Dmytro Oleksiuk (@d_olex)
Jul 25, 7 tweets, 3 min read
So, what's wrong with the #CosmicStrand UEFI implant at first glance at its sample? What lessons exactly can APT malware developers learn from open source projects? 🧵⬇️
First, it is really trivial to detect this malware's presence by the patched nt!KiFilterFiberContext() function, patched in order to disable PatchGuard. My UEFI rootkit does not interfere with PatchGuard at all; it also doesn't use any permanent in-memory patches or callbacks, only temporary ones.
Second, while #CosmicStrand uses a pretty much standard set of hooks to hijack the execution flow of the bootloader and kernel, like OslArchTransferToKernel() and so on, there's a lack of Hyper-V/HVCI presence checks in its boot stage code, which is really bad ...
What happens when such boot stage hooks are executed in the context of the hypervisor on a Virtualization-Based Security enabled machine? It will just BSoD the box by passing execution to an invalid code page that Hyper-V is not aware of.
Since it is not that trivial to support such configurations, my UEFI rootkit uses a simple check to detect enabled Hyper-V and continues execution without causing any damage to the system. This is an important check if you want to use old fashioned techniques on modern systems.
I haven't performed an actual and complete analysis of the #CosmicStrand sample; the issues described above are just the first thing that catches your eye. I'm almost sure that its code will reveal many other bugs and disadvantages if you check it more closely.
Hey, @mfa_china, you can just rip off my code to use your taxpayer money more effectively 😂
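As an added illustration of the Hyper-V presence check the thread argues a boot-stage hook must make (example code written for this page, not the author's rootkit and not code from the CosmicStrand sample): the documented CPUID interface exposes a "hypervisor present" flag in leaf 1 ECX bit 31 and, when it is set, a 12-byte vendor signature in EBX:ECX:EDX of leaf 0x40000000, which reads "Microsoft Hv" under Hyper-V. That the author's check uses exactly these leaves is an assumption. The decision logic takes raw register values so it can be exercised with constructed input; the `main` reads real CPUID only on x86.

```c
/* Added example (not the thread author's code): CPUID-based detection of a
 * hypervisor underneath the running code, used to decide whether the legacy
 * "patch code and redirect execution" path is safe to take.
 * Documented interface: leaf 1 ECX[31] = hypervisor present; leaf 0x40000000
 * EBX:ECX:EDX = vendor signature ("Microsoft Hv" for Hyper-V). Assumption:
 * the real rootkit's check uses these leaves. Register values in the
 * accompanying checks are constructed, not captured from a real machine. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct cpuid_regs { uint32_t eax, ebx, ecx, edx; };

#define CPUID_HV_PRESENT_BIT  (1u << 31)   /* leaf 1, ECX[31] */
#define CPUID_HV_VENDOR_LEAF  0x40000000u  /* meaningful only when the bit is set */

enum hv_kind { HV_NONE = 0, HV_MICROSOFT = 1, HV_OTHER = 2 };

/* Copy the 12-byte vendor signature out of EBX:ECX:EDX (little-endian host). */
static void hv_vendor_string(const struct cpuid_regs *vendor, char out[13]) {
    memcpy(out + 0, &vendor->ebx, 4);
    memcpy(out + 4, &vendor->ecx, 4);
    memcpy(out + 8, &vendor->edx, 4);
    out[12] = '\0';
}

/* Classify from the contents of leaf 1 and leaf 0x40000000. */
enum hv_kind classify_hypervisor(const struct cpuid_regs *leaf1,
                                 const struct cpuid_regs *vendor) {
    char sig[13];
    if ((leaf1->ecx & CPUID_HV_PRESENT_BIT) == 0)
        return HV_NONE;                  /* bare metal (or a hypervisor hiding itself) */
    hv_vendor_string(vendor, sig);
    return memcmp(sig, "Microsoft Hv", 12) == 0 ? HV_MICROSOFT : HV_OTHER;
}

/* Convenience wrapper over raw register values (used by the unit checks). */
enum hv_kind classify_from_values(uint32_t leaf1_ecx,
                                  uint32_t ebx, uint32_t ecx, uint32_t edx) {
    struct cpuid_regs l1 = { 0, 0, leaf1_ecx, 0 };
    struct cpuid_regs vendor = { 0, ebx, ecx, edx };
    return classify_hypervisor(&l1, &vendor);
}

/* The policy the thread argues for: only follow the legacy patch-and-redirect
 * path when no hypervisor owns the machine; under Hyper-V (VBS/HVCI) leave
 * the original code path untouched. Any other hypervisor is treated the same
 * way, since a guest may itself be running VBS nested. */
int safe_to_patch(enum hv_kind kind) {
    return kind == HV_NONE;
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
static void read_cpuid(uint32_t leaf, struct cpuid_regs *r) {
    unsigned int a, b, c, d;
    __cpuid(leaf, a, b, c, d);         /* no max-leaf check: 0x40000000 is above it */
    r->eax = a; r->ebx = b; r->ecx = c; r->edx = d;
}
#endif

int main(void) {
#if defined(__x86_64__) || defined(__i386__)
    struct cpuid_regs leaf1, vendor = { 0, 0, 0, 0 };
    char sig[13];
    read_cpuid(1, &leaf1);
    if (leaf1.ecx & CPUID_HV_PRESENT_BIT)
        read_cpuid(CPUID_HV_VENDOR_LEAF, &vendor);
    enum hv_kind kind = classify_hypervisor(&leaf1, &vendor);
    hv_vendor_string(&vendor, sig);
    printf("hypervisor present: %s, vendor: \"%s\", safe to patch: %s\n",
           kind == HV_NONE ? "no" : "yes", kind == HV_NONE ? "" : sig,
           safe_to_patch(kind) ? "yes" : "no");
#else
    puts("CPUID is x86-only; the classification logic above is portable.");
#endif
    return 0;
}
```

Two practitioner caveats. The flag only reflects a hypervisor that has already been launched, so a hook that fires before Hyper-V is started will still see it clear; where in the boot flow the check runs matters as much as the check itself. And the vendor leaf is only defined once the present bit is set, which is why the code never reads 0x40000000 on bare metal.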