Niraj Kharel

Beyond the WebView Redirect — Three Escalations from a Single Intent Injection

After the last post on intent injection through exported activities, a few people reached out with the same kind of feedback. Their target apps had an exported activity, the activity took an extra ...

allowBackup=true — Extracting App Data With adb backup

android:allowBackup defaults to true if it is not specified in the manifest. The setting was designed so that a user can restore their app data after a factory reset. The side effect: adb backup can dump the a...
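Two checks that follow from the point above, written here as an added example (not code from the original post or from the author's tooling): first, what the effective allowBackup value is for a decoded manifest, where a missing attribute must be treated as true; second, turning the file `adb backup` writes into a plain tar so its contents can be listed. The example assumes the manifest text comes from an apktool/aapt decode of AndroidManifest.xml, and that the backup is the unencrypted `.ab` layout (four newline-terminated header lines: magic, version, compression flag, encryption name, followed by a zlib stream wrapping a tar archive). The sample backup it builds is constructed in memory, not taken from a device.

```python
"""Added example: allowBackup checks and an .ab unpacker.

Assumptions (mine, not the page's): manifest text is apktool-decoded XML;
the backup is the unencrypted adb backup format (header of four text lines,
then a zlib-compressed tar when the compression flag is 1).
"""
from __future__ import annotations

import io
import tarfile
import xml.etree.ElementTree as ET
import zlib

ANDROID_NS = "http://schemas.android.com/apk/res/android"
AB_MAGIC = b"ANDROID BACKUP"


def effective_allow_backup(manifest_xml: str) -> bool:
    """Return the value adb backup will honour: an absent attribute means True."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return True
    value = app.get(f"{{{ANDROID_NS}}}allowBackup")
    if value is None:          # the default the page describes
        return True
    return value.strip().lower() != "false"


def ab_to_tar(ab_bytes: bytes) -> bytes:
    """Strip the adb backup header and inflate the payload to a plain tar stream."""
    parts = ab_bytes.split(b"\n", 4)   # magic, version, compressed, encryption, payload
    if len(parts) < 5 or parts[0] != AB_MAGIC:
        raise ValueError("not an Android backup file")
    compressed, encryption, payload = parts[2], parts[3], parts[4]
    if encryption != b"none":
        raise ValueError(f"encrypted backup ({encryption.decode()}); password needed")
    return zlib.decompress(payload) if compressed == b"1" else payload


def list_backup_files(ab_bytes: bytes) -> list[str]:
    """Names of the regular files inside the backup (the app data that leaked)."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(ab_bytes)), mode="r:") as tf:
        return [m.name for m in tf.getmembers() if m.isfile()]


def make_sample_backup(files: dict[str, bytes], compressed: bool = True) -> bytes:
    """Construct an unencrypted .ab in memory; a test fixture, not real device data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    payload = buf.getvalue()
    if compressed:
        payload = zlib.compress(payload)
    header = b"ANDROID BACKUP\n5\n%d\nnone\n" % (1 if compressed else 0)
    return header + payload


if __name__ == "__main__":
    # Constructed manifest with no allowBackup attribute: the vulnerable default.
    manifest = (
        '<manifest xmlns:android="%s" package="com.example.app">'
        '<application android:label="Example"/></manifest>' % ANDROID_NS
    )
    print("allowBackup effective:", effective_allow_backup(manifest))
    sample = make_sample_backup({
        "apps/com.example.app/db/app.db": b"SQLite format 3\x00",
        "apps/com.example.app/sp/prefs.xml": b"<map/>",
    })
    print("files in backup:", list_backup_files(sample))
```

On a real target the input to `ab_to_tar` is the file produced by `adb backup -f app.ab -noapk com.example.app` (the device prompts for confirmation and an optional password; a password produces the AES-256 header variant, which this example refuses rather than handling). A manifest that sets `android:allowBackup="false"` returns False from `effective_allow_backup`, which is the fix the post is pointing at.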

Threat Hunting Basics

Threat hunting is the proactive practice of searching for hidden threats or malicious activity within an organization’s environment, before or sometimes after alerts are trigg...

Offensive C - QueueUserAPC (Early Bird APC Injection)

I have already discussed Early Bird APC Injection using the QueueUserAPC method on this blog. At a high level, as in the old method, we start by creating a suspended process, for example Not...

Offensive C - Shellcode Encryption and Staging

In the previous post, we discussed how to get around Windows Defender using payload obfuscation. This time, we’ll go over how to get the beacon to our Sliver C2 undetected by using shellcode ...

Offensive C - Shellcode Obfuscation

We have already discussed process injection using shellcode, which pretty much explains why and how to use it. To give the background again, shellcode is just a collection of i...

One Approach towards Android Bug Bounty

Last month, I discovered a couple of issues related to Exported Activities and Intent Injections. These vulnerabilities were either unreported or reported in a manner that underestimated their impa...

Offensive C++ - Process Hollowing

Process Hollowing: CreateProcess, CreateFile, VirtualAllocEx, ReBaseImage64, CreateFileMapping, MapViewOfFileEx, WriteProcessMemory, NtQueryInformationProcess, GetThreadContext, SetThreadContext, ResumeThr...

Offensive C++ - Process Injection - Reflective DLL Injection

Process Injection - Reflective DLL Injection

Offensive C++ - Process Injection - DLL Injection

DLL Injection is a kind of process injection technique, but unlike loading shellcode into a running process, DLL Injection involves injecting and loading a malicio...