BUY ME A BEER - paypal.me/excellorator
Straight to EXCELLORATOR SELECTIONS...
EXCELLORATOR SELECTIONS FOR GULFSTREAM PARK - 30 MAR 2023
EXCELLORATOR SELECTIONS FOR OAKLAWN PARK - 30 MAR 2023

If you're in the market for a property in Gurgaon, it's important to find the right real estate consultant to help you navigate the complex and ever-changing real estate market. With so many options to choose from, it can be difficult to know what to look for when selecting a consultant. In this blog, we'll discuss some important factors to consider when hiring a real estate consultant in Gurgaon.

Why Hire a Real Estate Consultant?

Before we dive into what to look for in a real estate consultant in Gurgaon, it's important to understand why you might want to hire one in the first place. Real estate consultants have in-depth knowledge of the local market and can help you find the right property at the right price. They can also provide valuable insights into market trends, property values, and the legal and financial aspects of real estate transactions.
In addition to their expertise, real estate consultants can save you time and stress by handling the many details involved in buying or selling a property. They can help you with everything from property inspections and negotiations to contract drafting and closing.
Now that we've covered the benefits of working with the best real estate consultant, let's discuss what to look for when hiring one in Gurgaon.
Why Hire a Real Estate Consultant in Gurgaon?

Experience and Credentials

One of the most important factors to consider when selecting a real estate consultant is their experience and credentials. Look for a real estate consultant in Gurgaon who has a proven track record of success in the Gurgaon market, as well as the appropriate licenses and certifications.
You may also want to consider the consultant's education and training. A consultant with a background in real estate, law, or finance may be better equipped to handle the legal and financial aspects of your transaction.
Experience and Credentials

Local Knowledge

In addition to experience and credentials, it's important to choose a top-rated real estate consultant in Gurgaon who has in-depth knowledge of the local market. Look for a consultant who is familiar with the different neighborhoods and property types in Gurgaon, as well as market trends and property values.
A local consultant may also have valuable connections with other professionals in the real estate industry, such as home inspectors, lenders, and title companies. These connections can be especially helpful during the buying or selling process.
Local Knowledge

Communication Skills

Effective communication is key when working with a real estate consultant. Look for a consultant who is responsive and easy to reach, and who communicates clearly and effectively.
During your initial consultation with a potential real estate consultant in Gurgaon, pay attention to how they listen to your needs and concerns, and how they explain their services and process. A consultant who takes the time to understand your goals and preferences is more likely to provide personalized service and help you find the right property for your needs.
Communication Skills

Marketing Strategy

If you're selling a property, it's important to choose a consultant who has a strong marketing strategy. Look for a consultant who uses a variety of marketing channels, such as online listings, social media, and print advertising, to reach potential buyers.
Ask the consultant to explain their marketing plan and how they will showcase your property's unique features and benefits. A real estate consultant in Delhi who has a solid marketing plan and is proactive about promoting your property is more likely to attract qualified buyers and sell your property quickly.
Marketing Strategy

Client References and Reviews

Before hiring a real estate consultant in Delhi, it's important to check their references and reviews from past clients. Look for a consultant who has positive reviews and testimonials from clients who have had successful transactions with them.
You may also want to ask the consultant for references from clients who have worked with them on transactions similar to yours. Speaking with past clients can provide valuable insights into the consultant's communication style, expertise, and overall level of service.
Client References and Reviews

Final Thoughts

Choosing the right real estate consultant in Gurgaon is a crucial part of the buying or selling process. By considering the factors we've discussed in this blog a list of potential consultants, interviewing them, and checking their references and reviews, you can find a consultant who will provide expert guidance and personalized service throughout your transaction.
Remember to take the time to discuss your goals and preferences with potential consultants, and to ask questions about their experience, local knowledge, and marketing strategy. By doing your due diligence and selecting the right consultant, you can ensure a smooth and successful real estate transaction in Gurgaon.
Final Thoughts
In conclusion, here are some key takeaways for what to look for when hiring a real estate consultant in Gurgaon:

• Look for a consultant with experience and credentials in the Gurgaon market
• Choose a consultant with in-depth local knowledge and valuable connections in the industry
• Select a consultant with strong communication skills who will listen to your needs and preferences
• Consider the consultant's marketing strategy if you're selling a property
• Check the consultant's references and reviews from past clients

By following these tips, you can find a real estate consultant in Gurgaon who will provide the expertise, guidance, and personalized service you need to achieve your real estate goals in Gurgaon.

