Archives for Quarkslab's blog

Leveraging Sourcetrail to a mapping tool, meet Numbat and Pyrrha

BGE Attack on AES White-Boxes: Extending Blue Galaxy Energy for Decryption and Shuffled States

How I Built a Car In a Box

PHP deserialization attacks and a new gadget chain in Laravel

DJI - The ART of obfuscation

PixieFail: Nine vulnerabilities in Tianocore's EDK II IPv6 network stack.

Blue Galaxy Energy: a new White-box Cryptanalysis Open Source Tool

Our Pwn2Own journey against time and randomness (part 2)

Workflow of a zkSync Era transaction: from generation to finalization

Internship Offers for the 2023-2024 Season

QBinDiff: A modular diffing toolkit

Let’s Go into the rabbit hole (part 1) — the challenges of dynamically hooking Golang programs

Reversing Windows Container, episode I: Silo

Debugging Windows Isolated User Mode (IUM) Processes

Diving into Starlink's User Terminal Firmware

Breaking Secure Boot on the Silicon Labs Gecko platform

Android Data Encryption in depth

For Science! - Using an Unimpressive Bug in EDK II to Do Some Fun Exploitation

Security audit of Mithril Security BlindAI

PASTIS For The Win!

Introducing TritonDSE: A framework for dynamic symbolic execution in Python

Android greybox fuzzing with AFL++ Frida mode

A gentle introduction to Microsoft OMI and how to crash it

Our Pwn2Own journey against time and randomness (part 1)

Audit of Falco, the open-source cloud-native runtime security

Vulnerabilities in the TPM 2.0 reference implementation code

Dark Phoenix: a new White-box Cryptanalysis Open Source Tool

Post-Exploitation: Abusing the KeePass Plugin Cache

Digging into the OCI Image Specification

Internship Offers for the 2022-2023 Season

Quokka: A Fast and Accurate Binary Exporter

Defeating eBPF Uprobe Monitoring

Attacking Titan M with Only One Byte

Secure Messaging Apps and Group Protocols, Part 2

Binbloom blooms: introducing v2

Secure Messaging Apps and Group Protocols, Part 1

Digging Into Runtimes – runc

Commit Level Vulnerability Dataset

A Brief Overview of Auditing XCMv2

Heap Overflow in OpenBSD's slaacd via Router Advertisement

Kubernetes and HostPath, a Love-Hate Relationship

Smali the Parseltongue Language

Audit of the MimbleWimble Integration Inside Litecoin

Why is Exposing the Docker Socket a Really Bad Idea?

Status of post-quantum cryptography implementation

Digging into Linux namespaces - part 2

Digging into Linux namespaces - part 1

Mattermost End-to-End Encryption Plugin

Internship Offers for the 2021-2022 Season

kdigger: a Context Discovery Tool for Kubernetes

Introducing QBDL: how to run the NVIDIA NGX SDK under Linux

A virtual journey: From hardware virtualization to Hyper-V's Virtual Trust Levels

Hello Rewind, meet world

Guided tour inside WinDefender’s network inspection driver

RFID: Monotonic Counter Anti-Tearing Defeated

Audit of Session Secure Messaging Application

Remote Denial-of-Service on CycloneTCP : CVE-2021-26788

Analysis of a Windows IPv6 Fragmentation Vulnerability: CVE-2021-24086

Extending Emuroot: support for Android 10 & 11

QBDI 0.8.0

Bad Neighbor on FreeBSD: IPv6 Router Advertisement Vulnerabilities in rtsold (CVE-2020-25577)

Technical Assessment of the herumi Libraries

RFID: New Proxmark3 Tear-Off Features and New Findings

How the MSVC Compiler Generates XFG Function Prototype Hashes

Beware the Bad Neighbor: Analysis and PoC of the Windows IPv6 Router Advertisement Vulnerability (CVE-2020-16898)

Internships at Quarkslab 2020-2021: the COVID season

Examining the August Smart Lock

Introduction to Whiteboxes and Collision-Based Attacks With QBDI

Why are Frida and QBDI a Great Blend on Android?

A Deep Dive Into Samsung's TrustZone (Part 3)

Triton v0.8 and ARMv7: A Guideline for Adding New Architectures

Playing Around With The Fuchsia Operating System

Ansible Security Assessment

How a Security Anomaly was Accidentally Found in an EAL6+ JavaCard

Reverse Engineering a VxWorks OS Based Router

Triton v0.8 is Released!

CVE-2020-0069: Autopsy of the Most Stable MediaTek Rootkit

PhD Defense of Jonathan Salwan: Use of Symbolic Execution for Binary Deobfuscation

Reverse Engineering a Philips TriMedia CPU based IP Camera - Part 3

A Deep Dive Into Samsung's TrustZone (Part 2)

A Deep Dive Into Samsung's TrustZone (Part 1)

A Glimpse Into Tencent's Legu Packer

Irma Past and Future

CM Browser: HTTPS URL Leak

EEPROM: When Tearing-Off Becomes a Security Issue

Analysis of Qualcomm Secure Boot Chains

Quarkslab Internship Offers for 2019-2020

Exploring Execution Trace Analysis

An Experimental Study of Different Binary Exporters

Epona and the Obfuscation Paradox: Transparent for Users, a Pain for Reversers

QBDI 0.7.0

Weisfeiler-Lehman Graph Kernel for Binary Function Analysis

Obfuscating Java bytecode with LLVM and Epona

Security Audit of dalek libraries

Security Audit of Monero RandomX

CVE-2018-6924: FreeBSD ELF Header Parsing Kernel Memory Disclosure

Security Audit of Particl Bulletproof and MLSAG

LLDBagility: practical macOS kernel debugging

Android Native Library Analysis with QBDI

Android Application Diffing: Analysis of Modded Version

An overview of macOS kernel debugging

Android Application Diffing: CVE-2019-10875 Inspection

Development of a training ECU

Android Application Diffing: Engine Overview

Reverse-engineering Broadcom wireless chipsets

Android Runtime Restrictions Bypass

Defeating NotPetya from your iLO

Reverse Engineering a Philips TriMedia CPU based IP camera - Part 2

Reverse Engineering a Philips TriMedia CPU based IP camera - Part 1

Android Challenge

Internship offers at Quarkslab for the 2018-2019 season

Playing with the Windows Notification Facility (WNF)

