New blog post: Tapping into the potential of Memory Dump Emulation (#25)

Author: hugsy

.github/workflows/check.yml

@@ -5,7 +5,11 @@ on:
   repository_dispatch:
   workflow_dispatch:
   pull_request:
+    branches:
+      - main
   push:
+    branches:
+      - main
 
 jobs:
   spellcheck:
@@ -15,20 +19,20 @@ jobs:
       contents: read
     steps:
       - name: checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4.1.1
 
       - name: Restore lychee cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4.0.2
         with:
           path: .lycheecache
           key: cache-lychee-${{ github.sha }}
           restore-keys: cache-lychee-
 
       - name: Check links
-        uses: lycheeverse/lychee-action@v1.6.1
+        uses: lycheeverse/lychee-action@v1.9.3
         env:
           GITHUB_TOKEN: ${{secrets.LYCHEE_TOKEN}}
         with:
-          args: --exclude='^https://twitter.com/.*$' --cache --max-cache-age 1w --exclude-all-private --exclude-mail --threads 4 --timeout 30 --retry-wait-time 60 --user-agent 'Mozilla/5.0 (Windows NT x.y; rv:10.0) Gecko/20100101 Firefox/10.0' --no-progress 'content/**/*.md'
+          args: --exclude='^http://rawpixels.net/.*$' --exclude='^http://rawpixels.net/.*$' --exclude='^https://twitter.com/.*$' --exclude='^https://ctftime.org/.*$' --cache --max-cache-age 1w --exclude-all-private --exclude-mail --threads 4 --timeout 30 --retry-wait-time 60 --user-agent 'Mozilla/5.0 (Windows NT x.y; rv:10.0) Gecko/20100101 Firefox/10.0' --no-progress 'content/**/*.md'
           fail: true
 

.github/workflows/notify.yml

@@ -11,14 +11,17 @@ on:
     types:
       - completed
 
+env:
+  BLOG_POST_TWITTER_NOTIFICATION_BODY:
+
 jobs:
   twitter_notify:
     name: Send notification on Twitter
     runs-on: ubuntu-latest
     if: contains( join(github.event.commits.*.message), 'New blog post')
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v4
         with:
           python-version: '3.10'
           architecture: 'x64'
@@ -27,12 +30,12 @@ jobs:
         run: |
           python -m pip install -r scripts/requirements.txt
           python scripts/get_release_info.py
-      - uses: ethomson/send-tweet-action@v1
+      - uses: nearform-actions/github-action-notify-twitter@v1.2.0
         with:
-          consumer-key: ${{ secrets.TWITTER_CONSUMER_API_KEY }}
-          consumer-secret: ${{ secrets.TWITTER_CONSUMER_API_SECRET }}
-          access-token: ${{ secrets.TWITTER_ACCESS_TOKEN }}
-          access-token-secret: ${{ secrets.TWITTER_ACCESS_TOKEN_SECRET }}
-          status: ${{ env.BLOG_POST_TWITTER_NOTIFICATION_BODY}}
+          twitter-app-key: ${{ secrets.TWITTER_CONSUMER_API_KEY }}
+          twitter-app-secret: ${{ secrets.TWITTER_CONSUMER_API_SECRET }}
+          twitter-access-token: ${{ secrets.TWITTER_ACCESS_TOKEN }}
+          twitter-access-token-secret: ${{ secrets.TWITTER_ACCESS_TOKEN_SECRET }}
+          message: ${{ env.BLOG_POST_TWITTER_NOTIFICATION_BODY}}
 
   # TODO: discord notify

.github/workflows/release.yml

@@ -19,8 +19,8 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v4
         with:
           python-version: '3.10'
           architecture: 'x64'
@@ -42,8 +42,8 @@ jobs:
     runs-on: ubuntu-latest
     if: contains( join(github.event.commits.*.message), 'New blog post')
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v4
         with:
           python-version: '3.10'
           architecture: 'x64'

content/2016-06-13-armpwn-challenge.md

@@ -84,7 +84,7 @@ Next, the binary analysis.
 
 ## Reversing the binary ##
 
-We can use [`IDA`](https://www.hex-rays.com/products/ida/support/download.shtml) to start with the static analysis. After a quick examination,
+We can use `IDA` to start with the static analysis. After a quick examination,
 the overall structure reveals itself quite clearly.
 The behaviour for the main process can be described with this pseudo-code:
 

content/2016-08-27-ruxmon-16-making-gdb-great-again.md

@@ -7,7 +7,7 @@ category: talk
 
 ### Ruxmon August 2016: Making GDB great again ###
 
-I did a small presentation last Friday at [Ruxmon Melbourne](http://ruxmon.com/melbourne) about GDB, its Python API and how it can be used to make awesome new stuff.
+I did a small presentation last Friday at [Ruxmon Melbourne](https://web.archive.org/web/20231209215029/http://ruxmon.com/melbourne/) about GDB, its Python API and how it can be used to make awesome new stuff.
 
