Austin Hudson Profile

Austin Hudson (@ilove2pwn_)
6,341 Followers - 32 Following - 33 Media - 207 Statuses

Senior Researcher @ Fortra; working on Cobalt Strike. Professional inquiries: austinhudson @protonmail .ch. GitHub: PFP: @Mr_0rng

Orlando, FL
Joined July 2018

Austin Hudson (@ilove2pwn_) - 10 months
Huh, never really thought I'd get this far. As mentioned before, the talk will be recorded so you can watch me flop live or online on November 16 @ 7:30 pm UTC, called "The Complete Idiots Guide To UEFI Bootkits".

Austin Hudson (@ilove2pwn_) - 8 months
Since secrets are boring, here's how it works: change protections, write changes, restore protections, fork the parent, kill the child. The parent will set the shared status back to normal, but "Shared original" for regions that aren't written to will stand out. Blame forking, not me.

Austin Hudson (@ilove2pwn_) - 9 months
In reality, you can still inject unsigned code into a process (doesn't matter what) and, well, also not have to perform any memory obfuscation/stack spoofing without also having to "touch the disk", as a lot of people put it. I consider my experiment a success.

Austin Hudson (@ilove2pwn_) - 4 months
Or, building the chain differently: here's another PoC. I call it GrimReaper. I originally planned more, but truthfully became bored as I wish to move on to other things. Uses special/normal APCs to build and queue properly without NtContinue.

Austin Hudson (@ilove2pwn_) - 1 year
Finally got Cr4sh's project working for DMA using a Spartan-6 board I picked off eBay for a hundred bucks. Gonna tie it into the UEFI experiments I've been working with.

Austin Hudson (@ilove2pwn_) - 11 months
"Ghost": A poorly designed client/server architecture example. I will not support it. User interface example is shown below. There's a race condition or two lel.

Austin Hudson (@ilove2pwn_) - 1 year
Milestone 2 complete: basic prototype capable of dispatching requests/responses and handling input via a Packer/Parser format. Finalizing it, then working on the rootkit portion again, this time. I call it Great Value ® Cobalt Strike. Don't sue me.

Austin Hudson (@ilove2pwn_) - 1 year
Source code for now until I resume working on it. Peace for the rest of the weekend, need to get off for a few weeks.

Austin Hudson (@ilove2pwn_) - 1 year
After several hours of screaming into the void I finally achieved my dreams and got it to work on a cold boot. I think I've had enough for the rest of the year; this is mentally fucking exhausting.

Austin Hudson (@ilove2pwn_) - 10 months
I have retracted my presentation and I will not be attending. It was a pleasure regardless. Peace.

Austin Hudson (@ilove2pwn_) - 9 months
You can set up a piece of shellcode to more or less run outside of a CFG page using a simple jump. It's an initial step; fixing a proper 'ROP' chain to be sufficient and capture the return values I'll leave to the reader, not too difficult. Love Elastic's work, one of the best.

John U (@jdu2600) - 1 year
Thanks for letting me talk about Finding the Footprints of Hidden Shellcode #BHASIA. You can find the slides here:

Austin Hudson (@ilove2pwn_) - 3 months
Heh, fun bike for the summer. 2010 CBR600RR

Austin Hudson (@ilove2pwn_) - 10 months
Success against an ASUS Z590-A Prime AMI-based firmware. There is a race condition between when the bug is exploitable and when it is not; with SP605 Rev E I can win the race successfully by doing a full cold boot, first attempt tends to succeed.

Austin Hudson (@ilove2pwn_) - 10 months
Fuck yeah!

Austin Hudson (@ilove2pwn_) - 1 year
Test: Locked at a UEFI setup screen prior to OS start to disable VBS/HVCI/SL with IOMMU + ASUS's "Pre-Boot IOMMU". Host configured with BitLocker and TPM 2.0 once it boots. No issues, and the OS boots without the protections except Kernel DMA until I wipe the DMAR flags. SP605 REV E WIP.

Austin Hudson (@ilove2pwn_) - 1 year
And as of early this morning, I was able to successfully register remote events using a pubsub test server and async with PyQt5 (qasync).

