jm33_ng

Writing a Linux BOF Loader from Scratch

jm33 — Sat, 17 Jan 2026 00:00:00 +0800

Introduction

Beacon Object Files (BOFs) have revolutionized the way we execute code in memory on Windows systems, particularly within the Cobalt Strike framework. As you may know, I have been working on my own C2 framework, emp3r0r, which aims to bring similar capabilities to Linux environments. In this post, I …

sRDI for Linux: Stealthy In-Memory ELF Loading

jm33 — Sun, 14 Dec 2025 00:00:00 +0800

TL;DR

The source code of this module is available in emp3r0r.

Pure C Shellcode: I implemented a full ELF loader and network stack in C, using direct syscalls to avoid libc dependencies.
True In-Memory: Uses mmap to manually map segments, avoiding memfd_create and disk I/O.
Stealth: Randomizes ELF …

Reversing a Nim-based APT Sample with Ghidra and x64dbg

jm33 — Fri, 14 Nov 2025 00:00:00 +0800

Introduction

This article is not just about analysing a malware sample, it's more about sharing my malware analysis methodology in general, and the sample I used has some interesting characteristics that make it a good candidate for demonstration.

The sample is from a Chinese APT group known as RedDelta. The …

Offensive CGO - An ELF Loader

jm33 — Fri, 24 Jan 2025 00:00:00 +0800

TL;DR

emp3r0r is a C2 framework written in pure Go. For many years, I have been building it without CGO because of annoying dependencies (glibc) that prevent the agent from running on some systems, that also ruled out the possibility of using CGO to compile agent in DLL or …

Reversing a Go Malware Using Ghidra

jm33 — Fri, 08 Dec 2023 00:00:00 +0800

I was called to handle an incident in which a malicious IP address is accessed each time the system boots. They couldn't find out what process is making the connection.

Using one of the BCC eBPF tools called tcpconnect.py, I was able to locate the malicious process that's disguised …

Secure Boot in Arch Linux

jm33 — Mon, 17 Jul 2023 00:00:00 +0800

Unified Kernel Image

Read Arch Wiki for details.

You can generate a UKI via mkinitcpio, first edit its linux.preset config file:

# mkinitcpio preset file for the 'linux' package

#ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-linux"
ALL_microcode=(/boot/*-ucode.img)

PRESETS=('default' 'fallback')

#default_config="/etc/mkinitcpio.conf"
default_image="/boot/initramfs-linux …

OpenSSH Server 密码收割机

jm33 — Tue, 06 Jun 2023 00:00:00 +0800

背景

差不多三年前，我读了一篇关于 sshd 进程注入和密码窃取的文章，然后在作者的基础上实现了一个自动化的SSH 密码收 …

Migrating from Libvirt to Qemu

jm33 — Sun, 04 Jun 2023 00:00:00 +0800

Graphics in Qemu

Performance Impact of SPICE+VirGL

I have been using libvirt (virt-manager) for years, until recently I tried to run Linux VMs with Qemu directly using virgl.

Running a Linux VM with Qemu's SDL display is much smoother than SPICE+VirGL solution provided by virt-manager, it made me …

Secure Boot and LKM Signing in Fedora

jm33 — Mon, 04 Jul 2022 00:00:00 +0800

For Windows PCs, it's very likely that they are already configured to use secure boot. The main benefit of secure boot for desktop users is they are protected from malicious code that hijacks the boot process of Windows OS, known as "bootkit".

If you want protection from physical threat (that …

Fully Interactive Remote Shell for Windows

jm33 — Fri, 22 Apr 2022 00:00:00 +0800

Understanding Windows Console Host

If you open cmd.exe or powershell.exe in Windows, you will always find conhost.exe alongside them. As a matter of fact, conhost.exe has been around for more than a decade. Every (console based) Windows program has a "console" with them, for example when …

Use Python for Linux Post-Exploitation

jm33 — Sat, 12 Mar 2022 00:00:00 +0800

Let's talk about hacking in Linux

Unlike Windows, who is well known for keeping backward compatibility, most Linux distros simply don't care about this, it's very common that different distros use different system utilities, different libraries, even the most critial one --- C standard library.