This is a daily megathread for general chatter about anime. Have questions or need recommendations? Here to show off your merch? Want to talk about what you just watched?
This is the place!
All spoilers must be tagged. Use [anime name] to indicate the anime you're talking about before the spoiler tag, e.g. [Attack on Titan] This is a popular anime.
Prefer Discord? Check out our server: https://discord.gg/r-anime

Recommendations

Don't know what to start next? Check our wiki first!
Not sure how to ask for a recommendation? Fill this out, or simply use it as a guideline, and other users will find it much easier to recommend you an anime!
I'm looking for: A certain genre? Something specific like characters traveling to another world?
Shows I've already seen that are similar: You can include a link to a list on another site if you have one, e.g. MyAnimeList or AniList.

Resources

• Watch orders for many anime
• List of streaming sites and find where to watch a specific anime
• Looking for the source of an image?
• Currently airing anime: AniChart.net LiveChart.me MyAnimeList.net
• Frequently Asked Anime Questions
• Related subreddits

Other Threads

• « Previous Thread Next Thread »
• Id: Invaded — Discussion for the selected anime of the week.
• Week in Review — Anime news and threads you might have missed.
• Watch This! Compilation — Read recommendations from other users.
• Casual Discussion — Off-topic thread for non-anime talk.
• Meta Thread — Discussion about /anime's rules and moderation.

Finding the right road bike tires is essential to your safety, performance and level of comfort. When looking for the best 26 inch road bike tires, make sure to seriously consider the reviews from online resources and cycling professionals. Doing research in advance can help you choose the best product to suit your needs - one that offers optimal performance without compromising on reliability or durability.
https://www.susanruns.com/best-26-inch-road-bike-tires/
https://preview.redd.it/ciq8y9zvmuqa1.jpg?width=754&format=pjpg&auto=webp&s=f1443e74e33b75f4231f42f7b9654c1e0de6fd09
#susanruns #roadbike #biketires #fincci #kenda #himiway #catazer #michelin #vittoria

As temperatures rise, a reliable air conditioner becomes a necessity for comfortable living. With the vast array of air conditioners available in the market, selecting the right one can be a daunting task. In this guide, we will discuss the factors to consider when choosing the best air conditioner, where to find the best AC service in Lahore, and how many units are consumed by a 1.5 ton AC.
Choosing the Best Air Conditioner When shopping for an air conditioner, you need to consider various factors such as the size of your room, your budget, energy efficiency, and features that suit your lifestyle. Here are some of the key factors to consider when selecting the best air conditioner:

Room Size:

The first step is to determine the size of your room. You need an air conditioner that can cool the entire room effectively. The British Thermal Unit (BTU) is used to measure an air conditioner's cooling capacity. For a room of 150-250 square feet, you will need an air conditioner with a capacity of 5000-7000 BTUs. For larger rooms, you may need a unit with a higher BTU rating.

Energy Efficiency:

Energy efficiency is an essential factor to consider when selecting an air conditioner. An energy-efficient air conditioner will save you money on your electricity bills in the long run. Air conditioners with higher SEER (Seasonal Energy Efficiency Ratio) ratings are more efficient. Look for air conditioners with a SEER rating of at least 14.
AC Service in Lahore

Features:

Modern air conditioners come with various features that improve their functionality and convenience. Some of the essential features include a programmable thermostat, remote control, multiple fan speeds, and a sleep mode. Consider what features are important to you and select an air conditioner that has them.

Budget:

Air conditioners come in various price ranges, from budget-friendly to high-end models. Determine your budget and select an air conditioner that meets your needs without breaking the bank.
AC Service in Lahore Regular maintenance is essential for keeping your air conditioner in top condition. In Lahore, there are numerous AC service providers that offer maintenance, repair, and installation services. Here are some tips for finding the best AC service in Lahore:

Research:

Start by researching AC service providers in Lahore. Look for reviews, ratings, and testimonials from previous customers to gauge their quality of service.

Experience:

Consider the experience of the AC service provider. Experienced providers have the knowledge and expertise to handle various AC-related issues effectively.

Certifications:

Look for AC service providers that are certified by relevant authorities. Certification is a sign that the provider has met the necessary standards of quality and professionalism.
Pricing: Compare pricing among different AC service providers. Look for providers that offer competitive pricing without compromising on the quality of service.
How Many Units are Consumed by a 1.5 Ton AC? The electricity consumption of an air conditioner depends on various factors such as the size of the unit, the cooling load, and the frequency of use. Here is a general guide on how many units are consumed by a 1.5 ton AC:

Usage Hours:

The number of hours you use your AC determines its electricity consumption. On average, a 1.5 ton AC consumes around 1.5-2.5 units per hour. If you use your AC for eight hours a day, it will consume around 12-20 units per day.

