https://blogs.law.harvard.edu/tech/rss https://www.guitmz.com/ Recent content on TMZ Lair - Underground Coding https://www.guitmz.com/ http://img06.deviantart.net/94d5/i/2011/074/7/4/crunchbang_simple_by_mlsandahl-d3bptxx.png 1440 Hugo 0.54.0 en-US Mon, 26 Aug 2024 10:04:00 UT https://www.guitmz.com/linux-nasty-elf-virus/ Wed, 18 May 2022 08:52:59 UT Guilherme Thomazi https://www.guitmz.com/linux-nasty-elf-virus/ Overview This code was originally published in the first issue of tmp.0ut zine - an ELF Research Group founded by me and a super talented group of friends in early 2021. This project was finished literally minutes before the deadline we set. Living on the edge! In general, it took me around a couple of months to complete it, most of the time was dedicated to its core infection routine since the auxiliary sections are common file I/O operations that I’m already familiar with. Technology https://www.guitmz.com/linux-midrashim-elf-virus/ Mon, 18 Jan 2021 19:01:11 UT Guilherme Thomazi https://www.guitmz.com/linux-midrashim-elf-virus/ Overview My interest in Assembly language started when I was a kid, mainly because of computer viruses of the DOS era. I’ve spent countless hours contemplating my first humble collection of source codes and samples (you can find it at https://github.com/guitmz/virii) and to me, it’s cool how flexible and creative one can get with Assembly, even if its learning curve is steep. I’m an independant malware researcher and wrote this virus to learn and have fun, expanding my knowledge on the several ELF attack/defense techniques and Assembly in general. Technology https://www.guitmz.com/having-fun-with-ansi-codes-and-x64-linux-assembly/ Sun, 27 Dec 2020 09:04:08 UT Guilherme Thomazi https://www.guitmz.com/having-fun-with-ansi-codes-and-x64-linux-assembly/ Overview How can one not find command line art amusing? Specially when we are talking about computer viruses and even more so when referencing MS-DOS ones. The 16 bit era gave us some of the most interesting computer virus payloads of all time, but achieving something like this today is not as “trivial” anymore. As Linux is my OS of choice, I wanted to find something that could get close to these MS-DOS fun payloads for my own modern viruses, and, while it’s possible to write directly to the framebuffer, I wanted to try something related to terminal emulators instead. Technology https://www.guitmz.com/linux-fe2o3-rust-virus/ Fri, 06 Sep 2019 13:35:51 UT Guilherme Thomazi https://www.guitmz.com/linux-fe2o3-rust-virus/ Overview Everytime I try to learn a new programming language, I try by port my prependers (Linux.Zariche, Linux.Liora, Linux.Cephei). Despite the code simplicity , it gives me the chance to understand very useful things in a language, like error handling, file i/o, encryption, memory and a few of its core libraries. This time, Rust is the language and I must say that I was impressed by its compiler and error handling, but the syntax is still not 100% clear to me (as you can see from my rudimentar code in Linux. Technology https://www.guitmz.com/linux-elf-runtime-crypter/ Fri, 26 Apr 2019 10:31:20 UT Guilherme Thomazi https://www.guitmz.com/linux-elf-runtime-crypter/ "Even for Elves, they were stealthy little twerps. They'd taken our measure before we'd even seen them." — Marshall Volnikov Last month I wrote a post about the memfd_create syscall and left some ideas in the end. Today I’m here to show an example of such ideas implemented in an ELF runtime crypter (kinda lame, I know, but good for this demonstration). What is it? Glad you asked. Technology https://www.guitmz.com/running-elf-from-memory/ Wed, 27 Mar 2019 12:01:50 UT Guilherme Thomazi https://www.guitmz.com/running-elf-from-memory/ Something that always fascinated me was running code directly from memory. From Process Hollowing (aka RunPE) to PTRACE injection. I had some success playing around with it in C in the past, without using any of the previous mentioned methods, but unfortunately the code is lost somewhere in the forums of VXHeavens (sadly no longer online) but the code was buggy and worked only with Linux 32bit systems (I wish I knew about shm_open back then, which is sort of an alternative for the syscall we are using in this post, mainly targeting older systems where memfd_create is not available). Technology https://www.guitmz.com/lenovo-thinkpad-e485-review/ Mon, 13 Aug 2018 13:11:50 UT Guilherme Thomazi https://www.guitmz.com/lenovo-thinkpad-e485-review/ Last year I built a PC with a AMD Ryzen 5 1600 and I was truly impressed. Then now its time for me to get a new laptop and it was only natural to look for something that had AMD in it. I am very excited for my first Thinkpad, I even starting writing the same day as I ordered the unit (which took its damn time to be delived. Technology https://www.guitmz.com/return-to-crunchbang-with-openbox-opensuse/ Wed, 17 Jan 2018 09:42:12 UT Guilherme Thomazi https://www.guitmz.com/return-to-crunchbang-with-openbox-opensuse/ I’ve been running OpenSUSE (Tumbleweed) for some years now and KDE was my Desktop Environment of choice since years ago but before that, I was a die hard user of the Crunchbang (#!) Linux distro, which featured an awesome gray Openbox desktop. The simplicity Crunchbang offered is something that I missed during the years and after I found out that the community had revived the project in the for of Crunchbangplusplus and also Bunsenlabs, I just had to try it again but this time OpenSUSE Tumbleweed was my choice, instead of the good old Debian. Technology https://www.guitmz.com/yet-another-weather-indicator/ Tue, 16 Jan 2018 10:08:08 UT Guilherme Thomazi https://www.guitmz.com/yet-another-weather-indicator/ Recently I started using Openbox as my WM again (after a long time with KDE, the nostalgia hit me). After I had everything working as I wanted to, I noticed the lack of a weather indicator in my systray. Usually, the desktop environments I have used (Gnome, KDE, Mate) have some sort of applet for this included and I really never bothered (when I was using Openbox before, I had some hacky script that would display the weather in my tint2, but I can’t find it anymore). Technology https://www.guitmz.com/more-fun-with-elf-files-and-golang-code-caves/ Fri, 08 Sep 2017 15:00:33 UT Guilherme Thomazi https://www.guitmz.com/more-fun-with-elf-files-and-golang-code-caves/ A code cave is a piece of code that is written to a process's memory by another program. The code can be executed by creating a remote thread within the target process. The Code cave of a code is often a reference to a section of the code’s script functions that have capacity for the injection of custom instructions. For example, if a script’s memory allows for 5 bytes and only 3 bytes are used, then the remaining 2 bytes can be used to add external code to the script. https://www.guitmz.com/linux-cephei-a-nim-virus/ Thu, 31 Aug 2017 15:30:50 UT Guilherme Thomazi https://www.guitmz.com/linux-cephei-a-nim-virus/ Nim is a systems and applications programming language. It has nice features such as producing dependency-free binaries, running on a huge list of operating systems and architectures and compiling to C, C++ or JavaScript. I’ve been messing with it for a while and I am very pleased with it. To be honest, Nim and Go have been my choices when I need to start a new project (goodbye Python, at least for now). Technology https://www.guitmz.com/from-ghost-to-hugo-netlify/ Fri, 21 Jul 2017 13:54:01 UT Guilherme Thomazi https://www.guitmz.com/from-ghost-to-hugo-netlify/ For a while now I have been thinking in migrating this blog to Hugo (from Ghost), mainly because I wanted save 10 bucks a month that were being spent on my DigitalOcean VPS that I was using to run the website (with Docker + Nginx + Let’s Encrypt SSL). DigitalOcean is great, but I simply lack the time to manage the installation, updating the OS, updating Ghost itself, renewals of the SSL certificate, etc. https://www.guitmz.com/about/ Fri, 21 Jul 2017 13:43:55 UT Guilherme Thomazi https://www.guitmz.com/about/ GitHub LinkedIn Keybase thomazi@linux.com or tmz@null.net Twitter (or this other profile) https://www.guitmz.com/having-fun-with-elf-files-and-golang/ Tue, 19 May 2015 15:01:14 UT Guilherme Thomazi https://www.guitmz.com/having-fun-with-elf-files-and-golang/ Now I will show how GoLang interacts with ELF files in a generic example. You could look further into the native module here. I do recommend reading it, I am using some bits of code extracted directly from the module source. It is basically the same idea as the PE, similar module. You can extend it depending on your needs. Here you go. package main import ( "fmt" "io" "os" "debug/elf" ) func check(e error) { if e ! https://www.guitmz.com/having-fun-with-pe-files-and-golang/ Fri, 15 May 2015 15:03:27 UT Guilherme Thomazi https://www.guitmz.com/having-fun-with-pe-files-and-golang/ New