Forrest Orr Profile
Forrest Orr

@_ForrestOrr

Followers
4K
Following
261
Media
3
Statuses
179

Red Teamer, low level coding extremist and malware researcher. Windows exploit writer and bug hunter

Joined September 2017
@_ForrestOrr
Forrest Orr
3 years
I'm proud to release my first Google Chrome RCE derived from the most fascinating and mind bending exploit I have yet analyzed: CVE-2019-13720 Wizard Opium. This is a beautiful bug which I have crafted into an exploit bypassing ASLR, CFG and CET on Win10
6
154
574
@_ForrestOrr
Forrest Orr
4 months
Does anyone know what mechanisms can be used to detect suspended (non-UWP) and frozen UWP app processes, and how to programmatically wake them up in a safe and persistent way where they don't just immediately freeze again?
3
0
2
@_ForrestOrr
Forrest Orr
6 months
Is the ability of a non admin user to obtain a full query handle to a System integrity process and unravel its ASLR considered a security boundary? I know a PROCESS_QUERY_INFORMATION handle on a PPL is considered a breach of a security boundary even if the owner is local admin.
1
0
8
@_ForrestOrr
Forrest Orr
7 months
I’m surprised to have recently learned that there does not seem to be a trivial way to receive notifications of suspended process launches in Windows via kernel proc notif callback, kernel ETW or EtwTi. Any ideas on how to do this? @zodiacon.
2
1
1
@_ForrestOrr
Forrest Orr
11 months
An example of a feature I considered including was a Chromium PartitionAlloc heap walker, as I had to code this tool separately to heap groom the Chrome UAF I wrote a few years ago. It seemed too niche of a feature to be worth implementing.
0
0
4
@_ForrestOrr
Forrest Orr
11 months
Over the years I’ve been flattered to see that my tool Moneta has picked up a following in the Infosec world and I am considering reviving the project. If you are a user of Moneta, what would you improve? Which features would you add?
5
23
88
@_ForrestOrr
Forrest Orr
1 year
Great patch, thanks for making the pull request.
@GabrielLandau
Gabriel Landau
1 year
Now it no longer works against Moneta😀
0
0
1
@_ForrestOrr
Forrest Orr
2 years
Very well put together research that expands on some of the memory forensics articles I wrote several years ago, it’s excellent to see improvements are still being made to malware tradecraft in this niche.
@ipSlav
Petar Jr. Pranic
2 years
My first research and tool are finally out. If you want to deep dive into some CLR internals and understand how we can abuse it to blend-in within its own logic go check it out. Hope you'll enjoy the read.
0
1
5
@_ForrestOrr
Forrest Orr
2 years
RT @ipSlav: My first research and tool are finally out. If you want to deep dive into some CLR internals and understand how we can abuse it….
0
72
0
@_ForrestOrr
Forrest Orr
2 years
RT @brandon_shi: CVE-2021-38001: A Brief Introduction to V8 Inline Cache and Exploiting Type Confusion
0
57
0
@_ForrestOrr
Forrest Orr
3 years
RT @33y0re: Today I am releasing a blog about kernel exploitation in the age of HVCI. This post addresses calling arbitrary kernel-mode API….
0
222
0
@_ForrestOrr
Forrest Orr
3 years
Last summer I attended the Advanced Windows Heap Exploitation class given by @corelanc0d3r and cannot speak highly enough of his skill, dedication and enthusiasm for the topic. This is the training I recommend for learning memory corruption exploits. Truly one of a kind.
2
6
51
@_ForrestOrr
Forrest Orr
3 years
Excellent work, I think you’ve found (what is at present) the most optimal fusion of stealth techniques for evasion in memory. It doesn’t get any more cutting edge than this when it comes to the memory dimension of malware design these days.
@waldoirc
waldoirc
3 years
Here's my post on my YouMayPasser POC I released, as promised. Thanks to both @_ForrestOrr and @hasherezade for making such great tools, you both rule. I say "easiest way" but it was anything but easy I assure you.
1
1
19
@_ForrestOrr
Forrest Orr
3 years
Excellent work on this. Well done!
@33y0re
Connor McGarr
3 years
Today I am releasing part 2 of a 3 part series on “modern” browser exploitation targeting Windows. Part 2 addresses going from crash to achieving a read/write primitive, as well as gaining code execution while dealing with ASLR, DEP, & CFG in ChakraCore!
0
1
2
@_ForrestOrr
Forrest Orr
3 years
RT @maxpl0it: Going to Blackhat USA this year? I’ll be teaching a 2-day training: Day 1 - Browser internals (Firefox and Chrome). Day 2 - Vi….
0
14
0
@_ForrestOrr
Forrest Orr
3 years
RT @waldoirc: Already released way earlier but I'm sharing on Twitter too just because. Blog post + poc on detecting malware through retur….
0
80
0
@_ForrestOrr
Forrest Orr
3 years
Thanks for bringing this to my attention Andrew, this would be a much more elegant way of filtering CLR JIT memory in Moneta.
@attrc
Andrew Case
3 years
@_ForrestOrr I was reading this: In case you aren't aware, the DAC code was included in the shared code from MS: You can also find the latest here as .NET 5+ is fully open source:
0
0
3
@_ForrestOrr
Forrest Orr
4 years
My personalized Windows 10 re-creation of the HYDSEVEN exploit chain used to target Coinbase. This chain involves the use of a Firefox RCE (CVE-2019-11707) and Firefox sandbox escape (CVE-2019-11708) for shellcode execution as Medium Integrity
0
68
173
@_ForrestOrr
Forrest Orr
4 years
RT @waldoirc: Full Moneta bypass with 0 FPs! A few more tweaks and I’m hoping pe-sieve is next! @_ForrestOrr
0
21
0