Most Linux distros are based on …

emp3r0r - Injection

jm33 — Sat, 05 Feb 2022 00:00:00 +0800

shared library injection

with gdb (yes i have compiled a fully static gdb), we can easily perform the injection by invoking dlopen in target processes, since most processes on a Linux machine are linked with glibc, this will work for almost every process, including systemd

according to https://magisterquis.github …

emp3r0r - SSH

jm33 — Tue, 14 Sep 2021 00:00:00 +0800

what we can do with ssh

ssh to target host for remote shell access
sftp to target host for FTP service
ssh -D for socks proxy
ssh -L/ssh -R for port mapping

all these features are provided by openssh suite, which we use everyday. why not integrate them into …

CSE548 - Bridges and Switches

jm33 — Thu, 03 Jun 2021 00:00:00 +0800

Terminology

Port

It can be really confusing as we know "port" as in TCP/UDP context, but here in layer 2 (data link) context, a "port" is equivalent to an "interface" in Linux language.

When we talk about ports of a bridge, we are talking about different interfaces that may …

Enable Mouse Natural Scroll In Windows 10

jm33 — Sat, 01 May 2021 00:00:00 +0800

Why

In macOS and Linux world, users can configure their mouse scroll direction conveniently with a provided settings UI or human readable config file. In Windows it's a completely different story, you won't find anything in settings UI, and Windows doesn't use config files, instead, it uses registry (which everybody …

QQ Is Reading Your Browsing History

jm33 — Fri, 22 Jan 2021 00:00:00 +0800

how do i know

original post here (QQ 正在尝试读取你的浏览记录)

the following content is based on QQ 9.0.4

see what qq does with procmon

i think theres one thing many people tend to ignore, you can view target …

emp3r0r - 0x00

jm33 — Tue, 19 Jan 2021 00:00:00 +0800

                      ____        ___
                     |___ \      / _ \
   ___ _ __ ___  _ __  __) |_ __| | | |_ __
  / _ \ '_ ` _ \| '_ \|__ <| '__| | | | '__|
 |  __/ | | | | | |_) |__) | |  | |_| | |
  \___|_| |_| |_| .__/____/|_|   \___/|_|
                | |
                |_|

i will post further updates here, for convenience

(pinned) updates

emp3r0r - 0x00 : capabilities, (planned …

emp3r0r - Process Injection And Persistence

jm33 — Tue, 19 Jan 2021 00:00:00 +0800

Process Injection In Linux

Background

The techniques covered in this article are part of emp3r0r project.

Linux has something that other platforms don't, the procfs, as Unix people always like to say "Everything is a file". From /proc/pid/maps we can read the process's memory mappings, and with /proc …

emp3r0r - Break Out Of Internal Network

jm33 — Wed, 06 Jan 2021 00:00:00 +0800

intro

from what i have heard of, pentesters/hackers manually set up their port mapping in their target networks, some people would even use iptables

please allow me to save you from those shitty works with emp3r0r

when an agent lands on a host, it checks if there were internet …

SSHD Injection and Password Harvesting

jm33 — Mon, 31 Aug 2020 00:00:00 +0800

TL;DR

The source code of this idea is available on GitHub

And the weaponized version is available in emp3r0r

Use echo 'print __libc_dlopen_mode("/path/to/library.so", 2)' | gdb -p <PID> for process injection
Write a shared library to inject into sshd process
In the library, fork a child …

Process Injection On Linux

jm33 — Sun, 16 Aug 2020 00:00:00 +0800

Dynamic Linker/Loader - Make an ELF load specific libraries

Intro

Strictly speaking, this is not the process injection you are expecting. Abusing ld.so can help you get your shared object (library) loaded in future processes the ELF file might …

