Skip to main content

Posts

Bypassing IAT Hooking via Dynamic Resolution

Let's suppose we’re conducting an offensive security exercise and need to bypass a security appliance--and need to call VirtualAlloc. We could do it in a less than optimal way, like this: #include <windows.h> int main() { void* mem = VirtualAlloc(NULL, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); return 0; } Why is this suboptimal? If we were to load the compiled binary into a tool like PE-bear, or if a security appliance or EDR were monitoring Import Address Table (IAT) entries, the VirtualAlloc function call would be trivial to detect, since the IAT contains pointers to all statically imported functions, making them easy to inspect or hook. Various security solutions and EDRs occasionally inspect these IAT functions by first scanning the binary and seeing what functions are exported. It then hooks those functions. But we can conceal this information (at least from a static point of view) and avoid such hooks. A better idiom is to perform dynam...

Using Python To Access archive.today, July 2025

It seems like a lot of the previous software wrappers to interact with archive.today (and archive.is, archive.ph, etc) via the command-line are either outdated or broken. So, here's a Python script to automatically submit links from the command-line to archive.today and retrieve their archived URLs. From testing, it seems like it's best to keep the delay around 8 to 10 seconds. If you go too fast, Cloudflare will begin to yell at you and start throwing 429 errors. As long as you've received a "WIP" URL from archive.today, it should be archived shortly after, though it may not appear immediately. Add your own random user-agent. :) ''' % python3 archiveToday.py --help usage: archiveToday.py [-h] --urls URLS [--delay DELAY] [--output OUTPUT] Batch archive URLs with archive.today options: -h, --help show this help message and exit --urls URLS Path to file containing URLs (one per line) --delay DELAY Delay between submissions in...

Metaphors, Models, and Theories

I've written about metaphors in the past  and how they are useful because they allow us to transfer information across unrelated domains. Currently I am reading Julian Jaynes' The Origin of Consciousness , and the topic is brought up and expanded upon very nicely here: We are trying to understand consciousness, but what are we really trying to do when we try to understand anything? Like children trying to describe nonsense objects, so in trying to understand a thing we are trying to find a metaphor for that thing. Not just any metaphor, but one with something more familiar and easy to our attention. Understanding a thing is to arrive at a metaphor for that thing by substituting something more familiar to us. And the feeling of familiarity is the feeling of understanding. Generations ago we would understand thunderstorms perhaps as the roaring and rumbling about in battle of superhuman gods. We would have reduced the racket that follows the streak of lightning to familiar bat...

Toast Notifications from PowerShell or C++

I’m currently working on a project that involves sending alerts and notifications to users on Windows 11 systems. During development, I learned that--for local testing purposes--it’s possible to generate toast notifications using built-in PowerShell functionality. Specifically, the ToastNotificationManager and CreateToastNotifier APIs make it straightforward to display dead simple, native notifications without any external dependencies. $body = 'Hello from PowerShell! Behold, a toast notification.' $toastXml = [Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime]::GetTemplateContent([Windows.UI.Notifications.ToastTemplateType]::ToastText01) $toastXml.SelectSingleNode('//text[@id="1"]').InnerText = $body $appId = 'App' $toast = [Windows.UI.Notifications.ToastNotification]::new($toastXml) [Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier($appId).Show($toast) Of course,...

A Security Trilemma

Playing around with writing malware proof-of-concepts, running red and blue team simulations in my computer lab against Windows Home edition, I feel sort of bad for Windows Home users. Such users probably constitute the majority of Microsoft's userbase. And most security mitigations for that edition are not exactly effective against attackers. Commercial-grade versions of Windows and commercial-grade security products are a different story in some circumstances. Commercial editions of Windows include a lot of nice mitigations and security features. But I think it's kind of an economic trilemma. You have three potential strategies for security--and a few different potential tradeoffs. You can only optimize for two out of three. If it's cheap and convenient, it won't be secure. If it's cheap and secure, it won't be convenient. If it's secure and convenient, it won't be cheap. There are certainly exceptions to this model, though. ...

Latin1 vs UTF8

Latin1 was the early default character set for encoding documents delivered via HTTP for MIME types beginning with /text . Today, only around only 1.1% of websites on the internet use the encoding, along with some older applications. However, it is still the most popular single-byte character encoding scheme in use today. A funny thing about Latin1 encoding is that it maps every byte from 0 to 255 to a valid character. This means that literally any sequence of bytes can be interpreted as a valid string. The main drawback is that it only supports characters from Western European languages. The same is not true for UTF8. Unlike Latin1, UTF8 supports a vastly broader range of characters from different languages and scripts. But as a consequence, not every byte sequence is valid. This fact is due to UTF8's added complexity, using multi-byte sequences for characters beyond the general ASCII range. This is also why you can't just throw any sequence of bytes at it and ex...

Too much efficiency makes everything worse

From "Overfitting and the strong version of Goodhart's law" : Increased efficiency can sometimes, counterintuitively, lead to worse outcomes. This is true almost everywhere. We will name this phenomenon the strong version of Goodhart's law. As one example, more efficient centralized tracking of student progress by standardized testing seems like such a good idea that well-intentioned laws mandate it. However, testing also incentivizes schools to focus more on teaching students to test well, and less on teaching broadly useful skills. As a result, it can cause overall educational outcomes to become worse. Similar examples abound, in politics, economics, health, science, and many other fields. [...] This same counterintuitive relationship between efficiency and outcome occurs in machine learning, where it is called overfitting. [...] If we keep on optimizing the proxy objective, even after our goal stops improving, something more worrying happens. The goal often sta...