Cybersecurity Explorer

Male | 1984 | Bachelor | Chengdu, China | unclenull@gmail.com | GitHub

---

Summary

Former Web front-end developer with cross-corporate experiences, including multiple listed ones, such as Phoenix New Media, Tibco CDC (China Development Center), Lenovo, HNA Group, NetDragon Overseas R&D.

Fueled by insatiable curiosity, any unexpected system behaviors compel me to peel back layers to unravel the underhood mechanisms. I lean towards command-line tools with explicit flags over opaque black boxes managed by such as an IDE.

Possessing calm persistence, I can't stop until the root causes of peculiar bugs are identified, until solutions for technical challenges emerge.

The explorations led me through low-level domains: Binary, Opcodes, formats, encodings, protocols, OS internals, executables, etc. Ultimately they guided me down the rabbit hole of Cybersecurity.

Now I'm ready to make it my primary focus.

---

Education

Bachelor of Business Administration

Shihezi University – Xinjiang, China 09/2003 – 07/2007

Minor in Computer Science & Technology

Shihezi University – Xinjiang, China 09/2004 – 07/2006

---

Last Job

NetDragon Overseas R&D Feb 2020 - Jan 2025

Frontend Architect

• Technology selection, technical debt mitigation, architecture evolution.
• Development of project skeleton, shared libraries and common components
• CI/CD pipeline setup, including build tools/plugins, scaffolding utilities, Docker scripts, GitHub Actions, Gitlab Runners, etc.

Technical Lead

• Core features development
• Collaboration with international UI & product teams
• Tasks decomposition and assignment

---

Technical Knowledge & Skills & Practices

Opcodes/Assembly/Binary

• X86 instruction encoding format & common instructions¹; Coded with MASM/NASM, known about AT&T syntax.
• Fiddled with a POC of MBR bootloader tested in Bochs VM to learn the bootstrap process, which loads a dummy OS from a FAT12 filesystem, via BIOS interrupt with CHS addresses.
• Played with Smali when reverse APKs.
• Common binary number manipulations.

Windows

• Underlying mechanisms², such as architecture, interrupt, objects, synchronization, etc.
• Security internals, such as token, UAC, MIC (Mandatory Integrity Control), PPL (Protected Process Light), Kerberos, etc.
• Core components such as Registry, Service, ETW, WinRM, SMB, etc; Experimented Active Directory with VMs.
• PE format
  • Handcrafted a minimal HelloWorld PE less than a sector with hex editor
  • Customized UPX for evasion. Three approaches tried:

    In C++ & ASM
    Tested mimikatz 2.2.0 (x64) on Win11 24H2, escaping WinDefend successfully.

    • Anonymize UPX as well as the target PE

      branch dynamic

      • All information of the target PE is cleared from the external PE, including icons, resources, imports, etc.
      • All signatures of UPX are eliminated such as timestamp, RICH, sections pattern, etc.
      • The uncompressed space is not reserved in BSS, instead allocated dynamically.
      • The file size is randomized for each run with random data padded.

    • Camouflage the external PE

      branch camouflage

      • Based on the former, the external PE is randomly picked from the system.
      • A resource is added to embed the processed target PE, which is encrypted with a key passed from the command line.
      • A minimal loader is appended to the code section, to jump to which a call instruction is patched.
      • The loader returns normally without actions if a complex calculation based on runtime data fails, to counter static analysis.

    • reflective PE loading

      branch payload

      Similar to Reflective DLl Injection, the whole output PE is turned into a PIC(position independent) payload.
      When being copied to any dynamically allocated executable memory and transferred the execution,
      it would unroll in the current process.
      This envisions more possibilities especially when embedded in a script file,
      which remedy the fact that even Notepad compressed by vanilla UPX are flagged as malicious by certain AVs.

• Developed a rootkit from scratch based on BYOVD with references to a malware technical report³ and several open source projects, with features and improvements:
  • Disable all ETW consumers instead of just the Microsoft-Windows-Threat-Intelligence provider.
  • Disable all notifications for image, process, thread, object, and registry.
  • Remove Mini-Filter callbacks from all volume's instances, as well as the Registrations to prevent re-register.
  • LSASS memory could be dumped after lowering or lifting PPL, and optionally bypassing Credential Guard to get clear passwords.
  • The necessary normal drivers are whitelisted in a more efficient approach.
  • All modifications could be restored optionally.
  • Take advantage of c++ but without any C/C++ runtime libraries.

    Except for the SEH handler.

  • The embedded driver is encrypted with a dedicated key.
  • All texts are encrypted with distinct keys, and re-encrypted right after use.
  • All logging text are extracted and replaced with a pattern, which could be restored later on.
  • Direct system calls via SysWhiper2.
  • Support all x64-bit Windows versions starting from the first Win10 build 10240.

    The driver issue needs to be addressed in Win11

• Developed a AMSI bypass tool still working in Win11 24H2.
• Practiced a WDM driver for PnP device⁴.
• Developed a Windows service tool with C#.NET for a regular website task.
• Played with Windows GUI apps to practice Windows message system and drawing APIs.
• Common exploits such as process injection/hollowing, UAC bypass, System escalation, etc.

Linux

• System mechanisms such as PAM auth, Iptables/Netfilter, SysV/Systemd, At/Crontab, suid, etc
• Common cli utilities such as apt/yum/dnf, sed, awk, chmod, getent, etc
• GNU build tools, autotools
• ELF format, customized a tool (dnload) to create a minimal module (It doesn't support output libraries) used in Sqli UDF.
• Once patched Cryptsetup to add nuke key, along with customized PAM auth script to encrypt and strengthen my system.

