped image) + the usual gamut of behavioural analysis opportunities

More from Internet

Jonas L
Jonas L
@jonasLyk
Wanna disable Defender when enabled Isolated Core and Tamper protection?

Its a bit more trouble- but doable, without ruining Isolated Core/Secureboot etc.

Defenders process will run as a unkillable protected service- so new tricks needed.

Here we go:

Ok- tamper protection is easy, just make .bat - run as adm:
:again
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter\Instances\WdFilter Instance" /v altitude /t REG_SZ /d -1 /f
goto again

Then unload minifilter with process hacker:


The registry key will be changed while the minifilter do not protect it, when tamper protection makes the driver load again it cannot attach to volumes nor protect registry keys.

Removing it will make it recreate, but invalid altitude do the trick

Notice now the service is: Protected light(antimalware)
Now we cant do anything to the service/process- not even see its open handles.


Lets start by elevating to SYSTEM- just launch a command prompt, then close process hacker- and run it again from the command prompt.
Now process hacker runs as SYSTEM
INTERNET , TECH
Marko \u26a1 Denic
Marko ⚡ Denic
@denicmarko
50 free tools and resources you're gonna love!

🧵

1. UI Garage
Daily UI inspiration & patterns for designers, developers to find inspiration, tools and the best resources for your project.

Link:

2. Remove bg
Remove Image Background: 100% automatically – in 5 seconds – without a single click – for free.

Link:

3. uiGradients
A handpicked collection of beautiful color gradients for designers and developers.

Link:

4. Blender
Free and Open 3D Creation Software.

Link:
INTERNET
Advertisement
Richard Geldreich
Richard Geldreich
@richgel999
Porting vanilla (minimal external API usage, no SIMD, no threading) C++ code to work in the browser with emscripten and WebAssembly is amazingly simple now. The Emscripten docs are excellent, but here are some things that could speed up the process of getting started:

1. Beware of code which does unaligned memory reads/writes (which "may be slow on some CPU architectures")
2. Test with -fsanitize=undefined -fsanitize=address
3. Link with "-s ALLOW_MEMORY_GROWTH=1" and "-s INITIAL_MEMORY=X", X is a multiple of 64k, allows the C++ heap to grow.

(I completely avoid unaligned memory reads/writes because when compiled to asm.js they "can fail silently".)

4. Link with "-s MALLOC=emmalloc" to reduce compiled size.
5. I usually test with -O1 because -O0 can take very long to load/execute.
6. For debugging link with -s DEMANGLE_SUPPORT=1 and -s ASSERTIONS=1

7. C++ printf() outputs to the Developer Console: Chrome Settings->More tools->Developer tools
8. If something crashes, try running in Firefox which may explain the error differently.
9. I use Web Server for Chrome for
INTERNET
Alex Stamos
Alex Stamos
@alexstamos
Dear journalists, venture capitalists, TikTok teens and other ThinkFluencers: before hot-taking on how to regulate online speech, please consider reading some of the foundational work in this area.

Start with @Klonick's groundbreaking

Follow with @daphnehk on the overall regulatory structure of online

Read @jkosseff's book before ever typing 2-3-0 on your

Read @evelyndouek on the risks of coordinated

Pre-order @jilliancyork to understand the global human-rights
INTERNET
\U0001f1fa\U0001f1f8\u2694\ufe0f\u03b1\u0432\u0455\u03c3\u2113\u03c5\u0442\u0454\xa2\u03c3\u03b7\u03bd\u03b9\xa2\u0442\u03b9\u03c3\u03b7\u2694\ufe0f\U0001f1fa\U0001f1f8
🇺🇸⚔️αвѕσℓυтє¢σηνι¢тιση...
@Absolute1776
(1) Let’s get one thing straight right now;

I was a mod on r/watchpeopledie.

Ive taken part in uncovering evidence of p3d0’s to reveal to LEO.

I have seen some *dark* sh*t in my day.

Unless you are used to it; you will NOT be able to handle “seeing the truth”. I promise ➡️
INTERNET

You May Also Like

Anastasis
Anastasis
@OrdersofM
https://t.co/6cRR2B3jBE
Viruses and other pathogens are often studied as stand-alone entities, despite that, in nature, they mostly live in multispecies associations called biofilms—both externally and within the host.

https://t.co/FBfXhUrH5d


Microorganisms in biofilms are enclosed by an extracellular matrix that confers protection and improves survival. Previous studies have shown that viruses can secondarily colonize preexisting biofilms, and viral biofilms have also been described.


