Saad AHLA
@d1rkmtr
Followers
7,130
Following
367
Media
80
Statuses
327
d1rkmtr, Security researcher @AlteredSecurity , malware dev, kickboxer
Joined December 2020
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Happy Pride Month
• 790370 Tweets
Champions
• 305937 Tweets
Real Madrid
• 304844 Tweets
#ExitPoll
• 304757 Tweets
Dortmund
• 217616 Tweets
#UCLfinal
• 172019 Tweets
LGBTQ
• 150338 Tweets
seokjin
• 142880 Tweets
INFINITY LOVE FOR BLANK
• 99073 Tweets
#AapKaPilla
• 91679 Tweets
BTS FESTA POSTER
• 85112 Tweets
#東京タワー
• 81843 Tweets
#SixTONESANN
• 78211 Tweets
مدريد
• 47719 Tweets
Tommy Robinson
• 42944 Tweets
Reus
• 41280 Tweets
RETURN OF CAPTAIN KOREA JIN
• 36710 Tweets
Tosin
• 34218 Tweets
دورتموند
• 24124 Tweets
Mofokeng
• 23076 Tweets
#ヨルクラ
• 22902 Tweets
LIGHT HUGS
• 18560 Tweets
Vini Jr
• 16965 Tweets
#CuentaPública2024
• 15385 Tweets
Orlando Pirates
• 14321 Tweets
Sundowns
• 12989 Tweets
ジンくん
• 12917 Tweets
KALKI MONTH BEGINS
• 11265 Tweets
大倉くん
• 10445 Tweets
Pretty much it's gonna be the best initial access framework ever.
"The only way to deal with an unfree world is to become so absolutely free that your very existence is an act of rebellion."
29
138
859
Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime
4
183
609
Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime
5
192
586
Bypass Userland EDR hooks by Loading Reflective Ntdll in memory from a remote server based on Windows ReleaseID to avoid opening a handle to ntdll , and trigger exported APIs from the export table
3
147
478
Bypass userland EDR hooks by Loading Reflective Ntdll in memory from a remote server based on Windows ReleaseID, and trigger exported API from the export table
4
151
471
Loading Remote AES Encrypted PE in memory , Decrypted it and run it
6
127
465
Dropping a powershell script at %HOMEPATH%Documents\windowspowershell\ , that contains the implant's path , and whenever powershell process is created, the implant will execute too.
1
91
369
My first publicly released blog, covering in-depth:
- Indirect Dynamic Syscall, API Hashing explained using c & windbg.
Blog link:
Project link:
7
133
347
Run Fileless Remote Shellcode directly in memory with Module Unhooking , Module Stomping, No New Thread. This repository contains the TeamServer and the Stager
3
137
327
Very Powerful FUD Loader, EDR's nightmare coming soon, with dynamic indirect syscall, UUID shellcode, syscall (number/instruction) unhooking and resolving at runtime, function comparison by hash, function address resolving from the PEB by offsets, and more.
8
62
313
Working on PE obfuscator with modern memory scanners evasion in mind, with pe self dropping and infecting , the pe is sleeping all the time to avoid memory scanners , and args are submitted to the console input and waiting for the pe to be active in memory.
4
71
303
My Humble Windows Defender Undetectable: Data Exfiltration project that Exfitrate Personal Documents like: .doc .docx .xls .xlsx .ppt .pptx .pdf .jpeg .jpg .png .txt .json ...
Link to Project:
5
96
300
Explorer Persistence technique : Hijacking cscapi.dll order loading path and writing our malicious dll into C:\Windows\cscapi.dll , when it's get loaded into the explorer process , our malicoius code get executed.
7
115
287
implementation of Persistence via Recycle Bin by adding "open\command" subkey to the "HKCR\CLSID{645FF040-5081-101B-9F08-00AA002F954E}\shell" key and changing its value to the implant path
4
86
290
This repo contains : simple shellcode Loader , Encoders (base64 - custom - UUID - IPv4 - MAC), Encryptors (AES), Fileless Shellcode Loader (Winhttp, socket)
2
91
278
Blog on Advanced module stomping and Heap/Stack Encryption is now out, it bypass PE-Sieve and Moneta while sleeping
Blog :
Github Project :
4
124
271
MAC, IPv4, UUID shellcode Loaders and Obfuscators to obfuscate the shellcode and using some native API to converts it to its binary format and loads it.