Make HTTP/2 Requests Via Proxy In Golang

jm33 — Wed, 15 Jul 2020 00:00:00 +0800

my struggle

i was trying to implement proxy support in emp3r0r, but found that http2.Transport has no such option. the only option that might work is replacing DialTLS() function with a custom one

i did a lot of research:

Digging Into A macOS Kernel Panic

jm33 — Mon, 22 Jun 2020 00:00:00 +0800

TL;DR (2021-06-09)

AppleSMC is a kernel module that communicates with SMC (System_Management_Controller), and the SMC is basically an Apple co-processor that has its own firmware, used to manage the upper layer system including disk encryption, etc.

I was able to dig into AppleSMC's backtrace and locate the spot …

Delete An Entry From wtmp/btmp/utmp Log Files

jm33 — Fri, 05 Jun 2020 00:00:00 +0800

Stop Deleting Everything!

many folks like to rm -f /var/log/*tmp, which I have to say is not a right way to cover your trail, if the admin would ever think of checking login logs, an empty log will certainly catch his attention

but *tmp files are all binary …

404

jm33 — Mon, 20 Apr 2020 00:00:00 +0800

Lost Your Way?

This page is intentionally left blank.

Set Up AD Domain Over VPN

jm33 — Mon, 20 Apr 2020 00:00:00 +0800

this is the setup of my AD domain:

install Active Directory Domain Services (AD DS)

install using server manager

assuming you are using Windows Server 2012 or later, in the server manager window, click Manage -> Add roles and features

DNS Server will be installed as well

i dont want to …

emp3r0r - 0x03

jm33 — Wed, 11 Mar 2020 00:00:00 +0800

this part is about port forwarding/mapping

port forwarding is extremely useful when you need to access targets lying deep inside victim's network

as this simple diagram suggests, you can use port-fwd to redirect an RDP server that cannot be reached from outside

linux targets are usually either IoT devices …

An Update to MEC

jm33 — Sat, 29 Feb 2020 00:00:00 +0800

switching to prompt_toolkit

python's readline module sucks

heres how:

python's readline cannot handle ANSI color codes properly, when i try to use ANSI color code in the prompt message, history browsing (via up/down key) fucks the prompt up

here's the code, it's from python's doc, i made a small …

emp3r0r - 0x02

jm33 — Wed, 19 Feb 2020 00:00:00 +0800

this part is about reverse shell

how to make your reverse shell suck less

take a look at pentestmonkey's Reverse Shell Cheat Sheet, which gives you a collection of reverse shell one-liners. each of the one-liners does the same thing -- establish a TCP connection to you, then execute a shell …

Use `su -c` in LPE

jm33 — Mon, 10 Feb 2020 00:00:00 +0800

su -c is convenient to use, but, when you use it in your LPE exploit, hoping it to execute your command, you will probably get

su: must be run from a terminal

the obvious solution is give it a "terminal" to run from

there's a forkpty function provided by pty …

emp3r0r - 0x01

jm33 — Fri, 24 Jan 2020 00:00:00 +0800

happy Chinese new year!

the coronavirus outbreak in Wuhan keeps me from going outside, actually i have cancelled all travel plans in this holiday. what do i do at home then?

get_root

this module can help you get root via:

kernel exploits
userland LPE exploits, such as exim, sudo
previously-implemented …

Linux Rootkit for Fun and Profit - 0x04 - emp3r0r

jm33 — Thu, 16 Jan 2020 00:00:00 +0800

this is a demo of the shell feature that im working on, it supports remote file editing, and FTP-like file get/put, among other things

Killer Wireless Kills My Network

jm33 — Wed, 18 Dec 2019 00:00:00 +0800

UPDATE:

windows update thinks my computer is lacking killer software, it keeps installing the shit back... why the fuck do i need the dumb ass killer network service???

