Archives for Quarkslab's blog

Tue 29 April 2025 ProxyBlobing into your network

Tue 22 April 2025 Auditing Moodle's core hunting for logical bugs

Thu 10 April 2025 Security audit of PHP-SRC

Tue 08 April 2025 A small bug in the signature verification of AOSP OTA packages

Tue 25 March 2025 CCleaner Local Privilege Escalation Vulnerability on macOS

Fri 21 March 2025 Finding bugs in implementations of HQC, the fifth post-quantum standard

Tue 11 March 2025 Beyond the Hook: A Technical Deep Dive into Modern Phishing Methodologies

Fri 28 February 2025 Audit of Allbridge Estrela — Round 2

Tue 25 February 2025 Pwn everything Bounce everywhere all at once (part 1)

Tue 25 February 2025 Pwn everything Bounce everywhere all at once (part 2)

Fri 14 February 2025 First analysis of Apple's USB Restricted Mode bypass (CVE-2025-24200)

Tue 11 February 2025 Being Overlord on the Steam Deck with 1 Byte

Tue 21 January 2025 Security audit of the Notary Project

Fri 25 October 2024 Bluetooth Low Energy GATT Fuzzing

Fri 18 October 2024 Internship Offers for the 2024-2025 Season

Thu 17 October 2024 Linux kernel instrumentation from Qemu and Gdb

Tue 15 October 2024 Attacking the Samsung Galaxy A* Boot Chain

Thu 10 October 2024 Bypass Apache Superset restrictions to perform SQL injections

Tue 08 October 2024 Exploiting Microsoft Teams on macOS during a Purple Team engagement

Thu 03 October 2024 Differential fuzzing for cryptography

Tue 24 September 2024 crypto-condor: a test suite for cryptographic primitives

Tue 17 September 2024 Exploiting Chamilo during a Red Team engagement

Wed 04 September 2024 Audit of Operator Fabric

Tue 27 August 2024 Audit of Airswift's Supply Chain Financing

Tue 20 August 2024 MIFARE Classic: exposing the static encrypted nonce variant... and a few hardware backdoors

Tue 30 July 2024 Heap exploitation, glibc internals and nifty tricks.

Tue 16 July 2024 Audit of Cloud Native Buildpacks

Tue 09 July 2024 Let’s Go into the rabbit hole (part 3) — the challenges of dynamically hooking Golang programs

Tue 25 June 2024 Looking for vulnerabilities in Strapi (CVE-2024-34065)

Tue 18 June 2024 Recovering an ECU firmware using disassembler and branches

Tue 11 June 2024 Let’s Go into the rabbit hole (part 2) — the challenges of dynamically hooking Golang programs

Thu 30 May 2024 How malware authors play with the LNK file format

Tue 21 May 2024 Audit of Kuksa, the open-source shared building blocks for Software Defined Vehicles

Tue 07 May 2024 Audit of Allbridge Estrela

Tue 30 April 2024 Emulating RH850 architecture with Unicorn Engine

Thu 25 April 2024 Non-Compliant, So What?

Thu 18 April 2024 Hydradancer: Faster USB Emulation for Facedancer

Wed 17 April 2024 Passbolt: a bold use of HaveIBeenPwned

Tue 26 March 2024 Reversing Windows Container, episode II: Silo to Server Silo

Fri 22 March 2024 Solving SandboxAQ's Post-Quantum Crypto CTF

Thu 21 March 2024 Exploiting GLPI during a Red Team engagement

Tue 19 March 2024 Audit of Allbridge Core

Thu 07 March 2024 Leveraging Sourcetrail to a mapping tool, meet Numbat and Pyrrha

Thu 29 February 2024 BGE Attack on AES White-Boxes: Extending Blue Galaxy Energy for Decryption and Shuffled States

Thu 22 February 2024 How I Built a Car In a Box

Tue 13 February 2024 PHP deserialization attacks and a new gadget chain in Laravel

Tue 06 February 2024 DJI - The ART of obfuscation

Tue 16 January 2024 PixieFail: Nine vulnerabilities in Tianocore's EDK II IPv6 network stack.