Cooling Load:

The cooling load refers to the amount of heat that needs to be removed from a room to maintain a comfortable temperature. The higher the cooling load, the more electricity an air conditioner will consume. Factors that affect the cooling load

A shelf Corporation, also known as an aged or dormant corporation, is a pre-established company that has been inactive and held in reserve for future use. This type of corporation can be attractive to those seeking to start a business quickly or establish credibility with potential partners or investors.
Learn everything you need to know about setting up a shelf corporation, from legal requirements to tax implications and transferring ownership. Follow these step-by-step instructions to ensure a smooth process.
​
https://preview.redd.it/1trtrnwckuqa1.png?width=800&format=png&auto=webp&s=62a0a302ef9fa55ba3b5ac45355b24b191ac9bbd

01 Introduction

This is the third article in Goby's community memory shellcode series. The first article, "Ghost King in Shell - JAVAWEB Memory Shellcode [Cognitive]" introduced the history and classification of JavaWeb memory shellcode technology, and introduced common JavaWeb memory shellcode technology from a cognitive perspective; the second article, "Using Goby to Inject Memory Shellcode with Deserialization Vulnerabilities [Exploit]" mainly introduced how to combine memory shellcode with vulnerabilities to enable Goby to inject memory shellcode with one-click through deserialization vulnerabilities, and integrate with Goby's PoC and extension system. Users only need to click a few buttons to complete the injection of vulnerabilities with one-click.
This article mainly introduces some technical details used in the process of using Goby to inject memory shellcode with one-click through deserialization vulnerabilities, based on the first two articles. Of course, users do not need to know these details during the injection process using Goby PoC, but understanding and learning the technology helps to grasp some common ideas.
This article is mainly divided into three parts: "Exploiting Pre-Vulnerabilities", "Generating Memory Shellcode", and "Using Memory Shellcode", sharing some technical points and details or pitfalls related to Goby, and welcome everyone to discuss together.
Here is a brief demonstration of the use of some related technologies. The following video demonstrates the use of Goby to inject a Filter-type memory shellcode with one-click through deserialization, and carry false information through a custom URLClassLoader to avoid security personnel's investigation. The purpose is achieved by clearing the log without a trace.
​
https://reddit.com/link/126hgcu/video/khixam196uqa1/player
​
> The one-click Memory shellcode injection feature of Goby can be used for free in the community version.
> [Get version](https://gobies.org)
​

02 Pre-vulnerability Exploitation

First, let's talk about the pre-vulnerability exploitation. As mentioned in previous articles, from the perspective of practical vulnerability exploitation and weaponized development, we tend to inject a memory shellcode with one click during the vulnerability exploitation process, rather than obtaining a JSP webshell first and then converting it into a memory shellcode. Therefore, here we need to consider how to directly execute the implantation action of the memory shellcode during the vulnerability exploitation process.
2.1 Dynamic Loading and Class Initialization
In most current vulnerability exploits, if you want to execute complex malicious attack logic, you usually use a new URLClassLoader, the current thread's class loader, or a custom class loader to load and initialize malicious class bytecode. In different exploitation scenarios, you can choose different class loaders according to the situation, but sometimes you cannot choose and need to adjust according to the situation:

• Use a new URLClassLoader. If not specified, the system class loader is used as the parent ClassLoader by default, which is the AppClassLoader.
• Use the context class loader of the current thread, generally obtained using `Thread.currentThread().getContextClassLoader()`.
• Create a custom class loader, generally by defining a method for loading classes through bytecode, which is like encapsulating a public `defineClass` method.
• In some exploitation scenarios, it is not possible to customize ClassLoader, such as using BCEL ClassLoader for exploitation.

When using different ClassLoaders to load malicious classes in different situations, different problems will be faced:

• When using the context class loader of the current thread or cannot control the class loader, there may be a situation where the same class name cannot be loaded twice and additional processing is required.
• When using special ClassLoaders such as BCEL ClassLoader, due to the problem of loading across classes, some classes and interfaces need to be accessed and called through pure reflection, which requires a relatively large amount of physical work.

When dynamically loading classes during vulnerability exploitation, it is generally necessary to manually break the parent delegation mechanism and inject the malicious class into the system. Class initialization is closely related to class loading. Usually, in malicious code, some initialization malicious logic will be written, which can generally be written in the static statement block or public parameterless constructor:

• The static statement block is executed once when the class is loaded and only executed once during its lifecycle.
• The public parameterless constructor is called during class initialization, and it is called each time a new class instance is created.

Therefore, you can choose a class loader according to the specific situation and place the malicious logic in an appropriate location.
2.2 Echo and Memory Shellcode
After the Goby deserialization implantation extension went online, I enhanced and corrected the exploitation of deserialization vulnerabilities in the vulnerability library. Friends familiar with Goby may know that Goby's detection of vulnerability exploitation is divided into PoC and EXP. When facing native Java deserialization, the original detection and exploitation procedures were:

• PoC uses URLDNS combined with Goby's built-in dnslog platform GodServer for vulnerability detection.
• EXP uses the bytecode of YSOSERIAL, dynamically replaces the hex value of the command execution part, and writes the command execution.