 I also gave demos of my tool [`gef`](https://github.com/hugsy/gef.git), an architecture-agnostic exploitation helper for GDB to show the awesomeness of [Python API](https://sourceware.org/gdb/onlinedocs/gdb/Python-API.html) for GDB.
 

content/2017-06-25-qemu-images-to-play-with.md

@@ -48,7 +48,7 @@ Unless stated otherwise, `root` password is `root`, and an low privilege account
 
 ## But why ?
 
-Already existing fantastic projects such as [Vagrant](https://app.vagrantup.com/boxes/search){:target="_blank"} for Linux/*nix and [modern.ie](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/){:target="_blank"} for Windows help us getting quickly functional environments we can use in labs. But they are only providing Intel-based images.
+Already existing fantastic projects such as [Vagrant](https://app.vagrantup.com/boxes/search){:target="_blank"} for Linux/*nix and [modern.ie](https://web.archive.org/web/20170306074002/https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/){:target="_blank"} for Windows help us getting quickly functional environments we can use in labs. But they are only providing Intel-based images.
 
 The closest thing to what I wanted when I started exploring exotic architectures was [aurel32 (now Debian Quick Image Baker) Qemu pages](https://people.debian.org/~gio/dqib/), which provides great Qemu images. Unfortunately, they are using extremely old kernels and/or Linux distributions, making it too hard for a quick plug-n-play experience.
 

content/2017-08-07-setting-up-a-windows-vm-lab-for-kernel-debugging.md

@@ -22,7 +22,7 @@ isn't an option. So my setup is:
   - Debian testing x64 as host
   - [VirtualBox](https://www.virtualbox.org) as hypervisor
   - A
-  [Windows 7 x64 VM](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) acting
+  [Windows 7 x64 VM](https://web.archive.org/web/20170306074002/https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) acting
   as debugger.
   - And 2 debuggees:
     1. Windows 7 x86 VM (using UART as debugging medium)

content/2019-03-17-small-dumps-in-the-big-pool.md

@@ -17,7 +17,7 @@ Keeping on with experimenting with Windows 10 I noticed a field part of the `nt!
 
 [Source](https://ntdiff.github.io/#versionLeft=Win8.1_U1%2Fx64%2FSystem32&filenameLeft=ntoskrnl.exe&typeLeft=Standalone%2F_ETHREAD&versionRight=Win10_1607_RS1%2Fx64%2FSystem32&filenameRight=ntoskrnl.exe&typeRight=Standalone%2F_ETHREAD)
 
-So how to use it? Is it even reachable? The answer was as immediate as [Googling "windows set thread name"](http://lmgtfy.com/?q=windows+10+set+thread+name) which leads to an [MSDN article](https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-set-a-thread-name-in-native-code?view=vs-2017). This article mentions the [`SetThreadDescription()`](https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-setthreaddescription) in `processthreadsapi.h`. Disassembling `kernelbase.dll` shows that this function is merely a wrapper around the syscall `NtSetInformationThread()` with a `ThreadInformationClass` set to 0x26 (`ThreadNameInformation`).
+So how to use it? Is it even reachable? The answer was as immediate as [Googling "windows set thread name"](https://google.com/search?q=windows+10+set+thread+name) which leads to an [MSDN article](https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-set-a-thread-name-in-native-code?view=vs-2017). This article mentions the [`SetThreadDescription()`](https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-setthreaddescription) in `processthreadsapi.h`. Disassembling `kernelbase.dll` shows that this function is merely a wrapper around the syscall `NtSetInformationThread()` with a `ThreadInformationClass` set to 0x26 (`ThreadNameInformation`).
 
 ![ida-setthreaddescription](/assets/images/small-pool/ida-setthreaddescription.png)
 

content/2021-01-10-browsing_registry_kernel_mode.md

@@ -503,7 +503,7 @@ Peace out ✌
 Links to resources I couldn't understand anything without.
 
  - <a name="link_0">[0]</a> All I could understand was compiled into my JS script [`RegistryExplorer.js`](https://github.com/hugsy/windbg_js_scripts/blob/master/scripts/RegistryExplorer.js)
- - <a name="link_1">[1]</a> [Windows Kernel Internals NT Registry Implementation](http://ivanlef0u.fr/repo/madchat/vxdevl/papers/winsys/wk_internals/registry.pdf)
+ - <a name="link_1">[1]</a> [Windows Kernel Internals NT Registry Implementation](https://web.archive.org/web/20220720121211/https://ivanlef0u.fr/repo/madchat/vxdevl/papers/winsys/wk_internals/registry.pdf)
  - <a name="link_2">[2]</a> [MSDN - Registry Hives](https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives)
  - <a name="link_3">[3]</a> [comaeio/SwishDbgExt - Github](https://github.com/comaeio/SwishDbgExt)
  - <a name="link_4">[4]</a> [Dumping Windows Credentials - <a class="fa fa-twitter" href="https://twitter.com/lanjelot" target="_blank"> @lanjelot</a> ](https://web.archive.org/web/20140127003901/https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/)