Thu 21 December 2023 Blue Galaxy Energy: a new White-box Cryptanalysis Open Source Tool

Tue 07 November 2023 Our Pwn2Own journey against time and randomness (part 2)

Thu 26 October 2023 Workflow of a zkSync Era transaction: from generation to finalization

Mon 16 October 2023 Internship Offers for the 2023-2024 Season

Thu 12 October 2023 QBinDiff: A modular diffing toolkit

Tue 03 October 2023 Let’s Go into the rabbit hole (part 1) — the challenges of dynamically hooking Golang programs

Thu 21 September 2023 Reversing Windows Container, episode I: Silo

Thu 07 September 2023 Debugging Windows Isolated User Mode (IUM) Processes

Tue 29 August 2023 Diving into Starlink's User Terminal Firmware

Mon 21 August 2023 Breaking Secure Boot on the Silicon Labs Gecko platform

Mon 14 August 2023 Android Data Encryption in depth

Fri 23 June 2023 For Science! - Using an Unimpressive Bug in EDK II to Do Some Fun Exploitation

Tue 13 June 2023 Security audit of Mithril Security BlindAI

Wed 17 May 2023 PASTIS For The Win!

Tue 02 May 2023 Introducing TritonDSE: A framework for dynamic symbolic execution in Python

Thu 27 April 2023 Android greybox fuzzing with AFL++ Frida mode

Fri 31 March 2023 A gentle introduction to Microsoft OMI and how to crash it

Fri 24 March 2023 Our Pwn2Own journey against time and randomness (part 1)

Wed 22 March 2023 Audit of Falco, the open-source cloud-native runtime security

Tue 14 March 2023 Vulnerabilities in the TPM 2.0 reference implementation code

Tue 28 February 2023 Dark Phoenix: a new White-box Cryptanalysis Open Source Tool

Tue 07 February 2023 Post-Exploitation: Abusing the KeePass Plugin Cache

Thu 24 November 2022 Digging into the OCI Image Specification

Mon 17 October 2022 Internship Offers for the 2022-2023 Season

Thu 22 September 2022 Quokka: A Fast and Accurate Binary Exporter

Tue 30 August 2022 Defeating eBPF Uprobe Monitoring

Thu 11 August 2022 Attacking Titan M with Only One Byte

Thu 16 June 2022 Secure Messaging Apps and Group Protocols, Part 2

Tue 31 May 2022 Binbloom blooms: introducing v2

Tue 24 May 2022 Secure Messaging Apps and Group Protocols, Part 1

Tue 10 May 2022 Digging Into Runtimes – runc

Tue 26 April 2022 Commit Level Vulnerability Dataset

Tue 29 March 2022 A Brief Overview of Auditing XCMv2

Tue 22 March 2022 Heap Overflow in OpenBSD's slaacd via Router Advertisement

Thu 03 March 2022 Kubernetes and HostPath, a Love-Hate Relationship

Thu 03 February 2022 Smali the Parseltongue Language

Thu 13 January 2022 Audit of the MimbleWimble Integration Inside Litecoin

Tue 14 December 2021 Why is Exposing the Docker Socket a Really Bad Idea?

Tue 07 December 2021 Status of post-quantum cryptography implementation

Thu 18 November 2021 Digging into Linux namespaces - part 2

Tue 16 November 2021 Digging into Linux namespaces - part 1

Thu 14 October 2021 Mattermost End-to-End Encryption Plugin

Tue 12 October 2021 Internship Offers for the 2021-2022 Season

Thu 07 October 2021 kdigger: a Context Discovery Tool for Kubernetes

Tue 31 August 2021 Introducing QBDL: how to run the NVIDIA NGX SDK under Linux

Thu 29 July 2021 A virtual journey: From hardware virtualization to Hyper-V's Virtual Trust Levels

Tue 20 July 2021 Hello Rewind, meet world

Tue 13 July 2021 Guided tour inside WinDefender’s network inspection driver

Tue 18 May 2021 RFID: Monotonic Counter Anti-Tearing Defeated

Thu 29 April 2021 Audit of Session Secure Messaging Application

Tue 13 April 2021 Remote Denial-of-Service on CycloneTCP : CVE-2021-26788

Wed 07 April 2021 Analysis of a Windows IPv6 Fragmentation Vulnerability: CVE-2021-24086