The above logic is used to detect vulnerabilities, which is the way most people detect deserialization vulnerabilities. Technically, there is no problem with this detection method, but in practice, the following problems may be encountered:

1. Due to unstable network or DNSLOG platform, it may not be possible to receive DNSLOG or DNSLOG may have a long delay.
2. Vulnerability exploitation only performs command execution, and it is often impossible to determine whether the vulnerability exploitation is successful or what the result of the vulnerability execution is.
3. In a scenario where there is no outbound network connectivity, it is not possible to perform a reverse shell or execute more advanced actions. In terms of practicality for real-world scenarios, its usability is quite poor.

Therefore, to address the usability issues in practical scenarios, all subsequent updates to the vulnerability exploitation PoCs have adopted echo-based techniques to return the command execution results in the response. As for the exploits (EXP), they are directly injected into the memory as a shellcode, saving a lot of intermediate processes.
https://preview.redd.it/om35mjpa8uqa1.png?width=3526&format=png&auto=webp&s=50d20516faf1de88f808f0fd6d293214a179cd96
2.3 In constructing an echo
It involves locating the critical request, searching memory, and other technical points. And to inject a memory shellcode, it is necessary to prepare a highly available memory shellcode for the vulnerability environment. With these technical supports, the problems mentioned above can be solved without the need for third-party dnslog, OOB, etc., directly conducting high-precision detection and utilization of vulnerabilities.
There are many types of vulnerabilities, and there are also many types that can provide arbitrary code execution, such as Java native deserialization vulnerabilities, Fastjson/Jackson/XStream deserialization vulnerabilities, SpEL/Ognl expression injection, etc. However, many situations require additional utilization methods to complete the vulnerability utilization process. Taking advantage of the native deserialization as an example, some modifications of the utilization chain are listed to directly inject memory shellcode.

• The Transformer[] utilization chain is the most classic utilization chain, generally chain a Runtime.getRuntime().exec() or new ProcessBuilder().start() to execute commands. If you want to execute additional functions, you can also use new URLClassLoader().loadClass() to perform remote class loading. Without going online, you can write JS to inject malicious classes by using com.sun.org.apache.bcel.internal.util.ClassLoader.loadClass(), org.mozilla.javascript.DefiningClassLoader().defineClass(), new ScriptEngineManager().getEngineByName("JavaScript").eval() methods, and one-click utilization of memory shellcode.

https://preview.redd.it/nqcjxw0s8uqa1.png?width=2948&format=png&auto=webp&s=b39a2f0e380f3bdb64bbd2170d01c25b57882f12

• BeanShell chain, although Bsh supports all Java syntax and many loose writing methods, is ultimately a script language parser. If these writing methods are used or arrays are used in the script, related implementation classes' methods may be called during the deserialization process, and Interpreter objects may be used, which could result in a NullPointerException. Therefore, it is still possible to use ScriptEngineManager to parse JS and execute the memory shellcode.

https://preview.redd.it/6q0igqey8uqa1.png?width=2948&format=png&auto=webp&s=8301ebe53d4212e9c5f9a7b83be5ac15df10a1fa

• In the original version, `C3P0` chain used PoolBackedDataSource for remote class loading to exploit vulnerabilities. However, C3P0 can also use Tomcat's getObjectInstance method to call the eval method of ELProcessor for expression injection. This allows injection of memory shellcode through EL expressions, and can also be achieved through other methods such as Groovy, SnakeYaml, etc.

https://preview.redd.it/983m1ie29uqa1.png?width=2200&format=png&auto=webp&s=a940d51c4f83e25f1aa5ac09dcee303a426d9967
Here are several techniques that link the deserialization exploit chain to memory shell. There are also many other exploit situations that can be “saved by the bell”. Considering the length of the article, further elaboration on these techniques will not be discussed here.

03 Generating In-Memory Shellcode

After discussing the direction of vulnerability exploitation, we will now discuss some technical details involved in generating in-memory shellcode.
3.1 Dynamic Code Generation Techniques
Considering different vulnerability exploitation points, different exploitation scenarios and requirements, and different personnel's habits and preferences, the content of in-memory shellcode cannot be fixed in practical environments and needs to be dynamically generated based on various configurations.
Therefore, we use javassist to dynamically generate and write malicious bytecode of in-memory shellcode. In the process of preparing in-memory shellcode, we will face some requirements:

• The exploitation method of the vulnerability is fixed, such as command execution, commonly used tools such as Behinder, Godzilla, or self-developed webshell interaction tools, and most of them are reusable custom vulnerability exploitation methods;
• In-memory shellcode can customize URL and password, in addition to the common AES key, additional authentication mechanisms can also be set;
• Any in-memory shellcode technique can be freely selected, and any exploitation method can be used to quickly generate dynamically.

