Posts on THALIUM

Symless: an IDA assistant for structure reconstruction

Tue, 13 Jan 2026 00:00:00 +0000

Symless is an IDA Pro plugin designed to assist with structure reconstruction and cross-reference placement. It comes in two flavors: an automatic pre-analysis that can reconstruct most of the structures used in a binary, and an interactive plugin that reconstructs a single structure from user selection.

We are now releasing a new architecture-agnostic version of Symless, and use this opportunity to describe its internal logic.

Don't judge an audiobook by its cover: taking over your Amazon account with a Kindle

Tue, 16 Dec 2025 08:00:00 +0000

Although Kindle e-readers are a prime target in modding and jailbreaking communities, there is little public work about vulnerability research in remote code execution scenarios.

In this post, we give technical details about a chain of vulnerabilities we identified that can be triggered by downloading a malicious Audible audiobook, allowing to take full control of the device and its registered Amazon account.

Linux kernel Rust module for rootkit detection

Wed, 12 Mar 2025 08:00:00 +0000

The introduction of Rust into the Linux kernel allows to write kernel drivers in Rust, which we can use to build a kernel-level EDR. This post explores this possibility by designing various checks to detect kernel-level rootkits and implementing them using the kernel’s Rust API. We then discuss the experience of developing in Rust within the Linux kernel.

LLVM-powered deobfuscation of virtualized binaries

Fri, 22 Nov 2024 08:00:00 +0000

Virtualization is a powerful technique for code obfuscation, and reversing it can be challenging. In this post, we cover the work done during an internship on developing an automated devirtualization tool. We explore a simplified taint-based approach and discuss its limitations. For a more in-depth analysis, the full report is also made available.

Achieving Remote Code Execution in Steam: a journey into the Remote Play protocol

Mon, 04 Dec 2023 08:00:00 +0000

Remote Play Together, developed by Valve, allows sharing local multi-player games with friends over the network through streaming. The associated protocol is elaborate enough to shelter a valuable attack surface that has scarcely been ventured into in the past.

This post covers the reverse engineering of the protocol and client/server implementations inside Steam, before presenting a dedicated fuzzer that unveiled a few critical vulnerabilities.

ECW 2023: Centralized Memory (write-up)

Tue, 07 Nov 2023 12:00:00 +0100

Centralized Memory was a hard Linux pwn challenge created for the European Cyber Week CTF 2023 qualifiers. This write-up covers the intended method of exploitation through a race condition, an AES padding bug and a stack overflow.

ECW 2023: kaleidoscope (write-up)

Tue, 07 Nov 2023 12:00:00 +0100

kaleidoscope was a hard reverse engineering challenge created for the European Cyber Week CTF 2023 qualifiers, with a focus on Windows-specific mechanisms and VM-based obfuscation.

ECW 2023: The Calculator in Shadow (write-up)

Tue, 07 Nov 2023 12:00:00 +0100

The Calculator in Shadow was a hard pwn challenge created for the European Cyber Week CTF 2023 qualifiers. It included exploiting a RISC-V calculator running on top of a customized QEMU that featured a poorly implemented shadow stack.

Rooting Xiaomi WiFi Routers

Mon, 25 Sep 2023 00:00:00 +0000

In this article, we discuss our research approach for investigating Xiaomi routers. We discovered multiple vulnerabilities allowing Remote Code Execution (RCE) on several models, through both LAN and WAN interfaces. This work led to the publication of four CVEs specifically targeting Xiaomi routers.

Leveraging Android Permissions: A Solver Approach

Tue, 20 Jun 2023 00:00:00 +0000

The Android permission management system has already suffered from several vulnerabilities in the past. Such weaknesses can grant dangerous permissions to a malevolent application, an example being CALL_LOG, which gives access to all incoming and outgoing calls.

This post dives into the Android permission system and how a solver was leveraged to find new vulnerabilities. With this approach, a privilege escalation was identified, which was fixed and assigned CVE-2023-20947 by Google.

kSMBd: a quick overview

Fri, 12 May 2023 12:00:00 +0000

In this blogpost, we introduce the analysis of one SMB implementation: kSMBd. It will be followed up by a talk at OffensiveCon 2023 named “Abusing Linux in-kernel SMB server to gain kernel remote code execution”.

The Fuzzing Guide to the Galaxy: An Attempt with Android System Services

Thu, 20 Apr 2023 00:00:00 +0000

Although the Android base is open source, many different constructors customize it with their own UIs and APIs. All these additions represent an extra attack surface that can change from one phone model to another. We tried to automatically fuzz the closed-source system services powering these modifications, discovering CVE-2022-39907 and CVE-2022-39908 along the way.

ARM TrustZone: pivoting to the secure world

Fri, 24 Mar 2023 13:37:00 +0000

Discovery of two vulnerabilities in secure world components
Exploitation to get code execution in a trusted driver, while not having a debugger for this obscure environment
Leverage of aarch32 T32 instruction set to find nice stack pivots
Turning an arbitrary write into an arbitrary code execution

Fuzzing RDPEGFX with "what the fuzz"

Fri, 14 Oct 2022 00:00:00 +0000

Microsoft’s Remote Desktop Protocol (RDP) client was fuzzed by various teams in the past few years, it thus seemed like a good target to try a recent snapshot fuzzer: what the fuzz (wtf) (of which we are only users). In this companion post to our Hexacon 2022 talk (slides, video) we’ll show how we took advantage of wtf flexibility in order to efficiently fuzz the RDPEGFX channel of Microsoft RDP client and uncover CVE-2022-30221.