blog design, new post. Today I will show how GoLang interacts with PE files in a generic example. You could look further into the native module here or even check its source code here. I do recommend reading it, I am using some bits of code extracted directly from the module source. Here you go. package main import ( "fmt" "debug/pe" "os" "io" "encoding/binary" ) func check(e error) { if e ! https://www.guitmz.com/win32-liora-b/ Fri, 15 May 2015 15:01:13 UT Guilherme Thomazi https://www.guitmz.com/win32-liora-b/ So I decided to port my Linux.Liora (https://github.com/guitmz/go-liora) Go infector to Win32 and it worked great. Minor tweaks were needed in the code, you can run a diff between both and check it out. EDIT: Fixed the PE verification routine, it checks for a proper PE file now. Thanks hh86! Virus source: /* * Win32.Liora.B - This is a POC PE prepender written in Go by TMZ (2015). * * Win32. https://www.guitmz.com/linux-liora/ Fri, 15 May 2015 14:54:23 UT Guilherme Thomazi https://www.guitmz.com/linux-liora/ So this guy asks me in a job interview last week “Have you ever developed in Go?” and well what’s best to learn a language than writting a prepender (probably a lot of things but don’t kill my thrill)? There you have it, the probably first ever binary infector written in GoLang (SPTH LIP hxxp://spth.virii.lu/LIP.html “outdately” confirms that - replace hxxp with http, this website is wrongly classified as malicious for some security tools). https://www.guitmz.com/dynamic-api-calls-net/ Fri, 15 May 2015 04:47:28 UT Guilherme Thomazi https://www.guitmz.com/dynamic-api-calls-net/ Today I’m going to share a way to call APIs without DLLImport. I’ve first saw this years ago at OpenSC.ws as far as I remember and got into the idea. The code was lost since then but I found a copy. Program.cs using System; using System.Reflection; namespace APICaller { class Program { ``` public static void Main(string[] args) { Console.Title = "Dynamic API Caller"; Console.WriteLine("Press any key to call your API! https://www.guitmz.com/net-mbr-dump-part1/ Wed, 13 May 2015 08:47:38 UT Guilherme Thomazi https://www.guitmz.com/net-mbr-dump-part1/ Greetings. Years ago I was messing around with Windows MBR (VXHeaven thread) and got stuck while trying to write a modified copy back to the disk. I’m calling this “Part 1” because I’m still stuck at this and plan to get back on my research. Anyways, it will be a short post, just to share where I was at that time. using System; using System.Runtime.InteropServices; using Microsoft.Win32.SafeHandles; using System.IO; namespace MBR { class MainClass {[DllImport("Kernel32. https://www.guitmz.com/a-steganographic-net-executable/ Tue, 14 Apr 2015 14:42:01 UT Guilherme Thomazi https://www.guitmz.com/a-steganographic-net-executable/ A while ago, alcopaul suggested a .NET executable that could store a secret message inside. While I did not followed his strict theory, I did wrote a working proof of concept, very basic and dirty but, well, it’s only a POC. Here we go (dirty code, do not judge me): Our includes for this application. using System; using System.Reflection; using System.IO; using System.Windows.Forms; using System.Security.Cryptography; I’ll now show you the methods I’m using here. https://www.guitmz.com/net-injection-cecil/ Fri, 10 Apr 2015 14:40:09 UT Guilherme Thomazi https://www.guitmz.com/net-injection-cecil/ This may not be news for everyone but I find it interesting. Mono.Cecil is a impressive work and can provide a lot of cool features such as runtime .NET assembly manipulation. We can inject opcodes (IL instructions) into a target assembly, transforming it as we wish. Here’s the test scenario: A dummy C# application like the one below, compile it to get it’s executable file, that’s what we need (https://github.com/guitmz/msil-cecil-injection). https://www.guitmz.com/vala-virus/ Fri, 10 Apr 2015 14:29:09 UT Guilherme Thomazi https://www.guitmz.com/vala-virus/ Vala is an object-oriented programming language with a self-hosting compiler that generates C code and uses the GObject system. Vala is syntactically similar to C# and and rather than being compiled directly to assembly or to another intermediate language, Vala is source-to-source compiled to C, which is then compiled with a platform’s standard C compiler, such as GCC. You can also create VAPI files which are basically native C (not C++) functions you can import to Vala code (I will show an example later).