winternl https://winternl.com cybersecurity & programming Mon, 03 Nov 2025 15:21:03 +0000 en-US

Unpacking the AAD Broker LocalState Cache https://winternl.com/aad-broker-cache/ Tue, 30 Sep 2025 19:42:17 +0000 https://winternl.com/?p=1771 tl;dr: Source: https://github.com/jackullrich/AADBrokerDecrypt The Azure AD Broker (AAD Broker) is a component of Entra ID that orchestrates Azure AD sign-in, device-bound primary refresh token (PRT) handling, and application token issuance exposed by Windows Runtime (WinRT) APIs. In this post, we’ll map the broker’s on-disk cache and show how to unpack its file formats. Additionally…

Full Fat Shellcode https://winternl.com/full-fat-shellcode/ Thu, 10 Apr 2025 16:34:03 +0000 https://winternl.com/?p=1757 GLP-1s need not apply. There may be situations where you wish to conditionally run 32-bit or 64-bit shellcode from the same codebase. One such scenario is if you are bootstrapping some code into an ILONLY assembly. Below is valid x86 and x86-64 code that can be used for that purpose. The interesting bit is how the sequence 0x48, 0xff, 0xc0 is encoded differently between the two…

Loader Lock Ownership Semantics https://winternl.com/loader-lock-ownership-semantics/ Sat, 23 Nov 2024 20:12:59 +0000 https://winternl.com/?p=1734 If your career as a programmer has led you here, fear not, there is still time to turn back. I will not tell you to rethink whatever disreputable sequence of instructions you intend to force feed your processor. Nor do I think it would be beneficial to re-evaluate any alternative solutions. No dear reader, I trust that you have first read the litany of terrible things you are never to do…

Fixing a bug in donut https://winternl.com/fixing-a-bug-in-donut/ Wed, 09 Oct 2024 15:08:24 +0000 https://winternl.com/?p=1697 A client used donut to generate a reflective loader for a 64-bit PE file. The shellcode was then embedded and run from a .NET assembly. Strangely, it was not working, but only with some assemblies. After some mucking around with a debug version of donut, the loader code was exiting prematurely leaving us with the following message. Host process [abc] and file [xyz] are not compatible…

Why is there a debug directory in my release build? https://winternl.com/why-is-there-a-debug-directory-in-my-release-build/ Sun, 29 Sep 2024 19:40:35 +0000 https://winternl.com/?p=1647 (And other difficult conversations to have with your kids) If you’ve spent some time with MSVC you may have noticed your binary contains an IMAGE_DEBUG_DIRECTORY entry — even when building in release mode. This isn’t a new thing and this extra information was introduced in the 2015 release of Visual Studio. In fact, there’s a good reference by Adam over on their blog covering this topic.

CVE-2022-43997 – Local Privilege Escalation in Aternity Agent https://winternl.com/cve-2022-43997/ Mon, 23 Jan 2023 17:16:01 +0000 https://winternl.com/?p=1493 Aternity is software developed by Riverbed used to monitor the performance of applications and devices from the end user perspective. Software such as Aternity is a prime target for vulnerability research. “Monitoring” software typically installs hooks and performs process injection to track analytics. Doing so safely is not a trivial task; there may be implementation details an attacker may take…

Dealing with Failure: Failure Escalation Policy in Unmanaged CLR Hosts https://winternl.com/dealing-with-failure/ Tue, 10 May 2022 23:51:00 +0000 https://winternl.com/?p=1318 Offensive tooling built upon the .NET framework and its runtime environment, the Common Language Runtime (CLR), is an important part of the red teaming ecosystem. .NET tools offer rapid development times, a low barrier to entry, and are highly extensible through native interoperability. These tools have been and will continue to be used effectively on offensive engagements.

Detecting Manual Syscalls from User Mode https://winternl.com/detecting-manual-syscalls-from-user-mode/ Wed, 10 Feb 2021 19:17:02 +0000 https://winternl.com/?p=1139 By now direct system calls are ubiquitous in offensive tooling. Manual system calls remain effective for evading userland based EDRs. From within userland, there has been little answer to this powerful technique. Such syscalls can be effectively mitigated from kernel mode, but for many reasons, most EDRs will continue to operate exclusively from usermode. This post will present a novel method for…

Designing Emulation Resistant Control Flow https://winternl.com/designing-emulation-resistant-control-flow/ Thu, 17 Dec 2020 20:45:42 +0000 https://winternl.com/?p=1057 Antimalware emulators have the Sisyphean task of implementing a complete and accurate clone of the Windows environment. My previous research focused on a generic way to detect the presence of such emulators based upon Windows API artifacts. This is and will continue to be an effective technique in one’s arsenal. One of the most effective ways in which to utilize this tactic for evasion is to…

MemFuck: Bypassing User-Mode Hooks https://winternl.com/memfuck/ Tue, 08 Sep 2020 00:42:16 +0000 https://winternl.com/?p=920 Dynamic malware analysis is the preferred way to determine the legitimacy of an application for many AVs/EDRs/MDSs. Unlike static analysis, dynamic analysis can capture and analyze Windows API calls made during the course of execution. This method of analysis provides far superior detection rates than static analysis. There are many techniques to capture such system calls…
