Evan McBroom EvanMcBroom

LSA Whisperer

Thank you to SpecterOps for supporting this research, to Elad for helping draft this blog, and to Sarah, Daniel, and Adam for proofreading and editing! Crossposted on the SpecterOps Blog.

What follows is the culmination of two years of research with funding by SpecterOps and contributions from many of my coworkers.

Special thanks are needed to Elad, Lee, Will, Daniel, and Kai. Elad, Lee, and Will have contributed several ideas to the project, which are documented here, and have each spent multiple days testing the tool. Daniel has answered all of my inevitable questions about AzureAD (whoops, now Ent

Sleepy - Python Tooling for Sleep

Thank you to SpecterOps for supporting this research and to Sarah, Cody, and Daniel for proofreading and editing! Crossposted on the SpecterOps Blog.

TL;DR: You can use sleepy to automate common tasks when working with Sleep code.

Raphael Mudge created the embeddable scripting language, Sleep, in April 2002. Sleep was designed to extend Java applications and has been used in few projects; most notably Cobalt Strike.

Perfect Loader Implementations

Thank you to SpecterOps for supporting this research and to Lee and Sarah for proofreading and editing! Crossposted on the SpecterOps Blog.

TLDR: You may use fuse-loader or perfect-loader as examples for extending an OS's native loader to support in-memory libraries.

Some software applications require the ability to load dynamic libraries from the memory of the application's own process. The majority of desktop OSes do not support this use case, so a number of developers have reimplemented the process of loading a library to overcome this limitation.

Encrypting Strings at Compile Time

Thank you to SpecterOps for supporting this research and to Duane and Matt for proofreading and editing! Crossposted on the SpecterOps Blog.

TLDR: You may use this header file for reliable compile time string encryption without needing any additional dependencies.

Programmers of DRM software, security products, or other sensitive code bases are commonly required to minimize the amount of human readable strings in binary output files. The goal of the minimization is to hinder others from reverse engineering their proprietary technology.

Common approaches that are taken to meet this requirement often add an additional maintenance burden to the developer and are prone to error. These approaches will be presented along with t

PIC and String Literals Part 2

I previously wrote about how to use macro metaprogramming to simplify using string literals in position independent code (PIC). The results are summarized in the below code snippet and the article can be read on GitHub.

void f() {
    // Example 1: The Pic idiom for instantiating a string
    char picString1[]{ 'a', 'b', 'c' };

	// Copyright (C) 2023 Evan McBroom
	// Originally authored October 19th, 2023.
	//
	// Geoff Chappell first documented the format of the loader lock cookie on November 26th, 2008.
	// His work is applied here to unlock the loader lock without knowing the original cookie that
	// LdrLockLoaderLock returned. This same example code may be safely used in DllMain to unlock
	// the loader lock and execute code that would otherwise deadlock the loader.
	// Sources:
	// - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/ldrapi/lockloaderlock.htm
	// - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/ldrapi/unlockloaderlock.htm

	// Copyright (C) 2024 Evan McBroom

	#include <Windows.h>
	#include <iostream>
	#include <vector>
	#include <WbemCli.h>
	#include <atlbase.h>
	#include <iomanip>

	// The modified, compiled IDL file from:

	# Copyright (C) 2023 Evan McBroom

	cmake_minimum_required(VERSION 3.21.0)
	project(transacted-fmapi
	LANGUAGES CXX
	)
	set(CMAKE_CXX_STANDARD 17)
	set(CMAKE_CXX_STANDARD_REQUIRED YES)
	set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")

	/*
	* Research by Evan McBroom and Chris Thompson (@_Mayyhem)
	* Roger Zander made security recommendations for SCCM based on the claim that NAA credentials could be recovered.
	* Source: https://rzander.azurewebsites.net/network-access-accounts-are-evil/
	* Roger stated that recover was "possible with a few lines of code" but did not provide any code. Here is working code.
	*/

	#include <Windows.h>
	#include <stdio.h>

	// Copyright (C) 2022 Evan McBroom
	//
	// Permission is hereby granted, free of charge, to any person obtaining a copy
	// of this software and associated documentation files (the "Software"), to deal
	// in the Software without restriction, including without limitation the rights
	// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	// copies of the Software, and to permit persons to whom the Software is
	// furnished to do so, subject to the following conditions:
	//
	// The above copyright notice and this permission notice shall be included in