Thu 04 March 2021 Extending Emuroot: support for Android 10 & 11

Thu 11 February 2021 QBDI 0.8.0

Thu 28 January 2021 Bad Neighbor on FreeBSD: IPv6 Router Advertisement Vulnerabilities in rtsold (CVE-2020-25577)

Thu 17 December 2020 Technical Assessment of the herumi Libraries

Thu 19 November 2020 RFID: New Proxmark3 Tear-Off Features and New Findings

Thu 12 November 2020 How the MSVC Compiler Generates XFG Function Prototype Hashes

Fri 16 October 2020 Beware the Bad Neighbor: Analysis and PoC of the Windows IPv6 Router Advertisement Vulnerability (CVE-2020-16898)

Thu 15 October 2020 Internships at Quarkslab 2020-2021: the COVID season

Thu 10 September 2020 Examining the August Smart Lock

Tue 18 August 2020 Introduction to Whiteboxes and Collision-Based Attacks With QBDI

Tue 04 August 2020 Why are Frida and QBDI a Great Blend on Android?

Thu 02 July 2020 A Deep Dive Into Samsung's TrustZone (Part 3)

Thu 25 June 2020 Triton v0.8 and ARMv7: A Guideline for Adding New Architectures

Tue 09 June 2020 Playing Around With The Fuchsia Operating System

Thu 28 May 2020 Ansible Security Assessment

Tue 12 May 2020 How a Security Anomaly was Accidentally Found in an EAL6+ JavaCard

Thu 07 May 2020 Reverse Engineering a VxWorks OS Based Router

Thu 23 April 2020 Triton v0.8 is Released!

Tue 24 March 2020 CVE-2020-0069: Autopsy of the Most Stable MediaTek Rootkit

Thu 13 February 2020 PhD Defense of Jonathan Salwan: Use of Symbolic Execution for Binary Deobfuscation

Thu 16 January 2020 Reverse Engineering a Philips TriMedia CPU based IP Camera - Part 3

Tue 17 December 2019 A Deep Dive Into Samsung's TrustZone (Part 2)

Tue 10 December 2019 A Deep Dive Into Samsung's TrustZone (Part 1)

Tue 26 November 2019 A Glimpse Into Tencent's Legu Packer

Tue 19 November 2019 Irma Past and Future

Thu 14 November 2019 CM Browser: HTTPS URL Leak

Tue 29 October 2019 EEPROM: When Tearing-Off Becomes a Security Issue

Thu 24 October 2019 Analysis of Qualcomm Secure Boot Chains

Thu 10 October 2019 Quarkslab Internship Offers for 2019-2020

Thu 03 October 2019 Exploring Execution Trace Analysis

Tue 24 September 2019 An Experimental Study of Different Binary Exporters

Wed 11 September 2019 Epona and the Obfuscation Paradox: Transparent for Users, a Pain for Reversers

Tue 10 September 2019 QBDI 0.7.0

Mon 09 September 2019 Weisfeiler-Lehman Graph Kernel for Binary Function Analysis

Mon 02 September 2019 Obfuscating Java bytecode with LLVM and Epona

Mon 26 August 2019 Security Audit of dalek libraries

Fri 02 August 2019 Security Audit of Monero RandomX

Mon 15 July 2019 CVE-2018-6924: FreeBSD ELF Header Parsing Kernel Memory Disclosure

Fri 05 July 2019 Security Audit of Particl Bulletproof and MLSAG

Tue 18 June 2019 LLDBagility: practical macOS kernel debugging

Mon 03 June 2019 Android Native Library Analysis with QBDI

Thu 16 May 2019 Android Application Diffing: Analysis of Modded Version

Tue 07 May 2019 An overview of macOS kernel debugging

Thu 02 May 2019 Android Application Diffing: CVE-2019-10875 Inspection

Mon 29 April 2019 Development of a training ECU

Wed 24 April 2019 Android Application Diffing: Engine Overview

Tue 16 April 2019 Reverse-engineering Broadcom wireless chipsets

Wed 27 March 2019 Android Runtime Restrictions Bypass

Thu 21 March 2019 Defeating NotPetya from your iLO

Mon 11 February 2019 Reverse Engineering a Philips TriMedia CPU based IP camera - Part 2