Therefore, I finally abstract the key logic into a same method, whose first two parameters are Request and Response objects. No matter it is command execution, Behinder, Godzilla, etc., their own logic can be injected into this method. For different middleware, due to different encapsulation and implementation, extra judgment and processing are performed before entering the key logic to make the final processing logic consistent.
For example, below is the core logic of Behinder:
https://preview.redd.it/wkwgl98c9uqa1.png?width=2550&format=png&auto=webp&s=8628569046170ba7c82fb2b32312dc4de63083fe
Here is the core logic of Godzilla:
https://preview.redd.it/ee6idwph9uqa1.png?width=2656&format=png&auto=webp&s=2422c46fe77be58d980a2ecc9b6b47ef6c84ed88
Here is the logic of command execution:
https://preview.redd.it/pxyqf7gk9uqa1.png?width=2632&format=png&auto=webp&s=be1eb3f2c94be2d7ea2c11cf152d66c47637b325
After determining the parameters to be used, bytecode can be assembled based on different Memory shellcode types and exploitation methods, with critical methods inserted into malicious classes in sequence, ultimately forming a complete memory shell.
3.2 ClassLoader Issues
As mentioned before, when dynamically loading and initializing a malicious class, it is important to consider the ClassLoader selection. This remains true after the Memory shellcode is loaded, as ClassLoader issues still need to be carefully considered.
In the first case, as the Memory shellcode file itself, the instance should generally be placed in a key position for processing routes, such as in a Map member variable of the global context. In this case, it is necessary to pass a reference to an instance, and register an instance of the shell's own object in a critical position within the system during malicious class initialization.
However, there are exceptions, such as in the Struts2 framework, where the key position stores the class name rather than the class instance. When processing routes, if a mapping is found, the class instance is dynamically created and its execute method is called for processing. Therefore, when injecting a malicious memory shell, the class name and route mapping should not be the only considerations, as the memory shell's own class should also be loaded into the critical context, allowing it to find our injected malicious class during class instantiation.
In terms of exploitation methods, in addition to command execution and feedback, the key logic of a Memory shellcode is still achieved through the transmission of class bytecode. In addition to the previously mentioned URLClassLoader, custom ClassLoader, and thread context ClassLoader, there are still many tricks that can be used, such as:

• Registering a class using java.lang.reflect.Proxy#defineClass0()
• Registering a class directly in the JVM using sun.misc.Unsafe#defineAnonymousClass()
• Using some wrapper classes that may call some uncommon ClassLoaders, such as jdk.nashorn.internal.runtime.ScriptLoader#installClass() and com.sun.naming.internal.VersionHelper#loadClass()

In addition to the above, JavaSec group members have shared some other methods:

• jxxload_help.PathVFSJavaLoader#loadClassFromBytes
• org.python.core.BytecodeLoader1#loadClassFromBytes
• sun.org.mozilla.javascript.internal.DefiningClassLoader#defineClass
• java.security.SecureClassLoader#defineClass
• org.mozilla.classfile.DefiningClassLoader#defineClass

3.3 Exploitation Methods
For Memory shellcode exploitation methods, the three most common types are command execution and feedback, and the Behinder and Godzilla shells, each with their own advantages:

• Command execution and feedback: Simple command execution with feedback visible.
• Behinder and Godzilla shells: Both provide advanced features that can be selected as needed.

In addition to the typical web shell exploitation methods, the latest trend is the infiltration of tunneling shells. After obtaining a web shell, attackers typically use this machine as a jump point for further intranet penetration. This requires a clear tunneling flow.
Previously, the common approach was to upload a traffic forwarding tool such as FRP to the target server and use this tool for traffic forwarding. If the network layer is not fully port mapped, this can also involve port reuse and other techniques.
However, with a memory shell, a tunneling shell can be easily created with one click, and the appropriate client can be used for direct connection, achieving a true "one-stop" solution.
https://preview.redd.it/yees98yz9uqa1.png?width=1432&format=png&auto=webp&s=628b9901b2d139d5320139152274062f491ed44a
3.4 Agent No File
The AgentNoFile technology implemented by Master rebeyond provides us with the ability to directly call the JVMTI interface without the need to provide Agent.jar or Agent.so. With this capability, we can inject Agent-type memory shellcode without file landing.
On Linux platform, shellcode is executed by modifying /proc/self/mem. On Windows platform, shellcode is implanted into the process with PID -1 through Java, so as to construct JPLISAgent object and obtain all capabilities of calling Java Agent.
In the BeichenDream's Kcon2021Code project, similar code with this technology idea is also shared.
In the implementation of memory shellcode, a Javassist dependent jar is injected into the target environment without landing, and the target critical class is dynamically modified to inject malicious logic, which realizes the dynamic modification of Agent shellcode. For example, the following figure shows the logic of hooking doFilter method of ApplicationFilterChain, injecting Behinder memory shellcode, and dumping class from the server.
https://preview.redd.it/7l4172y1auqa1.png?width=3468&format=png&auto=webp&s=3677d0f849286b6622da39e2ee7267d904d9a2a8

