Sheng-Hao Ma(@aaaddress1) is currently working as a senior researcher at TXOne Networks, specializing in Windows reverse engineering analysis for over 10 years. In addition, he is currently a member of CHROOT, an information security community in Taiwan.
He has served as a speaker and instructor for various international conferences and organizations, such as Black Hat USA, DEFCON, CODE BLUE, HITB, VXCON, HITCON, ROOTCON, Ministry of National Defense, and Ministry of Education. He is also the author of the popular security book "Windows APT Warfare: The Definitive Guide for Malware Researchers".
Taipei, Taiwan
+886 973 850 620
March 2021 - Present
Researches the exploits used by trending ransomware families, e.g. REvil, and vulnerabilities used by nation-state cyber armies, such as CVE-2021-40444. Also developed a semantic-aware binary decompiler engine and presented it at Black Hat USA and CODE BLUE.
November 2020 - January 2021
Served as a contractor researching memory forensics and investigation methods for identifying malware signatures, along with how weaknesses in the Microsoft Windows WoW64 layer could be abused by attackers; researched the Mono project and built a .NET binary analysis engine in C++.
January 2015 - January 2016
Reverse engineered malware used in attacks against the Taiwanese government, and wrote reports on the behavior and intent of the APT groups behind them.
2018 - 2020
2014 - 2018
github.com/aaaddress1/RunPE-In-Memory・538 Stars
Runs a Windows PE file directly in memory, like an application loader.
github.com/aaaddress1/PR0CESS・513 Stars
Abuses Windows internal process design to achieve in-the-wild attacks used by APT groups, e.g. Process Herpaderping, Process Ghosting, and UAC bypassing.
github.com/aaaddress1/Skrull・408 Stars
Skrull is a malware DRM that prevents automatic sample submission by AV/EDR and signature scanning from the kernel. It generates launchers that can run malware on the victim using the Process Ghosting technique. The launchers are also fully anti-copy and naturally break when submitted.
github.com/aaaddress1/wowInjector・144 Stars
Injects a payload into a WOW64 (Windows 32-bit on Windows 64-bit) process by exploiting the 32-bit thread snapshot. This trick makes it possible to carry out malicious attacks and bypass antivirus agents at the same time, e.g. injection, hollowing, dropper, etc.
It is a proof of concept for the HITB 2021 talk. For more details on reversing Microsoft's entire WOW64 layer and how it can be abused, see "Rebuild The Heaven's Gate: from 32 bit Hell back to Heaven Wonderland".