Tue 22 January 2019 Reverse Engineering a Philips TriMedia CPU based IP camera - Part 1

Mon 19 November 2018 Android Challenge

Wed 07 November 2018 Internship offers at Quarkslab for the 2018-2019 season

Thu 25 October 2018 Playing with the Windows Notification Facility (WNF)

Mon 22 October 2018 Security Audit of Monero Bulletproofs

Tue 16 October 2018 Unaligned accesses in C/C++: what, why and solutions to do it properly

Thu 11 October 2018 Back from CppCon 2018

Fri 14 September 2018 Modern Jailbreaks' Post-Exploitation

Thu 02 August 2018 Overview of Intel SGX - Part 2, SGX Externals

Tue 31 July 2018 Attacking the ARM's TrustZone

Wed 25 July 2018 A Story About Three Bluetooth Vulnerabilities in Android

Thu 12 July 2018 Symbolic Deobfuscation: From Virtualized Code Back to the Original (DIMVA 2018)

Tue 10 July 2018 Easy::jit: Just-In-Time compilation for C++

Thu 05 July 2018 Overview of Intel SGX - Part 1, SGX Internals

Thu 21 June 2018 Quarks In The Shell - Episode IV

Tue 19 June 2018 Introduction to Trusted Execution Environment: ARM's TrustZone

Mon 11 June 2018 LIEF 0.9

Thu 03 May 2018 When SideChannelMarvels meet LIEF

Thu 22 March 2018 Android Bluetooth Vulnerabilities in the March 2018 Security Bulletin

Wed 07 March 2018 Flash Dumping - Part II

Tue 20 February 2018 Frozen - zero cost initialization for immutable containers and various algorithms

Fri 02 February 2018 Reverse Engineering the Win32k Type Isolation Mitigation

Thu 25 January 2018 Slaying Dragons with QBDI

Wed 17 January 2018 Spectre is not a Bug, it is a Feature

Thu 02 November 2017 Have fun with LIEF and Executable Formats

Mon 30 October 2017 Internship offers at Quarkslab for the 2017-2018 season

Wed 11 October 2017 Reverse engineering of the Nitro OBD2

Thu 07 September 2017 Mistreating Triton

Tue 05 September 2017 Flash Dumping - Part I

Tue 18 July 2017 Vulnerabilities in High Assurance Boot of NXP i.MX microprocessors

Wed 28 June 2017 Reverse Engineering Samsung S6 SBOOT - Part II

Fri 09 June 2017 PhD defense of Ninon Eyrolles: Obfuscation with Mixed Boolean-Arithmetic Expressions: Reconstruction, Analysis and Simplification Tools

Mon 22 May 2017 Frozen - An header-only, constexpr alternative to gperf for C++14 users

Thu 11 May 2017 Security Assessment of OpenVPN

Tue 02 May 2017 Exploiting MS16-145: MS Edge TypedArray.sort Use-After-Free (CVE-2016-7288)

Tue 04 April 2017 LIEF - Library to Instrument Executable Formats

Wed 08 March 2017 Make Confide great again? No, we cannot

Tue 07 March 2017 Reverse Engineering Samsung S6 SBOOT - Part I

Thu 23 February 2017 Analysis of MS16-104: .URL files Security Feature Bypass (CVE-2016-3353)

Wed 01 February 2017 Global Dead Code Elimination for LLVM, revisited

Mon 19 December 2016 Differential Fault Analysis on White-box AES Implementations

Wed 14 December 2016 CVE-2016-7259: An empty file into the blue

Mon 24 October 2016 Internship offers at Quarkslab for the 2016-2017 season

Thu 20 October 2016 No Tears, No Fears

Mon 17 October 2016 Security Assessment of VeraCrypt: fixes and evolutions from TrueCrypt

