open_safety
Microsoft Research Detours Package
open_safety | Microsoft Research Detours Package | |
---|---|---|
14 | 17 | |
35 | 4,886 | |
- | 1.5% | |
2.6 | 2.7 | |
almost 2 years ago | 7 days ago | |
Rust | C++ | |
MIT License | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
open_safety
-
Any sufficiently advanced uninstaller is indistinguishable from malware
Malware delivered as an email with a link to a zip file containing a .js file is one of the most common methods of delivery, right behind word macros. The "map the .js extension to notepad.exe" is a common security trick with a measurable, immediate drop in malware in large orgs. You can deploy it via GPO or InTune.
Personal promotion, I built this as a better alternative:
https://github.com/technion/open_safety
Note the built in .js parser hasn't basically ever updated, if you're writing for this you're writing like you're targetting IE5.
- How to build windows application clean / virus free for online distribution?
- Security Cadence: Use Default Apps to Help Prevent Accidental Launching of Malicious File Types
- Have you ever been hit with ransomware?
-
Microsoft's Small Step to Disable Macros Is a Win for Security
Allow me to reference my own workaround for those vectors:
https://github.com/technion/open_safety
- Am I the only one who finds Rust to be centered around Linux? Any Windows devs want to share their experience with Rust?
- State-of-the-art EDRs are not perfect, fail to detect common attacks
- Is shipping the produced .exe the only thing one needs to ship in order to ship a Rust program?
-
How to Rapidly Improve at Any Programming Language
https://github.com/technion/open_safety
The time I've spent on the Github actions is substantively higher than the time I've spent on the .rs files. Of course you can't "test actions before commit" in the way you can actual code, so I kept having to make branches, make 15 commits like "try action fix again", followed by squashing them all down and merging.
- To enable trust, install this certificate in the Trusted Root Certification Authorities store.
Microsoft Research Detours Package
-
AMD's Anti-Lag feature is getting gamers banned from Counter-Strike 2
Nit: AFAIU there is no literal modification of machine code going on—instead the import address table (IAT, the Windows counterpart of Linux’s GOT) is patched (the Windows tradition calls this “detoured”, from the quite popular Microsoft hack[1] that does it).
[1] https://github.com/microsoft/Detours
-
Any sufficiently advanced uninstaller is indistinguishable from malware
You essentially replace a function with your own. The project is at https://github.com/microsoft/Detours.
I’ve created a PowerShell module that wraps this library to make it easier to hook functions on the fly for testing https://github.com/jborean93/PSDetour. For example I used it to capture TLS session data for decryption https://gist.github.com/jborean93/6c1f1b3130f2675f1618da5663... as well as create an strace like functionality for various Win32 APIs (still expanding as I find more use cases) https://github.com/jborean93/PSDetour-Hooks
-
#rescuerift
But the client is much different now, and most of that won't work anymore. The client is heavily obfuscated and you can't use a packet sniffer, the communications are encrypted, you CAN however use things like Microsoft Detours to peek at communications
-
Hooking 🪝
If you mean is there an API to perform hooking, then I think the answer is no. There are libraries for doing this, including the official MS one: https://github.com/microsoft/Detours
-
It looks like League of Legends' source code has leaked and is up for sale online
That's how things like steam or Nvidia overlays work, or fraps or OBS hook the output buffer; you can use official packages published by Microsoft for that, such as Detours.
-
Having too many (1,000+) Microsoft Edge tabs open can break File Explorer in Windows 10
Inject a DLL into the process. The DLL hooks two API functions, RoGetActivationFactory() and RoActivateInstance(), using Detours library. When a WinRT class ID is passed in, compare it with WindowsUdk.UI.Shell.WindowTabManager, and if equal, return an error code.
-
Is it possible to edit the XAML of the Win11 Taskbar?
3. Manual hooking (Not recommended): It's possible to use some hooking library like Microsoft Detours to hook the functions responsible for creating the UI layout. I highly unrecommend this method as it's the most method prone to be broken by any change Microsoft does.
-
Is there a tool that you can attach to a game EXE file directly and it ll show you incoming and outgoing traffic for only that file?
Reference: https://github.com/microsoft/Detours
- Debugging C with Cosmopolitan Libc
-
Using Landlock to Sandbox GNU Make
> With regards to chroot, I stand corrected. I knew it was a tree of symlinks, but I thought it was also more than that because symlinks alone don't seem like a sandbox. Honestly, Cosmopolitan's system appears to be more of a sandbox than that.
To be totally clear: the tree of symlinks thing is a fallback, used only when lacking platform support or when sandboxing is explicitly turned off [0]. On Linux, the normal sandboxing strategy is to use namespaces, like most container runtimes. On Mac it apparently uses sandbox-exec (some opaque Apple tool), as was mentioned above. Chroot, being both non-POSIX, requiring root access on many systems, and not providing the necessary facilities is not really a great fit -- which I assume is why it's not used.
There was experimental Windows sandbox support at one point [1] based on how MS does it for BuildXL (their own build tool for giant monorepos) [2]. Unfortunately it doesn't seem to be maintained, and under the hood it's kinda ugly -- it actively rewrites code in-memory to intercept calls to the Win32 APIs [3], which was apparently the cleanest/best way MS could come up with. However, from Bazel's POV it works in a roughly similar way -- you spawn subprocesses under a supervisor, which is in charge of spinning up whatever the target process is with restrictions on time/memory usage/file access.
On the "sandbox in the interpreter" thing: what kind of checks are you envisioning? It seems like putting checks at that level would end up leaving a lot out -- the goal of any build system is to eventually spawn an arbitrary process (Python, gcc, javac, some shell script, etc.) and so even with extensive checks in starlark you'd end up with accidental sandbox breaks all over the place. For pure starlark rules you could e.g. check that there are no inputs from /usr, but even then if gcc does it implicitly, you're SOL. Or am I thinking of the wrong kind of checks?
[0] https://bazel.build/docs/sandboxing#sandboxing-strategies
[1] https://github.com/bazelbuild/bazel/issues/5136#issuecomment...
[2] https://github.com/microsoft/BuildXL/blob/master/Documentati...
[3] https://github.com/microsoft/Detours/wiki
What are some alternatives?
csv-injection-payloads - 🎯 CSV Injection Payloads
Mhook - A Windows API hooking library
music-vibes - Desktop app for translating audio output into vibrations
orbit - C/C++ Performance Profiler
xwin - A utility for downloading and packaging the Microsoft CRT headers and libraries, and Windows SDK headers and libraries needed for compiling and linking programs targeting Windows.
pe-sieve - Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
ntfs - An implementation of the NTFS filesystem in a Rust crate, usable from firmware level up to user-mode.
pmaudit - "Poor Man's Audit" (lightweight build-auditing script)
Windows-Sandbox-Utilities - A public repository for useful developments surrounding Windows Sandbox
samurai - ninja-compatible build tool written in C
Stacktribution - A tiny webapp to generate proper attribution to a Stack Overflow's answer.
WidescreenFixesPack - Plugins to make or improve widescreen resolutions support in games, add more features and fix bugs.