i want to ask you, my dear readers, do you want the fucking killer network service to "examine" every packet sent from …

Hook System Calls in Linux 5.x

jm33 — Thu, 12 Dec 2019 00:00:00 +0800

how to disable WP when cr0 is "pinned"?

you can read my previous article

according to this stackoverflow question, we cannot:

disable CR0's Write-Protection bits
set RO page to RW

i think ive found a solution:

since lkm runs in ring0, why not just write to cr0 directly, why bother …

We Can No Longer Easily Disable CR0 WP (Write-Protection)

jm33 — Thu, 12 Dec 2019 00:00:00 +0800

this commit makes write_cr0(read_cr0() | 0x10000) useless, next time you see a 5.x linux kernel, good luck

according to this stackoverflow question, we cannot:

disable CR0's Write-Protection bits
set RO page to RW

i think ive found a solution:

since lkm runs in ring0, why not just write to …

Linux Rootkit for Fun and Profit - 0x03 - LKM - Hide from ss/netstat

jm33 — Wed, 11 Dec 2019 00:00:00 +0800

Every technique used in this rootkit can be found from internet, I am NOT responsible for any damage you might cause using my code

how ss/netstat fetch TCP/UDP connections

lets do a strace netstat -antu:

...
openat(AT_FDCWD, "/proc/net/tcp", O_RDONLY) = 3
read(3, "  sl  local_address rem_address "..., 4096 …

Linux Rootkit for Fun and Profit - 0x02 - LKM - Hide files/procs

jm33 — Fri, 06 Dec 2019 00:00:00 +0800

Every technique used in this rootkit can be found from internet, I am NOT responsible for any damage you might cause using my code

what you will learn

how to hide files
how to hide processes
how to hide them better so they cant be bruteforced
asmlinkage and related reversing …

Linux Rootkit for Fun and Profit - 0x01 - LKM

jm33 — Thu, 05 Dec 2019 00:00:00 +0800

Every technique used in this rootkit can be found from internet, I am NOT responsible for any damage you might cause using my code

what you will learn

what system calls are
how to hijack them

how to hook syscalls

what?

to make the magic work, you have to deceive …

Linux Rootkit for Fun and Profit - 0x00 - Design

jm33 — Wed, 04 Dec 2019 00:00:00 +0800

Every technique used in this rootkit can be found from internet, I am NOT responsible for any damage you might cause using my code

what to expect

i plan to write a rootkit that runs in both kernel and user space, in which case it:

requires root when using LKM …

CVE-2019-13272: Linux LPE via 'PTRACE_TRACEME'

jm33 — Fri, 23 Aug 2019 00:00:00 +0800

what is ptrace

ptrace() system call stands for process trace, which provides a way for debuggers such as gdb/strace to control a process (tracee). "debuggers" can be any process that sends a PTRACE_ATTACH/PTRACE_SEIZE, or receives a PTRACE_TRACEME from its child.

several things to notice:

a tracee's ptrace relationship …

CVE-2019-12735: Vim/NeoVim modeline RCE漏洞分析

jm33 — Sat, 29 Jun 2019 00:00:00 +0800

一．漏洞背景

Vim和Neovim是Unix类操作系统下广泛使用的文本编辑器，其中后者的开发基于前者。 Vim/Neovim中的modeline功能可以让用户在文本文件的开头或结尾使用特定代码来控制编辑器的一些行为。这个功能被限制到仅能执行特定set指令，且有沙箱隔离，但:source!指令却可以用来绕 …

CVE-2018-18955 - A Handy LPE for Newer Linux Kernels

jm33 — Thu, 24 Jan 2019 00:00:00 +0800

中文版已发Freebuf

theres no posts about this cve as far as i know, and the original advisory is just too difficult for newbies like me, so..