04 Usage of Memory Shellcode

The problem of exploiting vulnerabilities to directly inject memory shellcodes and the generation and utilization methods of memory shellcodes have been resolved. The next problem to be addressed is the issues encountered during the use of memory shellcodes.
As mentioned in previous articles, the main purpose of the Memory shellcode technology is to combat the problem of security protection devices detecting and alarming against landed files. Therefore, since its inception, Memory shellcode technology has faced and shouldered the responsibility and mission of confronting various protection capabilities.
4.1 Bypassing Security Protections
The first challenge is **bypassing traffic-side devices**. This is actually the traffic characteristics of the communication protocol between the WebShell management side and the memory shell. Since AES encryption and decryption are commonly used, with a small number of cases using DES encryption and decryption, and there are regular behaviors, such as sending several packets when connecting to the WebShell, there are some means to detect webshell connections based on these two factors. Therefore, whether it is the Behinder or Godzilla, if they have not been customized, their basic traffic characteristics will be detected.
However, basically everyone has the habit of customization, so the traffic layer characteristics are still not easy to be uniformly protected, and the latest Behinder client already supports custom communication protocol encryption and decryption programs. This allows attackers to disguise Behinder traffic as similar to business data traffic, such as Restful API return data, or similar base64 image resource return data.
The second challenge is **bypassing host-level protections**. At the host level, there may be some host-level defenses such as EDR devices, which may monitor Java process calls to system resources. However, most of the time, it is almost impossible for this level of defense to determine whether Java-level operations are sensitive operations.
Finally, there is **bypassing Java-level protections**. At the Java level, there may be some RASP products or custom security rules defenses. These defenses intercept suspicious behaviors based on stack or behavior, and hook at the position where some sensitive functions are executed.
At this point, we can bypass these defenses through reflection. Whether it is to call deeper code or even native methods through reflection, or to reflectively obtain objects that encapsulate specific methods in the system for execution, the purpose is to disrupt the stack or behavior call chain, making Java-level defense unable to determine whether you are performing malicious operations or system behaviors, thus bypassing the detection logic.
For example, bypassing command execution defense through reflection to call native methods:
https://preview.redd.it/s2akxi85auqa1.jpg?width=2320&format=pjpg&auto=webp&s=1a84dae44723fba626af08b2c509a783df28be41
Or use messy reflection to make the call chain difficult to trace:
https://preview.redd.it/sdx9g37gauqa1.png?width=2588&format=png&auto=webp&s=b92d429a2196af1b0647347b431bfd6899c77da3
Creating malicious classes using APIs like unsafe can also bypass certain security defenses:
https://preview.redd.it/5wfyjklhauqa1.png?width=2486&format=png&auto=webp&s=d07b6289921110f5511897df95d3c4888f07c786
4.2 Anti-detection
As mentioned in previous memory shellcode articles, many tools have provided detection methods to scan specific locations to check for the presence of memory shellcode. At this time, the check will include some dimension judgments. Similarly, we need to perform certain processing on these dimensions to prevent detection, for example:

1. Detection of malicious class names and package names: For some defense measures, loading of known malicious package names and class names will be prohibited. Therefore, we use dynamic splicing and generation of malicious class package names to confuse the defense system or administrator.

https://preview.redd.it/3v02n0xnauqa1.png?width=1780&format=png&auto=webp&s=0c8d71a8e5639575edffeea9ef89730417079dfe

1. Detection of whether files are written to disk from ClassLoader: The detection logic can be bypassed by using a custom ClassLoader to carry false information or loading malicious classes using the system class loader with an empty class loader for the malicious class.

https://preview.redd.it/km3dlaiuauqa1.png?width=3402&format=png&auto=webp&s=8ee567dd3916cc7ffa05af54465fd7e9ff71d49d

1. Detection of critical positions in the system: Some detection tools can obtain information about critical positions and assist in manual inspection. For example, some tools obtain all Filter-type memory shellcode in the system and display them. At this time, it is possible to evade detection by exploring unconventional memory shellcode. As mentioned in the PPT I shared earlier about JavaWeb memory shellcode, all components that use the chain of responsibility design pattern in the web request processing process can be used as directions for exploring and utilizing memory shellcode. Therefore, it is not difficult to explore a new type of memory shellcode in various web middleware.

