ITSEC Newsletter 2024-01-18

Weggli is a blazing fast semantic search tool for C and C++ codebases, designed to help security researchers identify interesting functionality in large codebases. Its query language resembles code, making it easy to turn interesting code patterns into queries.

I've come across the term Vectored Exception Handling or Vectored Exception Handlers (VEH for short) in the context of malware development, but until now I hadn't really been able to get to grips with the term or the subject. While preparing for my upcoming Endpoint Security Insights workshop, I came across the term Vectored Exception Handling again in the following article from cyberwarfare. The article piqued my curiosity and motivated me to learn more about the topic. As always, I learn best when I write about a topic myself, prepare a presentation or something similar. Based on cyberwarfare's article, I would like to take up the topic of vectored exception handling in the context of shellcode execution via syscalls and take a closer look at the code required for this.

A lot of organizations have some sort of application development program and it is highly likely that developers will utilize Visual Studio for their development needs. Outside of the risk of from malicious .sln files which doesn’t apply Mark of the Web (MotW) and therefore can evade Microsoft controls such as SmartScreen, Visual Studio also provides an opportunity for lateral movement via the Development Tools Environment (DTE).