warm up

whats user namespace

lets assume you use linux, man user_namespaces will give you what you need

in case …

An RCE Approach of CVE-2018-7750

jm33 — Wed, 07 Nov 2018 00:00:00 +0800

paramiko has an auth bypass vuln (found in March 2018), ie. CVE-2018-7750

which can be leveraged to execute arbitrary command (if the ssh server implementation supports command execution)

affects

anything that uses paramiko for ssh implementation, we can do things on it, unauthed

exploit

https://github.com/jm33-m0/CVE-2018-7750

# Exploit …

Write Better Linux Rootkits

jm33 — Thu, 01 Nov 2018 00:00:00 +0800

有个中文版在Freebuf，需要的可以去看看

dig deeper into user space

lets abuse inits

the INIT

a lot of script kiddies know how to write their own SysV service file or modify the existing ones, fortunate for them, SysVinit is still …

Enabling New PGP Key

jm33 — Fri, 19 Oct 2018 00:00:00 +0800

hi all, ive created new PGP key for my personal email address, and the old one 73690B57 is being deprecated

ill not respond to unencrypted emails

also, feel free to exchange public key in the comment section

How To Run GUI Programs With sudo Under Wayland

jm33 — Tue, 14 Aug 2018 00:00:00 +0800

xhost +si:localuser:root

Working in TMUX

jm33 — Sun, 12 Aug 2018 00:00:00 +0800

why tmux

i believe anyone who is new to tmux can be frustrated by its "ugly" user interface and weird key bindings (especially those who don't use vim very often). "why the hell is this ugly terminal tool called a productivity tool?", well, just like vim/zsh, with a little …

Use Shadowsocks as Transparent Proxy (like GFW doesn't exist)

jm33 — Tue, 24 Jul 2018 00:00:00 +0800

this transparent proxy depends on iptables, which means generally you can only use it on Linux

what you are getting

an always-on proxy that redirects all TCP/UDP traffic to your Shadowsocks proxy while bypassing a list of IP ranges a clean connection to foreign DNS server, bye bye DNS …

To My Graduation

jm33 — Sun, 15 Jul 2018 00:00:00 +0800

i was living near my campus for the whole last month, because of which, i barely felt anything when everyone was saying goodbye to each other. i could still go to my school for food or fun, just like before.

the only difference i noticed, was that i can never …

Parsing Large XML With Go

jm33 — Sun, 26 Nov 2017 00:00:00 +0800

i have a huge XML file (about 700MB) generated by masscan, initially i was trying to use masscan-web-ui to parse the file, which was extremely slow of course (have to admit that Offensive Security has done a great job for turning masscan into a Shodan/ZoomEye like search engine). then …

How to Use Cisco Anyconnect VPN - Certificate based authentication

jm33 — Mon, 30 Oct 2017 00:00:00 +0800

中文版

Read me
Windows PC
Android
iOS
BB10

Read me

Disclaimer

i've tested Android and Windows version myself, but i can't guarantee the accuracy of my tutorials for iOS and BB10 since i don't have those devices, and the screenshots are contributions from other …

如何使用Cisco Anyconnect VPN - 基于证书的认证

jm33 — Sun, 29 Oct 2017 00:00:00 +0800

Read me

Disclaimer

我已经测试了Android和Windows版本，但我不能保证 iOS和BB10 的教程的准确性，因为我没有这些设备，屏幕截图是其他用户的贡献

提醒

保持您 …

MassExpConsle - User Guide

jm33 — Thu, 01 Jun 2017 00:00:00 +0800

https://github.com/jm33-m0/massExpConsole

thank you all for your support

what it does

an easy-to-use cli ui
execute any adpated exploits with process-level concurrency
some built-in exploits (automated)
zoomeye host scan (10 threads)
google page crawler with gecko and firefox (not fully working)
a simple baidu crawler (multi-threaded)
webshell …

A Hacking Console - Rewritten

jm33 — Thu, 11 May 2017 00:00:00 +0800

MassExpConsole

adding more exploits and tools

https://github.com/jm33-m0/massExpConsole

what's new

ZoomEye search engine is now more usable, as it saves user credentials to reduce the frequency of user having to re-login to gain their new token
improved exception handling, expect less confusing exceptions
most code has been …