4
74
259
A keystroke logger targeting the Remote Desktop Protocol (RDP) related processes, It utilizes a low-level keyboard input hook, allowing it to record keystrokes in certain contexts (like in mstsc.exe and CredentialUIBroker.exe)
2
81
247
Encrypting the Heap while sleeping by hooking and modifying Sleep with our own function that encrypts the heap , sleeps for a moment then decrypts the heap :
6
70
232
I Created a ETW patching Walkthrough.
Patching Event Tracing for Windows, by overwriting "call ntdll!EtwpEventWriteFull" inside ntdll!EtwEventWrite , the patched call do the actual Event Writing.
5
75
212
different ntdll unhooking techniques : unhooking ntdll from disk, from KnownDlls, from suspended process, from remote server (fileless)
3
74
174
Block any Process to open HANDLE to your process , only SYTEM is allowed to open handle to your process ,with that you can avoid remote memory scanners
3
44
157
Now the ExecRemoteAssembly ()
accept URI of type :
[+]
https://domain[.]name/PathToUri
[+]
http://domain[.]name/PathToUri
[+] [https/http]://ip:port/PathtoUri
[+] [https/http]://ip/PathtoUri
All Credits go to
@__mez0__
, I'm just improving it.
1
36
143
Very Informative Talk about EDR Evasion , Worth checking it out !!
0
39
132
Native PE & VBA browsers creds stealers
Open source it ?
* Yes
* No
19
6
130
Digging deeper into AmsiScanBuffer internals, and identifying 7 possibles AMSI patching by forcing a conditional jump to a branch that sets the return value of AmsiScanBuffer to E_INVALIDARG and makes the AmsiScanBuffer fails
0
37
117
New Project - StackCrypt :
Create a new thread that will suspend every thread and encrypt its stack, then going to sleep , then decrypt the stacks and resume threads
1
33
107
VirusTotal Stealer is a FUD DATA Exfiltration tool that exfiltrates office documents and tunnels them over VirusTotal API to the Team Server .
Project :
6
35
110
FUD Loader implementing dynamic indirect syscall with syscall number/instruction Unhooking and resolving at runtime :
0
26
96
Write and Hide each UUID in the char* array of UUIDS shellcode in a registry key value location as REG_SZ (the location could be different from the other), then retrieve them and assemble them in UUIDs char* array shellcode and Run it
1
21
92
Inspired by
@_EthicalChaos_
's talk () on Threadless Process injection, created another approach using C :
If you like or rely on the work I do, please consider sponsoring me ()
1
38
96
Force the triggering of a conditional jump inside AmsiOpenSession() to close AMSI scaning session:
The 1st patch by corrupting the Amsi context header.
The 2nd patch by changing the string "AMSI" which will be compared to the Amsi context header to "D1RK".
3
38
88
This hungry baby is now detecting Hardware breakpoint patching !! it detects every single technique !!
1
8
77
dynamically resolving System Service Number (syscall number) by offsets from the PEB with API hashing
1
20
68
Changing the Creation time and the Last Written time of a dropped file by the timestamp of other one , like the "kernel32.dll" timestamp
0
18
62
about the Data Exfiltration tool :
1
14
51
Block any userland 3rd party modules, by setting the process mitigation policy for loading only Microsoft Modules
If you're enjoying and using my projects consider sponsoring me on GitHub :
0
13
46
Sharing my journey on Discovering Internals with Windbg :
Dereferencing offsets from the PEB to get module names/Addresses and API names/Addresses Environment Variables, and much more information.
This repo for documenting my Debugging discovery journey
0
15
48
Now the D1rk-Hunter detects indirect syscalls, by scanning the .text loaded image file in the remote process for call instruction, calculates the target address from that call instruction, checks for NT API stub "mov r10 rcx", if found it checks for "syscall" instruction.
1
7
38
if you encounter the Invalid PE bugs during retrieving PE from IP:PORT i solved the problem :
1
9
37
Loading Fileless Remote PE from URI to memory with argument passing and ETW patching and NTDLL unhooking and No New Thread technique
1
12
33
Now the D1rk-Hunter Detects Heap Encryption behavior. Tips to Red Team, don't encrypt the whole HEAP, encrypt just what you think is malicious.