​
https://preview.redd.it/i6k57idwauqa1.png?width=2414&format=png&auto=webp&s=26573c1053879ba3d680b3dc44140da1f410ac09

1. Many tools offer the ability to dump the class, allowing for troubleshooting by dumping the class bytecode in memory. Therefore, it is possible to modify the cache of relevant information in the InstanceKlass data structure of the Java class in the JVM, such as _cached_class_file, to deceive and hide by making the dumped class not contain dangerous code.
   
2. Some RASPs also use redefineClasses to set the critical method content of malicious classes and functions to empty, in order to clear the memory shellcode in the running system. At this point, it is possible to make it fail by modifying the function modifiers, adding member variables, methods, etc. of the malicious class, as redefineClasses does not allow changes in class structure and signatures.
   
3. Currently, most of the methods for detecting and defending against memory shellcode are implemented through Java Agent technology. Therefore, preventing new Agent injections is also a key strategy for preventing detection. As mentioned in the first article, blocking the communication between JVM processes by deleting the java pid file and preventing the loading of subsequent ClassFileTransformers can prevent the loading of other Java Agents and prevent detection.
   

​
4.3 Disappear Without a Trace
First of all, since memory shellcode have reached the point of not leaving files behind, is there anything else that can be done to hide themselves again? The answer is yes.
That is, clearing the access logs of middleware. When making access requests, middleware records logs, which are usually used as the basis for subsequent reviews and emergency responses. If access logs can be cleared during memory shellcode access, wouldn't that be anonymous browsing?
With the idea in place, the execution is simple, which is to find the component responsible for logging in the middleware and clear it. Taking Tomcat as an example.
​
https://preview.redd.it/hfr744p2buqa1.png?width=3482&format=png&auto=webp&s=c446370ad9a73d31dd86cc8c23ffeddfbf659606
4.4 Persistence
The final issue is the issue of persistence, which needs to consider whether the injection of memory shellcode can be restored after service restart or even operating system restart:

• For Java, Java shutdown hook can be used for landing and other operations of memory shellcode. If the target environment is Tomcat, JSP files can be written in the resource directory of Jar package, etc.;
• If the target environment may be killed by -9, a "daemon process" can be started to monitor the Java process on the server;
• For operating system restart, critical malicious operations can be registered as timed tasks in advance to achieve persistence.

Since these actions are an extension of memory shellcode technology and may involve tampering and landing of Jar packages and resource files in order to achieve persistence, which is somewhat contrary to the original intention of using memory shellcode, this part will not be discussed further, and we look forward to more elegant ideas.

05 Summary

The above section briefly lists some technical issues and solutions encountered in practical use of memory shellcode technology. After researching and resolving the above techniques, there should be no problem in using memory shellcode quickly in practice.
Although we are discussing JavaWeb memory shellcode technology, it can be seen that the thinking and technology of the countermeasures have already extended beyond the Java layer to the native layer and memory level. This is still a drop in the bucket in practical use. In actual use, due to differences in operating systems, middleware versions, JDK distributions and versions, security restrictions, security protection and other complex situations, there will be various difficulties. Therefore, more research and debugging, and accumulation of ideas can enable efficient and fast use of memory shellcode in practical use.
In the face of memory shellcode technology, it is superficially a technical confrontation, but in fact it is a confrontation between people and people, thinking and thinking. I throw out some ideas here, hoping to inspire more ingenious ideas, and welcome everyone to discuss.
​
[All articles in the memory shellcode series](https://github.com/gobysec/Memory-Shell)

The Fyrelayers Battlesmith, which was previously available separately, is now exclusive to the Vanguard box. Have GW done this with anything else, where a previously separately available mini is then upsold as a box exclusive.

For database, users' concerns often differ in different application scenarios, such as: read/write latency, throughput, scalability, reliability, availability, etc.. For some concerns, it can be effectively enhanced by means of application system architecture, hardware devices, etc. But the problem brought is the complex system architecture and the consequent difficulties in operation and maintenance, upgrading, fault location, availability reduction and a series of other problems. Some business scenarios (such as in finance, telecom and other fields) put forward higher requirements on the database, such as reliability (e.g. RPO of 0) and availability (e.g. 99.999%, i.e. the failure time cannot exceed 5.26 minutes throughout the year). In a distributed environment, it will face more problems such as data loss and service unavailability caused by host, network, storage, power, and other factors. These problems are extraordinarily labor-intensive and material-intensive at all stages of business system design, implementation, operation and maintenance, upgrade, etc.
AntDB-M (AntDB in-memory engine) adopts many effective designs to improve the reliability and availability of services, provide effective data services, simplify the architecture of business systems, and allow users to focus more on business systems. One of the many designs of AntDB-M is CheckPoint. The design goal of CheckPoint is to take a snapshot of the data in the database without affecting the business, and that snapshot can be used for quick recovery of the service. The design principles are efficiency and simplicity.