A Hacking Console (Upgraded) - massExploitConsole

jm33 — Mon, 24 Apr 2017 00:00:00 +0800

massExploitConsole

a collection of tools with a cli ui

https://github.com/jm33-m0/massExpConsole

screenshot

what does it do?

an easy-to-use user interface (cli)
execute any adapted exploit with process-level concurrency
crawler for baidu and zoomeye
a simple webshell manager
some built-in exploits (automated)
more to come...

requirements

GNU/Linux …

A Hacking Console

jm33 — Sat, 11 Mar 2017 00:00:00 +0800

GitHub repo

https://github.com/jm33-m0/b0t-br0kr

a collection of my tools

as you can see among the tags, ~~i wrote this tool mainly to automate some heavy pentest work~~, and more importantly, to make my life easier. emmm, im sure you wanna know what you will get from this …

极路由3 LEDE + Shadowsocks + Mentohust (含所需文件tarball下载)

jm33 — Tue, 21 Feb 2017 00:00:00 +0800

链接

https://jm33.me/files/lede_pkgs.tar.gz (Shadowsocks，Mentohust及它们的依赖包下载)

已知问题

5G WiFi默认无法使用
MAC重写无法使用

刷机与Breed

请参考极路由刷OpenWrt最强攻略——从救砖、刷Breed、编译固件到安装配置 , 虽然是针对OpenWRT的 …

Using KCPTUN to Speed Up Your Proxy

jm33 — Thu, 01 Dec 2016 00:00:00 +0800

KCP with Shadowsocks / 配合Shadowsocks的KCP加速

If you were using Shadowsocks Plus for Windows, KCP is implemented already, no further configuration is needed / 如果你在使用Shadowsocks Plus for Windows，那么KCP已经启用，无须额外配置

Shadowsocks for Android

After finishing your setup, just …

No Title

jm33 — Mon, 21 Nov 2016 00:00:00 +0800

It's getting colder...

We are expecting the first snow of this year

Recent screenshots

Using Obfs4proxy to obfuscate your non-TOR proxy / 为Shadowsocks路由器增加Obfs4混淆

jm33 — Wed, 12 Oct 2016 00:00:00 +0800

You probably need obfs4 in my country

Censorship is the most famous part of internet in China, they actively attack users with packet analysis and proxy detection, which sets a tech barrier to most people who want to access international websites without tech background

I am unsure that my proxy …

搭建Cisco Anyconnect VPN服务器

jm33 — Thu, 06 Oct 2016 00:00:00 +0800

自动化脚本

如果你使用 Ubuntu (>=16.04) / Debian(>=9), 可以尝试使用我的自动配置。 in case 你用的发行版软件源中没有ocserv，你可以自己编译最 …

A reverse shell written in Golang

jm33 — Sun, 02 Oct 2016 00:00:00 +0800

Github repo

https://github.com/jm33-m0/go-reverse-shell

Why Golang?

~~'coz I don't know C~~

Cross platform

absolutely so! I only need to specify a target system/arch, and Go will compile it for me no matter what system I am using to compile guess what? if you choose C, you …

Switched to Xfce4 Desktop

jm33 — Sat, 24 Sep 2016 00:00:00 +0800

Why?

Got tired of KDE, plus that KDE replaced my custom splash screen with its default one, I then decided to configure Xfce4 as my main DE for at least the next month

How does it look?

Here is my screenshot:
Have to admit, Xfce4 consumes little system resources, and …

使用Shadowsocks-Plus整合KCPTUN加速

jm33 — Fri, 26 Aug 2016 00:00:00 +0800

Why KCPTUN?

