
Saad AHLA
@d1rkmtr • 7,815 subscribers
Instructor @AlteredSecurity || Author of Evasion Lab (CETP) || Learner
Videos

Project: Smart keylogging capability to steal SSH credentials, including password & private key
Saad AHLA • 26,908 views • 1 year ago

A very stealthy way of dumping LSASS: it is done from the kernel, so it doesn't matter if LSASS is LSA Protected. Once loaded, the rootkit creates a system thread (PsCreateSystemThread) for dumping LSASS, iterates over all processes, gets each one's EPROCESS (PsLookupProcessByProcessId), then its name (PsGetProcessImageFileName), and attaches to LSASS with KeStackAttachProcess. Once attached, it creates a file on disk (C:\dump.dmp) to receive the memory page dump; then the memory dumping process starts with ZwQueryVirtualMemory to query each virtual memory page's info, including its base address and size, and ZwWriteFile is used to write that page to the dump file on disk. ====== For professional inquiries or freelance work, contact me on LinkedIn or Gmail (saaad.ahla@gmail[.]com); looking forward to new opportunities.
d1rkmtr • 22,041 views • 11 months ago

Detecting the AnyRun sandbox; more sandbox detection coming out in the future. Link:
d1rkmtr • 13,573 views • 6 months ago

🚨 I'm looking for a job 🚨 A user-mode program and its rootkit that will kill EDR processes permanently by leveraging the power of registering a process-creation-blocking kernel callback routine and ZwTerminateProcess. Project: =========== Looking for roles in user/kernel-mode malware dev, evasion, reverse engineering, kernel exploit weaponization, red team dev/operations, APT emulation (ransomware/stealer/C2 tooling emulation) ... Can do blue team also.
Saad AHLA • 17,113 views • 1 year ago
No more content.