Security Audit of Monero Bulletproofs

Unaligned accesses in C/C++: what, why and solutions to do it properly

Back from CppCon 2018

Modern Jailbreaks' Post-Exploitation

Overview of Intel SGX - Part 2, SGX Externals

Attacking the ARM's TrustZone

A Story About Three Bluetooth Vulnerabilities in Android

Symbolic Deobfuscation: From Virtualized Code Back to the Original (DIMVA 2018)

Easy::jit: Just-In-Time compilation for C++

Overview of Intel SGX - Part 1, SGX Internals

Quarks In The Shell - Episode IV

Introduction to Trusted Execution Environment: ARM's TrustZone

LIEF 0.9

When SideChannelMarvels meet LIEF

Android Bluetooth Vulnerabilities in the March 2018 Security Bulletin

Flash Dumping - Part II

Frozen - zero cost initialization for immutable containers and various algorithms

Reverse Engineering the Win32k Type Isolation Mitigation

Slaying Dragons with QBDI

Spectre is not a Bug, it is a Feature

Have fun with LIEF and Executable Formats

Internship offers at Quarkslab for the 2017-2018 season

Reverse engineering of the Nitro OBD2

Mistreating Triton

Flash Dumping - Part I

Vulnerabilities in High Assurance Boot of NXP i.MX microprocessors

Reverse Engineering Samsung S6 SBOOT - Part II

PhD defense of Ninon Eyrolles: Obfuscation with Mixed Boolean-Arithmetic Expressions: Reconstruction, Analysis and Simplification Tools

Frozen - An header-only, constexpr alternative to gperf for C++14 users

Security Assessment of OpenVPN

Exploiting MS16-145: MS Edge TypedArray.sort Use-After-Free (CVE-2016-7288)

LIEF - Library to Instrument Executable Formats

Make Confide great again? No, we cannot

Reverse Engineering Samsung S6 SBOOT - Part I

Analysis of MS16-104: .URL files Security Feature Bypass (CVE-2016-3353)

Global Dead Code Elimination for LLVM, revisited

Differential Fault Analysis on White-box AES Implementations

CVE-2016-7259: An empty file into the blue

Internship offers at Quarkslab for the 2016-2017 season

No Tears, No Fears

Security Assessment of VeraCrypt: fixes and evolutions from TrueCrypt

Back from CppCon 2016

On the fly virtualization with Cappsule

Arybo: cleaning obfuscation by playing with mixed boolean and arithmetic operations

Xen exploitation part 3: XSA-182, Qubes escape

Xen exploitation part 2: XSA-148, from guest to host

Xen exploitation part 1: XSA-105, from nobody to root

Implementing a Custom Directive Handler in Clang

Binmap: a system scanner

Windows Filtering Platform: Persistent state under the hood

IRMA v1.3.0

Clang Hardening Cheat Sheet

Offres de stages Quarkslab pour la saison 2015-2016

Remote Code Execution as System User on Android 5 Samsung Devices abusing WifiCredService (Hotspot 2.0)

llvm_dev_meeting:

goto llvm_dev_meeting;

What theoretical tools are needed to simplify MBA expressions?

Kernel Vulnerabilities in the Samsung S4

A glimpse of ext4 filesystem-level encryption

Why 2FA would not have saved HT?

Security assessment of instant messaging app ChatSecure: when privacy matters

Triton under the hood

Turning Regular Code Into Atrocities With LLVM: The Return

HiTB Challenge: IRMA - Results

HiTB Challenge: IRMA

MongoDB vs. Elasticsearch: The Quest of the Holy Performances

Writing your own Analyzer for the Open-Source Multi-Scanner IRMA

Turning Regular Code Into Atrocities With LLVM

Deobfuscation: recovering an OLLVM-protected program

Abusing Samsung KNOX to remotely install a malicious application: story of a half patched vulnerability

Stages et alternances 2014-2015

Python Challenge: The End

You like Python, security challenge and traveling? Win a free ticket to HITB KUL!

SCAF - Source Code Analysis Framework based on Clang - Pre-alpha preview

A glance at compiler internals: Keep my memset

USB Fuzzing Basics: From fuzzing to bug reporting

Building an obfuscated Python interpreter: we need more opcodes

Convert IPv4 string representation to a 32-bit number with SSE instructions

Windows 8 ate my cookie

TCP backdoor 32764 or how we could patch the Internet (or part of it ;))

An Angular introduction, and things to keep in mind

Have you ever played with Domino?

IDA processor module

iMessage Privacy

Unique random number set computation

Evasi0n Jailbreak: Precisions on Stage 3

Visual C++ RTTI Inspection

qb-sync v2

Bradley, hash-and-decrypt, Gauss ... a brief history of armored malware and malicious crypto

qb-sync

Quarks PwDump

Runtime DLL name resolution: ApiSetSchema - Part II

Runtime DLL name resolution: ApiSetSchema - Part I