Jing Mi

Who I am

  • A cyber security researcher who focuses on red team tooling and uses Linux.
  • A student at Monash University
  • A fast learner who gets things done
  • A guy who goes to the gym, builds muscle and stays healthy
  • The de facto IT man who helps colleagues with all kinds of tech difficulties

What I do

  • Red team tooling in Go, Python, Bash, C#, PowerShell, C, etc.
  • Linux/Windows hacking, rootkits, malware research
  • Binary exploitation
  • Reverse engineering on Linux/Windows
  • Web pentesting
  • Cryptocurrencies, blockchain

Professional Experience

Security Researcher at Alpha Lab of TopSec

From 2018.10 to 2024.2

Responsible for:

  • Red team tooling
  • Threat intelligence
  • Linux security
  • Malware research
  • Incident response
  • Patents

Security Engineer (internship) at Qingteng

From 2018.2 to 2018.9

Responsible for:

  • Incident response
  • Malware research

Education

Projects

emp3r0r

Link: https://github.com/jm33-m0/emp3r0r

A post-exploitation (C2) framework written in pure Go. It is the first C2 that targets the Linux platform. Highlights include:

  • C2 transport is HTTP/2 over TLS and can be encapsulated in other proxies, such as CDN, Tor, Shadowsocks/KCP, etc.
  • Automatically brings hosts to the C2 as long as there is a path, regardless of their network location
  • Utilizes the SSH protocol to provide features such as:
      • Remote shell (fully interactive on both Linux and Windows)
      • File manager, accessible with any SFTP-compliant tool
      • Proxy, which can be used to bring hosts that cannot establish outbound connections to the C2
  • Module support, with a fully static Python 3.9 environment that runs on target hosts
  • Credential harvesting, currently supporting automatic OpenSSH password extraction
  • Many more, please check its GitHub page

SSH-Harvester

Link: https://github.com/jm33-m0/SSH-Harvester

Automatically extracts clear-text passwords from the OpenSSH server process and verifies that they are valid.

This tool is based on one of my blog posts.

MEC

Link: https://github.com/jm33-m0/mec

A toolbox for mass exploitation and scanning

Articles

Patents

  • CN113810427B (Automatically form proxy chains to bring hosts from isolated internal networks to the C2 server on the Internet)
  • CN116775147B (Injecting ELF objects into running processes)
  • CN114629889B (Remote shell that’s encapsulated in SSH protocol, which also provides additional features such as file management)
  • CN117201072B (Harvest passwords in real time from OpenSSH server via process injection)
  • CN116016638A (A method to hide a C2 server through TLS camouflage; non-C2 traffic is forwarded to legitimate sites)
  • CN115334133A (A remote PTY-compliant shell that works on Windows)
  • CN116016479A (A kernel module that authenticates C2 traffic and redirects non-C2 traffic to the legitimate service that uses the service port)
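The TLS camouflage patent (CN116016638A), the port-sharing kernel module (CN116016479A) and emp3r0r's habit of hiding its HTTP/2 transport behind ordinary-looking proxies all rest on the same idea: a listener that authenticates agent traffic and hands everything else to a legitimate site, so that anyone who scans or browses the server sees only the decoy. The Go program below is an added illustration written for this page, not code from emp3r0r or from the patents. The header-token check, the header name X-Agent-Key, the decoy origin and the listen address are assumptions made for the example, and it serves plain HTTP so it can be run and tested without certificates; a real deployment would terminate TLS in front of it.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Camouflage fronts a C2 with a legitimate-looking site. Requests that carry
// the expected agent token are handed to the C2 handler; everything else is
// reverse-proxied to a real decoy site, so a scanner or analyst browsing the
// listener only ever sees the decoy.
//
// The header-token check is an assumption made for this example; the page
// does not describe how the patented method tells C2 traffic from the rest.
type Camouflage struct {
	headerName string
	token      []byte
	c2         http.Handler
	decoy      *httputil.ReverseProxy
}

// NewCamouflage builds the front-end. decoyOrigin is the legitimate site that
// absorbs non-C2 traffic, e.g. "https://www.example.com" (hypothetical).
func NewCamouflage(decoyOrigin, headerName, token string, c2 http.Handler) (*Camouflage, error) {
	origin, err := url.Parse(decoyOrigin)
	if err != nil {
		return nil, err
	}
	proxy := httputil.NewSingleHostReverseProxy(origin)
	// The stock director keeps the incoming Host header; rewrite it so the
	// decoy origin (often a CDN or a virtual host) serves its normal content.
	director := proxy.Director
	proxy.Director = func(r *http.Request) {
		director(r)
		r.Host = origin.Host
	}
	return &Camouflage{
		headerName: headerName,
		token:      []byte(token),
		c2:         c2,
		decoy:      proxy,
	}, nil
}

// IsC2 reports whether the request authenticates as agent traffic. The
// comparison is constant-time so the token cannot be guessed byte by byte.
func (c *Camouflage) IsC2(r *http.Request) bool {
	got := r.Header.Get(c.headerName)
	if got == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(got), c.token) == 1
}

// ServeHTTP routes the request: agent traffic to the C2 handler, everything
// else to the decoy site.
func (c *Camouflage) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if c.IsC2(r) {
		c.c2.ServeHTTP(w, r)
		return
	}
	c.decoy.ServeHTTP(w, r)
}

func main() {
	// Hypothetical C2 endpoint. A real deployment would use ListenAndServeTLS
	// so the camouflage also covers the handshake, as the patent describes.
	c2 := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("c2 hello\n"))
	})
	cam, err := NewCamouflage("https://www.example.com", "X-Agent-Key", "replace-me", c2)
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:8443", cam))
}
```

With the program running, a plain request to http://127.0.0.1:8443/ returns the decoy site's page, while the same request with the X-Agent-Key header set to the configured token reaches the C2 handler. The decision is kept in IsC2 so it can be swapped for whatever signal a deployment prefers (a client certificate, a path, a cookie) without touching the routing; a bare header is the simplest thing to demonstrate, not a recommendation.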