SysWhispers3 - AV/EDR Evasion Via Direct System Calls
SysWhispers helps with evasion by generating header/ASM files that implants can use to make direct system calls. Why on earth didn't I create a PR to SysWhispers2? The reasons for SysWhispers3 being a standalone version are many, but the most important is that SysWhispers3 is the de-facto "fork" used by...
HookDump - Security Product Hook Detection
EDR function hook dumping. Please refer to the Zeroperil blog post for more information: https://zeroperil.co.uk/hookdump/ Building from source: in order to build this you will need Visual Studio 2019 (Community edition is fine) and CMake. The batch file Configure.bat will create two build directories with...
WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques
Microsoft is known for its backwards compatibility. When it rolled out the 64-bit variant of Windows years ago, it needed to provide compatibility with existing 32-bit applications. In order to provide seamless execution regardless of application bitness, the WoW (Windows on Windows) system wa...
CloudMe Sync 1.11.2 Buffer Overflow
Exploit Title: CloudMe Sync v1.11.2 Buffer Overflow - WoW64 - DEP Bypass Date: 24.01.2019 Exploit Author: Matteo Malvica Vendor Homepage: https://www.cloudme.com/en Software: https://www.cloudme.com/downloads/CloudMe1112.exe Category: Remote Contact: https://twitter.com/matteomalvica Version: Cloud...
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 DEP Bypass Exploit Title: CloudMe Sync v1.11.2 Buffer Overflow - WoW64 - DEP Bypass Date: 24.01.2019 Exploit Author: Matteo Malvica Vendor Homepage: https://www.cloudme.com/en Software: https://www.cloudme.com/downloads/CloudMe1112.exe Category: Remote...
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 - (DEP Bypass) Exploit
Exploit Title: CloudMe Sync v1.11.2 Buffer Overflow - WoW64 - DEP Bypass Exploit Author: Matteo Malvica Vendor Homepage: https://www.cloudme.com/en Software: https://www.cloudme.com/downloads/CloudMe1112.exe Category: Remote Contact: https://twitter.com/matteomalvica Version: CloudMe Sync 1.11.2...
Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes)
Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes). Shellcode exploit for the Windows x86-64 platform. Title: WoW64 Egghunter for Windows 10 32-bit apps on 64-bit Windows 10 Size: 50 bytes Date: 26/08/2018 Author: n30m1nd -...
A coin miner with a “Heaven’s Gate”
You might call the last two years the years of ransomware. Ransomware was, without a doubt, the most popular type of malware. But at the end of last year, we started observing that ransomware was losing its popularity to coin miners. It is very much possible that this trend will grow as 2018...
CVE-2017-15244
IrfanView version 4.44 32bit with PDF plugin version 4.43 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .pdf file, related to an "Error Code 0xe06d7363 starting at wow64!Wow64NotifyDebugger+0x000000000000001d."...
CVE-2017-15244
CVE-2017-15244 affects IrfanView 4.44 (32‑bit) with PDF plugin 4.43. A crafted PDF can trigger a buffer overflow in the PDF plugin, leading to denial of service and potentially other impact. The CVSS data indicate local exploitation with the potential for high impact on confidentiality, integrity...
Design/Logic Flaw
STDU Viewer 1.6.375 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .epub file, related to an "Error Code 0xe06d7363 starting at wow64!Wow64NotifyDebugger+0x000000000000001d."...
CVE-2017-14549
STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause a denial of service via a crafted .djvu file, related to a "Heap Corruption starting at wow64!Wow64NotifyDebugger+0x000000000000001d."...
Design/Logic Flaw
XnView Classic for Windows Version 2.40 allows attackers to execute arbitrary code or cause a denial of service via a crafted .jb2 file, related to a "User Mode Write AV near NULL starting at wow64!Wow64NotifyDebugger+0x000000000000001d."...
CVE-2017-10734
IrfanView version 4.44 32bit might allow attackers to cause a denial of service or possibly have unspecified other impact via a crafted .rle file, related to an "Invalid Handle starting at wow64!Wow64NotifyDebugger+0x000000000000001d."...
CVE-2017-10728
Winamp 5.666 Build 3516x86 might allow attackers to execute arbitrary code or cause a denial of service via a crafted .flv file, related to "Error Code 0xe06d7363 starting at wow64!Wow64NotifyDebugger+0x000000000000001d."...
CVE-2017-9925
In SWFTools 2013-04-09-1007 on Windows, png2swf allows remote attackers to execute arbitrary code or cause a denial of service via a crafted file, related to a "User Mode Write AV near NULL starting at wow64!Wow64NotifyDebugger+0x000000000000001d."...
Disk Savvy Enterprise 9.4.18 Buffer Overflow
Exploit Title: DiskSavvy Enterprise 9.4.18 - Remote buffer overflow - SEH overwrite with WoW64 egghunters Date: 2017-02-22 Exploit Author: Peter Baris Vendor Homepage: www.saptech-erp.com.au Software Link: http://www.disksavvy.com/downloads.html Version: 9.4.18 Tested on: Windows 7 Pro SP1 x64...