Ma Sheng Hao

Cyber Security

Sheng-Hao Ma (@aaaddress1) is currently working as a senior researcher at TXOne Networks, specializing in Windows reverse engineering and analysis for over 10 years. In addition, he is currently a member of CHROOT, an information security community in Taiwan.


He has served as a speaker and instructor for various international conferences and organizations, such as Black Hat USA, DEFCON, CODE BLUE, HITB, VXCON, HITCON, ROOTCON, Ministry of National Defense, and Ministry of Education. He is also the author of the popular security book "Windows APT Warfare: The Definitive Guide for Malware Researchers".

Taipei, Taiwan

[email protected]

+886 973 850 620


Skills

Professional Skills


  • Reverse Engineering
  • Malware Analysis (Windows & Linux)
  • IoT Malware (Embedded Linux)
  • Compiler Techniques
  • Operating System
  • Machine Learning
    • Neural Network-based Models
    • Word2Vec
    • Asm2Vec
  • Windows Security
    • Exploit
    • Pwn
    • Elevation of Privilege (EoP)
    • AntiVirus Bypassing

Programming Languages


  • x86
  • C/C++
  • C#
  • Python
  • JavaScript

Publication


  • Windows APT Warfare: The Definitive Guide for Malware Researchers

Instructor


  • From Zero to Windows Shellcode Expert
  • Windows Malware Analysis In Practice
  • Linux Pwn: from Buffer Overflow to ROP

Experience

March 2021 - Present

Senior Researcher

TXOne Networks, Inc.

Research the exploits used by prominent ransomware families (e.g. REvil) and the vulnerabilities used by nation-state cyber armies, such as CVE-2021-40444. Also developed a semantic-aware binary decompiler engine and presented it at Black Hat USA and CODE BLUE.

November 2020 - January 2021

Security Researcher

CyCraft

Served as a contractor researching memory forensics and investigation methods for identifying malware signatures, along with how weaknesses in the Microsoft Windows WoW64 layer could be abused by attackers; also researched the Mono project and built a .NET binary analysis engine in C++.

January 2015 - January 2016

Malware Researcher

Ministry of Justice Investigation Bureau (MJIB)

Performed reverse engineering on malware attacking the Taiwan government, and wrote reports on the behavior and intent of the APT organizations behind it.

Speaker

Education

2018 - 2020

National Taiwan University of Science and Technology

Computer Science - Master

2014 - 2018

I-Shou University

Computer Science - Bachelor

Projects

RunPE In Memory

github.com/aaaddress1/RunPE-In-Memory・538 Stars

Runs a Windows PE file directly in memory, like an application loader.

PR0CESS

github.com/aaaddress1/PR0CESS・513 Stars

Abuses the Windows internal process design to reproduce in-the-wild attack techniques used by APT groups, e.g. Process Herpaderping, Process Ghosting and UAC bypassing.

Skrull

github.com/aaaddress1/Skrull・408 Stars

Skrull is a malware DRM that prevents automatic sample submission by AV/EDR and signature scanning from the kernel. It generates launchers that run malware on the victim using the Process Ghosting technique. The launchers are also anti-copy by design and are naturally broken once submitted.

wowInjector

github.com/aaaddress1/wowInjector・144 Stars

Injects a payload into a WOW64 (Windows 32-bit on Windows 64-bit) process by exploiting the 32-bit thread snapshot. This trick makes it possible to carry out attacks such as injection, hollowing and dropping while bypassing antivirus agents at the same time.

It is the proof-of-concept for the HITB 2021 talk. For more details on reversing Microsoft's entire WOW64 layer and how it can be abused, see "Rebuild The Heaven's Gate: from 32 bit Hell back to Heaven Wonderland".