sixtyvividtails
@sixtyvividtails.bsky.social
probably not a mimic
You mean DllMain load reason?

0: DLL_PROCESS_DETACH
...
4: DLL_PROCESS_VERIFIER
From ntdll!AVrfpLoadAndInitializeProvider, ctx: [outptr] address of ptr to RTL_VERIFIER_PROVIDER_DESCRIPTOR.

5: DLL_PROCESS_VERIFIER_TABLE
From ntdll!AvrfMiniLoadDll, ctx: address of ptr to RTL_VERIFIER_HELPER_TABLE.
October 6, 2025 at 1:19 AM
...and I was wondering why 🌸🌸 count suddenly increased by like 10%; thanks for shoutout! 😸

And it's a great rebuttal, really nice to know forwarders are actually used. It seems some are even used in a pretty good way, like python3.dll -> python3X.dll.
September 5, 2025 at 5:26 PM
Well, at least exports are not rebuilt in some appended section, so we can add a few extra points of credibility. 😽
August 20, 2025 at 11:07 PM
Ooh! Wow! But is it Real? 🤭
It's hard to imagine why RealTek would make something like that. On the other hand, if it was edited with malicious intent, what was even the purpose?..
I don't have access to VT nowadays, would be interesting to check out.
August 20, 2025 at 10:45 PM
Hypothesis: no legit vendor beside Microsoft makes dlls with forwarded exports.
August 20, 2025 at 2:40 PM
Relaunch feature is funny, didn't expect it.
Btw, this app is called servercoreshell.exe because it's a shell.. on Server Core SKUs. Yeah, those GUI-less OS versions where even the explorer.exe binary is absent by default.
The calcflood happens coz calc terminates (after launching own lesser clone). 😺
August 17, 2025 at 8:56 AM
🔙🕛1582⚡

Set-Date 1601-10-08;if($?){$b=60*24*365*19;`
$x={Add-Type -m "[DllImport(`"ntdll`")]public static extern int $f(int a,int$args b,int c,int[]d);"$f$f -pas};`
$f='RtlAdjustPrivilege';(&$x)::$f(34,1,0,0);`
$f='NtSetSystemInformation';(&$x [])::$f(93,(,$b+(,0*42)),172,0)}

(that kills your app)
August 16, 2025 at 4:54 PM
Windows SystemTime is # of centums (100ns units) since 1601-01-01. Thus NtSetSystemTime(&zero) only gets you to 1601.
We need an extra 19 years!

💡 No UTC in 1582 yet: we can make use of Local Time.
Use SystemTimeZoneInformation to set Timezone Bias: ±68 years (±2³¹ s), 60s grain.

Enjoy your weekend 😺
August 16, 2025 at 4:54 PM
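The 1601 floor and the 19-year bias described in the post above, worked through as an added Python example (this is not code from the post or from its author): it decodes SystemTime/FILETIME ticks, applies the Windows convention UTC = local + Bias, and plugs in the post's own values (Set-Date 1601-10-08, $b = 60*24*365*19 minutes, a ±2³¹ s bias range at 60 s grain). The function names and the range check are this example's own assumptions, written for checking timestamps in forensic tooling rather than for setting the clock.

```python
# Added example, not from the original posts. Windows FILETIME/SystemTime is
# an unsigned count of 100 ns ticks since 1601-01-01 UTC, so UTC itself can
# never show a year before 1601; only the timezone Bias can move the
# *displayed* local time earlier. Limits below are the ones the post states.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000      # one tick = 100 ns
BIAS_GRAIN_SECONDS = 60            # Bias is expressed in whole minutes
MAX_BIAS_SECONDS = 2 ** 31         # +/-2^31 s range, as stated in the post


def filetime_to_utc(ticks: int) -> datetime:
    """Decode a tick count (100 ns since 1601-01-01 UTC) into a UTC datetime."""
    if ticks < 0:
        raise ValueError("FILETIME is unsigned: nothing before 1601 is representable in UTC")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(when: datetime) -> int:
    """Encode a UTC datetime as a tick count (what NtSetSystemTime would store)."""
    delta = when - FILETIME_EPOCH
    if delta < timedelta(0):
        raise ValueError("date precedes the 1601-01-01 epoch")
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def bias_minutes_for_years(years: int) -> int:
    """The post's $b: 60*24*365*years minutes (365-day years, no leap days)."""
    return 60 * 24 * 365 * years


def check_bias(bias_minutes: int) -> int:
    """Reject a Bias outside the signed 32-bit second range the post describes."""
    seconds = bias_minutes * BIAS_GRAIN_SECONDS
    if not -MAX_BIAS_SECONDS <= seconds < MAX_BIAS_SECONDS:
        raise ValueError(f"bias of {seconds} s is outside +/-2^31 s")
    return bias_minutes


def local_time(utc: datetime, bias_minutes: int) -> datetime:
    """Windows convention: UTC = local + Bias, hence local = UTC - Bias."""
    check_bias(bias_minutes)
    return utc - timedelta(minutes=bias_minutes)


def displayed_date(system_time_ticks: int, bias_minutes: int) -> datetime:
    """Local wall-clock time a machine would show for a given SystemTime and Bias."""
    return local_time(filetime_to_utc(system_time_ticks), bias_minutes)


def demo_1582(set_date=(1601, 10, 8), years=19) -> tuple:
    """Replay the post's numbers: Set-Date 1601-10-08 plus a 19-year Bias."""
    utc = datetime(*set_date, tzinfo=timezone.utc)
    shown = displayed_date(utc_to_filetime(utc), bias_minutes_for_years(years))
    return (shown.year, shown.month, shown.day)


if __name__ == "__main__":
    print("UTC floor:", filetime_to_utc(0).date())        # 1601-01-01
    print("displayed:", demo_1582())                      # (1582, 10, 13)
```

Because $b counts 365-day years, the 19 "years" fall five leap days short, which is why the displayed date lands on 1582-10-13 rather than 1582-10-08; the same check_bias() accepts a 68-year Bias and rejects 69, matching the post's ±68 years.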
Hey, don't play the UNO reverse card on me here! It is the challenge, to determine what is the intended purpose and meaning of the returned value. What score did you get here, 80? Less? That's okay, one of my old computers got 23. 😂
August 1, 2025 at 5:22 PM
…or #bsod instead:

cmd /v/k"set A=A&(for /L %i in (1,1,9)do set A=!A!!A!)&set R=reg add HKLM\SYSTEM\CurrentControlSet\Services\scmbus /f /t 3 /v &!R!ForceReadCachedLabels /d C!A!B!A!1&(for %v in (EnableLabelCache CreateSimulatedRamdiskRootDevice RamdiskSizeInBytes)do !R!%v /d DAC5)&sc start scmbus"
June 16, 2025 at 4:10 PM
Make pmem/nvdimm #dax RAM📀, 0x1234_MB:

cmd /v/c"set R=reg add HKLM\SYSTEM\CurrentControlSet\Services\scmbus /f /v&!R! CreateSimulatedRamdiskRootDevice /t 4 /d 1 &!R! RamdiskSizeInBytes /t 11 /d 0x123400000 &sc start scmbus"

maybe reboot; partition, and
format X: /fs:ntfs /Q /L /DAX
June 15, 2025 at 12:23 PM
1. Pause thread midway in exploit races (even ⓪).
2. Or block entire CPU core. Kernel APCs run at APC_LEVEL (🤯), so thread scheduling is kinda disabled (think priority == ∞).
3. Or build upon @hasherezade.bsky.social work & generalize #WaitingThreadHijacking — making it, in fact, Waitless.
May 6, 2025 at 10:06 PM
Oh no, be careful! This creature may look cute, but that calm smile hides something cunning and unpredictable!
March 1, 2025 at 12:21 PM