1
6
31
Hi dear community,
@virustotal
just removed the comment's POST API as a temporary patch. so the VirusTotalC2 project is not working bcz of that , don't worry we will unpatch it !! we just play games here :
0
2
26
Write a UUIDs bytes array "*" collected to the Alternate Data Stream of the current binary , then the ADS Runner will get the DATA tranfert it into a char table nice UUIDS shellcode and Run it
0
8
22
Working on a new AMSI patch :
I will change the execution flow of AmsiOpenSession() and force a conditional jump to be triggered by a memory patching of the comparison above it, so the Amsi Session will not be opened, and the buffer will not be scanned.
Coming soon.
0
7
22
Now D1rk-Hunter detects Indirect Syscalls through memory scanning looking for addresses the call is made, and if it starts with a native API stub, it looks for the presence of syscall instruction if not found , indirect syscall is implemented
4
6
23
D1rk-Hunter detects persistent malware through Run registry key by uploading it to VirusTotal
0
4
21
D1rk-Hunter:
POC of detecting/preventing Agent Sections encrption , sleep obfucation technique
1
3
18
now the D1rk-Hunter kill any process have a modules stomped with reflective PE/DLL more than 2-5k bytes in size
0
1
17
GitHub AS A C2
Abusing Github API to host our C2 traffic, usefull for bypassing blocking firewall rules if github is in the target white list , and in case you don't have C2 infrastructure , now you have a free one
0
2
16
Now the D1rk-Hunter detects Hijacked DLLs :
0
4
16
Now D1rk-Hunter detects unbacked address from the Thread Stak frame.
legitimate api call backed by a dlls , any address not resolved means that the stack is not unwinding properly which may contains shellcode, reflective dll or reflective pe
0
4
13
D1rk-Hunter now detects malicious PowerShell Profile that includes path to the malware , and gets executed whenever a PowerShell process spawned, the path to the malware in the powershell profile script gets extracted and the malware is uploaded to VirusTotal
0
2
12
[ URI/URL ] :
msedge.dll SysAllocString
libsmartscreenn.dll MultiByteToWideChar
KERNELBASE.dll RtlUTF8ToUnicodeN
crypt32.dll wcschr
crypt32.dll wcsstr
crypt32.dll RtlIpv4StringToAddressExW
crypt32.dll RtlIpv6StringToAddressExW
msedge.dll getaddrinfo
0
0
12
No comment ...
Firstly you're assuming that i copy-paste HeapCrypt from waldo , but instead i get inspired by
@waldoirc
, and i don't deny that, shout out to him.
secondly, you already blocked me and even though we don't know each other , i don't know why you hate me.
4
2
11
D1rk-Hunter update :
POC detecting lsass handles in the remote process handle set.
Red Team: make sure to close handles whenever you are done with it.
0
2
10
D1rk-Hunter now detects Stack Encryption
POC detecting Thread Stack Encryption technique
0
3
9
D1rk-Hunter Update :
POC of detecting/preventing Classical AmsiScanBuffer, AmsiOpenSession, EtwEvenWrit...
0
0
8
@M_kHomelton
Mitm proxy and keylogger that sniff HTTPS traffic and starts keylogging while some URLs are active, like stealing MS, Gmail ....
2
0
8
question to blue team : adding a PE Section, is it sus , or normal behavior ?
2
0
6
[EMAIL] :
MicrosoftAccountWAMExtension.dll _wcsicmp
KERNELBASE.dll RtlInitUnicodeStringEx
msedge.dll WindowsCreateString
[PASSWORD] :
KERNELBASE.dll RtlNormalizeString
MsSpellCheckingFacility.dll wcsncpy_s
0
0
7
I tried Ipv4Fuscation Demonstration from
@vxunderground
:
but it didn't work , so I come up with an IPv4 shellcode obfuscator and loader .
0
0
4
Execute Remote Assembly with args passing and with AMSI and ETW patching
0
2
4
a C2 feature , ScreenShot capture , the file output is a png on the current directory named "screen.png"
0
1
4
Updated to accept :
[http/https]://IPv4:[port]/PathToPE
[http/https]://Domain/PathToPE
0
0
4
And i have other way making it impossible to patch, just be submit ur soul
1
0
3
@johnxor2
RegGetValue(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"ReleaseId", RRF_RT_REG_SZ, NULL, &value, &BufferSize);
Reading the value of ReleaseId , and different switch cases, u should upload all different versions of ntdll on the web server.
0
0
3
Masquerading legitimate Windows binaries to trick the analyst while analyzing the implant using ProcessMonitor to think it's legit.
My GitHub Project :
0
0
2
@johnjhacking
they reject the VirusTotalC2 POC 🤣🤣 , i see no violation, i see emotional damaaage 🤣🤣
0
0
3