Skip to content
View 0xjbb's full-sized avatar
🎯
Focusing
🎯
Focusing
72 followers · 338 following
  • /dev/null
  • Cheltenham, UK

Achievements

Achievement: StarstruckAchievement: Pull SharkAchievement: Quickdraw

Achievements

Achievement: StarstruckAchievement: Pull SharkAchievement: Quickdraw

Block or report 0xjbb

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Maximum 250 characters. Please don’t include any personal information such as legal names or email addresses. Markdown is supported. This note will only be visible to you.
Report abuse

Contact GitHub support about this user’s behavior. Learn more about reporting abuse.

Report abuse
0xjbb/README.md

Projects

EyYoEtwWhereYouAt

Proof of concept tool that monitors kernel events (image loads, process creation, thread creation) and identifies anomalous absences in corresponding ETW telemetry. When system activity occurs without expected ETW events, IE ETW Patching.

cet-spoofing-detection

This tool is a proof of concept aimed to detect stackspoofing within CET processes. It does this by comparing the shadow stack to the userstack and looks for missing frames. Specifically targeting the modification of unwind data.

SuspiciousThreads

A Poc attempt at hunting suspicious thread creation events using ETW only. it currently identifies

  • Unbacked Thread creation calls
  • Unbacked StartAddress
  • JOP based StartAddress

Pinned Loading

  1. EyYoEtwWhereYouAt EyYoEtwWhereYouAt Public

    Correlating kernel notifications with the lack of ETW events to detect ETW Patching

    C++ 3 1

  2. cet-spoofing-detection cet-spoofing-detection Public

    Stack spoofing Detection for CET processes by comparing shadow and user stacks.

    C++ 26 2

  3. SuspiciousThreads SuspiciousThreads Public

    A Poc attempt at hunting suspicious thread creation events using ETW only.

    C++ 2