The file write primitive is an inverse of the file read primitive. Instead of getting bytes out of the target app’s private storage, you get bytes in. It is rarer than the read primitive but when p...
Intent Redirection — Reaching Internal Activities Through a Trusted Exported Door
Intent redirection is the bug that explains why a properly permission-protected internal activity can still be reached by any installed third-party app. The reason is rarely the protection on the i...
Beyond the WebView Redirect — Three Escalations from a Single Intent Injection
After the last post on intent injection through exported activities, a few people reached out with the same kind of feedback. Their target apps had an exported activity, the activity took an extra ...
allowBackup=true — Extracting App Data With adb backup
android:allowBackup defaults to true if not specified in the manifest. The setting was designed for “user can restore their app data after factory reset”. The side effect: adb backup can dump the a...
Threat Hunting Basics
Threat hunting is the proactive practice of searching for hidden threats or malicious activity within an organization’s environment, before or sometimes after alerts are trigg...
Offensive C - QueueUserAPC (Early Bird APC Injection)
I have already discussed Early Bird APC Injection using the QueueUserAPC method on this blog. On a high level, with respect to the old method, we start by creating a suspended process example Not...
Offensive C - Shellcode Encryption and Staging
In the previous blog, we discussed how to get around Windows Defender by using payload obfuscation. This time, we’ll go over how to get the beacon into our Sliver C2 undetected by using shellcode ...
Offensive C - Shellcode Obfuscation
Shellcode We have already discussed process injection using shellcode, which pretty much explains why and how to use it. Giving the background again, shellcode is just a collection of i...
One Approach towards Android Bug Bounty
Last month, I discovered a couple of issues related to Exported Activities and Intent Injections. These vulnerabilities were either unreported or reported in a manner that underestimated their impa...
Offensive C++ - Process Hollowing
Process Hollowing CreateProcess CreateFile VirtualAllocEx ReBaseImage64 CreateFileMapping, MapViewOfFileEx WriteProcessMemory NtQueryInformationProcess GetThreadContext, SetThreadContext ResumeThr...