Reverse Engineering

• Windbg: common commands, kernel mode debugging, DotNet debugging, scripting (most traditional, tried Javascript)⁵
• GDB common commands, scripting
• IDA usage⁶'⁷, developed several plugins with IDAPython, such as
  • List what outside functions a function calls directly or indirectly
  • Display all numbers in HEX format in command line by default by patching methods print/repr/str of int,
  • A POC to emulate x86 execution
• Common tools, Dnspy, Radare2, Ghidra, X64dbg, Ollydbg, etc
• Common packing & unpacking, ant-debugging & ant-sandboxing techniques⁸
• Basics of memory forensics and Volatility framework⁹.
• Reversed APKs, uncovered a specific one's login protocol
  • Java debugged in APKStudio with Smalidea, Native codes debugged in GDB, WebView debugged in Chrome DevTools
  • Dissemble & Decompile with Jadx, Re-sign with uber-apk-signer,
  • Force route to transparent proxy via Iptables
  • Use Frida/Objection to trace & manipulate execution flow, intercept the packer, bypass SSL pinning

Penetration

• Common vulnerabilities such as Sqli, XSS, CSRF, stack/heap overflow, etc; Experimented laboritaries in Web Security Academy from PortSwigger.
• Common concepts of APT tactics in ATT&CK
• Sqli
  • Common techniques, nuances among common DBs
  • Debugged source codes of Sqlmap to get acquainted with its structure, workflow, core logics, etc
  • Played with all courses in sqli-labs
• Debugged source codes of Metasploit to study exploits implementations.
• Developed an Extender of BurpSuite to fix Chinese encoding issue
• Have built & run a local GVM/Openvas to scan Metasploitable
• Bundled Impacket scripts to a PE executable
• Customized PAExec
• Other common tools like Mimikats, Beef, NtObjectManager, Nishang, etc

Cryptography

• Fundamental theories of modern cryptography¹⁰'¹¹
• Common algorithms & protocols, especially
  • Symmetric/Private-key encryption
    • stream cipher (LFSR, ChaCha)
    • block cipher (DES/AES), encryption modes
    • Padding Oracle Attack on CBC
  • Asymmetric/Public-key encryption (RSA, ECC)
  • Hash & Authentication
    • Unkeyed/MDC/MIC (MD4 family)
    • Keyed/MAC (CBC-MAC, HMAC, Poly1305)
    • Non-cryptographic (FNV, Murmur)
  • Bitcoin
    • Address formats & algorithms
    • Standard scripts
    • Transaction mechanism
    • Wallet protocols
      • Mnemonic codes (bip39)
      • Key derivation (bip32)
    • Proof-of-work
  • Ransomware
    • Common encryption strategies¹²
    • Have read the leaked Conti source codes

Machine Learning

Tried to crack a CAPTCHA system in two approaches:

• SVM (Support Vector Machines)
• CNN (Convolutional Neural Network) via Tensorflow, the training process is:

  Project Inspired by an academic paper¹³ Generative Adversarial Network Based Approach.](https://eprints.whiterose.ac.uk/id/eprint/151526/1/ccs18.pdf)

  1. Download samples of images and pre-process 1). Turn to greyscale then normalize to white on black 2). Denoise with median-filter algorithm and a custom one 3). Split into chars with the drop-fall algorithm 4). Label them manually
  2. Train a dataset generator model of CircleGAN from those samples
  3. Train the final model of AlexNet from that generator.

Network

• OSI model, TCP/IP stack (headers format, TCP three/four-way handshake, etc)
• Common tools such as Nmap, Tcpdump/Wireshark, Netcat/Socat, Mitmproxy, etc
• Common protocols such as SMTP, TLS, OAuth, etc
• Socket APIs

Languages

• Shell Powershell, Bash, Cmd
• Scripts Javascript, Python, (Php, Sql, Ruby, Lua, VB)
• Compiled ASM, C/C++, C#/Java, (Go)

---

Miscellaneous

• Comfortable working & learning in English; Collaborated with international teams; Temporary assignment in Palo Alto for months.
• Developing daily in Vim, on Windows with WSL, and previously on Ubuntu and Mac for years.
• Subscriber of various cybersecurity news feeds, such as bleepingcomputer.com, darkreading.com, hackread.com, thehackernews.com, etc.
• Maintain regular exercise routine alternating between 10km runs and strength training every other day.
• Open to any opportunities that would benefit from my potentials.

References

Footnotes

1. Intel® 64 and IA-32 Architectures Software Developer’s Manual ↩

2. David Solomon and Mark Russinovich, Windows Internals ↩

3. Analysis Report on Lazarus Group's Rootkit Attack Using BYOVD ↩

4. Walter Oney, Programming the Microsoft Windows Driver Model ↩

5. Tarik Soulami, Inside Windows Debugging ↩

6. Chris Eagle, The IDA Pro Book ↩

7. Justin Ferguson and et al., Reverse Engineering Code with IDA Pro ↩

8. Mark Vincent Yason, The Art of Unpacking ↩

9. Michael Hale Ligh, Andrew Case, Jamie Levy and AAron Walters, The Art of Memory Forensics ↩

10. Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography ↩

11. Jean-Philippe Aumasson, Serious Cryptography ↩

12. Pranshu Bajpai, Extracting Ransomware’s Keys by Utilizing Memory Forensics ↩

13. Yet Another Text Captcha Solver: A Generative Adversarial Network Based Approach. ↩