KCP是一个快速可靠协议，能以比 TCP浪费10%-20%的带宽的代价，换取平均延迟降低 30%-40%，且最大延迟降低三倍的传输效果。纯算法实现，并不负责底层协 …

My First C-Sharp Project

jm33 — Thu, 25 Aug 2016 00:00:00 +0800

Shadowsocks-Plus-Win

You can find its Github homepage here

What I want to say

C# with .Net is actually the best language for developing Windows apps
Haven't used C# before, I heard it's a Java-like language (dunno Java, either) for Windows
I'm learning a lot from developing this... (thanks to Visual …

Cryptography - Week 1

jm33 — Wed, 17 Aug 2016 00:00:00 +0800

TL; DR

Sym. encryption
One Time Pad
Shannon: Perfect secrecy
History - Badly broken algorithms
Stream cipher - OTP in real life
Probability basics
Pseudo random gen - predictable
Negligible / Non-negligible

Topics

Sym. encryption definition

What

Sender and receiver use the same secret key for encryption and decryption,
or the same encryption scheme …

极路由hosts修改 (无行数限制)

jm33 — Thu, 04 Aug 2016 00:00:00 +0800

TL; DR

我在hiwifi_scripts项目里改写的一个Shadowsocks插件无法实现远程解析被污染的域名
所以我在看了DNSCrypt等解决方案之后最终决定使用成熟的hosts项目提供的不断更新的hosts文件来解决DNS污染的问题
从而保证了防污染DNS解析不会影响整体网络性能表现
该sh脚本会把自己添加成cron job，定时检查hosts文件更新并自动应用修改 …

NetCat - File Transfer and More

jm33 — Sun, 24 Jul 2016 00:00:00 +0800

What is NetCat

According to its manual:

    Netcat is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol. 
    It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts.  
    At the …

极路由4使用Shadowsocks插件（含web配置面板）

jm33 — Sat, 16 Jul 2016 00:00:00 +0800

本插件会持续更新，请以Github发布的内容为准

提供相关代理服务器(无流量限制)和技术支持，请点击https://jm33.me/pages/fgfw.html了解详情 …

Secure Your Email with PGP

jm33 — Sat, 04 Jun 2016 00:00:00 +0800

Background

Almost a decade ago I wrote this article showing how to use PGP to secure your emails. Today I decide to rewrite it, to make it useful in 2025, and to instruct people who might want to encrypt their communication with me but don't know how.

This is a …

Using OCSERV On An HTTPS server

jm33 — Thu, 26 May 2016 00:00:00 +0800

What happened

Using ocserv 0.11.1 on Debian Stretch

ocserv 0.11.1

Compiled with seccomp, tcp-wrappers, oath, gssapi, PAM, PKCS#11, AnyConnect, 
GnuTLS version: 3.4.12 (compiled with 3.4.10)

By default, ocserv creates ocserv.socket that listens on port 443, and you usually can't figure …

Build Your Own Anyconnect VPN

jm33 — Wed, 25 May 2016 00:00:00 +0800

TL; DR

As many fellow Chinese users might need this guide, I will add Chinese translation to this article
You may encounter errors like The secure gateway has rejected the connection attempt. Well, I will tell you how to solve problems like that
You will also find instructions about how …

Enabling HTTP2

jm33 — Wed, 25 May 2016 00:00:00 +0800

Do you have Apache/2.4.17+ ?

As far as I know, Debian hasn't put Apache 2.4.18 in their stable repo yet, therefore you might want to upgrade your Debian server to a testing version (I strongly recommend doing so, as you will get all your software up …

Sh4d0ws0cks Over Obfsproxy (Scramblesuit)

jm33 — Mon, 16 May 2016 00:00:00 +0800

如果您看不懂英文，请点击这里以查看简体中文版本

Get obfsproxy for your server

TOR official Debian/Ubuntu repo

You can find your repo here
For Debian Jessie users like me, simply add the following to your …

