An Unsafest Journey

In life there are often times when I take on quests that I have absolutely no right in touching. Sometimes I do complete those quests and other times (more often) I fail completely, having chased the rabbit a little too deep into the hole. Regardless, I always end up learning something.

Traditionally, I haven't ever documented these quests. Since I was often treading well-trodden ground, I felt that it wasn't worth sharing unless I could demonstrate something new. I figure this was due to a combination of imposter syndrome and crippling anxiety (something I'm sure all 2 of my readers can relate to).

I realise now what a mistake this has been. As cliché as it might sound, blogs should really be about the journey rather than the destination. While I might not be able to share any groundbreaking research, perhaps I can provide the interesting story as I set off on these quests and what I learn along the way.

There will be mistakes, and I will surely spend far too much time diving down rabbit holes, but if I can share that journey then I will consider it a success regardless of whether we complete the quest.

Hopefully you the reader will find my quests and journey engaging and relatable as well.

Leading up to the decision to start this blog I took some time exploring using Zig to build some proof of concept malware.

I'll admit, it wasn't much. It was as much a Zig learning project as it was a chance to dip my toes into the malware development world.

The features were basic. It could connect to a web server both through raw TCP and through HTTP. It could execute commands and return the results. I implemented some basic functionality to fingerprint the host, which was used as an identifier. It also had some features which let me encode the strings using XOR at compile time (okay, maybe not encrypt…) and decode them at run time.

Pretty basic stuff as far as malware goes. But I am not a developer, nor am I a red teamer. I'm a pentester, and not even the cool kind: I do web apps and web APIs. Okay, web apps aren't that bad, but they don't scratch the itch.

See, I like the low level stuff. Or maybe it's the idea of the low level stuff I like? There is something that draws me to the really low level stuff that results in me banging my head against the metaphorical wall of assembly and bland documentation until one of us breaks.

Spongebob 'Standing there menacingly' meme, except it's the Intel developer manual
That's right, I do subpar memes to complement my subpar code.

Anyway, back to the present. My next quest begins off the back of that project: the quest to write a shellcode loader that will allow us to run basic Meterpreter reverse shell shellcode without being detected by Defender.

If that sounds interesting, please follow me into part 1 of my Quest to Evade Defender.

Current Quests

The Quest to Evade Defender

Building shellcode loaders to evade Windows Defender using Zig, exploring everything from basic VirtualAlloc calls to advanced obfuscation techniques.

Currently, the code for parts 2 and 3 is complete, but the actual writing is still underway; I have left part 2 available anyway as an early preview.

VM Detection Research

Diving into the world of virtual machine detection using hardware-based methods such as the CPUID instruction. The series is still early on; so far we look at detection through CPUID leaves.

Memory Allocation Techniques - Draft

Exploring how custom allocators can be used to obfuscate payload allocations and improve evasion techniques.