hasherezade.bsky.social
@hasherezade.bsky.social
Programmer, #malware analyst. Author of #PEbear, #PEsieve, #TinyTracer. Private account. All opinions expressed here are mine only (not of my employer etc.); https://hasherezade.net
- the option of custom parsing of the exports directory allows pinpointing even the APIs that the malware author tried to hide by erasing the exports table in memory: (github.com/hasherezade/...)
June 6, 2025 at 7:18 PM
- watching not only the functions' arguments, but also how they changed after the function execution, and the function's return value: (github.com/hasherezade/...) - thanks to a new contributor, maxspl:
June 6, 2025 at 7:17 PM
includes: tracing defined local functions (github.com/hasherezade/...):
June 6, 2025 at 7:15 PM
Reposted
1. Pause thread midway in exploit races (even ⓪).
2. Or block entire CPU core. Kernel APCs run at APC_LEVEL (🤯), so thread scheduling kinda disabled (think priority == ∞).
3. Or build upon @hasherezade.bsky.social work & generalize #WaitingThreadHijacking — making it, in fact, Waitless.
May 6, 2025 at 10:06 PM
yes, we catch it, but I cannot speak for others
April 14, 2025 at 6:59 PM
🫂
April 13, 2025 at 9:57 PM