Austin Hudson (@ilove2pwn_) - 4 months
Furthermore, builds its call frames to match that of a normal return for the ROPs themselves. If you want to manipulate your primary thread stack, well, have fun with NT_TIB: you can achieve this by using context manipulation + manipulating NT_TIB as shown in:

Austin Hudson (@ilove2pwn_) - 2 months
@artem_i_baranov The BlackLotus sources aren't the actual BlackLotus code. It's a ripped piece of source from my GitHub thrown together with a random other piece of code, non-functioning.

Austin Hudson (@ilove2pwn_) - 20 days
DJI Mini 4 Pro, pretty sweet. Testing out its active track, which is aight. Gonna attempt to build a drone jammer with it and document it as usual.

Austin Hudson (@ilove2pwn_) - 9 months
@d_tranman Correct

Austin Hudson (@ilove2pwn_) - 4 months
@Octoberfest73 I'll keep that in mind. I used to, but found few people read it. Nonetheless, I will keep that in mind and see about that if I choose to continue this work.

Austin Hudson (@ilove2pwn_) - 4 months
@shubakki Well done. I'll be happy to answer my design notes of why I chose some of the stuff mentioned in your post if you'd like. Unrelated, I'll provide you an easy win to make your chain somewhat simpler to build:

Austin Hudson (@ilove2pwn_) - 3 months
@dazzyddos @KlezVirus @HackSpaceCon Was a pleasure catching ya at the con. Well done!

Austin Hudson (@ilove2pwn_) - 1 year
Almost there :)

Austin Hudson (@ilove2pwn_) - 1 year
Works! Developing the individual teamserver messages that are broadcast (info, good, error) and cleaning up the client connect/disconnect code before reworking the listener/agent/agent display.

Austin Hudson (@ilove2pwn_) - 2 months
@DocStrangelove2 Same director did False Alarm's video from the Weeknd

Austin Hudson (@ilove2pwn_) - 10 months
With his project(s) as a reference, even a cursory understanding should be sufficient to construct a Hyper-V compatible bootkit that can successfully transition into the 'guest' if Hyper-V is compatible, and verify it's enabled if not / perform the normal hooking process.

Austin Hudson (@ilove2pwn_) - 1 year
Source for the dialog. A basic prototype as I construct the payload. Hacky way of enabling generation upon input validation.

Austin Hudson (@ilove2pwn_) - 6 months
@C5pider Was messing with this a few weeks ago. I personally had issues with constexpr, switched to GNU-C++23 and was able to get guaranteed string to array & hashes. Not sure of your results.

Austin Hudson (@ilove2pwn_) - 6 months
@GabrielLandau Honestly, I don't see the attack surface going away lol. The amount of machines I can break IOMMU with a small race (a lot of firmware I've encountered hilariously initialized PCIe prior to initializing IOMMU) to get DMA is still quite extensive and likely will never change.

Austin Hudson (@ilove2pwn_) - 10 months
This thing is going to be useful again. I'll test in a few days.

Austin Hudson (@ilove2pwn_) - 23 days
@chompie1337 TLDR: It's their generic response they'll give you regardless.

Austin Hudson (@ilove2pwn_) - 9 months
@chompie1337 Looks like I'll miss this one, bummer. Nice talk.

Austin Hudson (@ilove2pwn_) - 3 months
@big_polar_bear1 All-righty. Was only offering a suggestion. Do what you want lol.

Austin Hudson (@ilove2pwn_) - 3 months
@big_polar_bear1 @KlezVirus Go through brokers. I've had varying success with it. Best of luck.

Austin Hudson (@ilove2pwn_) - 7 months
@GabrielLandau Lol, you might have fun with causing it to be loaded directly using `AddSecurityPackageA` and messing with the cache that way.

Austin Hudson (@ilove2pwn_) - 5 months
@modexpblog @kyleavery_ @mrgretzky I leveraged this fact for SMB pipes to obfuscate during R/W & connect operations. Works great on arbitrary "object"s.

Austin Hudson (@ilove2pwn_) - 1 year
Not much progress. I spent way too long fucking around with Qt Designer, hated the way it exported, so built it by hand. Got input validation working as well (grey out the generation until all input is validated).

Austin Hudson (@ilove2pwn_) - 23 days
@chompie1337 I've done it. It won't force them to fix it.

Austin Hudson (@ilove2pwn_) - 1 year
On today's episode of "I'm fucked": will this laptop crash or reach full CPU usage with 65+ agents with no delay spraying the every living fuck out of an asyncio ICMP listener infinitely in a loop? Since I'm still tweeting, I'd say it's doing well?