Wed 05 October 2016 Back from CppCon 2016

Wed 21 September 2016 On the fly virtualization with Cappsule

Mon 12 September 2016 Arybo: cleaning obfuscation by playing with mixed boolean and arithmetic operations

Thu 04 August 2016 Xen exploitation part 3: XSA-182, Qubes escape

Wed 27 July 2016 Xen exploitation part 2: XSA-148, from guest to host

Wed 29 June 2016 A brief survey of Fully Homomorphic Encryption, computing on encrypted data

Wed 25 May 2016 Xen exploitation part 1: XSA-105, from nobody to root

Wed 20 April 2016 Reversing a Finite Field Multiplication Optimization

Mon 28 March 2016 Implementing a Custom Directive Handler in Clang

Wed 09 March 2016 Binmap: a system scanner

Fri 04 March 2016 Windows Filtering Platform: Persistent state under the hood

Fri 05 February 2016 IRMA v1.3.0

Thu 07 January 2016 Clang Hardening Cheat Sheet

Mon 30 November 2015 Offres de stages Quarkslab pour la saison 2015-2016

Thu 12 November 2015 Remote Code Execution as System User on Android 5 Samsung Devices abusing WifiCredService (Hotspot 2.0)

Tue 03 November 2015 llvm_dev_meeting:

Tue 27 October 2015 goto llvm_dev_meeting;

Wed 23 September 2015 What theoretical tools are needed to simplify MBA expressions?

Mon 21 September 2015 Kernel Vulnerabilities in the Samsung S4

Wed 05 August 2015 A glimpse of ext4 filesystem-level encryption

Wed 08 July 2015 Why 2FA would not have saved HT?

Thu 25 June 2015 Security assessment of instant messaging app ChatSecure: when privacy matters

Wed 10 June 2015 Triton under the hood

Mon 01 June 2015 Turning Regular Code Into Atrocities With LLVM: The Return

Fri 15 May 2015 HiTB Challenge: IRMA - Results

Fri 17 April 2015 HiTB Challenge: IRMA

Mon 23 March 2015 MongoDB vs. Elasticsearch: The Quest of the Holy Performances

Mon 23 February 2015 Writing your own Analyzer for the Open-Source Multi-Scanner IRMA

Mon 02 February 2015 Turning Regular Code Into Atrocities With LLVM

Thu 04 December 2014 Deobfuscation: recovering an OLLVM-protected program

Tue 11 November 2014 Abusing Samsung KNOX to remotely install a malicious application: story of a half patched vulnerability

Wed 22 October 2014 Stages et alternances 2014-2015

Tue 23 September 2014 Python Challenge: The End

Thu 04 September 2014 You like Python, security challenge and traveling? Win a free ticket to HITB KUL!

Mon 25 August 2014 SCAF - Source Code Analysis Framework based on Clang - Pre-alpha preview

Fri 27 June 2014 A glance at compiler internals: Keep my memset

Wed 11 June 2014 USB Fuzzing Basics: From fuzzing to bug reporting

Fri 16 May 2014 Building an obfuscated Python interpreter: we need more opcodes

Mon 12 May 2014 Convert IPv4 string representation to a 32-bit number with SSE instructions

Tue 01 April 2014 Windows 8 ate my cookie

Wed 22 January 2014 TCP backdoor 32764 or how we could patch the Internet (or part of it ;))

Tue 21 January 2014 An Angular introduction, and things to keep in mind

Thu 19 December 2013 Have you ever played with Domino?

Wed 20 November 2013 IDA processor module

Thu 17 October 2013 iMessage Privacy

Mon 09 September 2013 Unique random number set computation

Fri 02 August 2013 Evasi0n Jailbreak: Precisions on Stage 3

Sat 13 July 2013 Visual C++ RTTI Inspection

Wed 13 March 2013 qb-sync v2

Wed 15 August 2012 Bradley, hash-and-decrypt, Gauss ... a brief history of armored malware and malicious crypto

Mon 09 July 2012 qb-sync

Mon 14 May 2012 Quarks PwDump

Wed 25 April 2012 Runtime DLL name resolution: ApiSetSchema - Part II

Fri 06 April 2012 Runtime DLL name resolution: ApiSetSchema - Part I