Glowing Bear

jm33 — Mon, 09 May 2016 00:00:00 +0800

Get certs ready

Get Letsencrypt with git clone https://github.com/letsencrypt/letsencrypt
Enter git directory, and ./letsencrypt-auto certonly -d <your domain>
Find your certs in cd /etc/letsencrypt/live/<your domain>, you will see the following

You will need to combine privkey.pem and fullchain.pem, fire up the …

A Tour Of Go - My First Step To Golang

jm33 — Tue, 19 Apr 2016 00:00:00 +0800

Basic Types

bool(true/false)
string
int int8 int16 int32 int64 / and uint equivalences, uintptr
byte(alias for uint8)
rune(alias for int32, represents a Unicode code point)
float32 float64
complex64 complex128

Operators

:= is used to set a new variable without declaring it, like this new_var := 1
<< is used to …

使用Obfsproxy (Scramblesuit) 混淆sh4d0ws0cks流量

jm33 — Sat, 16 Apr 2016 00:00:00 +0800

为您的服务器获取obfsproxy

TOR 官方Debian/Ubuntu软件源

可以在这里找到您的软件源
Debian Jessie用户请添加以下内容到 /etc/apt/sources.list

deb http://deb.torproject.org/torproject.org jessie main
deb-src http://deb.torproject.org/torproject.org jessie main …

jm33_ng

Writing a Linux BOF Loader from Scratch

Introduction

sRDI for Linux: Stealthy In-Memory ELF Loading

TL;DR

Reversing a Nim-based APT Sample with Ghidra and x64dbg

Introduction

Offensive CGO - An ELF Loader

TL;DR

Reversing a Go Malware Using Ghidra

Secure Boot in Arch Linux

Unified Kernel Image

OpenSSH Server 密码收割机

背景

Migrating from Libvirt to Qemu

Graphics in Qemu

Performance Impact of SPICE+VirGL

Secure Boot and LKM Signing in Fedora

Fully Interactive Remote Shell for Windows

Understanding Windows Console Host

Use Python for Linux Post-Exploitation

Let's talk about hacking in Linux

emp3r0r - Injection

shared library injection

emp3r0r - SSH

what we can do with ssh

CSE548 - Bridges and Switches

Terminology

Port

Enable Mouse Natural Scroll In Windows 10

Why

QQ Is Reading Your Browsing History

how do i know

see what qq does with procmon

emp3r0r - 0x00

(pinned) updates

emp3r0r - Process Injection And Persistence

Process Injection In Linux

Background

emp3r0r - Break Out Of Internal Network

intro

SSHD Injection and Password Harvesting

TL;DR

Process Injection On Linux

See also

Dynamic Linker/Loader - Make an ELF load specific libraries

Intro

Make HTTP/2 Requests Via Proxy In Golang

my struggle

Digging Into A macOS Kernel Panic

TL;DR (2021-06-09)

Delete An Entry From wtmp/btmp/utmp Log Files

Stop Deleting Everything!

404

Lost Your Way?

Set Up AD Domain Over VPN

install Active Directory Domain Services (AD DS)

install using server manager

emp3r0r - 0x03

An Update to MEC

switching to prompt_toolkit

emp3r0r - 0x02

how to make your reverse shell suck less

Use `su -c` in LPE

emp3r0r - 0x01

Linux Rootkit for Fun and Profit - 0x04 - emp3r0r

Killer Wireless Kills My Network

Hook System Calls in Linux 5.x

how to disable WP when cr0 is "pinned"?

We Can No Longer Easily Disable CR0 WP (Write-Protection)

Linux Rootkit for Fun and Profit - 0x03 - LKM - Hide from ss/netstat

how ss/netstat fetch TCP/UDP connections

Linux Rootkit for Fun and Profit - 0x02 - LKM - Hide files/procs

what you will learn

Linux Rootkit for Fun and Profit - 0x01 - LKM

what you will learn

how to hook syscalls

what?

Linux Rootkit for Fun and Profit - 0x00 - Design

what to expect

一．漏洞背景