Remote Deserialization Bug in Microsoft's RDP Client through Smart Card Extension (CVE-2021-38666)

Fri, 10 Dec 2021 06:00:01 +0100

This is the third installment in my three-part series of articles on fuzzing Microsoft’s RDP client, where I explain a bug I found by fuzzing the smart card extension.

Remote ASLR Leak in Microsoft's RDP Client through Printer Cache Registry (CVE-2021-38665)

Fri, 10 Dec 2021 06:00:00 +0100

This is the second installment in my three-part series of articles on fuzzing Microsoft’s RDP client. I will explain a bug I found by fuzzing the printer sub-protocol, and how I exploited it.

Fuzzing Microsoft's RDP Client using Virtual Channels: Overview & Methodology

Wed, 10 Nov 2021 12:00:00 +0000

This article begins my three-part series on fuzzing Microsoft’s RDP client. In this first installment, I set up a methodology for fuzzing Virtual Channels using WinAFL and share some of my findings.

ECW 2021 - WriteUp

Mon, 25 Oct 2021 12:00:01 +0100

For the European Cyber Week CTF 2021 Thalium created some challenges in our core competencies: reverse and exploitation. This blog post presents some of the write-ups:

Chest (36 solve) - reverse
FSB as a service (3 solve) - exploitation
WYSIWYG (3 solve) - reverse
Pipe Dream (1 solve) - reverse
- the author posted his solution on his personal blog

Thalium’s challenges have been less resolved than others. They were not that difficult, but probably a bit more unexpected. A few additional challenges designed by Thalium are:

NT objects access tracing

Mon, 07 Jun 2021 12:00:00 +0100

Draw me a map

As homework during the lockdown, I wanted to automate the attack surface analysis of a target on Windows. The main objective was to construct a view of a software architecture to highlight the attack surface (whether remote or local).

The software architecture can be composed of several elements:

processes
privileges
ipc
etc

Usually, software architecture analysis is done with tools that give a view at a specific time (ProcessHacker, WinObjEx, etc). However, the different components of the software architecture might be invoked dynamically and temporarily on certain conditions. Monitoring tools such as ProcMon can help in this context but these involve manual operations.

SSTIC : how to setup a ctf win10 pwn user environment

Wed, 02 Jun 2021 15:30:00 +0100

Introduction

This post aims to present how to easily setup a lightweight secure user pwning environment for Windows. From your binary challenge communicating with stdin/stdout, this environment provides a multi-client broker listening on a socket, redirecting it to the IO of your binary, and executing it in a jail. This environment is mainly based on the project AppJaillauncher-rs from trailofbits, with some security fixes and some tips to easily setup the RW rights to the system files from the jail.

Cyber Apocalypse 2021 5/5 - Artillery

Wed, 28 Apr 2021 12:00:04 +0100

Artillery was a web challenge of the Cyber Apocalypse 2021 CTF organized by HackTheBox. We were given the source code of the server to help us solve the challenge. This challenge was a nice opportunity to learn more about XXE vulnerabilities.

Cyber Apocalypse 2021 4/5 - Discovery

Wed, 28 Apr 2021 12:00:03 +0100

One of the least solved challenges, yet probably not the most difficult one. It is a Hardware challenge, though it is significantly different from the other challenges of this category. The first thing to spot is that when starting the challenge machine, we have access to two network services:

an HTTP server, requesting an authentication
an AMQP broker, rabbitmq

Cyber Apocalypse 2021 3/5 - Off the grid

Wed, 28 Apr 2021 12:00:02 +0100

Off-the-grid was the 4th hardware challenge of the Cyber Apocalypse 2021 CTF organized by HackTheBox. We were given an Saleae trace and schematics to analyse. Thalium was one of the very first of 99 players to complete it.

Cyber Apocalypse 2021 2/5 - Wii-Phit

Wed, 28 Apr 2021 12:00:01 +0100

Wii-Phit was the only Hard crypto challenge designed by CryptoHack for the Cyber Apocalypse 2021 CTF (there were also 4 challenges categorized as Insane though).

There is already an excellent writeup by the challenge organizers: one could recognize a well known equation related to the Erdős–Straus conjecture, some participants used Z3. We took a different approach.

Cyber Apocalypse 2021 1/5 - PWN challenges

Wed, 28 Apr 2021 12:00:00 +0100

Thalium participated in the Cyber Apocalypse 2021 CTF organized last week by HackTheBox. It was a great success with 4,740 teams composed of around 10,000 hackers from all over the world. Our team finished in fifth place and solved sixty out of the sixty-two challenges:

This article explains how we solved each pwn challenge and what tools we used, it is written to be accessible to beginners:

Windows Memory Introspection with IceBox

Mon, 22 Jun 2020 12:00:00 +0100

Virtual Machine Introspection (VMI) is an extremely powerful technique to explore a guest OS. Directly acting on the hypervisor allows a stealth and precise control of the guest state, which means its CPU context as well as its memory.

Basically, a common use case in VMI consists in (1) setting a breakpoint on an address, (2) wait for a break and (3) finally read some virtual memory. For example, to simply monitor the user file writing activity on Windows, just set a breakpoint on the NtWriteFile function in kernel land. Once triggered, you can retrieve the involved process and capture its corresponding callstack. All these actions eventually require accessing the guest virtual memory.

Getting Started with Icebox VMI

Fri, 24 Jan 2020 12:00:00 +0100

Icebox is a VMI (Virtual Machine Introspection) framework enabling you to stealthily trace and debug any kernel or user code system-wide.

All Icebox source code can be found on our github page.

Try Icebox

Icebox now comes with full Python bindings enabling fast prototyping on top of VMI, whether you want to trace a user process or inspect the kernel internals.

The core itself is in C++ and exposes most of its public functions into an icebox Python 3 module.