Purpose?
2022-12-26
Hello visitor, hope you’re having a great day today.
Recently I’ve come to the realisation that I’m slightly more willing to share about myself than I used to perceive.
This post will serve as a stickynote right at the top, both as a diary and an answer to “why are you doing this”.
The sole purpose of this blog used to be for me to document some of my learnings so I can recap in the future(served me well to this point).
However, I narcissistically suppose I’ll attain some sort of clarity in the field of offensive security eventually, and thought it’ll be nice to leave some sort of trail behind so visitors can reference or judge the path I took.
That being said, I’m an entry level learner at this point of time, so hopefully I don’t jinx myself and end up with a career in sales or something.
Lastly, I have an interest in Vulnerability Research as well as Red Teaming, and am more than happy to find like-minded friends to chat. Ways to get to me are all around this website.
peace and equality.
2022-12-28
Recent two days have been quite unproductive since my favourite game released a new mode…
I was only able to make little progress experimenting with KLEE, analysed a few toy programs and wrote 1/2 an article.
The more I play with tools the more admiration I have for their creators. Goals of 2023++ include attaining a working proficiency in cpp.
Holiday is ending so hope I can control myself and properly analyse libxlsxwriter in the next few days and churn out a blog post before 2023.
Another thing on my mind is to constantly remind myself to change the footer of this blog on the first day of the new year. Shows my lack of concern for the real life to a certain extent.
bugs shall come.
2022-12-31
-1th day of the new year!
Feeling slightly unsatisfied with the state of life now, but changes come slowly.
2022 isn’t a terrible year for me on paper, got accepted into a desirable college and earned 2 certs in infosec.
Everything comes at a price though, and 8760 hours of a 19 year old should be traded for more in return.
That’s a wrap for the 19th regardless, and hopefully the hours of a 20 year old will be put into better use.
Main resolutions are:
- master cpp to a wizard proficiency.
- lose some(a bit(quite a lot(a ton)) of) weight!
- learn the japanese language to a research paper reading level
- read some books on humanities
and of course do hacking, which has been so much a part of my life that it doesn’t have to enter the resolutions pane
Also, cut down on socialising and relationships that are quite taxing on the brain. I’m not the best at context switching.
Sounds so much like the writing of a 死肥宅 (fat shut-in otaku) the more I re-read this…
But if you get the chance to experience my set of life in your next few draws you might realise it’s not at all what it seems like, it’s much more comfortable.
The keyword of 2022 is anticipation.
…
Calendar flipped as I was typing, and the building opposite erupted with screams.
Times like this I appreciate the compartmentalisation of modern housing, where every household is its small bubble and honestly that’s all one has to care about.
Yeah empathy is another problem to work on, and the 4th shall aid in that.
freedom and a sprinkle of grit.
2023-01-09
First babble of the new year!
Have little time to update on security things as the past 9 days were spent on studying Japanese religiously.
Kind of in a dilemma now, because I tend to only do well if I hyperfocus on a subject, but the security community keeps attracting my attention! (Also, want to complete my symbolic execution series asap)
On the other hand learning a new language is pretty exciting too, and it feels more like a sciency subject than humanities.
My learning strategy works in 3 parts. Grammar, Vocabulary and Expressions.
Grammar learning will be mostly from books and blog posts(yes JAPANESE blog posts). I do make notes but no one probably came to this blog to learn japanese so I’ll pass on that.
Vocab will be scenario based, like I’ll walk into the kitchen and learn everything I can see, smell and hear in vocabulary. This is slightly tricky due to the amount of kanjis available, but with a foundation of mandarin it’s much better.
Finally, expressions, or how native people say shit, is learnt by browsing twitter and watching japanese shows.
I try to type in japanese so I get the chance to use it and don’t get rusty as I learn. That means a japanese writing is coming to this blog soon www. The 12-key layout is quite slow for me, but apparently natives use that so as a follower I’ll work hard to get familiar with it.
This coming weekend I’ll continue the learning of symbolic execution, promise.
Going to sleep.
2023-01-20
Time passes really fast when you begin to document it.
Feels like I’ve done absolutely nothing self-improvement related and 2 weeks have passed…
The days are mainly spent on helping a client(friend?) write a program to group delivery orders based on proximity on a map, and a backend for some attendance tracking website.
Honestly speaking writing software is not the most exciting task for me, but it seems like that’s where the demands are at.
Mainly because I hate the feeling of being clueless when an error occurs while using a third party library. The context switch into understanding and debugging third party code is really tiring!
That’s fine when performing audits though, since the ONLY task is to understand the code.
I guess this is part of the training to unlock more brain usage, so I’ll bear with it.
Also, it’s been a few days since I learned Japanese. This shall serve as a reminder to stay on track and not feel the remorse on 12/31 2023
Saw a post on twitter saying how a person can only master one language in his life, because of some dogshit related to a region in the brain. Without practising empathy and “view things in different perspectives”, I think he is talking nonsense and it motivates me a little to try and prove him wrong.
As I read my previous whines the emotion that comes to mind is actually happiness. Maybe they are right by saying this is the happiest time of my life, but it’s really difficult to experience it in that moment.
By writing, I hope I can gain that realisation on the way instead of it slamming into me in my middle age.
Happy New Year.
2023-02-07
Hello hello from February.
It’s only the second month and my blog update frequency is decreasing, not a good sign.
Honestly I had pretty high hopes for the year, set goals and what not, but haven’t been following them at all.
Been three weeks since I studied Japanese, haven’t exercised and time is just spent on listening to people speak(english, garbage).
I’m starting to feel the increased struggle in self control, as compared to 2018, the other year I set a huge goal. Perhaps this is age catching up.
The only plus point was the continuous study of security shit… which is already a habit and doesn’t require restraint (maybe negative even).
But life has many more aspects to it and it’s important to not hyperfocus on something at the expense of others. This is a common problem I observe among tech people, especially evident in the security space.
It can certainly be abstracted to form a theory of “Knowing your limits”. Not an absolute limit kind, but a reasonable kind.
Recently my body has been giving negative feedback, especially during sleep. The exercise routine has got to start sometime.
Language, music, humanities and more. It’s all in the mind.
University applications are starting soon too. That’s a trouble to discuss next time.
Don’t fill it too full.
2023-02-15
Just yesterday one of the team members completed his service. That was the happiest person I’ve seen in at least a year.
Can’t wait for my turn.
Recently I’ve been working on root cause analysing a mail client. Someone gave me a 1day poc of a logic bug, which you would think is pretty easy to analyse…
Huge ass C++ GUI app without symbols is really painful to reverse. I ended up with names like weird_shit_ass_struct_holding_struct_pointing_to_array_0x155_offset, when it’s probably just nested classes.
I also realised some of my own weaknesses. I’m unfamiliar with windbg scripting, thus unable to think of higher level solutions to automate certain debugging. My knowledge regarding messagequeues and GUI apps in general is also quite terrible, so I should probably start coding and breaking apart GUI apps. Finally I need to work on my naming, and keep it a habit to type structures in the decompiler once I decipher certain member fields so I don’t end up with quadruple type casts and magic number arithmetics in the output.
If I manage to analyse it and bypass the latest patch I might drop it as a blog post, otherwise I’ll have to keep quiet about the current 1day exploit.
Another happy news is that the exercise routine has also commenced! We’re also getting a gym in the office… but I don’t think anyone will use it. I probably won’t have the motivation to bring spare shirts everyday either.
As of today my hate for finance and economics decreased drastically after a conversation with someone. Can’t believe I’m saying this but maybe I’ll start reading about finance…
Let’s see what life has to offer next.
Yikes!
2023-03-19
Good evening from more than a month later!
Can and cannot believe 32 days have already passed. Days feel really slow and sluggish, but looking back it’s been so long since I’ve updated here.
Fortunately the past month has been rather peaceful and laid back. Nothing outstanding at all that I can remember, and no remarkable fuck ups. On the flip side I’ve not achieved much too. This is especially evident on the learning of Japanese language. I’ve barely made progress/studied since early February.
Weight loss regime is going rather well though, losing about 4 kgs in the past month or so.
Speaking of the things I have done, I’ve applied for my university, attended a course on fuzzing, wrote a tool to redirect filesystem API calls to being serviced in memory for device-less snapshot fuzzing(https://github.com/Y3A/hook_fs), and researched on some installer LPEs.
Outside of my little bubble, the world is going mad.
First we have US banks collapsing signalling impending economic crisis, then GPT-4 with copilot revolutionizing data presentation and creative work. That’s a hell lot of changes in a month.
Although one may argue it’s merely the surfacing of long ongoing works, the surfacing does make huge impacts. Without the release and proliferation of Chat, the AI field certainly would not receive as much support and pressure to concretize research into production tooling. What a time to be alive.
My timeline has also been flooded with AI related topics, without myself actively procuring information. Quite a lot of tech bros are stocking up on books and researching about AI. That prompted me to actually think if I should take a deep dive into AI soon(spoiler: I said yes). My math isn’t good at all, and honestly I don’t have much interest in the conventional side of computing if not for breaking stuff. But I figured out I’ll give it a try at least, after little regrets of not hopping onto the train of smart contract audits due to similar apprehension. There has to be someone who audits AI for bugs right ;)
Oh well, I’m so fucking tired now. I hate naps and they take away more from me than I hope to obtain. See you in a technical post soon.
The key to a wonderful life is what you can get hooked on.
2023-03-27
mmmmmm
Just a quick update before March ends~
Life has been rather routine. My day consists of waking up, doing pointless things at conscription, studying, playing fifa and night running. Can’t complain anything about the relative lack of responsibilities and chunks of free time, but still really looking forward to ending it. I plan to take train rides from the south to north of China, stopping by third tier counties and visiting villages. It’s gonna be a desirable break away from technology and identity. That’s if, WW3 doesn’t commence and I don’t break a leg.
As I mentioned previously, I’ve started to read up on some neural network stuff, starting from http://neuralnetworksanddeeplearning.com/.
Unfortunately my really limited exposure to mathematics led to
And I went down a rabbit hole of MATH BOOKS, 3blue1brown videos and old professor lectures.
It’s a complicated feeling. I’m simultaneously interested and uninterested. Although the concepts and implementations are extremely mesmerizing and complex, it’s just less rewarding and more tiring to study. Hate to admit but I’m also bad at getting myself to learn something new, from scratch. I tend to stick to old and comfy things, which is bad. The goal for now will just be to try and understand the math behind the first two chapters, and write a toy neural network capable to identifying digits. That feels quite rewarding :)
On the topic of security, I’ve been auditing some installers for LPEs and found a couple of 0days. They aren’t extensively used though so I can’t be bothered to report. Maybe I’ll blog about finding LPEs soon, but those are low low hanging fruits and require little technical skills. The takeaway is, you are probably a hair away from system if you compromised a personal computer.
I also hope to reproduce and blog about some kernel CVEs soon.(After the neural network thingy!) Those are tons of fun.
Compared to last year, I don’t think I’m improving as fast and reading as much. It’s slightly demoralising, I’ll try to get up to pace soon!
σ(w⋅x+b).
2023-04-02
Hello from April!
Just writing a quick update because it’s really late and tomorrow is a Monday again.
Well unfortunately I did not commit to any of my plans written last week, including AI and CVEs and more. Instead I went to read a book called Hackers and Painters by Paul Graham (no regrets at all). I’m about half way through and I can absolutely declare that the high reviews really did it justice. It’s a book packed with insights and thoughts that are incredibly forward and meaningful, but at the same time easy to digest, almost like the wise old village chief holding you by your hands. The author’s predictions of the future at time of writing (2004) are so fucking (forgive me) accurate and surreal. You’ve got to see it for yourself.
I know the book is supposed to spread these great ideas and startup teachings, but my most striking takeaway for now is… webapps are actually really impressive(and practical). I used to look down on web programming and felt that native clients were much better. No particular reason, just the thought of web stuff being “lame” and just a bunch of markup language together. If I had spent a little more thought on that, it would have been very obvious that my viewpoint was biased and shallow and frankly dumb. The web is such an amazing creation! and webapps+browsers are so flexible and ubiquitous we take them for granted. With my newly acquired interest for the web I started learning nextjs and typescript lol, with a goal of making a C2 client/server.
Now you might think that I’m so fickle I’ll surely become a jack of some trades (as they like to call me, 三脚猫, a “three-legged cat”), but I’m a firm believer in following your interest. My rationale is: If I keep switching interests, eventually I’ll come back to one of my prior interests and build upon it. It’s like a cycle, and with enough time I’ll be able to max out all of them hahaha. Let’s see how far this one goes.
Fuck that wasn’t quick at all
Good night, good night!
2023-04-24
Good morning!
Daily update became weekly update and now monthly update 00, but I’ve made my life so boring that there’s nothing really new to talk about.
Lost 8kg in the past 2 months as expected, and 8 more to go. Fell horribly sick a few weeks ago, which kind of made me reconsider quite some things(always happens when I’m sick).
For starters I’m prioritizing health over laziness now, e.g. taking fucking vitamins and sleeping early. Kind of makes sense that I should be using this body sparingly if it’s gonna last for 30 more years.
I’m gonna be honest and say that the japanese learning plan is going down the drain! Haven’t touched it since mid feb. Good news is one of the co-workers is starting to learn it too, and he might give me some inspirations to continue.
The ailment messed with my brain, and I lost interest in web development. Instead went back to working on my mini kernel. That turned out to be quite productive as I implemented processes, threads and userland. Learnt some differences between linux and windows in that process (pun intended). In linux threads are just mini processes that share memory with each other. Internally they are all represented by a task_struct structure. That’s not the case in windows, where processes are just a container for threads. The kernel EPROCESS structure houses some administrative data like the pagetable and image name, but doesn’t actually execute anything. Each useful process must have at least one thread which is the runner of some code. As a windows fanboy of course I went with the windows ideology of things.
2 weeks later I found an interesting CVE regarding an information leak in one of the windows minifilter drivers. It’s interesting cuz information leaks are rather useful now following the announcement where microsoft is planning to kill the usual kaslr bypass. However I know nothing about these drivers, so I went back to working on Pavel Yosifovich’s driver programming book, hoping to learn a thing or two before analysing this cve. I’ve got it diffed out already, and it’s a race condition due to improper locking, but I don’t know enough to trigger it yet.
Speaking of windows internals, these books just arrived :)
The kind of gift a nerd craves during festive seasons. Reading online books just doesn’t feel the same.
Lastly I subscribed to netflix yesterday to watch this film called True Spirit(it was inspiring). Little did I know it offers films based on regions, and my region has absolutely nothing. Didn’t stop me from watching 4 super old films in two days though. Netflix I’m coming for you soon.
Work is starting tomorrow, hope waking up early can get me back into doing productive things.
nnsask_46
2023-04-28
Hello from not long later.
I certainly did not plan to write today, but I also never follow my plans so here I am.
While browsing twitter this afternoon I came across a post mentioning this course. Honestly I’m quite skeptical when it comes to prompt engineering and ChatGPT related courses/books, because everyone’s just trying to milk it for money while it’s still hot and fresh.
Speaking of money allow me to digress. I came across ChatGPT at around early December last year, which was quite before it spread outside the tech circle. First time using it, of course, mindblown, but that was where I stopped. Thinking back at it a few months later, so many things I could’ve done for some profit. Investment was one of them, see chinese tech company 360 Security with a 300% growth. Like almost every decent tech company on the chinese stock market saw a fair amount of growth during the first weeks of ChatGPT’s introduction into china(already a few weeks later than the west). Most tumbled afterwards but that was still an opportunity missed. Also peripheral industries like graphics card/storage/cloud computing have seen pretty good growths, see Nvidia with a 100% increase from late December last year to now. This is one of the rare opportunities where the huge information gap combined with leaps in technology allows for a nerd to outperform an economics geek. Heck, would’ve made decent money even by just selling ChatGPT accounts on Taobao!(banned chinese emails and phones from registering) Quite unfortunate to have missed it. You’ve got to do something when the opportunity presents itself. It doesn’t happen so often.
Coming back to the topic, I decided to give this course a try because it’s made by people who surely know their AI well. The course was pretty practical actually, and really straightforward. Now there are generally two types of useful courses. First being those that really blow your mind with some obscure 20 years research deepdive fancy technical dump. These courses are rare to find, tough to learn, extremely valuable but also cost a kidney. The second type is more straightforward, logical and more like a cookbook. Aforementioned course obviously belongs to the latter. Like many management courses, it’s “telling you something” instead of “go find out something”. After finishing these courses I feel like the rules taught are so logical and sensible that a cognitively competent human should be able to formulate them. I guess that’s called learning. Although the course contained useful tips, I don’t feel accomplishment going through it. It’s literally following a guide lol. On the other hand the skillcap for prompt engineering is there, and you can’t expect it to go any more technical than a conversational english course.
When I first started learning programming 3 years ago, my motivation was partly “learn a language that the computer speaks so I can control make friends with it”. It has served me pretty well and I know a handful of them. It’s unfortunate that the next generation wouldn’t need such a goal in mind to learn programming, since LLMs are natural language interpreters.
This experience kinda made me interested in AI again. If com science wants me then I’ll enroll in a math course straightaway. Otherwise goodbye I’m going back to security. Waiting season always sucks doesn’t it.
Not an AI assistant.
2023-05-21
Hello from late May!
I’m writing from camp while listening to a song by Mayday, how seasonal.
Recently I was forced to attend a military training course (all part of conscription) that will last a month long. That means going to camp and waking up early everyday for a month. As a subpar soldier who absolutely hates waking up early, this is truly a torturous event. Currently just finished the first week so, long way to go. To make things worse, access to other electronics apart from mobile phones is prohibited. Study plan down the drain. I’m not a fan of using my phone for anything apart from esports, because I find it small and easy to overheat. (and it’s near impossible to debug a windows kernel driver on an iphone yeah). Without going into the details of how much I dislike conscription and the military and regimentation and hierarchies, I really abhor them.
So what else can I do if security study has to halt? I started reading this book called 暗时间(translation: “dark” time), which talks about how one’s brain functions(on the abstract level) as well as how to think straight. It’s quite an intense book, by that I mean the content is dense and well cited examples are abundant. I’m currently less than half way through, but I can confidently recommend this book to literally anyone in any field. It’s a remarkable collection and summary of the greatest works in abstract psychology for critical thinking. IMO it’s worth the price even if you use it as a booklist to be introduced to other books.
Some of the ideas I’ve learnt thus far:
- There are lots of times when your brain is idle (“dark” times). For example waiting for transport, queueing for food, taking a stroll, etc. We can extract more out of the brain by using these times to reflect and think, on either problems (all life is problem solving) or ourselves. I practise this by skimming through chunks of technical text/problem statement before engaging a boring task like folding shirts. That way I can digest the text using idle time.
- Don’t memorise conclusions from books, because they are formed based on the writer’s own biases. Instead, remember examples/experiments so you can derive your own theories which are easier to remember. Our own theories are usually easier to remember because we try to link them with knowledge that already exists in our brain. By increasing the links, it’s more probable for a search to reach the desired knowledge. In Mandarin, 条条大路通罗马 (all roads lead to Rome).
- Don’t assume something does not/will not exist just because you are unaware of it. It’s good to communicate with others and query for information. Pretty hard to enforce for an introvert but I’ll try.
- The inner core of our brain that’s in charge of emotions, desires and survival, has evolved little since pre-historic times. It BELIEVES that we are still in the stone age (wooden age to be precise). This explains many of our behaviours (eating high fat food, afraid of “awkwardness”, emotional) that we want to curb but find it hard to. The Neocortex is relatively evolved, and that’s in charge of logical thinking and reasoning. When we want to quit a certain habit, that’s the rational Neocortex trying to guide us to an end goal. However, stopping these behaviours is a difficult task because the inner core is regarded as superior (survival and reproduction are indeed the top priority all along). A good way to practise controlling your “emotional” inner core is to treat it as an enemy/your child, and use the Neocortex to make decisions. Why not treat the inner core as part of yourself? Because the inner core again, dislikes admitting that it’s wrong and needs to be changed. In fact, it’s so powerful that people tend to use logic to justify their inner desires, but in fact the “logical” reason is not the true driver of their decisions. We must be wary of this behaviour, and try not to always find excuses for the emotional inner brain. In all essence, know that emotions are just signals from your pre-historic counterpart, and you have all the say to ignore or comply.
- Innate bias is ever present. Experiments such as the “rotating mask illusion” and your usual optical illusions explain it all. The brain has its own preset rules, and these rules can override each other based on importance. It helps the brain to quickly come to conclusions (heuristics), but can lead to biased conclusions. The only way to mitigate this is to interact with more people, understand more perspectives and read more books. Also, stay open minded. This solution might be a working solution, but it’s definitely not the only solution. Unknown does not equal non-existent.
- More knowledge sometimes causes less problem solving ability, especially when it comes to creative thinking. When we have general knowledge but lack critical thinking, functional fixedness sets in, causing our thoughts to be very rigid. This is evident in many “think out of the box” puzzles, such as “connect all 9 dots with 4 strokes”, “how to send the lion, rabbit and cabbage across the river” and the Candle Problem. How to combat this? A helpful way is to break up your chain of thoughts into individual parts. Think of a decision tree. We tend to go down a certain path early in the tree without realising that the solution is in the other path. We should stop at every junction of our thoughts, try to question if that’s really a “must do”, then proceed. This is one reason why rubber ducky debugging works too. By saying our thoughts out, we are questioning our questioning process! And that is how to practise critical thinking.
In the past when people ask me what I want to achieve in life, my response is
“to be happy.”
As of today the conclusion has changed to
“To complete my objective. For now, that is to be happy.”
yeah stay happy~
2023-06-02
June June June June
It’s another year of June without holidays, and I still can’t get used to adulthood. Every June/December I’ll start going holiday mood and crave taking a train ride.
I came across an interesting incident yesterday, which is interesting enough for me to document but too rudimentary for a blog post, so here it comes.
While working on a driver to detect remote thread creation, I thought I found a bug in my code.
The general logic is:
- Register process and thread callbacks.
- Add each newly created process to a linked list.
- For each new thread creation, if it belongs to a process in the linked list(its first thread), remove the process.
- If the thread does not belong to any new processes and the creating process is not the same as the created thread’s process, log it as remote.
The process callback goes like:
static void OnCreateProcessNotify(PEPROCESS Process, HANDLE Pid, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);

    if (CreateInfo == nullptr) {
        // Process exit
        // Edge case where process has no thread but exits, remove from list
        if (auto entry = g_Processes.FindProcess(Pid))
            g_Processes.RemoveProcess(entry);
        return;
    }

    // Process create
    // Add to new processes list
    auto entry = g_ProcessesPool.Alloc();
    entry->information.pid = Pid;
    g_Processes.AddProcess(&entry->link);
    return;
}
The FindProcess function:
LIST_ENTRY *ProcessesHead::FindProcess(HANDLE pid)
And the thread callback:
static void OnCreateThreadNotify(HANDLE ProcessId, HANDLE ThreadId, BOOLEAN Create)
{
    if (!Create)
        return;

    // We only care about thread creation
    // Note here ProcessId and ThreadId belong to the target thread
    bool remote = PsGetCurrentProcessId() != ProcessId
        && PsInitialSystemProcess != PsGetCurrentProcess()
        && PsGetProcessId(PsInitialSystemProcess) != ProcessId;

    if (!remote)
        return;

    // Check if thread is "true remote" : not first thread in a process
    auto entry = g_Processes.FindProcess(ProcessId);
    if (entry) {
        // fake remote
        g_Processes.RemoveProcess(entry);
        return;
    }

    // True remote, log it
    ...
    return;
}
At this point I thought I had discovered a potential race condition bug.
I was returning a reference to a linked list element from FindProcess for efficiency, which is a really dumb thing to do because it completely voids the purpose of synchronisation objects. Instead, I should be returning a status for found/not found, and the RemoveProcess function can simply do the loop again to remove the target element, this time with an exclusive lock. (The choice of using a fucking linked list for this task is already quite illogical actually.)
The possible exploit scenario here would be to:
- load up the processes list with thousands of processes with no threads so the search becomes slow
- create a thread for the last process to kick off the thread callback
- kill off some processes from the start of the list
- exit the last process
If the stars line up, it’s theoretically possible to get the process callback’s FindProcess to return the same reference as the thread callback’s FindProcess. In this case both callbacks will proceed to delete the same reference, leading to a double free.
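An added example, my own user-mode model and not the blog’s driver code, of the two designs discussed above: a list whose lookup hands a node pointer out past the lock, replaying the thread-callback/exit-callback interleaving to show the double free, beside the status-returning variant that searches and removes under the exclusive lock while several threads race for the same entries. std::shared_mutex stands in for the driver’s shared/exclusive lock, and the pids are constructed values (both assumptions).

```cpp
#include <algorithm>
#include <cstddef>
#include <deque>
#include <list>
#include <mutex>
#include <shared_mutex>
#include <thread>
#include <vector>

using Pid = unsigned long;

// Pool-owned node. "Freeing" only flips a flag so a second free is observable
// here instead of being undefined behaviour, as it would be in a real kernel pool.
struct Node {
    Pid pid;
    bool freed = false;
};

// Racy design from the entry: Find returns a Node* that is no longer protected
// once the shared lock is released, so two callbacks can both obtain and remove it.
// std::shared_mutex stands in for the driver's shared/exclusive lock (assumption).
class RacyProcessList {
public:
    void Add(Pid pid) {
        std::unique_lock lk(m_);
        pool_.push_back(Node{pid});
        live_.push_back(&pool_.back());
    }
    Node* Find(Pid pid) {
        std::shared_lock lk(m_);
        for (Node* n : live_)
            if (n->pid == pid) return n;   // the pointer escapes the lock here
        return nullptr;
    }
    // Caller passes back whatever Find returned, possibly already removed elsewhere.
    int Remove(Node* n) {
        std::unique_lock lk(m_);
        live_.remove(n);
        if (n->freed) return 1;            // double free
        n->freed = true;
        return 0;
    }
private:
    std::shared_mutex m_;
    std::deque<Node> pool_;   // deque keeps node addresses stable
    std::list<Node*> live_;
};

// Fixed design: the lookup never leaves the lock. Remove walks the list itself
// under the exclusive lock and only reports whether it removed anything.
class SafeProcessList {
public:
    void Add(Pid pid) { std::unique_lock lk(m_); live_.push_back(pid); }
    bool Remove(Pid pid) {
        std::unique_lock lk(m_);
        auto it = std::find(live_.begin(), live_.end(), pid);
        if (it == live_.end()) return false;   // already gone: nothing to free
        live_.erase(it);
        return true;
    }
    std::size_t Size() { std::shared_lock lk(m_); return live_.size(); }
private:
    std::shared_mutex m_;
    std::list<Pid> live_;
};

// Replays the interleaving the entry describes: the thread callback and the
// process-exit callback both look up the same pid before either removes it.
// Returns the number of double frees (1 with the racy design).
int RacyInterleaving() {
    RacyProcessList procs;
    procs.Add(4000);                          // constructed pid
    Node* fromThreadCb = procs.Find(4000);    // thread callback's "fake remote" check
    Node* fromExitCb   = procs.Find(4000);    // process exit callback, same pid
    int dbl = procs.Remove(fromExitCb);       // first removal frees the node
    dbl    += procs.Remove(fromThreadCb);     // second removal frees it again
    return dbl;
}

// Real contention against the fixed list: nThreads race to remove the same nPids
// entries. Successful removals must equal nPids and the list must end up empty
// (returns -1 otherwise).
int ConcurrentRemovals(int nPids, int nThreads) {
    SafeProcessList procs;
    for (int p = 1; p <= nPids; ++p) procs.Add(static_cast<Pid>(p) * 4);
    std::mutex countMtx;
    int removed = 0;
    std::vector<std::thread> workers;
    for (int t = 0; t < nThreads; ++t)
        workers.emplace_back([&] {
            int mine = 0;
            for (int p = 1; p <= nPids; ++p)
                mine += procs.Remove(static_cast<Pid>(p) * 4) ? 1 : 0;
            std::lock_guard lk(countMtx);
            removed += mine;
        });
    for (auto& w : workers) w.join();
    return procs.Size() == 0 ? removed : -1;
}
```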
So I quickly hacked up a poc to play with this:
By using NtCreateProcess, I was able to create processes with no initial threads, visible in tools like ProcessHacker.
To my surprise, none of these empty processes triggered the process callback! Which was really weird because it should literally be a callback for when processes are created.
Knowing that the PspCallProcessNotifyRoutines function is responsible for invoking process callbacks, I spun up IDA to look for cross references to this function.
And it turns out that although Microsoft labels the function as a process callback, it’s only invoked when the first thread is created and inserted into the process.
MSDN Docs:
“When a process is created, the process-notify routine runs in the context of the thread that created the new process.”
Seems like Windows only regards a process as a true process when there’s an initial thread in it, which IS REALLY CONFUSING because the Windows architecture is known for strongly distinguishing threads and processes, as compared to linux where “oh everything is just a task”.
You can see the PspCallThreadNotifyRoutines function being called right after the process callback is invoked, which also means that the thread callback is inline of the process creation process (pun intended).
Our exploit can therefore never work, because the process is not truly created before the thread callbacks are serviced, and thus cannot be terminated. You can experiment with this by registering a thread callback, sleeping for a few seconds and watching your system turn into a 1 core 500mb ram piece of garbage.
At this point I was quite happy that I didn’t write a critical bug, only a terribly designed poc :D
Lessons of the day:
Synchronisation bugs are pretty prevalent. Process callbacks aren’t really process callbacks but more like First Thread callbacks. Design your code before writing.
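The double free the post is worried about is a pure ownership problem: a lookup that returns a still-linked entry lets two callers each believe they own it. As an added example (not code from the post or from the driver it discusses; the list, the lock and the FindProcess stand-ins are all invented here), the following C models the buggy FindProcess next to a find-and-unlink version that transfers ownership under the lock, and simulates the two callbacks racing on one pid:

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>

/* Toy model of a driver's per-process tracking list. Everything here is
 * invented for the example: the real driver's structures are not on the page. */
typedef struct tracked_process {
    uint32_t pid;
    struct tracked_process *next;
} tracked_process;

typedef struct {
    tracked_process *head;
    atomic_flag lock;   /* stands in for the driver's lock around the list */
} process_list;

static void list_lock(process_list *l)   { while (atomic_flag_test_and_set(&l->lock)) { } }
static void list_unlock(process_list *l) { atomic_flag_clear(&l->lock); }

void list_init(process_list *l) {
    l->head = NULL;
    atomic_flag_clear(&l->lock);
}

void list_insert(process_list *l, uint32_t pid) {
    tracked_process *p = malloc(sizeof *p);
    p->pid = pid;
    list_lock(l);
    p->next = l->head;
    l->head = p;
    list_unlock(l);
}

/* BUGGY pattern from the post: FindProcess returns the entry while it is still
 * linked. Two callbacks looking up the same pid both receive it, and each then
 * frees "its" reference: a double free. The lock does not help, because the
 * lookup and the later free are not one critical section. */
tracked_process *find_process_buggy(process_list *l, uint32_t pid) {
    list_lock(l);
    tracked_process *p = l->head;
    while (p && p->pid != pid) p = p->next;
    list_unlock(l);
    return p;
}

/* FIXED: lookup and unlink happen under the same lock, so ownership of the
 * entry transfers to exactly one caller; every later caller gets NULL. */
tracked_process *find_and_unlink_process(process_list *l, uint32_t pid) {
    list_lock(l);
    tracked_process **pp = &l->head;
    while (*pp && (*pp)->pid != pid) pp = &(*pp)->next;
    tracked_process *p = *pp;
    if (p) *pp = p->next;
    list_unlock(l);
    return p;
}

/* Simulate the process callback and the thread callback both racing to look
 * up and delete the same pid. Returns 1 if both got the same pointer (the
 * double-free condition), 0 otherwise. Deterministic stand-in for the kernel
 * race; no threads are spawned. */
int race_double_frees(int use_fix, uint32_t pid) {
    process_list l;
    list_init(&l);
    list_insert(&l, pid);

    tracked_process *from_process_cb = use_fix ? find_and_unlink_process(&l, pid)
                                               : find_process_buggy(&l, pid);
    tracked_process *from_thread_cb  = use_fix ? find_and_unlink_process(&l, pid)
                                               : find_process_buggy(&l, pid);

    int double_free = (from_process_cb != NULL && from_process_cb == from_thread_cb);

    /* Free each distinct pointer once. In the buggy case the list head now
     * dangles, which is exactly the state the two real callbacks would leave. */
    free(from_process_cb);
    if (from_thread_cb != from_process_cb) free(from_thread_cb);
    return double_free;
}
```

The fix is not more locking around the same lookup but making lookup and removal one critical section; a real kernel version additionally needs a reference count or rundown protection if other code can still hold the entry after it is unlinked.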
Also, I kind of miss playing ctfs. Maybe because I don’t get much adrenaline rush these days. I applied for a team last week, the leader spoke a few words with me and I never heard back from them since. I’m guessing that’s a silent rejection. If anyone has an actively recruiting ctf team and doesn’t mind a really rusty player joining, please contact me!
pspspspspspspsp
2023-06-03
Wtf why am I writing again it’s only been a day.
I have no idea too. Was watching FA Cup and suddenly felt a gush of semi imposter syndrome, have no one to talk to so decided to just pen(keyboard) down some non-substance.
Browsed a lot of skilled peoples’ blogs today, some of which I’ve come across in 2020/2021. 3 years ago I had absolutely no clue regarding what (oh shit nice goal Gundogan) they were then researching/writing about. Now I’m still clueless about their current writings. Probably didn’t express my thoughts clearly but, I have this feeling that I’m not catching up to people at all, and everyone is just constantly moving forward. 2023 is a year of fruitless waiting, and that’s a worse feeling than failure. Waiting drains all my energy while I try to remain optimistic. I’m also terrible at not thinking of the pink elephant, therefore can’t fully context switch to focus on other stuff.
I have a poor memory too. Forgot almost everything I’ve learnt in the past year, and previous year, and of course even earlier before. Kind of feel like a fresh paper now. Guess I have no problem doing short term learning for a cert/exam, but I’ll just flush everything out of RAM afterwards. So now I feel like I know nothing at all, apart from the chapter I read this afternoon.
I wanna be a bug hunter, but can’t take the weeks of staring at code with no progress indicator. I wanna have teammates to discuss things with, but the thought of human interaction wears me out. I wanna win ctfs, but feel like an idiot researching fucking libc.
Probably need to 1. make proper checkpoints and targets while doing VR. 2. get used to interacting with others. 3. just start trying and not quitting.
I also have this image of a perfect future, where a few friends and I stay at a cosy apartment, do some security research/ctfs and play sports daily. I don’t think that’s ever gonna happen though; wishful thinking never works well for me.
I’ll probably be a bug hunter wannabe with no bugs, lots of superficial knowledge but no practical experience, wasting time hopping around topics, all by myself, delusional thinking I’m good but in reality garbage, no opportunities, despise everything I’ve tried a little but didn’t deep dive, maybe change a field completely.
Hopefully not, but that’s exactly me now.
2:1
2023-06-18
Hey friend, how are you doing. We’ve crossed the halfway mark of 2023! I just ended a long day of duty. Well duty sounds like I’m actually doing work, but that’s not the case. Duty is just me waking up early to report to camp and read a book for a day.
Today I read half of the book Unlocking the Emotional Brain, and as usual felt an urge to express myself(else I won’t be here :p)
The book is eye opening to say the least, and contains lots of case studies to elaborate its theories. I really enjoy books with case studies and examples because I get to pause and predict how the next part of the conversation could turn out to be. Authors Ecker, Hulley and Ticic proposed a rather novel framework (known as the Emotional Coherence Framework) that redesigns the process of therapy. In their framework, symptoms are never pathologised, unlike in conventional psychology.
Afaik from the book, most pre-coherence psychology treats symptoms as problems that need to be controlled and suppressed. They therefore favour the use of counteractive methods that aid with symptom management, such as relaxation, positive thinking and chemical intervention. These techniques work by building new synapses in the brain in an attempt to suppress the old synapses that trigger the symptoms.
Emotional Coherence Framework on the other hand believes that symptoms are solutions to problems. If you think of every symptom as a structure, there’s always a problem member and a solution member waiting to be identified. The problem may be fictitious (assumptions) or dated (ptsd type), BUT the brain recognises it as threatening. More specifically, the brain acknowledges the existence of the problem as well as the potential other problem that the solution (in most cases also the symptom) can raise. Implicitly it makes the decision to take the symptom in order to prevent greater harm. Since a large variety of symptoms are learnings by the brain to help itself, Ecker and his team believe that they can be unlearnt.
At this point I started thinking about another observation. It’s not uncommon to see people trying to assume the role of a therapist, might be a friend, a parent or a mentor. The results are often poor, because they tend to focus on the pre-coherence era of suppression, and they do it quite wrongly. A common observation is they try to cut in with their own opinions. It’s almost like they’re only listening just so they can shove their thoughts in once the other party is done. Well even if you have 1000 hard facts to convince the client, the result won’t even be close to a proper session of therapy. The best that could happen in this scenario is the client gets fully convinced, logically, that his symptoms are bullshit and should reasonably be curbed. But that’s not going to help with anything. His logical neocortex may be convinced, but his implicit emotional subcortex is not involved at all. It’s kind of like muscle memory, and it will just flip as per usual the next time something triggers. Giving a lecture on facts is just not going to work(asian parents look here). You can never change another adult’s thoughts unless he is fully trusting, accepting and willing to comply. There are better(more scientific) ways, such as inducing a self-directed, conscious comparison of facts using juxtaposition, but you’ll have to read the book to find out.
Also here’s another random thought. Aren’t structures amazing? Literally everything in the world can be represented as structures. Starting virtually, every single action you do on a computer, every feedback you see, every app you use, can be simplified to performing just one task: updating structures. By updating a screenbuffer structure you see input on screen. By updating the keyboard buffer structure the IO manager receives keystrokes. By updating character and background structures you get fancy little games and logics. It’s similar in the real world. Think of a bottle of shampoo structure with a shampoo liquid member, a container member, a label member and a nozzle member. Structures link chunks of data to other data. The nozzle member links the shampoo bottle to the person showering, like how a switch links the lightbulb to whoever uses it. Once you fully appreciate this, you realise that structure(or “object”) oriented programming is the most natural way to work with stuff. I’m not talking about the loaded modern complex “OOP” paradigm, but simple old structure updates. These structures can be implicit: when you write a file of functions manipulating a structured field of data in C, you’re thinking OOP. That should be the starting point of every planned project.
I’m talking quite a lot of garbage, but trust me I’m trying really hard not to jump around.
Lastly, paper books smell and feel clean. I hate ebooks.
struct
2023-07-10
Blue July, bright July,
Month of storms and gorgeous blue;
Violet lightnings o’er thy sky,
Heavy falls of drenching dew;
Hello from July! Been a busy few days without updates, lots of working and thinking about stuff.
With the end of my military service approaching(100+ more days) I got to find something to do afterwards.
Although I keep saying I’ll lie on the bed for 9 months until I get so fucking bored, I still wanna do some real things. That being said, I applied for an internship in vuln research (there weren’t any official procedures I knew of, so I just wrote an email to them); they told me I needed to send in a resume, which I didn’t have, so I went to make one and am now waiting for results.
Frankly I don’t care at all about the pay or recognition or whatever. I just want to hack on some stuff with like minded people, and it would be striking a lottery if they are willing to share experiences of working in the field. Really hope I can get in to that.
The past few days were mainly consolidating my learnings on filesystem logic bugs. The techniques date back to 2015-2020, which sounds ancient but they are still very much relevant today. One thing I love about learning old techniques is that you get to see how TTPs develop over the years as these talented frontline researchers constantly push the boundary and discover cool shit. It’s really respectable.
While messing around with some of those, I found a really interesting 0day scenario which I’m dying to share and ask for opinions. It’s quite confusing which party the blame should be on/should care about it. So I did the greedy move and reported to all affected parties, now still under verification. Bug bounty is pretty boring to me still. You’re not really learning anything, you’re just doing the same shit over and over again on different releases of different targets. Don’t mind my analogy but I find it really resembles scammers phishing clients using social media, like 电诈 (telecom fraud). You profile a bunch of targets, try to understand them and find something in the first week, and drop those without obvious bugs. By that I mean web bug bounty/filesystem low hanging fruits of course. In contrast deep dive vuln research is so much more motivating and rewarding.
Also I’m reading a book called 寒江独钓——Windows 内核安全编程, which talks about windows drivers. Although it’s dated (2009) I find it really fascinating and eye opening and I have a great deal of respect for the author. It doesn’t contain the most technical details (by that I mean explanation of flags/behaviours), probably due to age, but it does have a lot of walkthroughs and extended discussions and even walkthroughs of extended discussion materials. I love books that go on and talk about related case studies/techniques/stories. Unfortunately most authors are really lazy and “leave it as an exercise to the reader”, but not this author. As an example he talks about attaching a filter driver to keyboard devices to sniff keystrokes, then extends to talk about how it’s easily detectable by scanning the device stack, and how else to do it (hooking the kbd-something driver’s major functions directly), and how that can also be detected. Then he mentions a case study about how QQ (chinese chat app) bought technology from the koreans on anti-sniffing techniques, how those work, limitations of those and more rabbit hole topics. I guess it’s just a way of organising information that I appreciate, where each chapter is like research into a particular idea covering many possibilities and fun facts. Love it!
Going forward I’ll continue to work on studying/writing windows drivers, hoping to learn more internals in the process. If I get an internship then I’ll go work on that. Fingers crossed!
🎣
2023-08-19
Hello from August.
As unexpected as things can get, the past few weeks have been the most weird, fucked up and nurturing period in a very long time.
Without going into details, I fucked around and found out. I really did.
Previously I’ve always held a frivolous and carefree attitude towards everything.
To put it frankly I was dumb and entitled.
Not sure what you guys thought of your understanding of the world when you’re 19.
I certainly thought I knew a lot. I thought I knew what I aspire to do in life, how to do it, the dos and don’ts of society. I thought I knew it all.
I thought the only thing important in life is to grind on some work, family is just there for granted, who cares about authority or rules, fuck getting married or a relationship, humans are boring and noisy, I don’t have to care about anything. The worst judgement was me thinking my current life was garbage, and everything will be so much better after military service.
Turns out I was just a rash and stupid overgrown teenager living in my own world, and that’s going to fuck me over sooner or later.
Fortunately for me it came sooner.
If you’re like me, please re-think about it all.
Sometimes you really don’t need to fuck around to find out.
If you can wake up everyday in the comfort of a bed, able to procure sustenance twice a day, away from ailments or disability or natural disaster, have at least one friend and a loving family, can walk out and enjoy the sun, wind, grass and the scents of freedom without fearing arrest or getting chopped up, your life is fucking amazing and please treasure it.
Anything else, it’s up to you to change it, and you can change your life this exact moment if you desire.
Also, as cliche as it sounds, problems are inevitable in life.
You’ll never get a prolonged period of “I have absolutely nothing to worry about and I’m so relaxed” ever again.
That only happens once when you’re a newborn.
Don’t ever hope for that because it’s depressing.
Instead, try to seek real happiness, which is independent of the presence of problems.
If you’re still not convinced, try envisioning losing two fingers permanently, getting a late stage colon cancer and attending all the therapies, losing a close family member right now, getting prosecuted and attending court trials with your name all over the papers.
Really, let it sink in.
Do research, be worried, get fucking anxious and lose sleep.
The brain can’t differentiate between real and perceived events.
If you try hard enough, you will be devastated, disoriented and lose some hair.
But you’ll learn a lot on appreciating life. And freedom.
Maybe you’ll read some books, because books are the only way to hold conversations with these people who actually know their shit.
By The Courage to be Disliked, the only true happiness lies in self acceptance, confidence in others and contribution to others.
Staying alone and being prickly leads to nowhere.
Seriously, have some morals, some values, and work towards them. Unconditionally.
If you’ve already fucked around, don’t be afraid.
Finding out is a lesson, and most of the time the lesson is worth more than the consequence you’re going to pay.
Accept it, and move on.
Stepping into adulthood is not about growing a beard or earning some quick cash.
It’s more about the increasing lessons to bear in mind, and to give fucks to things worth giving fucks to.
It’s unlike me to not talk about security, so I’ll lightly add on.
A few days ago my bug got fixed by Microsoft, and I got my first CVE.
It’s a pretty mesmerizing experience.
For a bug that’s pretty useless(imo), ZDI accepted and paid promptly without questions, and Microsoft fixed it in like a week.
I’m starting to think Microsoft has some internal research going on that helped to elevate the bug, because from what I submitted there’s no way it’s a 7.8
Or maybe they issue CVEs by patches, because that patch is actually pretty huge.
See my blog post on it for more details.
Following that are all the nice things, having my name on the advisory alongside James Forshaw (really admire his work), followed by extremely talented researchers on X, a chat with one of the strongest research teams’ CEO and more.
It’s really nice, and I like that feeling of contribution.
Try not to let opportunities fly by.
The theme of 2023 has changed from fruitless anticipation to growth.
stay legal and grateful.
2023-09-04
September.
Although just less than 2 months from the end of my military conscription, I’m not nearly as happy as I previously envisioned.
Partly because there’s things on my back, also because I’ve learnt not to anticipate.
Just live everyday fully, don’t think into the future.
It’s my responsibility to deal with my fuck ups.
On the bright side, I’m probably gonna get an opportunity to do research with industry professionals.
I’m really grateful and happy for the opportunity.
Doing the thing I enjoy, with like-minded people, and of actual value. Never experienced that before.
Even being inside the office and listening to people discussing security stuff behind just brings a smile to my face, idk.
Will definitely try my best to contribute to the team, and I’m eternally thankful for this first opportunity.
August-September is a break month for me as usual.
The same time last year was spent on grinding 王者荣耀, this year on 永劫无间.
The minimal time I’ve spent learning was looking at how to interact with COM and RPC. Those turned out to be really useful.
September 1st I’m back studying.
Coincidentally k0shl published a blog post on a Windows LPE, so I went ahead to write an exploit for that.
Through this I learnt 2 lessons.
Don’t be daunted by fancy names. The component is called “Key Isolation in Cryptography New Generation”… something I would previously never have looked into because I know nothing about cryptography. Turns out the bug was just a textbook double API race condition. That rang a bell in me to always think like a magnifier. Although implementation level bugs are super cool, sometimes zooming out and focusing on the flow and object management can also net bugs. Also never judge a component by its name or perceived functionality. We are binary exploiters, and can find bugs if it is a binary.
Researchers have their own style, and it results in specific types of bugs. Some hook up procmon and trigger all interface/APIs. Some hunt for constructor/destructor interfaces and check for proper synchronisation. Some look for parser components and fuzz away. I think I should be conscious of all these styles and always perform those. Like how a pentester follows a checklist, I’m starting to get a faint idea of my checklist for software bugs. Of course compared to implementation level bugs, these are all low hanging fruits. Having a proper understanding of the component is still the most important.
The road ahead is kind of fuzzy(no pun intended), and I guess the best thing to do is to just go ahead.
If you’re trapped in fog and can’t see which way to go, just walk a few more steps forward. At least when the fog lifts you’ll have made some progress.
Forgot where I saw this from, but think it makes some sense.
Appreciate.
2023-09-22
Realised that I wasn’t “not happy”, but in fact I wasn’t allowing myself to be happy.
I had(and still have) this idea that feeling super happy is going to make my retributions catch up to me and ruin everything.
As dumb as it sounds, I’m quite paranoid of that.
On the other hand keeping myself in check is allowing me to feel more gratitude consciously.
I fully acknowledge the luck and blessings in my current life, and it’s as good as it can get.
On one hand I understand that problems and pain are inevitable and I should learn to live in harmony with them, therefore be bold and trusting in the future. However that’s also making me crave for the present, for the comfortable present to stay forever.
Weird right?
The only way to combat that is to constantly remind myself to stay in the moment.
The feeling of powerlessness arises when you drift beyond yourself.
I’m guessing you skipped all that above because you came to see my study plans these weeks.
Led my team to revamp some years old spaghetti telegram bot code for conscription, and now it looks much more organized. Coding is really fun when you’re in control, of styles and everything. Every block is like an artwork.
During my free time I watched some talks like https://www.youtube.com/watch?v=OuL-7GPhhAQ and read the source code of the Jackalope fuzzer. I’ve written a code review for it, coming out soon.
Initially I wanted to write a fuzzer from scratch, but after some thoughts realised that it was not a good use of time. 1. I have no novel ideas to contribute, so I’ll just be re-inventing the wheel. 2. Modern fuzzers are customizable, and I can understand it by reading. My leader also suggested that manual review finds the best bugs, oh well.
Was also listening to my friend Xu talk about his job hunting experience. He slacked off during his college days, and now spends so much effort travelling around provinces to attend company open days to pass his resume to them. The attempts are hitting triple digits and still no positive callback yet. To whom it may concern, his advice is: Get some work experience at real companies during college if you can. Everyone wants workers with prior experience, but no one is willing to provide it. Society is harsh.
To future me:
Microsoft Copilot is coming out soon.
That’s a cool new attack surface to explore.
2023-10-22
Begin
Another month has passed. This time it really is a full month.
This seems to be the longest gap between updates this year, naturally because this has been the busiest month of the year.
Why is today’s rambling different from usual? No particular reason; writing in Chinese just feels smoother. Actually, when I think and talk to myself it’s usually in Chinese, unless I’m thinking about English books or films. In earlier updates I’d deliberately convert to English, but looking back there was no need.
This is actually what I personally consider the biggest advantage of a blog over other channels: no push service. Push-related business has always been an area that social media platforms research heavily, in order to deliver precisely what a user has in mind to the screens of other users with similar ideas. The intention is good; the implementation is not simple. People have always been contradictory. Everyone wants to be the steady type whose views stay consistent from start to finish, yet nobody can avoid double standards.
I’ve digressed. The conclusion is that if a reader reads today’s rambling on this blog, they must have actively searched for my domain, clicked the first result, scrolled to the very bottom, discovered that I updated the “Collected Nonsense” and perhaps even opened the translation feature, before my words could merge with their thoughts. There is no coercion, pressure or forced feeding anywhere in that chain of actions, so naturally it won’t provoke strong emotional swings. For example, if you see some idiot’s post on Twitter, you can’t help thinking: “Damn, X Corp’s employees work themselves to death on overtime and pour huge sums into refining the algorithm, just so I can see this worthless paragraph of yours?” But if you are actively browsing his blog, you’ll probably just think it doesn’t match your views and close the page, and might even reflect on it rationally and gain something.
Speaking of rational thought, friends who think rationally will certainly also conclude that the nonsense I just spouted is all to cover up my social anxiety and lack of confidence; I’m just making an excuse for not daring to speak in places where everyone can see. Since gaining followers on Twitter, I’ve become reluctant to post life updates or ramblings. I feel these people surely didn’t follow me to read this garbage but to get security-scene news or vulnerability-related pocs. So I have nowhere left to speak! A blog ultimately lacks interaction. Ideas must collide and people must socialise; that’s an unchanging rule no matter how much you hate it or want to escape it.
Last month I unofficially joined a company; the work is roughly weaponising some kernel vulnerabilities. A month in, it has gone fairly smoothly, and there were some particularly cool techniques I’d like to record, but they might trigger confidentiality rules, so they won’t go on the blog for now. Maybe once I formally join there’ll be a chance to publish them. The plan should be to move me into vulnerability hunting, which is actually the role I personally aspire to, since it exercises creativity more. But from a business perspective there’s really no need for that many fresh 0days, especially in my LPE direction, and especially no need to train a newcomer (just poach someone and be done with it). The bulk of revenue still comes from products and red team services; a 7.8-rated 0day is worth less than a weaponised 9.8-rated nday. So I’m truly grateful that the boss is giving me this opportunity and supporting me in doing what I love. Next year I should personally focus on researching some remote bugs and create some value.
I won’t look too far ahead. The world changes too much; being well today is a blessing.
Live within arm’s reach.
2023-11-15
By my count I’ve been on the job for two weeks now. Although due to travel plans I’m currently only a contractor, I’ve started living the nine-to-five, report-in-every-day life. The only complaint I can think of is that contractors don’t get licensed software or top-tier equipment, but I don’t really mind, as long as the code loads. Also the one-way commute is an hour and a half every day, but that’s my problem, not the company’s. Doing my own research every day, playing half an hour of table tennis with colleagues after lunch: a heavenly life.
Although the boss hasn’t set me any targets and I’m completely free to do as I like, I do feel some pressure. The entire first week was spent swapping and repairing equipment. The machine kept blue-screening and I reinstalled Windows no fewer than five times, but fortunately there are always more solutions than difficulties, and it’s stable now. But because I did nothing in the first week, watching the colleagues who hang out with me every day all find bugs, I still feel a bit ashamed. Today also happens to be Microsoft’s Patch Tuesday; when will my name have a place on there? I’ve been auditing this driver for the better part of a month now. Honestly, progress isn’t great; reading it you can feel the style is fairly rigorous, and because of its structure it isn’t easy to fuzz. My manual auditing speed needs to improve.
About improving, I do have ideas. I think the problem is still that my understanding of the various drivers isn’t deep enough. If I want to find driver bugs I should deeply understand how that functionality is implemented. My plan is to implement each kind of driver once, from keyboard and disk filters, to a simulated file system, to Bluetooth interfaces; I should write a small demo of each. Not only will it help me think from a developer’s perspective about which parts are complicated to implement (where logic bugs may lurk), it will also speed up reversing. Of course I can’t do this during work hours, so I’ll have to slowly do it on weekends. I think it’s worth it.
Recently I’ve met quite a few colleagues and get along well with all of them. After all we’re all about the same age, with no competitive relationship, so we got familiar within a couple of days. The one who impressed me most is a researcher who used to do iOS and has now switched to Android. (I think) he only switched a month or two ago and has already produced results. If I make no progress in my current direction, I might also be assigned to Linux-related research (sigh). Whether I could adapt as quickly as he did would then be the question.
Writing this I suddenly started thinking again. How on earth do you find memory bugs??? There are just two options: fuzzing and code audit. If the current driver were to be fuzzed, the only possibility would be to find the various mini parse functions and attack them with snapshot fuzzing. But I haven’t done so because the functions are really too limited. There’s neither logic that’s hard to grasp at a glance nor layer upon layer of nested calls. Every time I want to reverse a bit and hand it to the fuzzer, I’ve unknowingly reversed most of it already… Until I find genuinely fuzzable functions, it’ll probably continue like this. I believe blind fuzzing yields no returns. So that leaves only manual audit. It isn’t my strength, because I get impatient too easily. When I hit a long function I want to skip the front and jump straight to the back, and in the end I not only waste time but also leave the pseudocode annotated in a mess. I must remember: until I’ve developed muscle memory and a super bug sense, honestly reverse line by line, from start to finish, and for complicated parts attach a debugger and guess. The only thing allowed is jumping around to find system API calls to infer structure member types. In short, any out-of-order work must serve understanding the current line of code, not taking a shortcut. Burying my head and grinding is undoubtedly inefficient, but constantly thinking about the big picture is also exhausting. I think the most effective approach is to think at the macro level, before starting work and after finishing each day, about the analysis that day should cover. Then while analysing just obey completely and don’t overthink.
At the macro level I already have an approach for auditing the current driver; all I need is focus and the patience mentioned above. Give it another month, and I refuse to believe no bug will come out! If the boss says to switch to other drivers, then start with variant analysis from existing bugs. Use other people’s existing research as a base to understand the driver’s functional areas and the components that have had bugs before. Then think for myself about whether there are new angles of attack.
The confusion and lack of confidence in research mostly come from a lack of thinking. When you mechanically analyse function after function every day and still can’t find a bug, you start doubting your ability. But actually, as long as you stop now and then to think about what other entry points there are and whether what you’re doing now is the best choice, there’s nothing to be confused about. If what I’m doing is the most sensible auditing method, then just do it with peace of mind! Every month’s Patch Tuesday is the best exam. If I’ve looked at a component and found no bug, I should consider whether I don’t understand the vulnerability principles well enough. If I’ve looked at the driver but not that component, I should consider why other researchers chose the entry point they chose and found a bug there, to deepen my own bug sense.
The contract expires at the end of the year. I very much hope to be hired as a full-time employee and continue researching, but if I can’t produce any results I’d be embarrassed to ask the boss. Thinking about it now is pointless; the boat will straighten itself when it reaches the bridge.
Bounty hunter, go!
2023-11-21
OK, I lied. I didn’t follow the step-by-step manual audit I wrote about last week, because I read the P0 blog and thought it made a lot of sense: when facing a completely unfamiliar format with no source code, brute-force reversing isn’t wise.
So I started writing a fuzzer. My current fuzzing approach is simple. First, before fuzzing you have to anticipate roughly what kind of bug is likely to appear in which operation, and fuzz with that target in mind. If instrumentation can be hooked up, it must be. If it can’t, use the program’s own validation functions to generate inputs, which avoids a lot of useless mutations. How to mutate isn’t actually that important. Next is the corpus. Grab as much as you can, then minimise it all and use it. If there’s nothing online, generate it yourself. Here, push the entropy as high as you can: fill in every supported option when generating, and ideally reverse a bit to see whether there are undocumented ones and fill those in too. Finally, the trigger. Again, the higher the entropy the better. First reverse a bit to collect all supported interaction features, then randomly invoke all of those related to the sample. Open a few more threads and you can fuzz race conditions at the same time. While fuzzing, turning on page heap or special pool is basically enough. One trick I learned from Mateusz Jurczyk is don’t hard-code. Since fuzzing is fundamentally about randomness, add as much randomised logic inside the fuzzer as you can. For example, if some target function runs particularly slowly and isn’t suited to fuzzing, don’t remove it entirely; make it run with a small probability.
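To make the approach above concrete, here is an added C example (not the author’s fuzzer; the file format, its checksum, the trigger names and the weights are all constructed for this example) showing two of the points: mutations that pass the target’s own validation, here by re-sealing a checksum after mutating, so they reach the parser instead of being rejected at the front door, and weighted trigger selection that keeps a slow trigger in the mix at about 1%:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy format for the example: 4-byte magic, 1-byte record count,
 * records, then a 1-byte XOR checksum over everything before it. In a real
 * harness the target's own validation routine plays the role of input_is_valid. */
#define MAGIC   "FZ01"
#define MAX_LEN 64

static uint8_t checksum(const uint8_t *buf, size_t len) {
    uint8_t c = 0;
    for (size_t i = 0; i < len; i++) c ^= buf[i];
    return c;
}

int input_is_valid(const uint8_t *buf, size_t len) {
    if (len < 6 || memcmp(buf, MAGIC, 4) != 0) return 0;
    return checksum(buf, len - 1) == buf[len - 1];
}

/* xorshift64: tiny deterministic PRNG so a run is reproducible from its seed. */
typedef struct { uint64_t s; } rng_t;
uint64_t rng_next(rng_t *r) {
    uint64_t x = r->s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return r->s = x;
}

/* Byte-level mutator that leaves the magic alone and re-seals the checksum, so
 * the mutated sample survives the front-door validation and hits the parser. */
size_t mutate_and_fix(uint8_t *buf, size_t len, rng_t *r) {
    int n = 1 + (int)(rng_next(r) % 4);              /* 1..4 mutations */
    for (int i = 0; i < n; i++) {
        size_t pos = 4 + (size_t)(rng_next(r) % (len - 5)); /* skip magic and checksum */
        switch (rng_next(r) % 3) {
        case 0: buf[pos] ^= (uint8_t)(1u << (rng_next(r) % 8)); break; /* bit flip */
        case 1: buf[pos] = (uint8_t)rng_next(r);                 break; /* random byte */
        case 2: buf[pos] = 0xff;                                 break; /* boundary value */
        }
    }
    buf[len - 1] = checksum(buf, len - 1);
    return len;
}

/* Interaction features collected by reversing, as the post describes. The slow
 * one stays in the table but is weighted to fire roughly 1 time in 100. */
enum { TRIG_OPEN, TRIG_READ, TRIG_RENAME, TRIG_SLOW_REBUILD, TRIG_COUNT };
static const unsigned trigger_weight[TRIG_COUNT] = { 33, 33, 33, 1 };

int pick_trigger(rng_t *r) {
    unsigned total = 0;
    for (int i = 0; i < TRIG_COUNT; i++) total += trigger_weight[i];
    unsigned roll = (unsigned)(rng_next(r) % total);
    for (int i = 0; i < TRIG_COUNT; i++) {
        if (roll < trigger_weight[i]) return i;
        roll -= trigger_weight[i];
    }
    return TRIG_OPEN;
}

typedef struct { unsigned valid, slow_hits; } fuzz_stats;

/* One fuzz campaign over a constructed seed sample. Counts how many mutated
 * inputs still pass validation and how often the slow trigger was chosen. */
fuzz_stats fuzz_loop(unsigned iters, uint64_t seed) {
    static const uint8_t seed_sample[] = { 'F','Z','0','1', 2, 0x10,0x20, 0x30,0x40, 0 };
    uint8_t buf[MAX_LEN];
    rng_t r = { seed ? seed : 0x9E3779B97F4A7C15ull };
    fuzz_stats st = { 0, 0 };
    for (unsigned i = 0; i < iters; i++) {
        size_t len = sizeof seed_sample;
        memcpy(buf, seed_sample, len);
        buf[len - 1] = checksum(buf, len - 1);        /* seal the seed itself */
        len = mutate_and_fix(buf, len, &r);
        if (input_is_valid(buf, len)) st.valid++;
        int t = pick_trigger(&r);
        if (t == TRIG_SLOW_REBUILD) st.slow_hits++;
        /* a real harness would now hand buf to the target and fire trigger t,
         * ideally from several threads so lock ordering gets exercised too */
    }
    return st;
}
```

The point of re-sealing rather than filtering is throughput: every mutated input reaches the code you actually want to test, and the checksum routine, pulled from the target, costs nothing to keep correct. The weighted trigger table is the “don’t hard-code” rule in miniature: change the weights, not the code, when a trigger turns out to be too slow or too noisy.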
So far a few OOBs and DoSes have come out; looking forward to going deeper.
S = k ln Ω
2023-12-26
Exactly one year ago I started this Prelude section, and I’m not regretting it at all. It’s always nice to have some kind of record to look back to and say “hey i’ve gone so far”, and give yourself a pat on the back.
Looking back at my resolutions, I can proudly say I achieved all… but two. I intended to learn japanese but realised that I couldn’t focus on two things at once. In the end I picked security and that’s fine. Another goal was to master c++, but I realised that c++ just feels bad to write. That being said I’ve learnt enough to navigate around decompiled c++, and I can code it slowly if necessary. Wouldn’t call it a win, but I respect my choice. In January, I knew nothing about fuzzing, couldn’t reverse engineer shit, had no idea what a driver was and was uncertain on whether to do red teaming or web or binary, on Windows or Linux or whatever. I had no experience finding bugs, found none and could only follow well documented trails of others. Now I’m employed to do security research, have some kernel 0days, a little intuition on how to hunt and a custom fuzzer. The point I’m trying to prove is a year is a long time, and your goals may not be as far away as you think.
Another thing is luck. I’m never saying stuff to maintain a humble image in this section. Everything is raw and real. I am extremely lucky to end up in the position I am in now. I’m so lucky I think I might have used up my luck for the next few years. If you read the previous months’ posts you’ll get a sense of how lucky I was. It prompts me to believe in the parallel universe theory, where some me in another universe experiences the bad luck I’ve avoided. I’m really sorry for that. The takeaway here is: things can always take a turn for the worse, and there’s no end to how horrific it can get. Please be thankful for what’s present in this moment, don’t anticipate too far into the future, and accept that sufferings are always going to come and you will deal with them, like all the other people that have dealt with their share of sufferings. It may or may not be your fault, but it’s your responsibility to deal with it for yourself. Please don’t fall into the mentality that someone or something will appear to make stuff better!
In June I said:
I also have this image of a perfect future, where a few friends and I stay at a cosy apartment, do some security research/ctfs and play sports daily.
Now I have some amazing friends in the company, and we do security research and play table tennis daily.
Life has never been better, and I’m super grateful to be alive. As for the future, resolutions of 2024 will come soon.
Thank you 2023.
Happy-go-lucky
2023-12-31
New Year minus 1 day!
Was about to go to sleep, but thought it would break the rules not to post something on the last day, so I fought off the drowsiness and opened the laptop.
So let me briefly write a bit of planning for 2024.
In the first half of the year, barring surprises, I should work honestly and hit the monthly targets.
Beyond that I hope to dig into COM and try to produce a few COM-related bugs. To the current me COM really is like witchcraft; intuition tells me there must be many little surprises in there waiting to be dug up, just waiting for me to understand it more deeply. On the kernel side I’ll also keep poking with the fuzzer I wrote; I’m fairly confident in that. The goal is to still have a usable bug in hand when P2O Vancouver comes around. Otherwise I’ll try to submit to a conference, which feels like fun. Also I need to get a driver’s licence, before July.
In the second half of the year I start university.
That’s too unfamiliar to really plan for. Broadly speaking I hope to make a few friends and hope my housing request gets approved. Nothing else to think about; as the saying goes, the boat will straighten itself when it reaches the bridge.
In my spare time, research some remote stuff and play some football. That’s it for now.
I know life won’t be as clean as planned. What I have to consider each day isn’t just the pure things like studying hard and vulnerability research.
There will always be troubles you could never have imagined. Everything that exists now will change too, for better or worse.
If I had to carry one piece of advice out of 2023, it would be “Live within arm’s reach”.
Only the things you can touch, yourself included, can bring a sense of security, are controllable, and are worth treasuring.
Also, be a good human being, and then a law-abiding good citizen.
Nonsense over. Good night!
2024-01-21
Hello from January.
About last week I received a message from someone saying how he found this section inspiring. I’m happy to hear that someone other than myself enjoys reading my nonsense. In that spirit I’ll continue this section for 2024 and regularly update what I’m up to. It’s also a good way to practise english since I barely use english nowadays.
The plan was to study COM in January, which I did for a week. Then p2o vancouver’s schedule was announced and I no longer have an entry ready, so I decided to dedicate the next <2 months on auditing <redacted>.sys to try and get an entry. I’m optimistic, let’s see how it goes. There was going to be a series of blog posts on COM, but that will have to wait too. Besides that I’m focusing on understanding more heap internals this year so I can improve my bug->exploit conversion rate. Gonna do some deep reversing into usermode and kernelmode heap internals, and maybe make some posts on those. Some other ideas I have is to make an automated tool to find heap exploitation gadgets(sprayable allocations that yield powerful primitives), as well as a patchdiff bot. Whoever’s reading this can try these projects too if you find them cool!
That being said all of these are expectations that I hope to achieve in the future and have not done yet. I normally dislike writing about stuff that I haven’t finished, because it messes with your brain and tricks it into believing you’ve done the things, leading to a decrement in motivation when actually doing them. On the other hand I don’t want to feel controlled by the brain, so here I am declaring them regardless. Also because I didn’t do much since January. I watched a cdrama called 繁花, went out a few times and started learning driving, kind of a typical pre-U life. Security wise I read on some COM, wrote a 1day exploit and spent the remaining time thinking of what to do. Now I’m done thinking, and the work starts.
-59day
2024-02-02
These weeks felt different.
CNY falls on the 9th of February this year, and since 22nd Jan I’ve been thinking “the next week is CNY”. In reality there are 3 full weeks to go. But I’m not saying time passed slowly, because time flies at work. As a result the weekends also feel much longer compared to when I was in conscription.
Last week vnsec hosted a ctf. I gave some suggestions to one of the challenges while in beta, so I knew the quality and solvability of it. It was a realistic windows kernel pwn, without unnecessary twists or weird constraints, just like how an educational ctf should be. Unfortunately no teams solved it during the competition. That’s kind of disappointing because it could only mean most people don’t bother to do windows stuff, maybe they think it’s troublesome to set up or it’s a consensus among ctf teams to boycott windows challenges idk. The point is linux is still dominant in the ctf scene, and ctf is where most people get started doing security right? It’s difficult to think anyone started security otherwise, like drafting contracts or ROEs. By over saturating the pwn category with linux challenges, it forces people to go deep into linux stuff without having the privilege to think and choose. When they wanna switch to macos or windows there’s a certain sunk cost to it and it discourages the exploration. I think the diversity is missing. It’s unlike me to be concerned about problems of this scale, but my suggestion to newcomers is to explore and try not to get locked in to what the “meta” is, if you’re just doing ctfs to learn.
Also I suddenly have some thoughts regarding courses(context: expensive(relative) live trainings). For starters courses are the best thing to exist. You get condensed and easily accessible information that might come from months of research. Sometimes you get to interact with giants that created them through live lessons. An unintentional sentence could inspire you to do your own research or shift the way you approach a topic. The only downside is really just the cost. Monetary cost I mean. When you start thinking about value-for-money, or ROI, then lots of calculation is involved and you start getting hesitant. For myself at least, I’m unable to accurately put a pricetag to my time and energy. Let’s say there’s this expensive course out there that you could learn something, but you may learn the same from doing a month or two of deep dive. How would you decide? Maybe you can learn deeper or have better retention if you did the deep dive, maybe the course contains experience that you’re not capable of summarising by yourself, maybe it contains insider information. Who knows? The syllabus doesn’t tell, and other people don’t walk your path so it’s hard to quantify what they’ve learnt without revealing too much. I personally can’t convince myself to take those courses on my own money, despite framing it as an investment. I’ve not tagged a price range throughout the discussion because everyone values money differently and it’s pointless to discuss an absolute amount. The reader can apply the scenario to your own context and think about it. I’m still undecided on whether I should take these courses. If I (fantasy time) had the luxury to learn anything I want, I sure will take every single course out there slightly related to my field. It’s always good information, just more or less. In reality I can’t give any advice about money, or the proportion to invest, or how to invest(in yourself). I’ve not figured that out yet. 
Though I can confidently say: try to do something to improve yourself every day. A co-worker said "if a person improves every day it's really scary". Try to be scary.
I'm sounding more and more like someone who writes motivational chicken-soup literature. Damn.
While typing I accidentally wrote the date as 2022. I guess I'm still living in 2022.
2024-02-12
Happy New Year!
The Lunar New Year post naturally has to go out in Chinese; apologies to my friends abroad.
I meant to send New Year greetings on the first day, but I didn't open my computer until the third, so the third it is. A nine-day break started the day before yesterday; the last time I had a break this long was at the end of 2021 after finishing A-levels. That was only twenty-odd days, and then I got hauled off for national service. During service there were only fourteen days of leave a year, which made me really miss the winter and summer holidays of student life. Ninety-plus days off a year is truly blissful. My biggest wish in those two years was to lie at home for eight months after discharge until school started, and once I was so bored I felt restless and sick, go abroad for a wander, pick up odd jobs and ride trains from south to north. The reality was that discharge connected seamlessly to a job 💼, so to this day I've never experienced being bored out of my mind.
What is everyone doing for the New Year? Lots of friends my age went back to China for it. Back in school, term had always started by New Year, and in future years it will again, so this year is actually the best year to go back for it. Unfortunately, because of some issues in my family, it isn't a good time to go back this year. If I had been born three or four years earlier it probably would have been a very happy trip home. So this year, as always, I'm spending the New Year in SG. The itinerary barely changes from year to year: wrap dumplings and watch the Spring Festival Gala on New Year's Eve, send cyber-greetings and lie around until evening on the first day, go out with family on the second, meet friends for a meal on the third. Then on the fourth everyone usually goes back to work 🤪 and the New Year is over. I think this pace is just right, neither too tiring nor boring.
Before the New Year I looked into exploitation a bit and worked out a universal technique that I personally think is pretty awesome. Roughly, it turns a pool overflow where neither the content, the length, nor the chunk size is controllable into unlimited arbitrary read/write at low IL, and it won't be weakened by at least the next two major versions. I don't know in what form I'll share it; hopefully not by colliding with some APT and then having them get caught (WNF, I'm talking about you). I think quite a few people have similar exploits prepared, since everyone knows what's going to be mitigated and is just waiting for Microsoft to act. By then people doing n-days might be a bit more in demand, unlike now when n-days are everywhere; in the words of the phone guy 👴 at the next desk, it's just too primitive.
After the New Year, back to the main quest: grinding on p2o. Thoughts like "it's February and I still have nothing, I may not make it in time" are theoretically correct, but you absolutely must not think that way. After all, this isn't something willpower can solve.
Recently, while explaining my job to my elders, I came up with a very fitting analogy: archaeology.
I don't think anything resembles it more; savour it.
2024-02-18
It's been long since I've updated the main blog, but I don't have any meaningful content that I can write at the moment without involving other stakeholders. I figured I'll just write some basic tips for C++ reversing, because I don't see reversing being discussed enough for bug hunting. It's not cool enough to live as a post on its own, so I'll have it here. The context is plain, unobfuscated Microsoft driver reversing with a PDB. Nothing advanced.
First open up the local types view in IDA.
This is essential because we’ll be creating many types to aid our understanding of the program.
For better organisation I like to put custom types into their own folder: right click anywhere in the Local Types pane and select Show Folders. You can also group types according to their usages.
Assuming we have the following function:
```
CClfsLogFcbPhysical *__fastcall CClfsLogFcbPhysical::CClfsLogFcbPhysical(
```
It's not difficult to spot that this is a constructor even if the name is not present, because we see fields being initialised to zero and several vtable pointers being stored into the object. Vtables exist only when the class uses virtual methods.
C++ code that looks like:
```
class CClfsLogFcbCommon
```
will look something like this in IDA:
```
__int64 this = malloc(0x8);
```
That’s pretty readable and we can leave it as it is.
However, if the above method is virtual, IDA will show something like:
```
__int64 this = malloc(0x10);
```
This is unacceptable, as we have no function name to infer program logic from, which will hinder future reversing efforts.
To understand the above IDA output we need to know how a vtable is laid out in memory. This is compiler specific and I can only speak for the MSVC compiler. The vtable is an array of function pointers housing all the virtual methods of a class.
A polymorphic class object (one with virtual methods and no virtual bases) always begins with a pointer to its vtable:
```
*(_QWORD *)this = &CClfsLogFcbPhysical::`vftable'{for `CClfsLogFcbCommon'};
```
This is why IDA dereferences the this pointer to find the vtable, then calls the first and only function in it.
When multiple inheritance is present, such as:
```
class Derived: public Base1, public Base2, public Base3
```
the object begins with a pointer to Derived's copy of Base1's vtable, followed by Base1's members, then a pointer to the copy of Base2's vtable, Base2's members, and so on, with Derived's own members last. If Derived declares any virtual functions of its own, they are appended to the copy of Base1's vtable after Base1's methods. If it overrides inherited virtual functions, the overriding function replaces the original in place in the respective vtable copy.
IDA doesn't support classes, but it does support structs and struct inheritance.
The proper way to define a C++ class in IDA is to mark the struct with the __cppobj attribute, which lets IDA lay the object out in memory the way a C++ compiler would.
For example, we can define the following for an interface:
```
struct __cppobj IFcbCancelIo
```
IDA expects the vtable type to be named CLASSNAME_vtbl and the member holding the vtable pointer to be named __vftable, so that it can properly recognise the vtable:
```
struct /*VFT*/ IFcbCancelIo_vtbl
```
To represent inheritance we need to use struct inheritance:
```
struct __cppobj CClfsLogFcbPhysical: CClfsLogFcbCommon, IObservable, ILogManagementSupport
```
After retyping:
```
CClfsLogFcbPhysical *__fastcall CClfsLogFcbPhysical::CClfsLogFcbPhysical(
```
And we get actual method names:
```
initializedLogFcb = CClfsLogFcbPhysical::CClfsLogFcbPhysical(logFcbPhysical, TableContext);
```
The CLASSNAME_vtbl naming tells IDA how to name and type vtable functions when it sees them. The full naming form is actually CLASSNAME_HEXOFFSET_vtbl, where HEXOFFSET is omitted (treated as 0) by default, since the first vtable pointer is always at offset 0.
Why is this important?
Let's say we have the following:
```
class Base
```
And we type it in IDA like:
```
struct __cppobj Derived: Base
```
Notice that we have no place to type the overridden method for the derived class. Because we rely on IDA struct inheritance, we have to use the CLASSNAME_vtbl naming so that IDA knows some methods are overridden and uses the derived class's definitions. We can even go against the rules of C++ here and give an overriding function a different name, if that helps you label your code better:
```
struct Derived_vtbl
```
Although this Derived_vtbl is not referenced anywhere in the Derived struct, IDA will identify it automatically by name.
If we inherit from two base classes and override a method in the second base class's vtable, we create another structure named CLASSNAME_0008_vtbl, because in that example the second base class's vtable pointer is at offset 0x8 (which assumes a 64-bit target and a first base holding nothing but its vtable pointer; use whatever offset the layout actually gives).
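As an added illustration of the layout rules above (example code written for this page, not code from the post and not from clfs.sys; all class names are hypothetical): three polymorphic bases, a derived class that overrides a method of the first base in place and adds one virtual of its own, a helper that reports where each base subobject (and therefore each secondary vtable pointer) sits, and a helper that calls through a hand-read vtable slot the way untyped decompiler output does. The post states the rules for MSVC; for this particular shape (no virtual bases, only a primary-base override plus one new virtual) GCC and Clang on x86-64 produce the same subobject offsets and slot order, so it compiles and behaves the same with either toolchain. The example deliberately avoids overriding a method of a non-primary base, because whether such an overrider also gets a slot in the primary table is ABI-specific.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical classes (not from clfs.sys) mirroring the layout discussed above:
// three polymorphic bases, plus a derived class that overrides a method of the
// first base in place and adds one virtual of its own.
struct Base1 { virtual int b1() { return 1; }  uint64_t m1 = 0x11; };
struct Base2 { virtual int b2() { return 2; }  uint64_t m2 = 0x22; };
struct Base3 { virtual int b3() { return 3; }  uint64_t m3 = 0x33; };

struct Derived : Base1, Base2, Base3 {
    int b1() override { return 100; }  // replaces slot 0 of Derived's copy of Base1's vtable
    virtual int dnew() { return 4; }   // new virtual: appended after Base1's slots (slot 1)
    uint64_t md = 0x44;
};

// Byte offset of a base subobject inside Derived. This is where IDA finds the
// second and third vtable pointers, and the number that goes into names such as
// Derived_0010_vtbl / Derived_0020_vtbl.
template <typename B>
size_t base_offset() {
    Derived d;
    return static_cast<size_t>(reinterpret_cast<char *>(static_cast<B *>(&d)) -
                               reinterpret_cast<char *>(&d));
}

// What the untyped decompiler output literally does:
//   (*(__int64 (__fastcall **)(void *))(*(_QWORD *)this + 8 * slot))(this)
// Read the vtable pointer at offset 0 of the (sub)object, index the table, call.
// Deliberately ABI-dependent: `this` is the first integer argument on MSVC x64
// and on the SysV x86-64 ABI, which is exactly what the decompiler assumes.
typedef int (*vslot_fn)(void *thisptr);
int call_vslot(void *obj, size_t slot) {
    void **vtbl = *reinterpret_cast<void ***>(obj);
    return reinterpret_cast<vslot_fn>(vtbl[slot])(obj);
}

// Helpers that build an object and call through a slot, for checking the layout.
int slot_via_derived(size_t slot) { Derived d; return call_vslot(&d, slot); }
int slot0_via_base2()            { Derived d; return call_vslot(static_cast<Base2 *>(&d), 0); }
int slot0_via_base3()            { Derived d; return call_vslot(static_cast<Base3 *>(&d), 0); }

int main() {
    printf("sizeof(Derived)=%zu  Base2@%#zx  Base3@%#zx\n",
           sizeof(Derived), base_offset<Base2>(), base_offset<Base3>());
    printf("primary slot0 -> %d  (Derived::b1, overridden in place)\n", slot_via_derived(0));
    printf("primary slot1 -> %d  (Derived::dnew, appended after Base1's methods)\n", slot_via_derived(1));
    printf("Base2 copy slot0 -> %d, Base3 copy slot0 -> %d (untouched)\n",
           slot0_via_base2(), slot0_via_base3());
    return 0;
}
```

Reading it against the IDA conventions above: the vtable pointer at offset 0 is what __vftable in a `struct __cppobj Derived: Base1, Base2, Base3` covers, the pointers at 0x10 and 0x20 are the ones a Derived_0010_vtbl / Derived_0020_vtbl structure would describe, and slot 1 of the primary table is the place where a Derived_vtbl definition lets you name dnew even though Base1's own vtable type has no such entry.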
That’s all :)
2024-03-13
March
Don't have any good news this time! Just some happenings that I can't talk about in too much detail.
Yesterday p2o registrations closed, and I did not manage to come up with an entry in time. It kind of sucks that I can't contribute to my team, but I've figured out the reasons along the way. The problem is about switching targets. I switch targets too much, for reasons partially my own and partially uncontrollable. Maybe two months ago I said I was gonna work on <redacted>.sys. Well, I switched like 4 targets since then, and that's a terrible idea. One lesson learnt: deep diving produces results and switching around does not. With less than 2 weeks left before registration closed, I started opening random drivers in IDA to throw at the fuzzer and look for dumb bugs. The result was 2 dumb bugs, but both were not good enough for the competition. Maybe I'll submit them soon to MSRC. Now it's time to really slow down and deep dive into a target. I could be focusing on finding new attack surfaces, like some unused features that are just on the edge of the bounty scope, but I don't find that cool. I'd prefer to focus on something many eyes have looked at, and enjoy the rigour of finding stuff others have looked at but not seen.
The Patch Tuesday was a bummer too, for reasons I can't say. Also Microsoft is getting more brute at patching, also for reasons I can't say. Aside from that, I was pretty surprised Naceri is working at Microsoft now. All I recall is him shitting on them and dropping 0days. His work was a great inspiration to me though, and I wish him the best in his new role. The old gods of logic bugs: Forshaw, Naceri, PolarBear.
clfs and cldflt haven't been pwned for 2 months already. I bet teams are stocking up for p2o. Baddest drivers of 2023. I'm pretty excited for the games; it's the most involved I've been and will definitely be a good learning opportunity.
Recently I've been thinking a lot about methodology and note taking. Not note taking for knowledge, but bug-hunting-oriented note taking. I'm certain the top researchers don't do everything in their heads. They must have some specific methodology for noting things down. Unfortunately I don't have the connections to ask around. Almost all my time was spent on coming up with and experimenting with different formats, different methodologies, different ways to abstract code to make it easier for the brain to mix and match. Feels kind of like coming up with a new martial art. You've got to be willing to give up your existing moves, give it the time, start slow, maybe against some dummy targets, and build up familiarity. Success may not come soon but it will come eventually.
2024-03-18
A record
"These feelings might have been left to memory; only, at the time, I was already lost."
0318 is a special date: the anniversary of a certain mobile game's server split. Taking the chance to look back on my youth.
2016-17: carefree. Boarding at school, I liked climbing out with my roommates in the early hours for night runs, banging the fence with a steel pipe loud enough to shake the sky, and sneaking back to the dorm when the guard came running. I was in an extremely hyped state all day long; my parents were called in five times in half a year, and I personally put a classmate who hadn't slept for three days into an ambulance. That kind of idiotic stuff could probably only have been done back then. Later I grew up and understood that privileges are only granted once you reach a consensus with those at the top; nobodies who jump around blindly get shot down in the end.
2018-19: unstoppable. After winning the national championship two years running at a certain mobile game's offline tournament, I took boosting orders like crazy and raked in the gold. 1v1 had fewer restrictions; I beat pro players on stream, topped the global leaderboard, got invited by LGD to go pro and turned it down, then worked as an analyst for other teams for a while. I also got to know a group of ridiculously good online friends, the people I've clicked with best to this day, and it was the happiest period socially. But people are always given too many relationships before they learn to treasure them; today I only keep in touch with one of them, and I probably won't experience that indescribable companionship again. This experience had the deepest influence: whatever I do, I want to hit the leaderboard, reach the top, chase thrills and adrenaline. And there's a sliver of hope of finding that kind of team companionship again.
2021: the centre of attention. After my cover songs got a little popular on a certain platform, likes regularly broke a thousand, and I experienced the busyness of 99+ messages every day: open the phone and it's a screen full of praise, open the inbox and it's people asking to add me on WeChat. Being put on a pedestal really is addictive. Later some fans organised a fan group on their own, and for the first time I felt what it's like to have everyone revolve around you while you do nothing, and to have people support whatever you post. It felt great, really, but the more you're held up the easier it is to get anxious, the more you fear falling, the more you self-examine, the more timid you become; I realised that a big introvert doesn't enjoy being a small-time internet celebrity that much. My personality at the time wasn't suited to running that persona, and one self-doubting day I deleted all the groups and closed the account, leaving it as a memory. Actually there was no need: if someone really admires you, even your farts smell sweet; if they don't, they can't be bothered with you. So now I lead with confidence: as long as you clearly know your own worth, you can be absolutely confident in front of others.
I'm bad at maintaining relationships; none of these experiences connect, and none carry into the next, as if I'd entered different people's bodies and lived three different lives, bringing nothing with me to today. My memory is also bad; if I hadn't dug out old photos I'd even doubt whether I imagined it all. But one scene is especially vivid in my mind. Spring Festival 2018, in my room listening to 舒又's covers on 全民, playing a friendly match against 送佬, Dad and Grandpa playing sanhu cards in the living room, Mum had just finished frying glutinous rice balls and called me to come out and eat, and I said no rush, no rush.
Nothing much to it, just a record. Everyone can just take it as me bragging.
If there's any takeaway, it's this: treasure the relationships and people around you with everything you have, and try to carry them into the next stage of life.
2024-04-19
Have the confidence to stay logical and sober at all times. Be the overarching caregiver of the self.
2024-04-22
It’s time for cp’s IDA tips again!
Register Misgauge
Sometimes when reversing in IDA we see these orange (undefined) variables that seem to pop out of nowhere.
One way to find out what they are is to read the disassembly to figure out where their values are populated. (Tip: press Tab to switch to the disassembly listing at the current pseudocode highlight.)
In this case we see r11d comes from DWORD PTR [rsi+0x28], which comes from QWORD PTR [rax], which comes from QWORD PTR [r15+0x30], and r15 is rcx, the first argument to the function (not shown in the image).
The true reason for the undefined value is that IDA assumed one of the preceding calls (in this case RtlULongMult_0()) will clobber r11, since r11 is a volatile register in the Windows x64 calling convention and nothing stops the callee from using it. Under that assumption, IDA could not explain the direct use of the register after the call, so it shows an undefined value.
The fix is to redefine the offending function's signature:
```
NTSTATUS __stdcall __spoils<rax, rcx, r9> RtlULongMult_0(ULONG ulMultiplicand, ULONG ulMultiplier, ULONG *pulResult)
```
By explicitly listing the clobbered registers with the __spoils keyword, IDA knows r11 is not touched and keeps the previously set value. Do this only after confirming from the callee's disassembly that it really leaves r11 alone (here the compiler itself relied on that, which is why the caller reads r11 after the call): declaring too few spoiled registers hides real clobbering and silently produces wrong decompilation at every other call site.
If we go back and refresh, the undefined orange highlight is gone, a new variable v10 is defined automatically, and everything makes sense.
This trick was shared by a coworker, grateful to him ;)
Shifted Pointers
This is quite a common problem as well, because in complex software you have structures pointing into other structures for various purposes. I don't have a sample of real code to show now, but I modelled a realistic scenario.
Assume you have some objects that are linked together through a singly linked list entry located somewhere in the body of each object.
You may think the entry should be placed at the start of the object and everything will be solved, but in real code this object can be part of many lists, thus needing many entry fields.
The issue is that IDA does not recognise this properly, even with proper structure definitions:
```
int __cdecl main(int argc, const char **argv, const char **envp)
```
Most of it is fine, but when dereferencing o2->Type for the second print, IDA was unable to infer that o1->Link.Next points somewhere into o2.
To solve this we just need to edit the structure definition for struct Obj:
```
struct Obj
```
The change tells IDA that the Link member points to an SLIST_ENTRY object that resides at offset 0x10 of the Obj object (a shifted pointer), so a dereference 0x10 bytes before it is a dereference of the containing Obj.
Going back and refreshing fixes the decompilation output:
```
int __cdecl main(int argc, const char **argv, const char **envp)
```
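As an added, runnable model of the scenario above (written for this page; not the post's own Obj code, which is not reproduced here): an object that can be on two lists, so its list entry lives at +0x10; the raw `*(ptr - 0x10)` read that an untyped decompilation shows; and the containing-record recovery that the source would actually write, which is what an IDA shifted pointer encodes. The SListEntry stand-in replaces the Windows SLIST_ENTRY so the code builds anywhere, and the `__shifted(Obj, 0x10)` declaration in the comment is the documented IDA syntax for such a pointer but is an assumption about the post's exact edit, which the post does not show.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Stand-in for the Windows SLIST_ENTRY (a single forward pointer), so this builds anywhere.
struct SListEntry { SListEntry *Next; };

// Hypothetical object (not the post's Obj) that can sit on two lists at once,
// so neither list entry can be at offset 0.
struct Obj {
    uint32_t   Type;       // +0x00
    uint32_t   Flags;      // +0x04
    uint64_t   Id;         // +0x08
    SListEntry Link;       // +0x10  Next points at *this field* of the next Obj, not at its start
    SListEntry AuditLink;  // +0x18  a second list the same object may be on
};
static_assert(offsetof(Obj, Link) == 0x10, "Link must sit at +0x10 to match the IDA declaration below");

// What the decompiler shows while Next is a plain SListEntry*: a dereference of
// (Next - 0x10) that it cannot attribute to any field of Obj.
uint32_t next_type_raw(const Obj *o) {
    const char *entry = reinterpret_cast<const char *>(o->Link.Next);
    return *reinterpret_cast<const uint32_t *>(entry - 0x10);
}

// The same read written the way the source would: recover the containing object.
// In IDA this is expressed with a shifted pointer on the entry's Next member, e.g.
//     Obj *__shifted(Obj, 0x10) Next;
// (assumed declaration; the post does not show its exact edit). After that the
// output reads o2->Type instead of *(DWORD *)(ptr - 0x10).
#define CONTAINING_RECORD_(ptr, type, field) \
    reinterpret_cast<type *>(reinterpret_cast<char *>(ptr) - offsetof(type, field))

uint32_t next_type(const Obj *o) {
    Obj *next = CONTAINING_RECORD_(o->Link.Next, Obj, Link);
    return next->Type;
}

// Insert b right after a on the Link list (Next stores &b->Link, i.e. b + 0x10).
void link_after(Obj *a, Obj *b) {
    b->Link.Next = a->Link.Next;
    a->Link.Next = &b->Link;
}

// Build a two-object list (constructed sample data) and read the second object's
// Type through either path; both must agree.
uint32_t demo_next_type(bool via_raw) {
    Obj a{}, b{};
    a.Type = 1;
    b.Type = 7;
    link_after(&a, &b);
    return via_raw ? next_type_raw(&a) : next_type(&a);
}

int main() {
    printf("raw read: %u  containing-record read: %u  (Next points at o2 + %#zx)\n",
           demo_next_type(true), demo_next_type(false), offsetof(Obj, Link));
    return 0;
}
```

The check to run in the real target before declaring a shifted pointer is the one `static_assert` stands in for here: confirm from the code that every producer of the pointer stores the address of the field (here `&b->Link`) and that every consumer subtracts the same constant, otherwise the shift you tell IDA about will be wrong for some of the list's users.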
That's all for today, and I hope you learnt something amidst my rants and fluff.
2024-05-01
Finally May.
April is probably cursed for me. Just like last April, I fell horribly sick again; I think it's gastroenteritis. Probably caused by some rancid food, and it only subsided after 4 sleepless nights and constant pain. Fuck being sick. It ruins my momentum and resets everything, and I'm really down and unmotivated now. The best thing I can do now is to reflect.
I’m really a weak individual in terms of mental strength. A bit of lasting pain is enough to get me all sad and lose the willpower to get out of the bed and do anything. Honestly full respects to those in chronic pain or disabilities. I won’t be able to stay strong for sure. Sometimes I wonder how I’ll be like if I lose my eyes or my legs. It’s a dangerous thought exercise that always leaves me in despair. On the other hand, is anything really a problem if you’re fit and healthy? It isn’t. You healthy folks should feel empowered as you are.
When I don't reflect on myself I reflect on security stuff. Do you face a similar problem? You think a lot, read a lot, have some thoughts and ideas, have a methodology/framework derived from logical reasoning, but it's not working as well as planned. You might think it's because the methodology is flawed or your reasoning is wrong, but listen, it might be because you're not FOLLOWING it. Sometimes you come up with a methodology after days of trying and tweaking and thinking, and you've not fully internalized it yet. You've got to re-read your thoughts as a whole, from the beginning, with a fresh mind. Then you can work on really understanding the core of the methodology. Sometimes you do understand the methodology, but you are a lazy person by nature and you always hope to rush to easy results. You hope to do the least work possible and pray for success. You believe you can skip certain steps or quickly go over them, or give up some options. When the results are not promising, you start doubting your methodology that's established through logic and reasoning. That's a dumb thing to do, because you didn't even follow it fully. You've got to acknowledge the core of the methodology and know which steps you should instead spend extra effort on, because doing those steps actually correlates directly to finding bugs (in a superficial way). Ask yourself if you even understand your notes, and the bug patterns you've seen. There's a difference between having knowledge, internalizing knowledge, and applying knowledge.
Gonna take a break, make a trip to the US for holiday, and hope to be back soon.(sorry boss!)