ITSEC Newsletter 2024-08-15

Red team is best team

Author

Henrik Falk
August 15, 2024

Understanding the Process Environment Block (PEB) for Malware Analysis

PEB was one of the topics I wish I had learned more about, instead of just memorizing it the popular way, which is “FS:30 it’s PEB, it should be anti-debug.” So, in case there are others here like I was, this blog post can be helpful for you. I aim to create a baseline of practical knowledge about PEB from the aspect of malware analysis. Nonetheless, I will provide links for further reading.

metehan-bulut.medium.com/understanding-the-process-environment-block-peb-for-malware-analysis-26315453793f

You Can’t Spell WebRTC without RCE - Part 3

Part one explored Signal and WebRTC, detailing the injected vulnerabilities and the process of adding them. In part two we leverage these vulnerabilities to exfiltrate the Signal database from a victim's phone. For our final post, we’ll discuss indicators of compromise (IOCs) created by this attack, as well as IOCs that a real in-the-wild exploit might generate.

margin.re/2024/08/you-cant-spell-webrtc-without-rce-part-3

Why exploits prefer memory corruption

Some extremely good logic bugs will e.g. exec() attacker-supplied code or run an attacker-supplied script under a sufficiently-powerful interpreter to exploit the next bug in the chain. Other logic bugs are coupled with an external form of unsafety, such as JIT, and thus produce memory corruption effects. However, it’s much more common that exploiting a logic bug in a vulnerable program will remain bound by the constraints of the program’s source code and the programming language. That is a fundamentally different world than what is offered by memory corruption, where a much higher fraction of bugs can make the vulnerable program shed the constraints of the program and language to only remain bound by the constraints of the underlying CPU.

pacibsp.github.io/2024/why-exploits-prefer-memory-corruption.html