Purpose?
2022-12-26
Hello visitor, hope you’re having a great day today.
Recently I’ve come to the realisation that I’m slightly more willing to share about myself than I used to perceive.
This post will serve as a stickynote right at the top, both as a diary and an answer to “why are you doing this”.
The sole purpose of this blog used to be for me to document some of my learnings so I can recap in the future(served me well to this point).
However, I narcissistically suppose I'll attain some sort of clarity in the field of offensive security eventually, and thought it'd be nice to leave some sort of trail behind so visitors can reference or judge the path I took.
That being said, I'm an entry level learner at this point in time, so hopefully I don't jinx myself and end up with a career in sales or something.
Lastly, I have an interest in Vulnerability Research as well as Red Teaming, and am more than happy to find like-minded friends to chat with. Ways to get to me are all around this website.
peace and equality.
2022-12-28
The past two days have been quite unproductive since my favourite game released a new mode…
I was only able to make a little progress experimenting with KLEE, analysed a few toy programs and wrote half an article.
The more I play with tools the more admiration I have for their creators. Goal for 2023 and beyond: attain a working proficiency in C++.
The holiday is ending, so I hope I can control myself, properly analyse libxlsxwriter in the next few days and churn out a blog post before 2023.
Another thing on my mind is to constantly remind myself to change the footer of this blog on the first day of the new year. Shows my lack of concern for the real life to a certain extent.
bugs shall come.
2022-12-31
-1th day of the new year!
Feeling slightly unsatisfied with the state of life now, but changes come slowly.
2022 wasn't a terrible year for me on paper: got accepted into a desirable college and earned 2 certs in infosec.
Everything comes at a price though, and 8760 hours of a 19-year-old should be traded for more in return.
That's a wrap for the 19th regardless, and hopefully the hours of a 20-year-old will be put to better use.
Main resolutions are:
- master cpp to a wizard proficiency.
- lose some(a bit(quite a lot(a ton)) of) weight!
- learn the japanese language to a research paper reading level
- read some books on humanities
and of course do hacking, which has been so much a part of my life that it doesn’t have to enter the resolutions pane
Also, cut down on socialising and relationships that are quite taxing on the brain. I’m not the best at context switching.
Sounds more and more like a fat shut-in's writing the more I re-read this…
But if you get the chance to experience my set of life in your next few draws you might realise it’s not at all what it seems like, it’s much more comfortable.
The keyword of 2022 is anticipation.
…
The calendar flipped as I was typing, and the building opposite erupted with screams.
Times like this I appreciate the compartmentalisation of modern housing, where every household is its small bubble and honestly that’s all one has to care about.
Yeah empathy is another problem to work on, and the 4th shall aid in that.
freedom and a sprinkle of grit.
2023-01-09
First babble of the new year!
I've had little time to update on security things, as the past 9 days were spent studying Japanese religiously.
Kind of in a dilemma now, because I tend to only do well if I hyperfocus on a subject, but the security community keeps attracting my attention! (Also, want to complete my symbolic execution series asap)
On the other hand learning a new language is pretty exciting too, and it feels more like a sciency subject than humanities.
My learning strategy works in 3 parts. Grammar, Vocabulary and Expressions.
Grammar learning will be mostly from books and blog posts(yes JAPANESE blog posts). I do make notes but no one probably came to this blog to learn japanese so I’ll pass on that.
Vocab will be scenario based: I'll walk into the kitchen and learn everything I can see, smell and hear as vocabulary. This is slightly tricky due to the amount of kanji available, but with a foundation of Mandarin it's much better.
Finally, expressions, or how native people say shit, is learnt by browsing twitter and watching japanese shows.
I try to type in Japanese so I get the chance to use it and don't get rusty as I learn. That means a Japanese piece of writing is coming to this blog soon (lol). The 12-key layout is quite slow for me, but apparently natives use that, so as a follower I'll work hard to get familiar with it.
This coming weekend I’ll continue the learning of symbolic execution, promise.
Off to bed.
2023-01-20
Time passes really fast when you begin to document it.
Feels like I've done absolutely nothing self-improvement related and 2 weeks have passed…
The days are mainly spent on helping a client(friend?) write a program to group delivery orders based on proximity on a map, and a backend for some attendance tracking website.
Honestly speaking writing software is not the most exciting task for me, but it seems like that’s where the demands are at.
Mainly because I hate the feeling of being clueless when an error occurs while using a third party library. The context switch into understanding and debugging third party code is really tiring!
That’s fine when performing audits though, since the ONLY task is to understand the code.
I guess this is part of the training to unlock more brain usage, so I’ll bear with it.
Also, it’s been a few days since I learned Japanese. This shall serve as a reminder to stay on track and not feel the remorse on 12/31 2023
Saw a post on twitter saying how a person can only master one language in his life, because of some dogshit related to a region in the brain. Without practising empathy and “view things in different perspectives”, I think he is talking nonsense and it motivates me a little to try and prove him wrong.
As I read my previous whines the emotion that comes to mind is actually happiness. Maybe they are right by saying this is the happiest time of my life, but it’s really difficult to experience it in that moment.
By writing, I hope I can gain that realisation on the way instead of it slamming into me in my middle age.
Happy New Year.
2023-02-07
Hello hello from February.
It’s only the second month and my blog update frequency is decreasing, not a good sign.
Honestly I had pretty high hopes for the year, set goals and what not, but haven’t been following them at all.
Been three weeks since I studied Japanese, haven’t exercised and time is just spent on listening to people speak(english, garbage).
I’m starting to feel the increased struggle in self control, as compared to 2018, the other year I set a huge goal. Perhaps this is age catching up.
The only plus point was the continuous study of security shit… which is already a habit and doesn't require restraint (maybe negative restraint even).
But life has many more aspects to it and it’s important to not hyperfocus on something in the expense of others. This is a common problem I observe among tech people, especially evident in the security space.
It can certainly be abstracted to form a theory of “Knowing your limits”. Not an absolute limit kind, but a reasonable kind.
Recently my body has been giving negative feedback, especially during sleep. The exercise routine has got to start sometime.
Language, music, humanities and more. It’s all in the mind.
University applications are starting soon too. That's a trouble to discuss next time.
Don't fill it too full.
2023-02-15
Just yesterday one of the team members completed his service. That was the happiest person I’ve seen in at least a year.
Can’t wait for my turn.
Recently I've been working on root-causing a bug in a mail client. Someone gave me a 1day PoC of a logic bug, which you would think is pretty easy to analyse…
Huge ass C++ GUI app without symbols is really painful to reverse. I ended up with names like weird_shit_ass_struct_holding_struct_pointing_to_array_0x155_offset, when it’s probably just nested classes.
I also realised some of my own weaknesses. I'm unfamiliar with WinDbg scripting, thus unable to think of higher level solutions to automate certain debugging. My knowledge regarding message queues and GUI apps in general is also quite terrible, so I should probably start coding and breaking apart GUI apps. Finally I need to work on my naming, and make it a habit to type structures in the decompiler once I decipher certain member fields, so I don't end up with quadruple type casts and magic number arithmetic in the output.
If I manage to analyse it and bypass the latest patch I might drop it as a blog post, otherwise I’ll have to keep quiet about the current 1day exploit.
Another happy news is that the exercise routine has also commenced! We’re also getting a gym in the office… but I don’t think anyone will use it. I probably won’t have the motivation to bring spare shirts everyday either.
As of today my hate for finance and economics decreased drastically after a conversation with someone. Can't believe I'm saying this but maybe I'll start reading about finance…
Let’s see what life has to offer next.
Yikes!
2023-03-19
Good evening from more than a month later!
Can and cannot believe 32 days have already passed. Days feel really slow and sluggish, but looking back it's been so long since I've updated here.
Fortunately the past month has been rather peaceful and laid back. Nothing outstanding at all that I can remember, and no remarkable fuck ups. On the flip side I've not achieved much either. This is especially evident in the learning of the Japanese language. I've barely made progress/studied since early February.
The weight loss regime is going rather well though, losing about 4 kg in the past month or so.
Speaking of the things I have done, I've applied for my university, attended a course on fuzzing, wrote a tool to redirect filesystem API calls to be serviced in memory for device-less snapshot fuzzing (https://github.com/Y3A/hook_fs), and researched some installer LPEs.
Outside of my little bubble, the world is going mad.
First we have US banks collapsing signalling impending economic crisis, then GPT-4 with copilot revolutionizing data presentation and creative work. That’s a hell lot of changes in a month.
Although one may argue it's merely the surfacing of long ongoing work, the surfacing does make huge impacts. Without the release and proliferation of Chat, the AI field certainly would not receive as much support and pressure to concretize research into production tooling. What a time to be alive.
My timeline has also been flooded with AI related topics, without myself actively procuring information. Quite a lot of tech bros are stocking up on books and researching AI. That prompted me to actually think about whether I should take a deep dive into AI soon (spoiler: I said yes). My math isn't good at all, and honestly I don't have much interest in the conventional side of computing if not for breaking stuff. But I figured I'll give it a try at least, after some regret at not hopping onto the train of smart contract audits due to similar apprehension. There has to be someone who audits AI for bugs right ;)
Oh well, I’m so fucking tired now. I hate naps and they take away more from me than I hope to obtain. See you in a technical post soon.
The key to a wonderful life lies in what you can get obsessed with.
2023-03-27
mmmmmm
Just a quick update before March ends~
Life has been rather routine. My day consists of waking up, doing pointless things at conscription, studying, playing FIFA and night running. Can't complain about the relative lack of responsibilities and chunks of free time, but I'm still really looking forward to ending it. I plan to take train rides from the south to the north of China, stopping by third tier counties and visiting villages. It's gonna be a desirable break away from technology and identity. That's if WW3 doesn't commence and I don't break a leg.
As I mentioned previously, I’ve started to read up on some neural network stuff, starting from http://neuralnetworksanddeeplearning.com/.
Unfortunately my really limited exposure to mathematics led to
And I went down a rabbit hole of MATH BOOKS, 3blue1brown videos and old professor lectures.
It's a complicated feeling. I'm simultaneously interested and uninterested. Although the concepts and implementations are extremely mesmerizing and complex, it's just less rewarding and more tiring to study. Hate to admit it but I'm also bad at getting myself to learn something new, from scratch. I tend to stick to old and comfy things, which is bad. The goal for now will just be to try and understand the math behind the first two chapters, and write a toy neural network capable of identifying digits. That feels quite rewarding :)
On the topic of security, I’ve been auditing some installers for LPEs and found a couple of 0days. They aren’t extensively used though so I can’t be bothered to report. Maybe I’ll blog about finding LPEs soon, but those are low low hanging fruits and require little technical skills. The takeaway is, you are probably a hair away from system if you compromised a personal computer.
I also hope to reproduce and blog about some kernel CVEs soon.(After the neural network thingy!) Those are tons of fun.
Compared to last year, I don’t think I’m improving as fast and reading as much. It’s slightly demoralising, I’ll try to get up to pace soon!
σ(w⋅x+b).
2023-04-02
Hello from April!
Just writing a quick update because it’s really late and tomorrow is a Monday again.
Well unfortunately I did not commit to any of my plans written last week, including AI and CVEs and more. Instead I went to read a book called Hackers and Painters by Paul Graham (no regrets at all). I'm about half way through and I can absolutely declare that the high reviews really did it justice. It's a book packed with insights and thoughts that are incredibly forward and meaningful, but at the same time easy to digest, almost like the wise old village chief holding you by the hand. The author's predictions of the future at the time of writing (2004) are so fucking (forgive me) accurate and surreal. You've got to see it for yourself.
I know the book is supposed to spread these great ideas and startup teachings, but my most striking takeaway for now is… webapps are actually really impressive(and practical). I used to look down on web programming and felt that native clients were much better. No particular reason, just the thought of web stuff being “lame” and just a bunch of markup language together. If I had spent a little more thought on that, it would have been very obvious that my viewpoint was biased and shallow and frankly dumb. The web is such an amazing creation! and webapps+browsers are so flexible and ubiquitous we take them for granted. With my newly acquired interest for the web I started learning nextjs and typescript lol, with a goal of making a C2 client/server.
Now you might think that I'm such a fickle person and will surely become a jack of some trades (as they like to call me, a three-legged cat, i.e. a dabbler), but I'm a firm believer in following your interest. My rationale is: if I keep switching interests, eventually I'll come back to one of my prior interests and build upon it. It's like a cycle, and with enough time I'll be able to max out all of them hahaha. Let's see how far this one goes.
Fuck that wasn’t quick at all
Good night, good night!
2023-04-24
Good morning!
Daily update became weekly update and now monthly update, but I've made my life so boring that there's nothing really new to talk about.
Lost 8kg in the past 2 months as expected, and 8 more to go. Fell horribly sick a few weeks ago, which kind of made me reconsider quite some things(always happens when I’m sick).
For starters I'm prioritizing health over laziness now, e.g. taking fucking vitamins and sleeping early. Kind of makes sense that I should be using this body sparingly if it's gonna last for 30 more years.
I’m gonna be honest and say that the japanese learning plan is going down the drain! Haven’t touched it since mid feb. Good news is one of the co-workers is starting to learn it too, and he might give me some inspirations to continue.
The ailment messed with my brain, and I lost interest in web development. Instead I went back to working on my mini kernel. That turned out to be quite productive as I implemented processes, threads and userland. Learnt some differences between Linux and Windows in that process (pun intended). In Linux threads are just mini processes that share memory with each other. Internally they are all represented by a task_struct structure. That's not the case in Windows, where processes are just a container for threads. The kernel EPROCESS structure houses some administrative data like the page table and image name, but doesn't actually execute anything. Each useful process must have at least one thread, which is the runner of some code. As a Windows fanboy of course I went with the Windows ideology of things.
2 weeks later I found an interesting CVE regarding an information leak in one of the Windows minifilter drivers. It's interesting cuz information leaks are rather useful now following the announcement that Microsoft is planning to kill the usual KASLR bypass. However I know nothing about these drivers, so I went back to working on Pavel Yosifovich's driver programming book, hoping to learn a thing or two before analysing this CVE. I've got it diffed out already, and it's a race condition due to improper locking, but I don't know enough to trigger it yet.
Speaking of windows internals, these books just arrived :)
The kind of gift a nerd craves during festive seasons. Reading online books just doesn’t feel the same.
Lastly I subscribed to netflix yesterday to watch this film called True Spirit(it was inspiring). Little did I know it offers films based on regions, and my region has absolutely nothing. Didn’t stop me from watching 4 super old films in two days though. Netflix I’m coming for you soon.
Work is starting tomorrow, hope waking up early can get me back into doing productive things.
nnsask_46
2023-04-28
Hello from not long later.
I certainly did not plan to write today, but I also never follow my plans so here I am.
While browsing twitter this afternoon I came across a post mentioning this course. Honestly I’m quite skeptical when it comes to prompt engineering and ChatGPT related courses/books, because everyone’s just trying to milk it for money while it’s still hot and fresh.
Speaking of money, allow me to digress. I came across ChatGPT at around early December last year, which was quite a while before it spread outside the tech circle. First time using it, of course, mindblown, but that was where I stopped. Thinking back on it a few months later, there were so many things I could've done for some profit. Investment was one of them, see Chinese tech company 360 Security with 300% growth. Almost every decent tech company on the Chinese stock market saw a fair amount of growth during the first weeks of ChatGPT's introduction into China (already a few weeks later than the west). Most tumbled afterwards but that was still an opportunity missed. Also peripheral industries like graphics cards/storage/cloud computing have seen pretty good growth, see Nvidia with a 100% increase from late December last year to now. This is one of the rare opportunities where the huge information gap combined with leaps in technology allows a nerd to outperform an economics geek. Heck, would've made decent money even by just selling ChatGPT accounts on Taobao! (Chinese emails and phones were banned from registering.) Quite unfortunate to have missed it. You've got to do something when the opportunity presents itself. It doesn't happen so often.
Coming back to the topic, I decided to give this course a try because it's made by people who surely know their AI well. The course was pretty practical actually, and really straightforward. Now there are generally two types of useful courses. The first are those that really blow your mind with some obscure 20-year research deepdive fancy technical dump. These courses are rare to find, tough to learn, extremely valuable but also cost a kidney. The second type is more straightforward, logical and more like a cookbook. The aforementioned course obviously belongs to the latter. Like many management courses, it's "telling you something" instead of "go find out something". After finishing these courses I feel like the rules taught are so logical and sensible that a cognitively competent human should be able to formulate them. I guess that's called learning. Although the course contained useful tips, I don't feel accomplishment going through it. It's literally following a guide lol. On the other hand the skill cap for prompt engineering is there, and you can't expect it to go any more technical than a conversational English course.
When I first started learning programming 3 years ago, my motivation was partly "learn a language that the computer speaks so I can control (make friends with) it". It has served me pretty well and I know a handful of them. It's unfortunate that the next generation wouldn't need such a goal in mind to learn programming, since LLMs are natural language interpreters.
This experience kinda made me interested in AI again. If comp sci wants me then I'll enroll in a math course straightaway. Otherwise goodbye, I'm going back to security. Waiting season always sucks doesn't it.
Not an AI assistant.
2023-05-21
Hello from late May!
I’m writing from camp while listening to a song by Mayday, how seasonal.
Recently I was forced to attend a military training course (all part of conscription) that will last a month. That means going to camp and waking up early every day for a month. As a subpar soldier who absolutely hates waking up early, this is truly a torturous event. Currently just finished the first week so, long way to go. To make things worse, access to electronics other than mobile phones is prohibited. Study plan down the drain. I'm not a fan of using my phone for anything apart from esports, because I find it small and easy to overheat (and it's near impossible to debug a Windows kernel driver on an iPhone, yeah). Without going into the details of how much I dislike conscription and the military and regimentation and hierarchies, I really abhor them.
So what else can I do if security study has to halt? I started reading this book called 暗时间(translation: “dark” time), which talks about how one’s brain functions(on the abstract level) as well as how to think straight. It’s quite an intense book, by that I mean the content is dense and well cited examples are abundant. I’m currently less than half way through, but I can confidently recommend this book to literally anyone in any field. It’s a remarkable collection and summary of the greatest works in abstract psychology for critical thinking. IMO it’s worth the price even if you use it as a booklist to be introduced to other books.
Some of the ideas I’ve learnt thus far:
- There are lots of times when your brain sits idle ("dark" times). For example waiting for transport, queueing for food, taking a stroll, etc. We can extract more out of the brain by using these times to reflect and think, on either problems (all life is problem solving) or ourselves. I practise this by skimming through chunks of technical text/problem statements before engaging in a boring task like folding shirts. That way I can digest the text using idle time.
- Don't memorise conclusions from books, because they are formed based on the writer's own biases. Instead, remember examples/experiments so you can derive your own theories, which are easier to remember. Our own theories are usually easier to remember because we try to link them with knowledge that already exists in our brain. By increasing the links, it's more probable for a search to reach the desired knowledge. In Mandarin, all roads lead to Rome.
- Don't assume something does not/will not exist just because you are unaware of it. It's good to communicate with others and query for information. Pretty hard to enforce for an introvert but I'll try.
- The inner core of our brain that's in charge of emotions, desires and survival has evolved little since pre-historic times. It BELIEVES that we are still in the stone age (wooden age to be precise). This explains many of our behaviours (eating high fat food, being afraid of "awkwardness", being emotional) that we want to curb but find hard to. The neocortex is relatively evolved, and that's in charge of logical thinking and reasoning. When we want to quit a certain habit, that's the rational neocortex trying to guide us to an end goal. However, stopping these behaviours is a difficult task because the inner core is regarded as superior (survival and reproduction have indeed been the top priority all along). A good way to practise controlling your "emotional" inner core is to treat it as an enemy/your child, and use the neocortex to make decisions. Why not treat the inner core as part of yourself? Because the inner core, again, dislikes admitting that it's wrong and needs to be changed. In fact, it's so powerful that people tend to use logic to justify their inner desires, when in fact the "logical" reason is not the true driver of their decisions. We must be wary of this behaviour, and try not to always find excuses for the emotional inner brain. In essence, know that emotions are just signals from your pre-historic counterpart, and you have all the say to ignore or comply.
- Innate bias is ever present. Experiments such as the "rotating mask illusion" and your usual optical illusions explain it all. The brain has its own preset rules, and these rules can override each other based on importance. It helps the brain to quickly come to conclusions (heuristics), but can lead to biased conclusions. The only way to mitigate this is to interact with more people, understand more perspectives and read more books. Also, stay open minded. This solution might be a working solution, but it's definitely not the only solution. Unknown does not equal non-existent.
- More knowledge sometimes causes less problem solving ability, especially when it comes to creative thinking. When we have general knowledge but lack critical thinking, functional fixedness sets in, causing our thoughts to be very rigid. This is evident in many "think outside the box" puzzles, such as "connect all 9 dots with 4 strokes", "how to send the lion, rabbit and cabbage across the river" and the Candle Problem. How to combat this? A helpful way is to break up your chain of thoughts into individual parts. Think of a decision tree. We tend to go down a certain path early in the tree without realising that the solution is on the other path. We should stop at every junction of our thoughts, try to question if that's really a "must do", then proceed. This is one reason why rubber duck debugging works too. By saying our thoughts out loud, we are questioning our questioning process! And that is how to practise critical thinking.
In the past when people asked me what I want to achieve in life, my response was "to be happy."
As of today the conclusion has changed to "To complete my objective. For now, that is to be happy."
yeah stay happy~
2023-06-02
June June June June
It's another year of June without holidays, and I still can't get used to adulthood. Every June/December I get into holiday mood and crave taking a train ride.
I came across an interesting incident yesterday, which is interesting enough for me to document but too rudimentary for a blog post, so here it comes.
While working on a driver to detect remote thread creation, I thought I found a bug in my code.
The general logic is:
- Register process and thread callbacks.
- Add each newly created process to a linked list.
- For each new thread creation, if it belongs to a process in the linked list(its first thread), remove the process.
- If the thread does not belong to any new processes and the creating process is not the same as the created thread’s process, log it as remote.
The process callback goes like:
```cpp
static void OnCreateProcessNotify(PEPROCESS Process, HANDLE Pid, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);

    if (CreateInfo == nullptr) {
        // Process exit
        // Edge case where process has no thread but exits, remove from list
        if (auto entry = g_Processes.FindProcess(Pid))
            g_Processes.RemoveProcess(entry);
        return;
    }

    // Process create
    // Add to new processes list
    auto entry = g_ProcessesPool.Alloc();
    entry->information.pid = Pid;
    g_Processes.AddProcess(&entry->link);
    return;
}
```
The FindProcess function:
```cpp
LIST_ENTRY *ProcessesHead::FindProcess(HANDLE pid)
```
And the thread callback:
```cpp
static void OnCreateThreadNotify(HANDLE ProcessId, HANDLE ThreadId, BOOLEAN Create)
{
    UNREFERENCED_PARAMETER(ThreadId);

    if (!Create)
        return;

    // We only care about thread creation
    // Note: ProcessId and ThreadId belong to the target (newly created) thread
    bool remote = PsGetCurrentProcessId() != ProcessId
        && PsInitialSystemProcess != PsGetCurrentProcess()
        && PsGetProcessId(PsInitialSystemProcess) != ProcessId;
    if (!remote)
        return;

    // Check if thread is "true remote": not the first thread in a process
    auto entry = g_Processes.FindProcess(ProcessId);
    if (entry) {
        // fake remote
        g_Processes.RemoveProcess(entry);
        return;
    }

    // True remote, log it
    ...
    return;
}
```
At this point I thought I had discovered a potential race condition bug.
I was returning a reference to a linked list element from FindProcess for efficiency, which is a really dumb thing to do because it completely defeats the purpose of the synchronisation objects: the lock is released before the caller touches the element. Instead, I should be returning a status for found/not found, and the RemoveProcess function can simply do the loop again to remove the target element, this time under an exclusive lock. (The choice of using a fucking linked list for this task is already quite illogical actually.)
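The design described above, as an added user-mode C model that is not the blog's driver code: the "new process" list plus the thread-classification logic from the callbacks, written so that the lookup returns only a status, and removal re-scans and unlinks under one exclusive lock and reports whether it removed anything. Two callbacks racing to remove the same entry therefore cannot both free it. Assumptions that are not on the page: a pthread mutex stands in for the driver's kernel lock, SYSTEM_PID (4) models the PsInitialSystemProcess exclusion, and the PIDs are made up.

```c
/* Added example (not the driver from the post): list lookup returns a status,
 * removal does find+unlink in one critical section. */
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define SYSTEM_PID 4u  /* assumption: the Windows System process, PID 4 */

typedef struct ProcNode {
    uint64_t pid;
    struct ProcNode *next;
} ProcNode;

typedef struct {
    ProcNode *head;
    pthread_mutex_t lock;  /* assumption: stand-in for the driver's kernel lock */
} ProcList;

void pl_init(ProcList *l)
{
    l->head = NULL;
    pthread_mutex_init(&l->lock, NULL);
}

/* Process-create path: remember the PID until its first thread shows up. */
void pl_add(ProcList *l, uint64_t pid)
{
    ProcNode *n = malloc(sizeof *n);
    if (n == NULL)
        abort();
    n->pid = pid;
    pthread_mutex_lock(&l->lock);
    n->next = l->head;
    l->head = n;
    pthread_mutex_unlock(&l->lock);
}

/* Lookup reports found/not found only. Handing back the node pointer (what the
 * original FindProcess did) lets another caller unlink and free it the moment
 * this lock is dropped. */
bool pl_contains(ProcList *l, uint64_t pid)
{
    bool found = false;
    pthread_mutex_lock(&l->lock);
    for (ProcNode *n = l->head; n != NULL; n = n->next) {
        if (n->pid == pid) {
            found = true;
            break;
        }
    }
    pthread_mutex_unlock(&l->lock);
    return found;
}

/* Find and unlink in one critical section. When a process-exit callback and a
 * thread callback race to remove the same PID, exactly one of them gets true
 * and the node is freed exactly once. */
bool pl_remove(ProcList *l, uint64_t pid)
{
    bool removed = false;
    pthread_mutex_lock(&l->lock);
    for (ProcNode **pp = &l->head; *pp != NULL; pp = &(*pp)->next) {
        if ((*pp)->pid == pid) {
            ProcNode *victim = *pp;
            *pp = victim->next;
            free(victim);
            removed = true;
            break;
        }
    }
    pthread_mutex_unlock(&l->lock);
    return removed;
}

typedef enum { THREAD_LOCAL, THREAD_FIRST, THREAD_REMOTE } ThreadKind;

/* Thread-create path. creator_pid is the process running the callback
 * (PsGetCurrentProcessId in the driver); target_pid owns the new thread. */
ThreadKind classify_thread(ProcList *l, uint64_t creator_pid, uint64_t target_pid)
{
    bool cross_process = creator_pid != target_pid
                      && creator_pid != SYSTEM_PID
                      && target_pid != SYSTEM_PID;
    if (!cross_process)
        return THREAD_LOCAL;
    /* The first thread of a new process is created by its parent: not remote.
     * Removing directly, instead of find-then-remove, closes the window. */
    if (pl_remove(l, target_pid))
        return THREAD_FIRST;
    return THREAD_REMOTE;
}
```

The classification keeps the driver's three exclusions (same process, creator is System, target is System) and then consults the list once, with the removal itself as the check; a caller that wants a read-only answer uses pl_contains and accepts that the answer may be stale by the time it acts on it.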
The possible exploit scenario here would be to:
- load up the processes list with thousands of processes with no threads so the search becomes slow
- create a thread for the last process to kick off the thread callback
- kill off some processes from the start of the list
- exit the last process
If the stars line up, it's theoretically possible for the process callback's FindProcess to return the same reference as the thread callback's FindProcess. In that case both callbacks proceed to delete the same reference, leading to a double free.
So I quickly hacked up a PoC to play with this.
By using NtCreateProcess, I was able to create processes with no initial threads, visible in tools like ProcessHacker.
To my surprise, none of these empty processes triggered the process callback! Which was really weird because it should literally be a callback for when processes are created.
Knowing that the PspCallProcessNotifyRoutines function is responsible for invoking process callbacks, I spun up IDA to look for cross references to this function.
And it turns out that although Microsoft labels the function as a process callback, it’s only invoked when the first thread is created and inserted into the process.
MSDN Docs:
"When a process is created, the process-notify routine runs in the context of the thread that created the new process."
Seems like Windows only regards a process as a true process once it has an initial thread, which is really confusing because the Windows architecture is known for strongly distinguishing threads from processes, compared to Linux where "oh everything is just a task".
You can see the PspCallThreadNotifyRoutines function being called right after the process callback is invoked, which also means that the thread callback is inline of the process creation process(pun intended).
Our exploit can therefore never work, because the process is not fully created before the thread callbacks are serviced, and thus cannot be terminated in between. You can experiment with this by registering a thread callback that sleeps for a few seconds, and watch your system turn into a 1-core, 500 MB RAM piece of garbage.
At this point I was quite happy that I didn’t write a critical bug, only a terribly designed poc :D
Lessons of the day:
Synchronisation bugs are pretty prevalent. Process callbacks aren’t really process callbacks but more like First Thread callbacks. Design your code before writing.
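The ownership bug the entry above was worried about, as an added example that is not code from the original post: a deterministic model of two callbacks that each look up the same tracked process and free it, next to a lookup that hands out ownership exactly once so the second caller gets nothing. The list, the names and the hand-written interleaving are illustrative; in a real driver the unlink happens under the list lock, and a real double free is replaced here by a tombstone flag so the demo stays defined behaviour.

```cpp
// Added example (not code from the original post). Models "both callbacks
// delete the same reference": the fix is to make the lookup transfer ownership.
#include <cstdint>
#include <memory>
#include <vector>

struct TrackedProcess {
    uint32_t pid;
    bool freed;   // tombstone so a second "free" is detectable without UB
    explicit TrackedProcess(uint32_t p) : pid(p), freed(false) {}
};

// Simplified stand-in for the driver's per-process list. A real driver holds a
// spin lock or ERESOURCE around the walk; this demo is single-threaded and
// interleaves the two callbacks by hand instead.
class ProcessList {
public:
    void Track(uint32_t pid) { entries_.push_back(new TrackedProcess(pid)); }

    // Buggy design: returns a pointer but keeps the entry in the list, so two
    // callers racing on the same PID get the same pointer and both free it.
    TrackedProcess* FindProcess(uint32_t pid) {
        for (auto* e : entries_) if (e->pid == pid) return e;
        return nullptr;
    }

    // Fixed design: unlink atomically with the lookup (under the list lock in a
    // real driver). Whoever gets the pointer owns it; everyone else gets null.
    std::unique_ptr<TrackedProcess> TakeProcess(uint32_t pid) {
        for (auto it = entries_.begin(); it != entries_.end(); ++it) {
            if ((*it)->pid == pid) {
                std::unique_ptr<TrackedProcess> owned(*it);
                entries_.erase(it);
                return owned;
            }
        }
        return nullptr;
    }

    ~ProcessList() { for (auto* e : entries_) delete e; }

private:
    std::vector<TrackedProcess*> entries_;
};

// Simulated free: marks the tombstone and reports whether it was already set.
static bool ReleaseEntry(TrackedProcess* e) {
    if (e == nullptr) return false;     // nothing to free, nothing to break
    bool doubleFree = e->freed;
    e->freed = true;
    return doubleFree;
}

// The interleaving from the entry: the process callback and the thread
// callback both look the PID up before either frees. Returns true on double free.
bool BuggyInterleaving() {
    ProcessList list;
    list.Track(4242);
    TrackedProcess* fromProcessCb = list.FindProcess(4242);   // process callback
    TrackedProcess* fromThreadCb  = list.FindProcess(4242);   // thread callback
    bool first  = ReleaseEntry(fromProcessCb);
    bool second = ReleaseEntry(fromThreadCb);
    return first || second;
}

// Same interleaving with ownership transfer: the second lookup returns null.
bool FixedInterleaving() {
    ProcessList list;
    list.Track(4242);
    std::unique_ptr<TrackedProcess> fromProcessCb = list.TakeProcess(4242);
    std::unique_ptr<TrackedProcess> fromThreadCb  = list.TakeProcess(4242);
    bool first  = ReleaseEntry(fromProcessCb.get());
    bool second = ReleaseEntry(fromThreadCb.get());   // null: nothing to free
    return first || second;
}
```

The design point is the one the lessons above name: a lookup that returns a reference the caller is expected to free, while the object stays reachable from the list, is a double free waiting for the right interleaving; removing the object from the list in the same critical section as the lookup makes the second caller's failure explicit instead of silent.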
Also, I kind of miss playing CTFs. Maybe because I don't get much adrenaline rush these days. I applied for a team last week, the leader spoke a few words with me and I never heard back from them since. I'm guessing that's a silent rejection. If anyone has an active CTF team that's recruiting and doesn't mind a really rusty player joining, please contact me!
pspspspspspspsp
2023-06-03
Wtf why am I writing again it’s only been a day.
I have no idea either. Was watching the FA Cup and suddenly felt a gush of semi imposter syndrome, have no one to talk to so decided to just pen (keyboard) down some non-substance.
Browsed a lot of skilled people's blogs today, some of which I came across in 2020/2021. 3 years ago I had absolutely no clue regarding what (oh shit nice goal Gundogan) they were then researching/writing about. Now I'm still clueless about their current writings. Probably didn't express my thoughts clearly but, I have this feeling that I'm not catching up to people at all, and everyone is just constantly moving forward. 2023 is a year of fruitless waiting, and that's a worse feeling than failure. Waiting drains all my energy while I try to remain optimistic. I'm also terrible at not thinking of the pink elephant, therefore can't fully context switch to focus on other stuff.
I have a poor memory too. Forgot almost everything I’ve learnt in the past year, and previous year, and of course even earlier before. Kind of feel like a fresh paper now. Guess I have no problem doing short term learning for a cert/exam, but I’ll just flush everything out of RAM afterwards. So now I feel like I know nothing at all, apart from the chapter I read this afternoon.
I wanna be a bug hunter, but can’t take the weeks of staring at code with no progress indicator. I wanna have teammates to discuss things with, but the thought of human interaction wears me out. I wanna win ctfs, but feel like an idiot researching fucking libc.
Probably need to 1. make proper checkpoints and targets while doing VR. 2. get used to interacting with others. 3. just start trying and not quitting.
I also have this image of a perfect future, where a few friends and I stay at a cosy apartment, do some security research/ctfs and play sports daily. I don’t think that’s ever gonna happen though; wishful thinking never works well for me.
I’ll probably be a bug hunter wannabe with no bugs, lots of superficial knowledge but no practical experience, wasting time hopping around topics, all by myself, delusional thinking I’m good but in reality garbage, no opportunities, despise everything I’ve tried a little but didn’t deep dive, maybe change a field completely.
Hopefully not, but that’s exactly me now.
2:1
2023-06-18
Hey friend, how are you doing. We’ve crossed the halfway mark of 2023! I just ended a long day of duty. Well duty sounds like I’m actually doing work, but that’s not the case. Duty is just me waking up early to report to camp and read a book for a day.
Today I read half of the book Unlocking the Emotional Brain, and as usual felt an urge to express myself(else I won’t be here :p)
The book is eye opening to say the least, and contains lots of case studies to elaborate its theories. I really enjoy books with case studies and examples because I get to pause and predict how the next part of the conversation could turn out. Authors Ecker, Hulley and Ticic propose a rather novel framework (known as the Emotional Coherence Framework) that redesigns the process of therapy. In their framework, symptoms are never pathologised, unlike in conventional psychology.
Afaik from the book, most pre-coherence psychology treats symptoms as problems that need to be controlled and suppressed. They therefore favour the use of counteractive methods that aid with symptom management, such as relaxation, positive thinking and chemical intervention. These techniques work by building new synapses in the brain in an attempt to suppress the old synapses that trigger the symptoms.
The Emotional Coherence Framework on the other hand believes that symptoms are solutions to problems. If you think of every symptom as a structure, there's always a problem member and a solution member waiting to be identified. The problem may be fictitious (assumptions) or dated (PTSD type), BUT the brain recognises it as threatening. More specifically, the brain acknowledges the existence of the problem as well as the potential other problem that the solution (in most cases also the symptom) can raise. Implicitly it makes the decision to take the symptom in order to prevent greater harm. Since a large variety of symptoms are learnings by the brain to help itself, Ecker and his team believe that they can be unlearnt.
At this point I started thinking about another observation. It's not uncommon to see people trying to assume the role of a therapist, might be a friend, a parent or a mentor. The results are often poor, because they tend to focus on the pre-coherence era of suppression, and they do it quite wrongly. A common observation is they try to cut in with their own opinions. It's almost like they're only listening just so they can shove their thoughts in once the other party is done. Well even if you have 1000 hard facts to convince the client, the result won't even be close to a proper session of therapy. The best that could happen in this scenario is the client gets fully convinced, logically, that his symptoms are bullshit and should reasonably be curbed. But that's not going to help with anything. His logical neocortex may be convinced, but his implicit emotional subcortex is not involved at all. It's kind of like muscle memory, and it will just flip as per usual the next time something triggers. Giving a lecture on facts is just not going to work (Asian parents look here). You can never change another adult's thoughts unless he is fully trusting, accepting and willing to comply. There are better (more scientific) ways, such as inducing a self-directed, conscious comparison of facts using juxtaposition, but you'll have to read the book to find out.
Also here's another random thought. Aren't structures amazing? Literally everything in the world can be represented as structures. Starting virtually, every single action you do on a computer, every feedback you see, every app you use, can be simplified to performing just one task: updating structures. By updating a screen buffer structure you see input on screen. By updating the keyboard buffer structure the I/O manager receives keystrokes. By updating character and background structures you get fancy little games and logic. It's similar in the real world. Think of a bottle of shampoo structure with a shampoo liquid member, a container member, a label member and a nozzle member. Structures link chunks of data to other data. The nozzle member links the shampoo bottle to the person showering, like how a switch links the lightbulb to whoever uses it. Once you fully appreciate this, you realise that structure (or "object") oriented programming is the most natural way to work with stuff. I'm not talking about the loaded modern complex "OOP" paradigm, but simple old structure updates. These structures can be implicit: when you write a file of functions manipulating a structured field of data in C, you're thinking OOP. That should be the starting point of every planned project.
I’m talking quite a lot of garbage, but trust me I’m trying really hard not to jump around.
Lastly, paper books smell and feel clean. I hate ebooks.
struct
2023-07-10
Blue July, bright July,
Month of storms and gorgeous blue;
Violet lightnings o’er thy sky,
Heavy falls of drenching dew;
Hello from July! Been a busy few days without updates, lots of working and thinking about stuff.
With the end of my military service approaching (100+ more days) I have to find something to do afterwards.
Although I keep saying I'll lie on the bed for 9 months until I get so fucking bored, I still wanna do some real things. That being said, I applied for an internship in vuln research (there weren't any official procedures I knew of, so I just wrote an email to them); they told me I needed to send in a resume, which I didn't have, so I went to make one and am now waiting for results.
Frankly I don't care at all about the pay or recognition or whatever. I just want to hack on some stuff with like-minded people, and it would be like winning the lottery if they are willing to share experiences of working in the field. Really hope I can get into that.
The past few days were mainly spent consolidating my learnings on filesystem logic bugs. The techniques date back to 2015-2020, which sounds ancient but they are still very much relevant today. One thing I love about learning old techniques is that you get to see how TTPs develop over the years as these talented frontline researchers constantly push the boundary and discover cool shit. It's really respectable.
While messing around with some of those, I found a really interesting 0day scenario which I'm dying to share and ask for opinions on. It's quite confusing which party the blame should be on/who should care about it. So I did the greedy move and reported to all affected parties, now still under verification. Bug bounty is still pretty boring to me. You're not really learning anything, you're just doing the same shit over and over again on different releases of different targets. Don't mind my analogy but I find it really resembling scam phishing clients using social media, like telecom fraud (电诈). You profile a bunch of targets, try to understand them and find something in the first week, and drop those without obvious bugs. By that I mean web bug bounty/filesystem low hanging fruits of course. In contrast deep dive vuln research is so much more motivating and rewarding.
Also I'm reading a book called 寒江独钓——Windows 内核安全编程 which talks about Windows drivers. Although it's dated (2009) I find it really fascinating and eye opening and I have a great deal of respect for the author. It doesn't contain the most technical details (by that I mean explanation of flags/behaviours), probably due to age, but it does have a lot of walkthroughs and extended discussions and even walkthroughs of extended discussion materials. I love books that go on to talk about related case studies/techniques/stories. Unfortunately most authors are really lazy and "leave it as an exercise to the reader", but not this author. As an example he talks about attaching a filter driver to keyboard devices to sniff keystrokes, then extends that to talk about how it's easily detectable by scanning the device stack, and how else to do it (hooking the kbd-something driver's major functions directly), and how that can also be detected. Then he mentions a case study about how QQ (Chinese chat app) bought anti-sniffing technology from the Koreans, how those techniques work, their limitations and more rabbit hole topics. I guess it's just a way of organising information that I appreciate, where each chapter is like research into a particular idea covering many possibilities and fun facts. Love it!
Going forward I’ll continue to work on studying/writing windows drivers, hoping to learn more internals in the process. If I get an internship then I’ll go work on that. Fingers crossed!
🎣
2023-08-19
Hello from August.
As unexpected as things can get, the past few weeks have been the most weird, fucked up and nurturing period in a very long time.
Without going into details, I fucked around and found out. I really did.
Previously I’ve always held a frivolous and carefree attitude towards everything.
To put it frankly I was dumb and entitled.
Not sure what you guys thought of your understanding of the world when you were 19.
I certainly thought I knew a lot. I thought I knew what I aspire to do in life, how to do it, the dos and don’ts of society. I thought I knew it all.
I thought the only thing important in life is to grind on some work, family is just there for granted, who cares about authority or rules, fuck getting married or a relationship, humans are boring and noisy, I don’t have to care about anything. The worst judgement was me thinking my current life was garbage, and everything will be so much better after military service.
Turns out I was just a rash and stupid overgrown teenager living in my own world, and that’s going to fuck me over sooner or later.
Fortunately for me it came sooner.
If you’re like me, please re-think about it all.
Sometimes you really don’t need to fuck around to find out.
If you can wake up everyday in the comfort of a bed, able to procure sustenance twice a day, away from ailments or disability or natural disaster, have at least one friend and a loving family, can walk out and enjoy the sun, wind, grass and the scents of freedom without fearing arrest or getting chopped up, your life is fucking amazing and please treasure it.
Anything else, it’s up to you to change it, and you can change your life this exact moment if you desire.
Also, as cliche as it sounds, problems are inevitable in life.
You’ll never get a prolonged period of “I have absolutely nothing to worry about and I’m so relaxed” ever again.
That only happens once when you’re a newborn.
Don’t ever hope for that because it’s depressing.
Instead, try to seek real happiness, which is independent of the presence of problems.
If you’re still not convinced, try envisioning losing two fingers permanently, getting a late stage colon cancer and attending all the therapies, losing a close family member right now, getting prosecuted and attending court trials with your name all over the papers.
Really, let it sink in.
Do research, be worried, get fucking anxious and lose sleep.
The brain can’t differentiate between real and perceived events.
If you try hard enough, you will be devastated, disoriented and lose some hair.
But you’ll learn a lot on appreciating life. And freedom.
Maybe you’ll read some books, because books are the only way to hold conversations with these people who actually know their shit.
By The Courage to be Disliked, the only true happiness lies in self acceptance, confidence in others and contribution to others.
Staying alone and being prickly leads to nowhere.
Seriously, have some morals, some values, and work towards them. Unconditionally.
If you’ve already fucked around, don’t be afraid.
Finding out is a lesson, and most of the time the lesson is worth more than the consequence you’re going to pay.
Accept it, and move on.
Stepping into adulthood is not about growing a beard or earning some quick cash.
It’s more about the increasing lessons to bear in mind, and to give fucks to things worth giving fucks to.
It’s unlike me to not talk about security, so I’ll lightly add on.
A few days ago my bug got fixed by Microsoft, and I got my first CVE.
It’s a pretty mesmerizing experience.
For a bug that’s pretty useless(imo), ZDI accepted and paid promptly without questions, and Microsoft fixed it in like a week.
I’m starting to think Microsoft has some internal research going on that helped to elevate the bug, because from what I submitted there’s no way it’s a 7.8
Or maybe they issue CVEs by patches, because that patch is actually pretty huge.
See my blog post on it for more details.
Following that are all the nice things: having my name on the advisory alongside James Forshaw (really admire his work), being followed by extremely talented researchers on X, a chat with the CEO of one of the strongest research teams and more.
It’s really nice, and I like that feeling of contribution.
Try not to let opportunities fly by.
The theme of 2023 has changed from fruitless anticipation to growth.
stay legal and grateful.
2023-09-04
September.
Although it's just under 2 months to the end of my military conscription, I'm not nearly as happy as I previously envisioned.
Partly because there’s things on my back, also because I’ve learnt not to anticipate.
Just live everyday fully, don’t think into the future.
It’s my responsibility to deal with my fuck ups.
On the bright side, I’m probably gonna get an opportunity to do research with industry professionals.
I’m really grateful and happy for the opportunity.
Doing the thing I enjoy, with like-minded people, and of actual value. Never experienced that before.
Even being inside the office and listening to people discussing security stuff behind just brings a smile to my face, idk.
Will definitely try my best to contribute to the team, and I’m eternally thankful for this first opportunity.
August-September is a break month for me as usual.
The same time last year was spent on grinding 王者荣耀, this year on 永劫无间.
The little time I've spent learning was looking at how to interact with COM and RPC. Those turned out to be really useful.
September 1st I’m back studying.
Coincidentally k0shl published a blog post on a Windows LPE, so I went ahead to write an exploit for that.
Through this I learnt 2 lessons.
Don't be daunted by fancy names. The component is called "Key Isolation in Cryptography New Generation"… something I would previously never have looked into because I know nothing about cryptography. Turns out the bug was just a textbook double API race condition. That rang a bell for me to always think like a magnifier. Although implementation level bugs are super cool, sometimes zooming out and focusing on the flow and object management can also net bugs. Also never judge a component by its name or perceived functionality. We are binary exploiters, and can find bugs if it is a binary.
Researchers have their own style, and it results in specific types of bugs. Some hook up procmon and trigger all interface/APIs. Some hunt for constructor/destructor interfaces and check for proper synchronisation. Some look for parser components and fuzz away. I think I should be conscious of all these styles and always perform those. Like how a pentester follows a checklist, I’m starting to get a faint idea of my checklist for software bugs. Of course compared to implementation level bugs, these are all low hanging fruits. Having a proper understanding of the component is still the most important.
The road ahead is kind of fuzzy(no pun intended), and I guess the best thing to do is to just go ahead.
If you're trapped in fog and can't see the direction, walk a few more steps forward. At least when the fog clears, you'll still have moved forward.
Forgot where I saw this from, but think it makes some sense.
Appreciate.
2023-09-22
Realised that I wasn’t “not happy”, but in fact I wasn’t allowing myself to be happy.
I had(and still have) this idea that feeling super happy is going to make my retributions catch up to me and ruin everything.
As dumb as it sounds, I’m quite paranoid of that.
On the other hand keeping myself in check is allowing me to feel more gratitude consciously.
I fully acknowledge the luck and blessings in my current life, and it’s as good as it can get.
On one hand I understand that problems and pain are inevitable and I should learn to live in harmony with them, therefore be bold and trusting in the future. However that’s also making me crave for the present, for the comfortable present to stay forever.
Weird right?
The only way to combat that is to constantly remind myself to stay in the moment.
The feeling of powerlessness arises when you drift beyond yourself.
I’m guessing you skipped all that above because you came to see my study plans these weeks.
Led my team to revamp some years-old spaghetti Telegram bot code for conscription, and now it looks much more organised. Coding is really fun when you're in control, of styles and everything. Every block is like an artwork.
During my free time I watched some talks like https://www.youtube.com/watch?v=OuL-7GPhhAQ and read the source code of Jackalope fuzzer. I’ve written a code review for it, coming out soon.
Initially I wanted to write a fuzzer from scratch, but after some thoughts realised that it was not a good use of time. 1. I have no novel ideas to contribute, so I’ll just be re-inventing the wheel. 2. Modern fuzzers are customizable, and I can understand it by reading. My leader also suggested that manual review finds the best bugs, oh well.
Was also listening to my friend Xu talk about his job hunting experience. He slacked off during his college days, and now spends so much effort travelling around provinces to attend company open days to pass his resume to them. The attempts are hitting triple digits and still no positive callback yet. To whom it may concern, his advice is: get some work experience at real companies during college if you can. Everyone wants workers with prior experience, but no one is willing to provide it. Society is harsh.
To future me:
Microsoft Copilot is coming out soon.
That’s a cool new attack surface to explore.
2023-10-22
Begin.
Another month has passed. This time it really was a full month.
This seems to be the longest gap between updates this year, naturally because this has been the busiest month of the year.
Why is today's ramble different from usual? No particular reason; writing in Chinese just feels smoother. Actually, when I think and talk to myself it's usually in Chinese, unless I'm thinking about English books, films or shows. When I updated before I would deliberately convert it into English, but thinking about it now, there's really no need.
This is actually what I personally consider the biggest advantage of a blog over other channels: no push service. Push-related features have always been an area social media platforms research heavily, so that what one user is thinking can be delivered precisely to the screens of other users with similar ideas. The intention is good, but it's not easy to pull off. People have always been contradictory: everyone wants to be the steady type whose views are consistent from start to finish, yet no one can avoid double standards.
I've digressed. The conclusion is that if a reader reads today's ramble on my blog, he must have actively searched for my domain, clicked the first result, scrolled to the very bottom, noticed that I updated the "Collection of Nonsense" (废话合集) and maybe even turned on the translation feature before my words could merge with his thoughts. Throughout that whole chain of actions there's no coercion, pressure or force-feeding, so naturally it won't cause strong emotional swings. For example, if you see some idiot's post on Twitter, you can't help thinking: "Damn, X's employees work themselves to death with overtime, spending huge sums refining algorithms, just so I can see this nutrition-free text of yours?" But if you actively browse his blog, you'd probably just think it doesn't match your views and close the page, and might even think it over rationally and come out better for it.
Speaking of rational thinking, friends who think rationally will surely also conclude: all the nonsense I just wrote is covering up my social anxiety and low self-esteem; I'm just finding an excuse for not daring to speak where everyone can see. Since my follower count on Twitter grew, I've become less willing to post life updates or rambles. I feel these people surely didn't follow me to read this garbage, but for news from the security scene or vulnerability-related PoCs. So I have nowhere to speak! In the end a blog lacks interaction. Ideas must collide and people must socialise; that's an unchanging rule, however much you hate it or want to escape it.
Last month counted as informally starting the job; the work is roughly weaponising some kernel vulnerabilities. The month went fairly smoothly, and there were some particularly cool techniques I'd like to record, but they might trip the confidentiality rules, so they won't go on the blog for now. Maybe once I formally join there'll be a chance to publish them. The plan should be to move me to vulnerability hunting, which is actually the role I personally aspire to, as it exercises creativity more. But from a business standpoint there's really no need for that many fresh 0days, especially in my LPE direction, and especially no need to train a newcomer (just poach someone and be done with it). The bulk of the funding still comes from products and red team services; a 7.8-score 0day is worth less than a weaponised 9.8-score nday. So I'm truly grateful that the boss is giving me this opportunity and supporting me in doing what I like. Next year I personally should also focus on researching some remote vulnerabilities and create some value.
I won't speculate too much about the future. The world changes too much; being well today is a blessing.
Live within arm's reach.
2023-11-15
Counting it up, I've been on the job for two weeks. Although, due to travel arrangements, I'm currently only a contractor, I've still started the nine-to-five life of reporting in every day. The only complaint I can think of is that contractors don't get licensed software or top-tier equipment, but I don't mind as long as I can load the code. Also the commute is an hour and a half each way, but that's my problem, not the company's. Doing my own research every day and playing half an hour of table tennis with coworkers after lunch: a life fit for the gods.
Although the boss hasn't set me any targets and I'm completely free to do my own thing, I do feel some pressure. The first week on the job was spent entirely on swapping and fixing equipment. The machine kept blue-screening and I reinstalled Windows no fewer than five times; fortunately there are always more solutions than problems, and it's stable now. But since I got nothing done in the first week, watching the coworkers who goof around with me every day still dig out bugs, I'm a bit ashamed. Today happens to be Microsoft's Patch Tuesday too; when will my name have a place there? I've been auditing this driver for the better part of a month. Honestly there isn't much progress; reading it you can feel the style is rather rigorous, and because of its structure it isn't easy to fuzz. My manual auditing speed needs to improve.
I do have ideas about improving. I think the current problem is still that my understanding of the various drivers isn't deep enough. If I'm going to hunt driver bugs I should deeply understand how that functionality is implemented. My plan is to implement each kind of driver once: from keyboard and disk filters, to a simulated file system, to Bluetooth interfaces, each should get a small demo. Not only does it help me think from the developer's angle about which parts are complicated to implement (and may have logic bugs), it also speeds up reversing. Of course I can't do this during work hours, so it'll have to be weekends, slowly; I think it's worth it.
Recently I've got to know quite a few coworkers and get along well with everyone. After all we're similar in age and there's no competition, so after a couple of days of chatting we're familiar. The one who impressed me most is a researcher who used to do iOS and now does Android. (I think) he only switched a couple of months ago and has already produced something. If I make no progress in my current direction, I might also be assigned to Linux-related research (sigh). Whether I could adapt as quickly as he did would then be the question.
While writing I've started thinking again. How on earth do you find memory bugs??? There are just two options: fuzzing and code audit. If the current driver is to be fuzzed, the only possibility is to find the various mini parse functions and do snapshot fuzzing. But I haven't done that because the functions are just too limited. There's neither logic you can't understand at a glance nor layered, nested calls. Each time I want to reverse a bit and hand it to the fuzzer, I've unknowingly already reversed most of it… Until I find a truly fuzzable function, it'll probably continue like this. I believe blind fuzzing brings no return. So the only road left is manual audit. That's not my strength, because I get impatient too easily. When I meet a long function I want to skip the front and jump to the back, and in the end I've not only wasted time but also made a mess of the pseudocode labels. I must remember: before developing muscle memory and a super bug sense, honestly reverse line by line from start to finish, and for complicated parts attach a debugger and guess. The only thing allowed is jumping around to find system API calls to infer structure member types. In short, any jumping around must serve understanding the current line of code, not taking a shortcut. Mindlessly grinding is undoubtedly inefficient, but constantly thinking about the big picture is also exhausting. I think the most effective method is, before starting and after finishing each day, to think at the macro level about what analysis should be done that day, and then during the analysis just obey completely and not think too much.
At the macro level I already have an approach for auditing the current driver; what's needed is only focus and the patience mentioned above. Give it another month and I refuse to believe no bug comes out! If the boss says to switch to another driver, then start with variant analysis from existing bugs. Use others' existing research as a foundation to understand the driver's feature points and the components that have had bugs before, then think for myself whether there are new angles.
The confusion and lack of confidence in research mostly come from a lack of thinking. When you mechanically analyse functions every day and still no bugs come out, you start doubting your ability. But really, as long as you stop from time to time to think about what other entry points there are and whether what you're doing now is the best choice, there's nothing to be confused about. If what I'm doing now is the most reasonable audit method, then just do it with confidence! Every month's Patch Tuesday is the best exam. If I've looked at a component and found no bug, I should consider whether I don't understand the vulnerability principles well enough. If I've looked at the driver but not the component, I should think about why other researchers chose the entry points they chose and found bugs, to sharpen my own bug sense.
The contract expires at year end. I very much hope to be taken on as a full-time employee and continue researching, but if I can't produce any results I'd be embarrassed to bring it up with the boss. There's no point thinking about this now; we'll cross that bridge when we come to it.
Bounty hunter, launch!
2023-11-21
Okay, I lied. I didn't follow last week's plan to manually audit step by step, because after reading the P0 blog I felt it made a lot of sense: when facing a completely unfamiliar format with no source code, brute-force reversing is unwise.
So I started writing a fuzzer. My current fuzzing approach is simple. First, before fuzzing you have to anticipate roughly what kind of bugs would appear in what operations, and fuzz with that target in mind. If you can hook up instrumentation, definitely do so. If you can't, use some of the program's own validation functions to generate inputs; this avoids a lot of invalid mutations. How you mutate actually isn't that important. Next is the corpus question. Grab as many samples as you can, then minimise them together for use. If there's nothing online, generate your own. Here note that you should push the entropy as high as you can: when generating, fill in every supported option, and preferably reverse a bit to see whether there are undocumented ones and fill those in too. Finally there's triggering, also with entropy as high as it goes. First reverse a bit to collect all the supported interaction features, then randomly call everything related to the sample. Run a few more threads and you can fuzz race conditions on the side. When fuzzing, turning on page heap or special pool is basically enough. One trick learned from Mateusz Jurczyk: don't hard-code. Since fuzzing essentially relies on randomness, add as much random logic to the fuzzer as you can. For example, if a target function runs particularly slowly and isn't suited to fuzzing, don't remove it entirely; make it run with a small probability.
So far there are a few OOBs and DoSes; looking forward to going deeper.
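Two of the habits above, "use the target's own validation functions to generate inputs" and "don't hard-code, run the slow interaction with a small probability", as an added example that is not the author's fuzzer: the file format, its checks, the action names and the weights are all constructed for the demo, and the PRNG is seeded so a run is reproducible.

```cpp
// Added example (not code from the original post): a deterministic sketch of a
// validator-guided mutator and a weighted action schedule. Format and names are
// made up for the demo.
#include <array>
#include <cstddef>
#include <cstdint>
#include <vector>

// xorshift64: deterministic PRNG so a run is reproducible from its seed.
struct Rng {
    uint64_t s;
    explicit Rng(uint64_t seed) : s(seed ? seed : 0x9E3779B97F4A7C15ULL) {}
    uint64_t Next() { s ^= s << 13; s ^= s >> 7; s ^= s << 17; return s; }
    uint32_t Below(uint32_t n) { return static_cast<uint32_t>(Next() % n); }
};

// Constructed toy format: magic "FZ01" | version u8 | payload length u16 LE |
// checksum u8 (xor of payload) | payload. ComputeChecksum/Validate stand in for
// the target's own front-door checks that a blind mutation trips over.
constexpr size_t kHeaderSize = 8;
constexpr std::array<uint8_t, 4> kMagic{'F', 'Z', '0', '1'};

uint8_t ComputeChecksum(const std::vector<uint8_t>& in) {
    uint8_t c = 0;
    for (size_t i = kHeaderSize; i < in.size(); ++i) c ^= in[i];
    return c;
}

bool Validate(const std::vector<uint8_t>& in) {
    if (in.size() < kHeaderSize) return false;
    for (size_t i = 0; i < kMagic.size(); ++i) if (in[i] != kMagic[i]) return false;
    if (in[4] > 2) return false;  // versions 0..2 supported
    size_t len = in[5] | (static_cast<size_t>(in[6]) << 8);
    if (len != in.size() - kHeaderSize) return false;
    return in[7] == ComputeChecksum(in);
}

// Generated seed (no corpus online): every field filled in.
std::vector<uint8_t> MakeSeed(uint8_t version, size_t payloadLen) {
    std::vector<uint8_t> v(kHeaderSize + payloadLen, 0x41);
    for (size_t i = 0; i < kMagic.size(); ++i) v[i] = kMagic[i];
    v[4] = version;
    v[5] = static_cast<uint8_t>(payloadLen & 0xFF);
    v[6] = static_cast<uint8_t>(payloadLen >> 8);
    v[7] = ComputeChecksum(v);
    return v;
}

// Dumb mutator: flip a few random bits anywhere in the buffer.
void MutateBits(std::vector<uint8_t>& buf, Rng& rng, int flips) {
    for (int i = 0; i < flips; ++i)
        buf[rng.Below(static_cast<uint32_t>(buf.size()))] ^= static_cast<uint8_t>(1u << rng.Below(8));
}

// Repair, with the target's own routines, the fields it verifies up front
// (magic, length, checksum) so the mutation reaches the real parser. The
// version byte is deliberately left alone: it steers parser logic, so
// mutations there are wanted rather than "invalid".
void RepairWithTargetChecks(std::vector<uint8_t>& buf) {
    for (size_t i = 0; i < kMagic.size(); ++i) buf[i] = kMagic[i];
    size_t len = buf.size() - kHeaderSize;
    buf[5] = static_cast<uint8_t>(len & 0xFF);
    buf[6] = static_cast<uint8_t>(len >> 8);
    buf[7] = ComputeChecksum(buf);
}

// Fraction of mutated inputs that get past Validate, with or without repair.
double AcceptanceRate(bool repair, int iterations, uint64_t seed) {
    Rng rng(seed);
    const std::vector<uint8_t> base = MakeSeed(1, 64);
    int accepted = 0;
    for (int i = 0; i < iterations; ++i) {
        std::vector<uint8_t> in = base;
        MutateBits(in, rng, 3);
        if (repair) RepairWithTargetChecks(in);
        if (Validate(in)) ++accepted;
    }
    return static_cast<double>(accepted) / iterations;
}

// "Don't hard-code": the slow interaction stays in the pool with a small
// weight instead of being removed. Returns how often each action was drawn.
enum Action { kParse, kQueryInfo, kRewrite, kSlowExport, kActionCount };

std::array<int, kActionCount> RunActionSchedule(int picks, uint64_t seed) {
    Rng rng(seed);
    const std::array<uint32_t, kActionCount> weights{45, 30, 23, 2};  // percent
    std::array<int, kActionCount> counts{};
    for (int i = 0; i < picks; ++i) {
        uint32_t r = rng.Below(100), acc = 0;
        for (int a = 0; a < kActionCount; ++a) {
            acc += weights[a];
            if (r < acc) { ++counts[a]; break; }
        }
    }
    return counts;
}
```

With three random bit flips per input, almost nothing survives the checksum and magic checks unrepaired; after repair almost everything does, and the only rejections come from the version byte, which is exactly the field you want the parser to see mutated. Swap the toy format for the real one by replacing ComputeChecksum/Validate with the target's own routines lifted from the binary.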
S = k ln Ω
2023-12-26
Exactly one year ago I started this Prelude section, and I’m not regretting it at all. It’s always nice to have some kind of record to look back to and say “hey i’ve gone so far”, and give yourself a pat on the back.
Looking back at my resolutions, I can proudly say I achieved all… but two. I intended to learn japanese but realised that I couldn’t focus on two things at once. In the end I picked security and that’s fine. Another goal was to master c++, but I realised that c++ just feels bad to write. That being said I’ve learnt enough to navigate around decompiled c++, and I can code it slowly if necessary. Wouldn’t call it a win, but I respect my choice. In January, I knew nothing about fuzzing, can’t reverse engineer shit, have no idea what is a driver and was uncertain on whether to do red teaming or web or binary, on Windows or Linux or whatever. I had no experience finding bugs, found none and only could follow well documented trails of others. Now I’m employed to do security research, have some kernel 0days, a little intuition on how to hunt and a custom fuzzer. The point I’m trying to prove is a year is a long time, and your goals may not be as far away as you think.
Another thing is luck. I’m never saying stuff to maintain a humble image on this section. Everything is raw and real. I am extremely lucky to end up in this position I am now. I’m so lucky I think I might have used up my luck in the future few years. If you read the previous months’ posts you’ll get a sense of how lucky I was. It prompts me to believe in the parallel universe theory, where some me in another universe experiences the bad luck I’ve avoided. I’m really sorry for that. The takeaway here is: things can always take a turn for the worse, and there’s no end to how horrific it can get. Please be thankful of what’s present in this moment, don’t anticipate too far into the future, and accept that sufferings are always going to come and you will deal with it, like all the other people that have dealt with their share of sufferings. It may or may not be your fault, but it’s your responsibility to deal with it for yourself. Please don’t fall into the mentality that someone or something will appear to make stuff better!
In June I said:
I also have this image of a perfect future, where a few friends and I stay at a cosy apartment, do some security research/ctfs and play sports daily.
Now I have some amazing friends in the company, and we do security research and play table tennis daily.
Life has never been better, and I’m super grateful to be alive. As for the future, resolutions of 2024 will come soon.
Thank you 2023.
Happy-go-lucky
2023-12-31
New Year -1 day!
I was about to go to sleep, but thought it would break the rules not to post something on the last day, so I fought off the drowsiness and opened the laptop.
So let me lightly write up some plans for 2024.
For the first half of the year, barring surprises, I should just work honestly and hit the monthly targets.
Beyond that, I hope to dig into COM and try to produce a few COM-related bugs. To me at the moment COM is practically witchcraft; my intuition says there are many small surprises in there waiting to be found, just waiting for me to understand it properly. On the kernel side I'll also keep poking with my own fuzzer; I'm fairly confident in that. The goal is to still have usable bugs in hand by p2o Vancouver. Otherwise I'll try to submit to a conference, which sounds quite fun. Also I need to get a driving licence, before July.
In the second half of the year I start university.
That's too unfamiliar to really plan for. Broadly speaking I hope to make a few friends and that my housing request gets approved. Nothing else to think about; as always, we'll cross that bridge when we come to it.
In spare time, look into remote stuff and play some football. That's it for now.
I know life won't be as tidy as planned. What I have to consider each day isn't only the pure things like studying well and vulnerability research.
There'll always be troubles you'd never have imagined. Everything that exists now will also change, for better or worse.
If I'm to take one piece of advice from 2023, it's "Live within arm's reach."
Only what you can touch, including yourself, can bring a sense of security, is controllable and is worth treasuring.
And also: be a good human, then be a good law-abiding citizen.
Nonsense over. Good night!
2024-01-21
Hello from January.
About last week I received a message from someone saying how he found this section inspiring. I’m happy to hear that someone other than myself enjoys reading my nonsense. In that spirit I’ll continue this section for 2024 and regularly update what I’m up to. It’s also a good way to practise english since I barely use english nowadays.
The plan was to study COM in January, which I did for a week. Then p2o vancouver’s schedule was announced and I no longer have an entry ready, so I decided to dedicate the next <2 months on auditing <redacted>.sys to try and get an entry. I’m optimistic, let’s see how it goes. There was going to be a series of blog posts on COM, but that will have to wait too. Besides that I’m focusing on understanding more heap internals this year so I can improve my bug->exploit conversion rate. Gonna do some deep reversing into usermode and kernelmode heap internals, and maybe make some posts on those. Some other ideas I have is to make an automated tool to find heap exploitation gadgets(sprayable allocations that yield powerful primitives), as well as a patchdiff bot. Whoever’s reading this can try these projects too if you find them cool!
That being said all of these are expectations that I hope to achieve in the future and have not done yet. I normally dislike writing about stuff that I haven’t finished, because it messes with your brain and tricks it into believing you’ve done the things, leading to a decrement in motivation when actually doing them. On the other hand I don’t want to feel controlled by the brain, so here I am declaring them regardless. Also because I didn’t do much since January. I watched a cdrama called 繁花, went out a few times and started learning driving, kind of a typical pre-U life. Security wise I read on some COM, wrote a 1day exploit and spent the remaining time thinking of what to do. Now I’m done thinking, and the work starts.
-59day
2024-02-02
These weeks felt different.
CNY falls on the 9th of February this year, and since 22nd Jan I've been thinking "next week is CNY". In reality there were 3 full weeks to go. But I'm not saying time passed slowly, because time flies at work. As a result the weekends also feel much longer compared to when I was in conscription.
Last week vnsec hosted a ctf. I gave some suggestions to one of the challenges while in beta, so I knew the quality and solvability of it. It was a realistic windows kernel pwn, without unnecessary twists or weird constraints, just like how an educational ctf should be. Unfortunately no teams solved it during the competition. That’s kind of disappointing because it could only mean most people don’t bother to do windows stuff, maybe they think it’s troublesome to set up or it’s a consensus among ctf teams to boycott windows challenges idk. The point is linux is still dominant in the ctf scene, and ctf is where most people get started doing security right? It’s difficult to think anyone started security otherwise, like drafting contracts or ROEs. By over saturating the pwn category with linux challenges, it forces people to go deep into linux stuff without having the privilege to think and choose. When they wanna switch to macos or windows there’s a certain sunk cost to it and it discourages the exploration. I think the diversity is missing. It’s unlike me to be concerned about problems of this scale, but my suggestion to newcomers is to explore and try not to get locked in to what the “meta” is, if you’re just doing ctfs to learn.
Also I suddenly have some thoughts regarding courses(context: expensive(relative) live trainings). For starters courses are the best thing to exist. You get condensed and easily accessible information that might come from months of research. Sometimes you get to interact with giants that created them through live lessons. An unintentional sentence could inspire you to do your own research or shift the way you approach a topic. The only downside is really just the cost. Monetary cost I mean. When you start thinking about value-for-money, or ROI, then lots of calculation is involved and you start getting hesitant. For myself at least, I’m unable to accurately put a pricetag to my time and energy. Let’s say there’s this expensive course out there that you could learn something, but you may learn the same from doing a month or two of deep dive. How would you decide? Maybe you can learn deeper or have better retention if you did the deep dive, maybe the course contains experience that you’re not capable of summarising by yourself, maybe it contains insider information. Who knows? The syllabus doesn’t tell, and other people don’t walk your path so it’s hard to quantify what they’ve learnt without revealing too much. I personally can’t convince myself to take those courses on my own money, despite framing it as an investment. I’ve not tagged a price range throughout the discussion because everyone values money differently and it’s pointless to discuss an absolute amount. The reader can apply the scenario to your own context and think about it. I’m still undecided on whether I should take these courses. If I (fantasy time) had the luxury to learn anything I want, I sure will take every single course out there slightly related to my field. It’s always good information, just more or less. In reality I can’t give any advice about money, or the proportion to invest, or how to invest(in yourself). I’ve not figured that out yet. 
Though I can confidently say try to do something to improve yourself everyday. Co-worker said “if a person improves everyday it’s really scary”. Try to be scary.
I'm sounding more and more like someone who writes motivational chicken-soup pieces. Damn.
While typing I accidentally dated this 2022. I guess I'm still living in 2022.
2024-02-12
Happy New Year!
A Lunar New Year post naturally has to be written in Chinese; apologies to my friends abroad.
I meant to pay my New Year respects on the first day, but didn't open my laptop until the third, so the third it is. A nine-day break started the day before yesterday; the last time I had a break this long was at the end of 2021 after finishing my A levels. Even then it was only twenty-odd days (and then I got pulled off to do national service). During service there were only fourteen days of leave a year, which made me really miss the winter and summer holidays of student life. Getting 90-plus days off a year was pure bliss. My biggest wish during those two years was to lie at home for eight months after discharge, right up until school started. Lie around until I was so bored I felt restless and sick, then go abroad for a wander, find something to do, ride a train under the sea from the south to the north. Reality was that discharge went seamlessly into work 💼, so to this day I still haven't experienced what it's like to be bored out of my mind.
What is everyone doing for the New Year? Lots of friends my age went back to China for it. Back when I was in school, term had already restarted by New Year, and in the future it'll be the same, so this year is actually the most suitable year to go back for it. Unfortunately, because of some issues at home, it's not a good time to go back this year. Had I been born three or four years earlier it would probably have been a very happy trip home. So this year, as always, New Year in sg. The schedule never changes: dumplings and the Spring Festival Gala on New Year's Eve, cyber greetings and lying around till night on day one, an outing with family on day two, dinner with friends on day three. Then on day four everyone usually goes back to work 🤪 and the New Year is over. I think this pace is just right, neither too tiring nor boring.
Before the New Year I looked at some exploitation and worked out a universal technique that I personally think is pretty awesome. Roughly, it can turn a pool overflow where neither the content, the length nor the chunk size is controllable into unlimited arbitrary read/write at low IL, and it isn't affected by the mitigations in at least the next two major versions. I don't know in what form I'll share it; hopefully it won't collide with some APT who then gets caught (WNF, I'm looking at you). I think quite a few people have similar exploits ready, since everyone knows what's going to be cut; we're just waiting for Microsoft to act. When that happens, people doing ndays might do a bit better, unlike now when these things are everywhere, which, in the words of the guy at the next desk 👴, is just too primitive.
After the New Year, back to the main quest: grinding p2o. Lines like "it's February already and there's nothing to show, it may be too late" are theoretically true, but you absolutely can't think that way. After all, this isn't something willpower can solve.
Recently, while explaining my job to the elders, I came up with a very fitting analogy: archaeology.
I don't think anything fits better. Savour it.
2024-02-18
Been long since I've updated the main blog, but I don't have any meaningful content that I can write at the moment without involving other stakeholders. Figured I'll just write some basic tips for c++ reversing because I don't see enough discussion of reversing for bug hunting. It's not cool enough to live as a post on its own, so I'll have it here. Context is plain unobfuscated microsoft driver reversing with pdb. Nothing advanced.
First open up the local types view in IDA.
This is essential because we’ll be creating many types to aid our understanding of the program.
Now for better organisation I like to put custom types into its own folder. Right click anywhere in the local types pane and select Show Folders. You can also group types according to their usages.
Assuming we have the following function:
CClfsLogFcbPhysical *__fastcall CClfsLogFcbPhysical::CClfsLogFcbPhysical(
It’s not difficult to spot that this is a constructor even if the name is not present, because we see offsets being initialized to zero and many vtables referenced. Vtables exist when the class uses virtual methods.
C++ code that looks like:
class CClfsLogFcbCommon
Will look something like this in IDA:
__int64 this = malloc(0x8);
That’s pretty readable and we can leave it as it is.
However if the above method is virtual, IDA will show something like:
__int64 this = malloc(0x10);
This is unacceptable as we have no function name to infer program logic from, which will hinder future reversing efforts.
To understand the above IDA output we'll need to know how a vtable is laid out in memory. This is compiler specific and I can only speak for the msvc compiler. The vtable is an array of function pointers, housing all the virtual methods of a class.
The class object in memory always begins with a pointer to its vtable.
*(_QWORD *)this = &CClfsLogFcbPhysical::`vftable'{for `CClfsLogFcbCommon'};
This is why IDA dereferences the this pointer to find the vtable, then calls the first and only function.
When multiple inheritance is present such as:
class Derived: public Base1, public Base2, public Base3
The class will begin with a pointer to a copy of Base1's vtable, then Base1's members, then a pointer to a copy of Base2's vtable… and finally Derived's own members. If Derived declares any virtual functions of its own, they are stored in the copy of Base1's vtable, after Base1's methods. If it overrides any inherited virtual function, the override is stored in place in the respective vtable copy.
IDA doesn’t support classes, but it does support structs and struct inheritance.
The proper way to define a c++ class in IDA is to use the __cppobj prefix, which will allow IDA to properly lay out the object in memory.
For example we can define the following for an interface:
struct __cppobj IFcbCancelIo
IDA expects the vtable type to be CLASSNAME_vtbl and name to be __vftable so it can properly recognise the vtable.
struct /*VFT*/ IFcbCancelIo_vtbl
To represent inheritance we’ll need to use struct inheritance:
struct __cppobj CClfsLogFcbPhysical: CClfsLogFcbCommon, IObservable, ILogManagementSupport
After retyping:
CClfsLogFcbPhysical *__fastcall CClfsLogFcbPhysical::CClfsLogFcbPhysical(
And we get actual method names:
initializedLogFcb = CClfsLogFcbPhysical::CClfsLogFcbPhysical(logFcbPhysical, TableContext);
The CLASSNAME_vtbl naming tells IDA how to name and type vtable functions when it sees them. The full naming form is actually CLASSNAME_HEXOFFSET_vtbl, where HEXOFFSET is 0 by default since the first vtable is always offset 0.
Why is this important?
Let’s say we have the following:
class Base
And we type in IDA like:
struct __cppobj Derived: Base
Notice how we have no place to type the overridden method for the derived class. Because we're relying on IDA struct inheritance, we have to use the CLASSNAME_vtbl format so IDA knows that some methods are overridden and uses the derived class's definitions. We can even go against the rules of c++ here and give an overridden function a different name, if that helps you label your code better.
struct Derived_vtbl
Although we did not include this Derived_vtbl anywhere in the Derived struct, it will automagically be identified by IDA.
If we are inheriting from two base classes and overriding the vtable for the second base class, we’ll create another structure CLASSNAME_0008_vtbl, because the second base class’s vtable is at offset 0x8.
That’s all :)
2024-03-13
March
Don't have any good news this time! Just some happenings that I can't talk about in too much detail.
Yesterday p2o registrations closed, and I did not manage to come up with an entry in time. It kind of sucks that I can't contribute to my team, but I've figured out the reasons along the way. The problem is about switching targets. I switch targets too much, for reasons partially my own and partially uncontrollable. Maybe two months ago I said I was gonna work on <redacted>.sys. Well I switched like 4 targets since then, and that's a terrible idea. One lesson learnt: deep diving produces results and switching around does not. With less than 2 weeks left to registration I started opening random drivers in IDA to throw at the fuzzer and look for dumb bugs. Result was 2 dumb bugs but both were not good enough for the competition. Maybe I'll submit them soon to msrc. Now it's time to really slow down and deep dive on a target. I could be focusing on finding new attack surfaces, like some unused features that are just on the edge of the bounty scope, but I don't find that cool. I'd prefer to focus on something many eyes have looked at, and enjoy the rigour of finding stuff others have looked at but not seen.
The patch tuesday was a bummer too, for reasons I can't say. Also microsoft is getting more brutal at patching, also for reasons I can't say. Aside from that, pretty surprised Naceri is working at microsoft now. All I recall is him shitting on them and dropping 0days. His work was a great inspiration to me though, and I wish him the best in his new role. The old gods of logic bugs: Forshaw, Naceri, PolarBear.
clfs and cldflt haven't been pwned for 2 months already. I bet teams are stocking up for p2o. Baddest drivers of 2023. I'm pretty excited for the games, it's the most involved I've been and will definitely be a good learning opportunity.
Recently I've been thinking a lot about methodology and note taking. Not note taking for knowledge, but bug hunting oriented note taking. I'm certain the top researchers don't do everything in their brains. They must have some specific methodology for noting things down. Unfortunately I don't have the connections to ask around. Almost all my time was spent coming up with and experimenting with different formats, different methodologies, different ways to abstract code to make it easier for the brain to mix and match. Feels kind of like coming up with a new martial art. You've got to be willing to give up your existing moves, give it the time, start slow maybe against some dummy targets, and build up familiarity. Success may not come soon but it will come eventually.
2024-04-19
Have the confidence to stay logical and sober at all times. Be the overarching caregiver of the self.
2024-04-22
It’s time for cp’s IDA tips again!
Register Misgauge
Sometimes when reversing in IDA we see these orange variables that seem to pop out of nowhere.
One way to find out what these are is to read the disassembly to figure out where their values are populated. (Tip: press Tab to switch to the disassembly listing at the current pseudocode highlight.)
In this case we see r11d comes from DWORD PTR [rsi+0x28], which comes from QWORD PTR [rax], which comes from QWORD PTR [r15+0x30], and r15 is rcx which is the first argument to the function(not shown in image).
The true reason for the undefined value is that IDA wrongly assumed that one of the previous functions (in this case RtlULongMult_0()) will definitely clobber r11, since it's supposed to be a volatile register and nothing stops the callee from using it. Following that assumption, IDA was not able to comprehend the direct usage of this register after the function call, leading to an undefined value.
The fix is to redefine the offending function’s signature:
NTSTATUS __stdcall __spoils<rax, rcx, r9> RtlULongMult_0(ULONG ulMultiplicand, ULONG ulMultiplier, ULONG *pulResult)
By explicitly marking the registers clobbered using the __spoils keyword, IDA knows r11 is not touched and retains the previously set value.
If we go back and refresh, the undefined orange highlight is gone, a new variable v10 is defined automatically, and everything makes sense.
This trick was shared by a coworker, grateful to him ;)
Shifted Pointers
This is quite a common problem as well because in complex software you have structures pointing into other structures for various purposes. I don’t have a sample of real code to show now, but I modelled a realistic scenario.
Assuming you have some objects that are linked together using a singly linked pointer somewhere in its body.
You may think the entry should be placed at the start of the object and everything will be solved, but in the real code this object can be part of many lists, thus needing many entry fields.
The issue with this code is IDA does not recognize it properly, even with proper structure definitions.
int __cdecl main(int argc, const char **argv, const char **envp)
Most of it is fine, but when dereferencing o2->Type for the second print, IDA was unable to infer that o1->Link.Next points somewhere into o2.
To solve this we just need to edit the structure definition for struct Obj.
struct Obj
The change tells IDA that the Link member points to an SLIST_ENTRY object, which resides at offset 0x10 of the Obj object.
Going back and refreshing fixes the decompilation output:
int __cdecl main(int argc, const char **argv, const char **envp)
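The scenario above modelled in source, as an added example (not the post's own Obj listing, which only appears in part): an object carrying a list entry in the middle of its body, and the container-recovery arithmetic that a shifted pointer type expresses to IDA. The names ListEntry, Obj's fields and the 0x10 placement are constructed to match the post's description; ListEntry stands in for SLIST_ENTRY.

```cpp
// Added example: an intrusive singly linked list whose entry sits at
// offset 0x10 inside the object, the case __shifted(Obj, 0x10) describes.
#include <cstddef>
#include <cstdint>
#include <vector>

struct ListEntry {          // stand-in for SLIST_ENTRY: just a Next pointer
    ListEntry* Next;
};

struct Obj {
    uint64_t  Type;         // offset 0x00
    uint64_t  Flags;        // offset 0x08
    ListEntry Link;         // offset 0x10: Next points INTO another Obj, at its Link
    uint64_t  Payload;      // offset 0x18
};
static_assert(offsetof(Obj, Link) == 0x10, "Link must sit at 0x10 as in the post");

// What the compiled code really does after loading Obj.Link.Next: it holds a
// pointer into the *middle* of the next Obj and subtracts offsetof(Obj, Link)
// to reach its start. Without the shifted-pointer type IDA does not know this,
// which is why the o2->Type access in the post came out mangled.
static Obj* containing_obj(ListEntry* entry) {
    return reinterpret_cast<Obj*>(reinterpret_cast<char*>(entry) - offsetof(Obj, Link));
}

// Walk a chain through the embedded Link members, collecting Type values.
std::vector<uint64_t> walk_types(Obj* head) {
    std::vector<uint64_t> types;
    for (Obj* o = head; o != nullptr;
         o = o->Link.Next ? containing_obj(o->Link.Next) : nullptr) {
        types.push_back(o->Type);
    }
    return types;
}

// Three constructed objects chained a -> b -> c; returns the Types seen.
std::vector<uint64_t> demo_walk() {
    Obj a{0xA1, 0, {nullptr}, 0};
    Obj b{0xB2, 0, {nullptr}, 0};
    Obj c{0xC3, 0, {nullptr}, 0};
    a.Link.Next = &b.Link;  // the stored pointer is &b + 0x10, not &b
    b.Link.Next = &c.Link;
    return walk_types(&a);
}

// Distance between the value stored in a.Link.Next and the start of the
// object it refers to: the 0x10 the shifted pointer accounts for.
size_t link_delta() {
    Obj b{0xB2, 0, {nullptr}, 0};
    return reinterpret_cast<char*>(&b.Link) - reinterpret_cast<char*>(&b);
}
```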
That's all for today, and I hope you learnt something amidst my rants and fluff.
2024-05-01
Finally May.
April is probably cursed for me. Just like last April I fell horribly sick again, I think it’s gastroenteritis. Probably caused by some rancid food, and only subsided after 4 sleepless nights and constant pain. Fuck being sick. It ruins my momentum and resets everything, and I’m really down and unmotivated now. The best thing I could do now is to reflect.
I'm really a weak individual in terms of mental strength. A bit of lasting pain is enough to get me all sad and lose the willpower to get out of bed and do anything. Honestly, full respect to those with chronic pain or disabilities. I won't be able to stay strong for sure. Sometimes I wonder what I'd be like if I lost my eyes or my legs. It's a dangerous thought exercise that always leaves me in despair. On the other hand, is anything really a problem if you're fit and healthy? It isn't. You healthy folks should feel empowered as you are.
When I don't reflect on myself I reflect on security stuff. Do you face a similar problem? You think a lot, read a lot, have some thoughts and ideas, have a methodology/framework derived from logical reasoning, but it's not working as well as planned. You might think it's because the methodology is flawed or your reasoning is wrong, but listen, it might be because you're not FOLLOWING it. Sometimes you come up with a methodology after days of trying and tweaking and thinking, and you've not fully internalized it yet. You've got to re-read your thoughts as a whole, from the beginning, with a fresh mind. Then you can work on really understanding the core of the methodology. Sometimes you do understand the methodology, but you are a lazy person by nature and you always hope to rush to easy results. You hope to do the least work possible and pray for success. You believe you can skip certain steps or quickly go over them, or give up some options. When the results are not promising, you start doubting your methodology that was established through logic and reasoning. That's a dumb thing to do, because you didn't even follow it fully. You've got to acknowledge the core of the methodology and know which steps you should instead spend extra effort on, because doing those steps actually correlates directly to finding bugs (in a superficial way). Ask yourself if you even understand your notes, and the bug patterns you've seen. There's a difference between having knowledge, internalizing knowledge, and applying knowledge.
Gonna take a break, make a trip to the US for holiday, and hope to be back soon.(sorry boss!)
2024-06-27
Let's talk about breaking down the skills of vulnerability hunting.
Targeted improvements you can make once you have the basic knowledge of vulnerability principles:
Do lots of nday analysis and record the root cause of each bug. The same bug pattern can appear on different platforms, in different components, in different functions. For instance, can you see at a glance what's wrong with the following?
OBJECT_ATTRIBUTES oa = {..., OBJ_CASE_INSENSITIVE, OBJ_KERNEL_HANDLE, ...};
ZwCreateKey(..., &oa, L"HKLM\\DoesntExist1\\DoesntExist2", ...)
Find components that nobody else has looked at but that are meaningful to attack. For example, components that are hard to interact with or need several layers of calls, components whose environment is hard to set up or debug, or complex protocols. Or components that few people know exist but which really do.
After choosing a component, find every point where it interacts with controllable data. The more you can find interaction points others can't, the easier it is to find bugs. All data bugs come from parsing controllable data. The advanced version of this includes focusing on discovering and testing interaction points where the controllable data has high entropy.
Besides data bugs there are state bugs. These require focusing on operations where controllable data can change state, then wrapping them up into individual control functions, e.g. Free(), Reset(). This is a different way of thinking from hunting data bugs. You no longer care how the data is parsed, but focus on how to use the data to cause controllable state changes.
If you feel you've mastered vulnerability knowledge but can't find bugs, try pushing in these directions.
2024-07-23
I think it's important to make the point that useful stuff does not need to be 0days. This is a ranking based on usefulness for cyber warfare; it doesn't directly relate to difficulty to achieve or monetary benefits.
For Windows at least:
- 0Click 0day(Network/Proximity Based)
- Server 0Click 0day(Protocols)
- Browser Sandbox Escape 0day
- 1Click 0day(Parsing)
- 0Click 1day
- Server 0Click 1day
- Browser Sandbox Escape 1day
- 1Click 1day
- LPE 0day(Medium IL)
LPE from medium IL tends to be really overrated because that's pretty much the only thing you'll see constantly exposed to the public/reported. It's important to keep the usefulness tier list in mind. In fact I think a stable KASLR bypass is more useful than LPE from medium. KASLR bypasses are kind of weird though, because they are not considered "serviceable" by definition, but msrc still services and patches information disclosures that clearly cannot be used to leak "sensitive" data other than to break KASLR. It's all good though. We had NtQuerySystemInformation() and we have EntryBleed.
2024-08-22
August
I'm getting a feeling that every year is a repetition. For the past 3 years there are certain events that are bound to happen in a certain month of the year. And they did happen again. Although it might be because I'm manifesting unconsciously and that has an impact on decisions, you really need two hands to clap. At least I'm expecting them and won't be beating myself up over things, hopefully.
Wukong launched on the 20th. I've been waiting for the game since day 1, August of 2020. That was the year I matriculated into fucking high school, to put things into perspective. The game is pretty fun mechanically, but the moves do get repetitive after a while. Although there are many different combat styles, you get used to one and it's hard to switch over, unless you feel like grinding the same boss 10 times to get used to it. Maybe I'm bad? Also there's no map so it's easy to get lost. It's probably intended for the player to spend time exploring and take the journey slowly, but beating the minions doesn't feel rewarding due to the repetitive mechanics mentioned. I'm also bad at figuring out which path I've taken, so I would appreciate a marker to make things less taxing for the mind. The storyline is interesting and has lots of lore. But the plot of "searching" for things feels less rewarding after a while (personally). The goal is not reinforced and I don't feel a strong sense of purpose anymore. Also there are some bosses that have absolutely nothing to do with the plot, and again I don't feel rewarded beating them. Writing this I realized the problem. I'm expecting so much satisfaction from the game, and it's just too much for a video game. Seems like I'm fucked over by anticipation once again.
Another event is matriculating into university. This isn't eventful because I didn't go to any orientations or clubs or hostel. So I'm just tuning in to lessons and heading home. Super disconnected from the school. That makes the university a big time waster. The main reason to pursue a degree is parental pressure, and the only saving grace to convince myself is that maybe I could make some friends. I should start working towards that though. Right now I'm just wasting time and money doing math. I don't recognize the utility of traditional tertiary education in my field of work. I'm also trying to escape from parental pressure in any form. Realistically they don't know better and they just want to feel like they do. Just hoping to attain work life balance while doing something I recognize as purposeful.
As usual I've some thoughts regarding vr. Recently I'm more aware of my concentration level/efficiency every day. I can differentiate when I'm doing conscious and directed research vs just wasting the time away clicking stuff. As much as I enjoy this stuff, it's not easy to attain many hours of directed research. Especially when there's no tangible output and you're just understanding stuff. You'd be tempted to do shallow research on another target. It's important to acknowledge that there are targets of varying difficulty level even on the same platform. The target you choose should really depend on your end goal. Take Windows for example: a functionality based service/driver is much easier to manually audit than a filesystem driver. If your goal is to achieve LPE and both are of the same value, it's only reasonable to steer away from the filesystem driver (or fuzz it and call it a day). This is part of target selection and it's a very underrated bit of wisdom, which I personally feel is more important than auditing skills. Try to choose the most obscure, edge, unheard of component that still satisfies the goal. You see the best hunters on msrc always RCEing obscure non-default protocols; that's the reason. They're playing smart within the rules. On the other hand if your goal is to find a crazy bug in a core subsystem, you've got to manage expectations. It's probable to go half a year without output. Can you take that? More importantly can you still be committed to do directed research daily under such conditions (lacking the "shell" high)? Personally I'll try to work on target selection.
2024-09-09
September
Nine months into bug hunting, and the insights keep getting deeper. About technique, about mindset.
The biggest gain of the past month has been a better understanding of the whole process of independent security research. I still know nothing about the details, but I can vaguely sense that state, and roughly know what to do before hunting, what to look at while hunting, and how to expand once something is found. After analyzing cve-2023-21674 I can concretely understand the concept my deskmate once described as "hitting multiple things with one bug". I also agree with what he said about cognition. Bug hunting is absolutely a cognition game. Nobody in the security research industry will walk you through their thought process or the details. The details stay in their heads and in private notes, to be traded for money. Cognition can only be improved through guessing and experimentation. Watch talks, read slides, read blogs, read bug reports, analyze ndays, watch which components the top people move towards. I often use these public resources to try to guess how they think. Basically every month my approach gets turned upside down, because after experimenting I find these guesses aren't unreasonable, but they don't find bugs efficiently, so they're not correct. With the flaws I've identified and more resources, I can feel out a new approach, and the cycle repeats. So please take the parts of my earlier posts about mindset and approach critically; after all, this is a personal growth log. Actually, many words mean different things to different people. "Attack surface", for example. When you can't understand why the experts keep emphasizing certain terms, it may be a problem with your cognition, and you should fix it promptly.
Some practical stuff.
The most valuable advice I can give this month:
- Analyze lots of ndays
- Cognition problems can't be fixed by thinking; they need lots of hands-on practice, lots of copying, lots of summarizing. Including analyzing lots of ndays
Improve a little every day, and the dream is no longer far away.
2024-09-16
Attempting to formularize creative work is already heading in a wrong direction!
2024-09-19
Black-box auditing should separate reversing from auditing. The steps should be reverse -> understand -> audit.
On my first target I didn't even know how to reverse; the reversing was a mess. I wasn't trying to understand either, just eyeballing for OOBs, found nothing, and in the end threw a fuzzer at it and blindly fuzzed out a batch. Even with bugs in hand I didn't know how to do variant analysis, a waste of a good thing.
On the second target time was tight, and the target happened to be a closed-source format; needless to say there was nothing to show. I had no idea what I was doing, choosing such a stupid target. With my current understanding I would definitely have picked a functional driver.
On the third target I could reverse, but didn't separate reversing from auditing. This target had already had many bugs, and I had anticipated where its future bugs would trend, but while reversing I kept wanting to look for bugs, reversing and hunting at the same time. That only works for low hanging fruit, and it slows reversing down. The result was that after a month I still hadn't reversed to the place I thought would have bugs, and gave up. Two months later my idea was confirmed. With my current thinking I would have started reversing from the back decisively, or done pure reversing with no auditing at the front, hurrying to get to the back and start auditing. During that period I was also addicted to writing documentation, twenty pages of pdf for any function, a total waste of time and completely useless.
On the fourth and fifth targets I was again reversing and auditing together. But both of these were functional drivers with very self-contained functionality. That doesn't demand much reversing or understanding, so out came a batch of bugs. Plus, with a rudimentary grasp of variant analysis, the returns were okay. Definitely low hanging fruit too, anyone could find them, not much help in sharpening skills.
On the sixth target I realized the problem: it seemed I could only pick the soft persimmons. My change in approach at the time was to look for a shortcut. I tried to summarize all the bugs I had analyzed and find a bottom-up strategy that finds bugs just by looking at certain features, without understanding. A month of this, not a single bug. That was actually lucky. Fortunately this target was battle-hardened, otherwise I might have fallen into another wrong realization. My strategy was essentially still looking for low hanging fruit. Anything that can be seen from features, automation can easily find too. And there were too many false positives, too many operations that needed manual checking only to discover they weren't bugs at all. Actually, if I had spent the time understanding the target I wouldn't have thought those operations were problems at all. When analyzing ndays I also think "holy shit, how could anyone think of that", but actually they just understood the target. I did of course pick up some bug-triage techniques along the way, but more importantly it was time to change approach again.
Now working on the seventh target. I've identified the several structures that need reversing and am currently in the pure reversing phase. Once this phase is done I can go deeper into understanding by functionality.
Only on reflection do you find that failed tasks essentially failed because the conditions for success weren't met; it's just that at the time I didn't know what the conditions for success were. And most successful tasks were down to luck. Use public resources more to learn others' approaches.
2024-09-24
Today's thought: are top players, in high-level games, constantly and actively considering and analyzing lots of things? It came from suddenly wanting, yesterday, to seriously play a game that I "used to be very good at but haven't played seriously in years". I found I couldn't count costs, couldn't remember card order. It felt like I had to spend so much mental energy deliberately calculating these things, and still easily went blank. Playing with so much effort actually hurt my execution. But thinking back, I never considered these things before either. I never actively counted costs or tracked cards, had never even consciously thought about it, yet I could still clearly know the current state, whether I was a little or a lot behind, what cards the opponent held. It's as if the subconscious was automatically processing all this information, effortlessly. When people asked how I kept track, I couldn't explain, because to me it was entirely "by feel". My sense is that top players in high-level games aren't much more tired than ordinary people in ordinary games. The things ordinary people need lots of mental energy to process have already formed dedicated processors in their brains, and get analyzed passively and effortlessly. This has nothing to do with talent, because I once couldn't, then for a while could, and now can't again. It's absolutely a matter of practice. To reach peak level I played for three years, at least five hours a day on average. How can the difficulty of a game compare to security research? All things considered, being bad right now is reasonable. Just keep grinding. One day I'll find I don't seem to be spending more effort than before, but the output is on a different order of magnitude.
2024-10-01
pwn!
2024-10-23
There's this feeling very special to vuln researchers. That's when you find an interesting condition in the code that looks like a bug (e.g. unchecked arithmetic). It's pretty deep down the callstack so you're not 100% sure it'll all work out as you plan. It's a weird feeling because you think it's a bug, so the logical brain tries to tell you to be excited. However you've experienced so many false positives and fake bugs that the emotional brain immediately recognizes this as a disappointment and feeds you stressful signals. Every time I encounter such a case I get pretty stressed out. It's worse when there are like 3 conditions you think are buggy, and you just get overwhelmed. The cure is just to remember that you don't have to do everything in one sitting. Take it easy. You can confirm one condition a week, and slowly finish everything. The same applies to life. Just do things one at a time, and take things easy. Due dates are really an arbitrary construct.
2024-10-27
Recently felt the effects of overstimulation, or the desensitization of receptors. Desensitization is the primary driver for greed amongst the well nourished population. People crave more stimulation for one simple reason: that existing stimulation is not stimulating anymore. What a sin it is. I realized the importance of combating desensitization. The body as a whole needs to be reset and refreshed every while. The sensory receptors need to atrophy. The organs, driven by evolution, believe they are evolving for survival reasons. That's really absurd in the modern setting. We feel the same (or less) pleasure receiving a higher stimulus now, as compared to receiving a lower stimulus prior to desensitization, therefore there's no reason at all to allow the receptors to evolve. It's even more irrational to feed their cravings and make it a mission to seek higher stimulus. Because pleasure is not a competition, neither is it absolute. Pleasure is a delta, and it's fully innate. The sole purpose of pleasure is to satisfy. The only rational approach to pleasure is to reduce the lower bound every while, so the same accessible stimulus can do its work. So, do something drastically distinct from the norms. And do it for some time. Let the overworked receptors break down and revert. The art of body control.
2024-10-31
Recently I've been watching a TV drama in which a recurring turn is that a character of very high skill/status/authority suddenly becomes unable to care for themselves, or dies, because of some sudden event. After losing mobility and speech they can only make simple sounds and rely on others to be looked after. This contrast really moves me. One day full of life, able to hold up the sky if it fell. The next, dependent on others even to eat. It suddenly made me think of my father. My father is a very capable man. He can handle all the big and small things in life. But what I admire most is his common sense. For example navigation, geographic knowledge, the prices of all sorts of things, the procedures for getting many things done. Lots of things I have to look up, do homework on, or even feel my way through, he knows by heart. He strikes me as someone very good at surviving. In daily life he's also loud, you could say forceful. Today I couldn't help putting him into the drama's plot. I think it would be a terrible, terrible shame. Of course I only realized all of the above after putting myself in the story. Without the drama I probably wouldn't have noticed these strengths of my father's. It seems my understanding and appreciation of the humanities is still too primitive. I need to watch more and read more to enrich it. Thinking of it this way, many things I can't understand and think are stupid may just be at a level of thinking I haven't reached yet. In my own words, the organs haven't evolved yet.
2024-11-21
Only an idiot doesn't use AI!
2024-11-28
An animal's primal pursuit is to solve hunger and thirst. A day's actions are all about filling the belly and quenching thirst. Sometimes it may take a whole day, and when tired it can naturally rest and continue the next day. Sometimes with good luck there's a reserve, and it can rest a few days. How does it spend those days? Maybe sleeping constantly. Maybe playing and tussling with its own kind. Maybe completely spacing out, chewing cud and wagging its tail like a cow, or wandering around sniffing at smells like a cat. By this view, humans should be constantly acting to satisfy basic hunger and thirst. Work at sunrise, rest at sunset. Then the leisure time left once basic needs are met can be spent doing nothing at all. This is entirely reasonable, because there's nothing that needs doing. The survival target has been met; do anything, or nothing. The point of saying this isn't that you shouldn't have aspirations or be ambitious. It's that if you're not starving, you can have no aspirations at all and be completely unambitious.
2024-12-08
Well, I wonder. Having simple tasks—things that should be done—while continually coming up with various reasons why one can’t do them sounds like a hard way to live, doesn’t it?
2024-12-11
Will be going on holiday after the week, so it’s time to wrap up the year 2024. Under the inspiration of the company and colleagues, this year was fruitful for me in terms of output.
At around March I switched to full manual audit, because I gained a realization that fuzzing for the masses (without a million servers) is just trying to multiply a smaller manual analysis effort with luck. By creating the perfect harness you have to know where the bugs are already. It was not an easy switch, because I realized, as someone said before, the human brain will do anything to avoid understanding something. That includes switching targets fast, only looking at controllable io, pattern matching etc. I spent quite some months battling these, until I reached a state where I could consciously steer away from these habits. Instead, I would suggest: 1. Label/Rename/Format your code/pseudocode output as pretty as possible. Make it flow so easily into your brain, like drinking water. 2. Never pattern match, don't care about data flow, just try to reason about what the program is doing. Because you don't want to compete with fuzzers, static analyzers, developer auditors and LLMs. You cannot win on that level. Instead be on a higher level. They cannot afford to perform in-depth understanding, but you can.
The best reward I received from switching to full manual is the ability to visualize success metrics with respect to my methodology. If I'm not finding bugs, I know exactly why, and how far I am from it. There are certain criteria to finding bugs, and when you're not finding bugs for a long time, it just means you haven't hit the criteria for the target you're auditing.
On that note, the secrets to VR are so describable that I think a commercial LLM now (end of 2024) can certainly perform. It will make an excellent VR agent if you don't task it to become a VR agent. Similarly, you will find great bugs if you don't try to find bugs.
Lastly, it’s such a privilege to be able to work in vuln research.
I’m grateful to my boss Jacob for the opportunity.
2025-01-05
Holiday thoughts dump:
Goals:
One realisation I've gained from my holiday was to stop being goal oriented. Instead try to focus on shaping your entire force field. What I mean is have certain values, and just do things that align with them. For example curiosity, coherence, courage… etc. These are values you can demonstrate consistently, and there's no negative factor to them, meaning they aren't attributed with a possibility: you can always perform them without failure. This approach reduces the uncertainty of chasing goals that are not fully controllable by you, and instead focuses more on inner peace.
Conditioning:
A person's inner magnetic field and outer appearance are connected. What looks good to the human eye is actually a manifestation of health. You need to stay healthy and stable from the inside out. Using technology to compensate is the wrong direction; that's a commercial scam. Exercise more, stretch, use every part of the body. Eat clean. Meditate to stay calm.
Reflection:
I find that only in adversity do I summarize and reflect, come up with relatively more efficient methods, and discover that most of the successes from the previous, relatively inefficient methods were down to luck. The terrifying part is that if I hadn't hit a wall, I would definitely have (wrongly) believed to the death that my method was completely correct. What ignorance that would be! So the first point is that whatever the method, it can only be proven efficient after a large amount of practice, because you can't be lucky forever. And that only proves it's efficient in the current environment. Times always change; immortal techniques exist only in novels. The second point is that after summarizing a method from any success, never think your method is the best. Very likely it's still luck. Lastly, never blame the environment. Most likely the method and thinking went wrong, not the environment.
Back to work :)
2025-02-01
This CNY I tried to learn deobfuscation, because I realized my entire skill set is dependent on having code to understand. Obfuscation will render me useless. I followed this tutorial and did a VM crackme protected by tigress. The tutorial used symbolic execution to trace a specific execution flow of the bytecode, then instrumented it to produce disassembly output. I thought it would be cool to transpile the vm opcode into x86 assembly directly, then compile and decompile in IDA to take advantage of compiler optimization as well as IDA’s decompilation technology, so that’s what I did:
Original code:
unsigned int fib(unsigned n) {
My decompilation:
__int64 __fastcall func(_DWORD *a1, _DWORD *a2)
I’m pretty happy with it.
Besides this, I was looking at some automation attempts at closed source bug hunting, to see if I can enhance any existing research with AI. I took a look at Digtool by 360. The idea is basically fuzzing with enhanced detection. The tool instruments the OS by converting it into a guest VM. Then it fuzzes code paths and detects bugs based on the instrumentation. This is an addition to Driver Verifier, because verifier can only detect pool based bugs. Digtool monitors memory access events so it can detect TOCTOU and Unprobe bugs to a certain accuracy. However, the basis is still a large amount of fuzzing to trigger code usage, which means only shallow TOCTOU and Unprobe bugs can be found. Deeper code will require sensible arguments to trigger, which was not possible by automation then.
I believe we can use AI to generate structure aware arguments automatically now to aid this tool. Two methods I can immediately think of are to reverse companion binaries and to hook the syscall interface to identify parameters. Then smart mutation rules for each field can be generated, so the fuzzing stage only needs to execute the rules and doesn't need to pass through AI again. How do we know the success rate of our mutations? We can employ a coarse metric of hooking certain points of execution and prioritizing input that hits the hook. This can be done with little overhead if virtualization is used.
Also, I made a challenge which no one has claimed the prize yet. Hopefully my dear reader can claim it.
2025-03-09
突然想尝试一种新的记录方式。正文还是用英语写,但是需要一些旁白或带点情绪的表达就会以这种形式出现。有种说相声的感觉
Came back from reverse conf a few days ago. It’s my first conference(excluding the one hosted by my company), and also first overseas conference. It was a great first experience for me, everything was well prepared from logistics to food(and it’s their first year organizing too!). 可惜长途经济+时差导致一到饭点胃还在睡觉,只能看着美食却毫无食欲,甚至听着会也昏昏欲睡。The most inspiring talk was from Markus Gaasedelen on reversing the xbox. Markus spent 4000 hours of free time reversing the xbox, and went from a hardware noob to fully uncovering the internals of a complex proprietary machine. It’s really fascinating to see where determination and time can bring you, and the limitless potential of self learning. 4000 hours of free time over 3 years, is basically working more than 3 hours everyday after work on a hobby project. I was honestly fucking inspired, and thought I’m spending too little time on research stuff.
Also while trying to fight jetlag, I was having really frequent dreams in the day and night. One of the dreams was really bizarre. It was my granddad(who had passed on) and I standing in the kitchen of my old house. His whole body and limbs were kind of long and twisted(对不起有点恐怖了), and he was moving his hands in and out of the fire from the stove. I was trying to convince him that it’s dangerous. The point is, at no moment did dream me realize anything weird about the situation. Why is he back to life? Why are we in the old house? Why are his limbs like this? There are so many things wrong with the situation that could have made me realize “oh it’s a dream”, but I didn’t. My brain just followed right into the situation and assumed everything was normal. After waking up I start to think that the human mind is perhaps really willing to accept preset conditions injected by the brain and fall into autopilot mode. It’s pretty scary that at some point you stop questioning things and just act accordingly, like it’s always the ground truth. Dear reader are you accepting any thoughts or situations in your life on autopilot? I haven’t thought of a way to combat this yet. We could try all day awareness proposed by the lucid dreaming community. Whenever you’re put into a situation try to trace logically the events that led you to be in the situation, then ask yourself if those events are normal and why. Always give yourself the opportunity to spot uncoherent situations and act accordingly.
On long flights I always end up thinking about questions I wouldn’t normally think about. For example, whether I expose too much of my inner thoughts on the internet. At one point I even wanted to take the blog offline. But then I thought about it again: a blog is already a fairly restrained way of speaking up. Thoughts only gain meaning when they collide. Right?
2025-03-17
Today I realized I’m losing grip on the sense of adrenaline rush: the raw ecstasy that drove me to do security research. I used to feel really excited trying to research something, and would “roleplay” being a security researcher out of pure joy. I would be willing to try everything and break stuff and do everything I can to hack. Recently I’ve been just doing things methodically, very organized and reserved, and it feels like more of a “best effort” job. This is probably a drawback from trying to find a unified theory of code auditing. I would try to strictly follow my theory and guide to auditing, and it’s severely limiting the freedom of my thoughts to the point where it’s becoming a checklist. My priority became “how to come up with a guide to code audit such that everyone can follow it and hack every target given enough time”. But we all know checklists are boring and restrictive and your motivation will quickly shift from the “happiness of learning the target” to “finishing the checklist”. This is kind of a problem because it means I can’t fully tap into the unconscious brain’s processing anymore, because security research is no longer tied to a raw emotion. Maybe it’s also money and KPIs and the external stuff clouding my thoughts. I only realized this from looking at one of the interns’ work. He would work from day to night, and only take a short lunch break. He seemed really just interested in hacking, nothing else. No money? Fine. No gossip? Fine. No internet fame? Fine too. Just want to hack. It’s pretty inspiring. I used to be like that too, and I really want to get back the feeling of ecstasy. The abstract sense of self improvement when learning security. I can still remember that feeling, just gonna find a way to trigger it again.
2025-04-24
Been quite a productive April.
First of all I completely gave up on academics to do security. Not having to split my mind is boosting productivity significantly and I’m set into a good work rest routine. I think the best I’ve felt this whole year. Because pwn2own is coming, I did a sprint to find some bugs for pwn2own. Since my bug was patched right before pwn2own last year, I learnt my lesson and prepared more this year. Then went to work on some other cool stuff with my friends. Not sure how I’ll pass the exams in the coming weeks but that’s a problem for another day. That’s the smallest tradeoff for a good month of hacking, both on software and my mind. I experienced shower time inspiration again.
All of this is possible because I gained back my passion for hacking. In March I was feeling pretty dreadful because I found little joy in hacking. I was held back by my own assumptions that I had to do X, Y and Z on the target before I could find bugs, and I don’t like doing those. That’s TOTALLY untrue. You don’t have to do anything to start finding bugs. In fact, don’t care about the bugs. The simple trick is just to have fun and do what feels fun. If cat /dev/urandom > target is what you’re feeling like, just do it! If you don’t feel like setting up a fuzzer, don’t! Don’t feel like exploiting this shitty bug? Just find a new one that’s easier to exploit! Quit thinking about trying to maximize value out of everything. So what if you can’t exploit it? So what if you didn’t fully audit this feature? There are so many many many bugs out there, and there are so many many many attack surfaces out there. Just do what interests you at the current point in time. Passion comes naturally when you’re not suppressing fun. And actually that’s one of the plus points of hacking. The journey doesn’t matter as long as you accomplish the objective. There’s an infinite number of possible journeys. So why not pick the one that you feel like doing the most? I’m struggling to find a similar analogy in other fields, probably because I’m not experienced in those. But in hacking, there’s always the privilege to be unrestricted and free.
I want to do so many things now. I want to learn about browser exploits. I want to do mobile security. Everything is so fun and exciting again, because I don’t give a fuck about if I can do them properly, if I can do them at all, and what happens after I do them.
2025-05-30
So I have made the decision to learn browser on the side, and I’ll try to document the steps of learning browser research from zero.
Week 1:
First I seek to understand the flow and different components of browsers. The attack surface of a browser is in essence parsing untrusted data from the web, but made extremely complex by the ability to execute a dynamic scripting language called javascript. There are various different components in the browser. For example DOM parsing, interpreting javascript, compiling javascript into machine code, optimizing/deoptimizing the machine code. Seems like most recent bugs are in the JIT optimization stage.
Now from my kernel experience, I know it’s important to have a smooth and fluent debugging + source code setup. I already have v8 installed. I’ll try to follow through a blogpost on debugging an nday, focusing on the whole experience of debugging and analyzing browser source, and then think of how to improve the workflow.
Side question: why browsers? Because I can’t understand a single browser bug report and I don’t like that feeling. Of course, browser exploits seem profitable.
Recently I also have this thought on “hacking” vs “code correctness audit”. They are quite different aren’t they? I’ve been doing the latter all along, and it’s time for a change in mindset.
Future me (3rd Dec 2025): I ended up doing a 6 months long sidequest, and the browser learning journey only starts now. Oh well.
2025-06-24
I used to feel uneasy about being absorbed in something that wasn’t my proper job, and would actively hold myself back. Now I think so many things depend on the right time, place and people, and there’s nothing wrong with doing something while I still can.
start holiday
2025-07-24
The benefit of being in a research lab is always getting inspired by other people’s work. I’m gonna get some impactful work done too.
start work
2025-08-20
How to get good at anything from 0 and a little self reflection.
There’s kind of two parts that make up a decent vulnerability researcher.
The first part is of course your existing knowledge. For example how well do you know the internals of the target system, how well you know the bug patterns in modern systems, are you following up with the latest nday variants? These are things you can read and extract from others’ research. Frankly speaking they’re not hard to attain. Most driver developers probably have more internals knowledge than I do, and nday exploit writers probably know more about bug patterns than me. The AI too definitely knows more about these.
In the past 3 months or so, all I’ve been doing is reading the research of others, learning about system internals, extracting bug patterns etc. I didn’t really do any 0day hunting at all, for reasons I’m ashamed to share. It feels alright on the surface, since I’m updating my personal notes daily and feels like I’m still gaining knowledge, right? But it’s not the case and deep down I know I’m not advancing.
I actually can’t think of a proper term to describe the second and more important part. I’ll just call it “cognitive strength” for lack of a better term. It’s kind of like exercising. If you run daily, the leg muscles tear and repair and they become more accustomed to running. When you stop for a while, they atrophy and you need conditioning to get back to form again. The same goes for bug hunting. To get good at auditing code, you just have to audit more code. When you audit a lot of code every day, your cognitive strength stays at top quality. You get to see something and instantly feel it’s wrong, and find a bug. You also suddenly think of a buggy condition in the shower, thanks to the unconscious mind working away. All these magical things are only possible in a well conditioned brain with peak cognitive strength. I’m sure I can’t do it now, but I could do it a few months back. Did I lose any existing knowledge? Not at all. But I lost the conditioning of the mind.
When you keep working on something, the brain actually evolves physically to be good at it. Like if you’re just learning to read C, you might need to spend quite some effort to read the lines of code, and then think of them in logic. But if you read many lines of C code every day for a year, the brain evolves to create special hardware to process C code. The moment your eyes see it, the special hardware already processes it and outputs the logical equivalent for the mind to digest. I think I’ve mentioned this before in my posts, but when people are good at doing something, they aren’t really spending much more effort than you are when doing it. Maybe you require some effort understanding C code, and it feels really tiring to first understand the C code, then try to think of the impact it has on existing code, then try to think of buggy conditions. You might think a seasoned researcher just has more effort to do all these at once. In reality they’re just looking at the code, and something just feels off. It’s not much effort because the brain has created special hardware to lift the operations such as “understanding C”, “forming contexts of code”, “comparing with existing bug patterns”, and so on. They might not be able to root cause the bug straight away, but they sure know something feels badly implemented.
Actually, everyone can achieve this level of competency in anything. Again using the same example. After reading C code for a few months, your brain has created the hardware to process C effortlessly. Now reading C is easy to you, and you can spend the same amount of effort on trying to understand the connected contexts in various functions. That might be difficult for you now, but just keep doing it until the brain creates special hardware to do that. Then that will be easy, and you can focus the same amount of effort on something else. Eventually, you’ll be spending the same amount of effort but seeing drastically different outcomes.
What I’m saying is, being good at something should not feel difficult and you shouldn’t kill yourself over it. Just take it easy and let the brain evolve as you do more. Apart from time, there’s really nothing you can give, and that’s the same for everyone. (Oh and, the hardware gets garbage collected by the brain when you don’t use it for some time, and it gets replaced with new hardware.)
The only true way to be good at something is to just keep doing it, until the organ inside you evolves physically. All the mind can do is to force yourself to keep doing it. Bootcamps/trainings and everything else that provides existing knowledge really can’t help much other than to pass an interview.
2025-09-30
Maybe I should go to school more.
School’s boring and all, but it’s my last bet at meeting people for real.
If I keep at my current pace, I’ll probably get terminated in a semester or two. Even though I don’t enjoy going to school, the thought of getting terminated is not great either. Like what am I going to do afterwards, just work until retirement?
Lost.
The last time I felt like everything was fruitless anticipation, I almost got fucked over. I will try my best to not do anything dumb.
Please.
2025-10-31
Suddenly it’s November, and 2025 is about to end. This year hasn’t been ideal: I’ve been restless and utilitarian the whole time, impatient for quick results. On the surface, a lot of things I wanted to do didn’t get done, and things I wanted to learn didn’t get learnt. But what I felt most in daily life was frequent restlessness and an inability to settle down and do some reading, thinking and planning. Compared with last year, it counts as quite a failure. Actually I still prefer the groundedness that pure curiosity brought in the earlier years. Now it feels more like riding in a speeding old car. Moving fast and tense, but knowing clearly in my heart that this isn’t a sustainable way of living and could fall apart at any moment. I even somewhat loathe this feeling: the feeling of being dragged along by many people, of being entangled with many people and groups. I also realize this is something I can regulate myself, but I’m not someone who likes to change proactively. Take it slowly. Hoping to return to calm. (This isn’t about work; it’s mainly personal matters.)
Recently I joined a gaming-companion (陪玩) group, and after getting familiar I often pull some of the guys and girls there into telling me their stories. It’s also a way of getting to know a group I never had contact with before. Many in this group were once left-behind children from rural villages or small county towns, who dropped out in or right after middle school and have since been taking orders / doing companion gaming online. Categorizing people isn’t nice, but their backgrounds really do overlap heavily. This group is fairly well known and gets a high volume of orders. The few I talked to have all set up multiple personas to take orders in different clubs, work over ten hours a day, have been doing it for several years, and average over 10,000 a month. For county-town cost of living, that’s very comfortable. I’m ignorant and never had the chance to interact with this group before, so this actually refreshed some of my stereotypes. I don’t know where I got the impression from, but my old stereotype was: lazing about every day, doing odd jobs, scrolling videos when idle, muddling through. But I found they actually all have goals, all acknowledge that those goals need an economic basis, and are working toward them every day. One guy told me that day that he’d put part of his money into Alipay funds and another part into gold, and the returns were decent. That’s a pretty advanced attitude to managing money. Actually, the people I’ve had more contact with are the ones muddling through with no desire to do anything each day. By comparison, talking with them was really pleasant.
I still think that whatever a person is doing, as long as they’re working hard to get it done, it’s a good state to be in.
2025-11-21
So annoyed, so annoyed, so annoyed. Nothing is going right.
Trusting people easily is really a bad habit.
I hate a big pile of callbacks that I don’t know when will ever fire.
Anyone relate?
2025-12-08
Bought a lot of lessons in 2025; hope I can remember them.
$X taught me the risk of blind investing and the trap of transaction fees.
If you have a little money, really don’t mess around. Getting rich overnight isn’t going to happen to you. Stable investments and a modest little life are comfortable enough. Any big rise must go through a big fall plus luck, and you don’t have the capital to trade for that experience. Hard-earned money doesn’t disappear unless you actively throw it away.
¥Y taught me the cost of trust.
Don’t have any dealings or close relationships with people of low character. Whether you need them or they need you, it only brings trouble. Most of the time, keeping relationships lighter is indeed the better choice. Stay professional, keep to yourself.
5 months and ¥Z taught me the fragility of mental resilience and focus.
The brain is an organ that deforms very easily. If focus, thinking and attention aren’t maintained for a while, they all scatter, and by then they’re hard to rebuild. There’s too much stimulation from the outside; I need to slow down.
Be more steady from now on.
Treasure the stability within reach, enjoy the good things I already have, and don’t aim too high, craving adventure or wanting to make moves.
Keep relationships lighter. Avoid interdependence of interests or emotions; that’s the only way to reduce entanglements.
Keep good habits of body and mind. Exercise more, meditate more, zone out more, read more, think more. Practice focus, thinking and attention. Resist external stimulation; filter information proactively rather than reacting passively.
Keep a pure love and curiosity.
Finally, quoting my own reflection from August 2023:
If you can wake up everyday in the comfort of a bed, able to procure sustenance twice a day, away from ailments or disability or natural disaster, have at least one friend and a loving family, can walk out and enjoy the sun, wind, grass and the scents of freedom without fearing arrest or getting chopped up, your life is fucking amazing and please treasure it.
2026-03-07
The start of 2026 has been terrible. I’ve already lost the energy to record and to think.
How the hell is this AI developing so fast. So tired.
I feel like I’ll definitely be unemployed before next year.
There’s just no comparison.
In vulnerability research, logical analysis ability and experience are becoming less and less important. In the AI era everyone has this ability. The whole industry is slowly drifting toward software engineering. The core competency is no longer a feel for all the intricate and tangled conditions, no longer the ability to quickly understand and untangle code logic, no longer accumulated experience with system internals. Now a research team just needs to go all in on AI infrastructure: build automation platforms, give the AI memory, give it debugging ability, provide a verifier to help the AI confirm the current program state, help the AI obtain environment context, plug this brain into the runtime environment as far as possible, then sit back and wait for it to iterate and improve. Under the assumption that the AI’s reasoning ability grows linearly with time, once this step is done the field of vulnerability research is already at its end.
The most annoying thing is that there’s now completely no need to research vulnerability techniques. None at all. Manual bug hunting will no longer have commercial value; like chess, it can only become a pastime. For me, the joy came from understanding code and then thinking of novel angles to attack it. That feeling of first understanding someone else’s logic, then finding a flaw and breaking through, was especially satisfying. Now this activity has completely lost its meaning. Everyone has an artificial brain in hand; all anyone has to do is build infrastructure for the artificial brain, plug it into your industry, and let it think in your place. But I think my joy comes from thinking with my own brain. I find building infrastructure boring; writing tools every day is boring. What’s the point of things where you already know, before you start, that they can be done and what they’ll look like when finished? So annoying.
This is fucking just being a slave to the AI, building hands and feet for the machine master, step by step enabling it to interact with the real world instead of just processing data streams, helping it see and hear the world, while humans are only responsible for ops and infrastructure.
So pessimistic; I no longer know what to do.
Suddenly I empathize with those masters who still insist on wrapping dumplings by hand. Even knowing the machine is more efficient, that there’s no difference at all, and that the quality is even more consistent, they keep telling themselves the hand-wrapped ones taste better.
Actually it’s just that they somewhat enjoy the process, and are unwilling to accept that the machine has flattened some kind of gap between people.
Hmm. What a chaotic world.
Maybe the right answer is just to be an ordinary person and live an ordinary, anxious little life together with everyone else.