...we raise the perspective that CoVs can persistently infect bats due to their association with biofilm structures. This phenomenon potentially provides an optimal environment for nonpathogenic & well-adapted viruses to interact with the host, as well as for viral recombination.


Biofilms can also enhance virion viability in extracellular environments, such as on fomites and in aquatic sediments, allowing viral persistence and dissemination.
ALL
Emperor\U0001f451
Emperor👑
@EmperorBTC
Technical Analysis Masterclass- Part 2

'Entering the trade'

Entering a trade without ascertaining a certain things is gambling.

In this masterclass we will learn the pre-requisites to enter a trade.

DON'T ENTER A TRADE WITHOUT DETERMINNG THE FOLLOWING.

Please share.

We understand what reward to risk (popularly called risk to reward) is.
It will be denoted by R:R.

We will also try to bust a few myths about R:R and how to avoid losing trades.

Before entering a trade, you need to determine 3 things.

1. Entry trigger
2. Stop loss
3. Target

1. Entry trigger = Reasons for entering a trade. There could be multiple reasons or a single reason for entry.

Generally a set of reasons AKA confluence is a higher probability trade and a generally a safer entry.

Example of an entry trigger.


2. Stop Loss.

The price in the opposite direction of the trade where the trade is exited, at a loss.

At this level, the reason for the entry becomes invalidated according to TA and the price can then move in the opposite direction, probabilistically.


3. Target is the possible price level that the asset might touch based on previous trends or confluence AND where a possible reversal could occur.

Target is the next path of least resistance from where the price might reverse.

We will always ONLY use TA to determine all 3.
TRADING
Advertisement
Noah Smith
Noah Smith
@Noahpinion
Remember: Just because an idea is old doesn't mean it's good.

Knowing whether old ideas are more likely to be good requires understanding whether conditions have changed in important ways.

Horse archery was an amazing method of warfare for over a thousand years...then people invented guns, and suddenly this great idea that had stood the test of time became obsolete.

Then again, when underlying conditions don't change much, tried-and-true approaches are probably better.

"Learning the lessons of history" usually just means assuming ergodicity and stationarity in an informal time-series model...

(end)
SOCIETY
Andrew Chen
Andrew Chen
@andrewchen
👇Thread.

Published a new essay: The red flags and magic numbers that investors look for in your startup’s metrics – 80 slide deck included!


This was a deck that I created on my (longish) interview process with @a16z. It was a long path, starting with meeting folks at the firm 10 years ago. But the purpose of the deck was to explain how I would use my superpower in an investing context

Here's what I explain in the deck. As investors (whether angel or VC) we're often confronted with an up-and-to-the-right graph. Is it going to go up? Or down?


One solution to forecast these growth curves is the Growth Accounting Framework, where you add up New+Reactivated and subtract churned users. In each time period that gives you the difference in monthly actives.


The problem with this is that it's a lagging metric, not a leading one. We need to go one level deeper and look at the underlying loops that drive these numbers, to understand the quality.
STARTUPS
Pegasus of Dharma
Pegasus of Dharma
@HarduttSuhas
The BATTLE OF PAVAN KHIND (13 July 1660)

300 MARATHAS against 10000+ ADIL SHAHI TROOPS

A Sparta style last man stand at a mountain pass which ensured Shivaji Maharaj's safety.

Valour, loyalty and sacrifice!


Baji Prabhu Deshpande was one of the most able lieutenants of Shivaji. He sacrificed his life defending Shivaji in a heroic last stand known as the "Battle of Pavan Khind" in which his force was hugely outnumbered.(1)

In this battle he became a martyr, but managed to halt the enemy forces for several hours, which secured Shivaji’s safety and victory on another front. Without this heroic last stand Shivaji’s glorious career may have been cut short.(2)


Baji Prabhu was senior to Shivaji. In the beginning he opposed Shivaji being from a rival Maratha clan, but realised that Shivaji stood for national resurgence. Henceforth he became a friend and loyal supporter of Shivaji.(3)

In 1660, Shivaji was trapped in the fort of Panhala, under siege and vastly outnumbered by an Adilshahi army led by general Siddhi Jauhar.(4)
HISTORY