glibc malloc/free Source Code Analysis
This article analyzes Linux memory allocation and deallocation from the GLIBC source code. Understanding the relevant data structures and memory management mechanisms is fundamental to heap exploitation.
Running into errors when installing pwntools on Mac — a common issue and its fix.
A summary of commonly used GDB commands.
On Windows 7 the legacy at command was still available, and its jobs were stored as individual .job files under the Tasks folder. From Windows 8 onward at is deprecated and scheduled tasks are managed only through schtasks.exe and the modern Task Scheduler service, which keeps its task metadata in the registry.
Previously in Deep Dive into Windows Scheduled Tasks and Malicious Hiding Techniques, I described the general meaning of some fields in the registry but didn’t research the specific content structures, especially the binary Triggers, Actions, and other fields.
By referencing public materials and the GhostTask project, I roughly outlined the differences in Triggers and Actions structures between Win8.1 and Win10, which may be useful later.
I recently saw a tweet from @AndrewOliveau. Just reading the description “arbitrary file deletions to SYSTEM” felt magical: an arbitrary file deletion vulnerability that can be turned into local privilege escalation. After reading through it with questions in mind, I found that the general approach leverages Windows’ MSI installation rollback mechanism. Seeing “Config.Msi” felt very familiar, because two or three years ago I had studied this in depth and even crafted a custom MSI package to test it. It was awesome, but I didn’t take notes and forgot about it after having fun, so now this topic has resurfaced. However, this isn’t the main focus of the article; rather, it’s about “how to turn a fixed ordinary-user file deletion into an arbitrary file deletion vulnerability.”
Cryptominers, ransomware, and certain rogue software frequently leverage scheduled tasks and WMI permanent event subscriptions to periodically execute fileless backdoors or hijack browser homepages. How do you investigate these using PowerShell?
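As an added example (not code from the original post), the following PowerShell triage script covers the two persistence mechanisms just named: it lists scheduled-task Exec actions whose command lines match common fileless-loader patterns, cross-checks the Task Scheduler registry cache for tasks that no longer appear in the Tree view (one way tasks are hidden from schtasks and Get-ScheduledTask), and resolves every WMI __FilterToConsumerBinding to its filter query and consumer payload. The regular expression in `$suspicious` is an assumed starting point, not an exhaustive indicator list; Get-ScheduledTask requires Windows 8 / Server 2012 or later, and the registry and root\subscription queries need an elevated session.

```powershell
# Added example, not from the original post. Run elevated on Windows 8+ / PowerShell 5.1+.

# Assumed indicator patterns for fileless loaders and homepage hijackers; tune for your environment.
$suspicious = 'powershell[^|]*(-e\b|-enc|-encodedcommand|downloadstring|iex\b|invoke-expression)|' +
              '\b(mshta|regsvr32|rundll32|wscript|cscript|certutil|bitsadmin)\b|' +
              'https?://|\.hta\b|\.vbs\b|\.js\b|\\Temp\\|\\AppData\\'

function Get-SuspiciousScheduledTask {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            # Only Exec actions carry a command line; COM-handler actions expose ClassId instead.
            if ($action.PSObject.Properties.Name -notcontains 'Execute') { continue }
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmd -match $suspicious) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Author   = $task.Author
                    RunAs    = $task.Principal.UserId
                    Command  = $cmd
                    Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                    LastRun  = $info.LastRunTime
                    NextRun  = $info.NextRunTime
                }
            }
        }
    }
}

function Get-HiddenRegistryTask {
    # Task Scheduler keeps one key per task under TaskCache\Tasks\{GUID} (with binary Triggers/Actions
    # values) and a folder-like view under TaskCache\Tree whose leaf keys carry the task's Id.
    # A task present in Tasks but absent from Tree is not enumerated by schtasks / Get-ScheduledTask.
    $cache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
    $treeIds = Get-ChildItem "$cache\Tree" -Recurse |
               ForEach-Object { (Get-ItemProperty $_.PSPath -Name Id -ErrorAction SilentlyContinue).Id } |
               Where-Object { $_ }
    Get-ChildItem "$cache\Tasks" | ForEach-Object {
        if ($treeIds -notcontains $_.PSChildName) {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Id            = $_.PSChildName
                Path          = $p.Path
                Author        = $p.Author
                TriggersBytes = if ($p.Triggers) { $p.Triggers.Length } else { 0 }   # raw REG_BINARY blob
                ActionsBytes  = if ($p.Actions)  { $p.Actions.Length }  else { 0 }   # raw REG_BINARY blob
            }
        }
    }
}

function Get-WmiPersistence {
    # Permanent WMI subscriptions live in root\subscription as filter + consumer + binding triples.
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    foreach ($b in (Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)) {
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer runs inline script.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   elseif ($c.ScriptText)      { $c.ScriptText }
                   else                        { $c.CimClass.CimClassName }
        [pscustomobject]@{
            Filter       = $f.Name
            Query        = $f.Query
            ConsumerType = $c.CimClass.CimClassName
            Consumer     = $c.Name
            Payload      = $payload
            Suspicious   = [bool]($payload -match $suspicious)
        }
    }
}

Write-Host '== Scheduled tasks with suspicious command lines =='
Get-SuspiciousScheduledTask | Format-Table -AutoSize -Wrap
Write-Host '== Tasks in TaskCache\Tasks but missing from TaskCache\Tree =='
Get-HiddenRegistryTask | Format-Table -AutoSize
Write-Host '== WMI permanent event subscriptions =='
Get-WmiPersistence | Format-List
```

On a clean system the second and third sections should be empty or contain only well-known vendor entries (for example the SCM event-log consumer shipped by Windows), so anything that shows a PowerShell -enc payload, a script in a user-writable directory, or a filter that fires every few minutes deserves a closer look at the task's XML or the consumer's full text.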
Hell’s Gate is a direct syscall technique on Windows that resolves system call numbers from ntdll at runtime and invokes them without passing through the hooked ntdll stubs, bypassing most user-mode (ring 3) EDR hooks. Some quick notes on the topic.
Injecting a filter-based memory shell in Resin to intercept and exfiltrate interface response data.
Overly permissive ACLs on several system files, including the SAM hive, allow members of the built-in Users group to read the SAM under certain circumstances, leading to local privilege escalation.
The vulnerability lies in the Windows graphics driver win32kfull.sys. When win32kfull!NtUserCreateWindowEx creates a window whose tagWND→cbWndExtra is non-zero, it calls win32kfull!xxxClientAllocWindowClassExtraBytes, which calls back into the user-mode function user32.dll!__xxxClientAllocWindowClassExtraBytes to allocate the extra bytes. An attacker can hook this user-mode function and use ntdll!NtCallbackReturn to hand an arbitrary value back to the kernel. If tagWND→flag has the 0x800 bit set, the kernel treats that value not as a pointer but as an offset from the base of the kernel desktop heap. A user-mode call to NtUserConsoleControl can set the 0x800 bit on the window, so the attacker-controlled return value is then used directly as a heap offset, yielding an out-of-bounds memory access. Using the resulting out-of-bounds read and write primitives, the attacker copies the SYSTEM process token into the current process to escalate privileges.