1. Brief description of functions

The CheckPoint function of AntDB-M includes trigger at any time and at designated time. One trigger will CheckPoint all tables. CheckPoint does not allow concurrency, and new requests will fail before the former is completed. If there are many tables, concurrent processing can be enabled, and the maximum amount of concurrency is the number of tables. Upon success, two types of files are output in the specified directory: 1) data files, one for each table, and 2) a table list file containing the transaction number that initiated the CheckPoint, and a list of all tables.
CheckPoint files can be used for quick database loading. The table list file can be edited to select the tables that need to be loaded.
​
Figure 1: Brief description of functions

2. Design implementation

The following section describes how CheckPoint was designed to achieve its design goals and requirements.

2.1 No business impact

CheckPoint cannot block normal access to database services during its execution. This means that the data is always changing during CheckPoint. In order not to block the modification of the data, as well as to export the consistency of the data, CheckPoint state and table caching is introduced here to solve this problem.
​
Figure 2: Design implementation - no business impact

2.1.1 CheckPoint state

AntDB-M has three states related to CheckPoint: 1) data export; 2) exported file processing; 3) export completion; The state "1 - Data Export" means that the in-memory data is being exported to a file. This state is very important for exporting data consistency. The following section describes how to guarantee data consistency by referring to this status.

2.1.2 AntDB-M table cache

AntDB-M is divided into two parts in data management: 1) table cache; 2) table data (including table metadata). Normally, all modifications to the data will only modify "2-Table Data". The table cache is only used when AntDB-M performs CheckPoint and is in the "1-Data Export" state.

2.1.3 Export process and data consistency assurance

AntDB-M follows the following steps to export CheckPoint and ensure the consistency of the exported data.

1. Status setting

When performing CheckPoint, first set the CheckPoint status of AntDB-M service to "1 - Data Export". Once this state is entered, AntDB-M will enable special processing of table cache.

1. Data backup of uncommitted transaction

After entering "1-Data Export", before starting to export data, save a copy of the original data of all records related to the current uncommitted transactions to the table cache. This data in the table cache ensures that the data of uncommitted transactions will not be exported, which is a guarantee of data consistency.

1. Table cache modification

Once CheckPoint enters the "1-Data Export" state, all data additions, deletions, and modifications will modify the table cache and table data at the same time. The table cache action is different for different operation types. The operation logic of table data remains unchanged.

• insert

Record the record ID of the newly inserted data in the table cache (the record ID is described later).

• delete

Record the record ID of the deleted data in the table cache, along with the record data.

• update

Record the record ID of the updated data in the table cache, along with the record data. For multiple updates, only the first update goes into the table cache.

2.1.4 Exporting table data to a file

For table data, the full amount will be exported to a file, except for the newly created data blocks during CheckPoint. Since the service doesn’t block waiting, the table data will be updated continuously during this process, and it is not concerned here whether the data in the data block is consistent or not. The consistency of the data will be handled in the subsequent step 5.

2.1.5. Update files by using cache

As you can see from points 2 and 3 above, all changes are recorded in the table cache during the CheckPoint status of "1 - Data Export". After the table data is exported to the file, the file is updated with the records from the table cache, thus ensuring data consistency. That is, the CheckPoint file is a snapshot of the data at the point in time when CheckPoint entered the "1-Data Export" state. Here the update may exist randomly written, but the CheckPoint process is very fast, randomly written data volume is not large, the impact can be basically ignored.
File update rules:

• insert: delete
• update: recover with the original record
• delete: recover with the deleted record

2.2 Efficient and simple

CheckPoint is efficient in two ways: 1) efficient in exporting; and 2) efficient in importing. The following section describes the design to achieve simplicity and efficiency.
​
Figure 3: Design implementation - efficient and simple

2.2.1 Full export

AntDB-M's CheckPoint is a full export, which is very different from MySql innodb's checkpoint. Here are a few aspects to introduce why full export is adopted.

• Memory overhead pressure

As an in-memory database, all data is stored in memory, so you don't need to consider too much memory consumption (only for the data itself), so you don't need to consider exporting data to file in real time because the data occupies memory.

• High availability guarantee

As a highly available distributed database, its high availability adopts the multi-copy mechanism. Therefore, high availability can be achieved through multiple services. Exporting data is mainly to reduce the high loading time when the service restarts and the master-slave data synchronization time. Therefore, CheckPoint files are not the main means of high availability. That is, the CheckPoint file export time is not required to be too real-time, and the lower export frequency has little impact on high availability.

• Read/write performance

For data import and export, the factor that affects the efficiency the most is the read and write performance of the disk. For the disk, adopting sequential read and write offers the highest efficiency. Therefore, for data, direct read and write is of the highest efficiency, in stead of format conversion in memory and between files. If you perform incremental synchronization, there are either frequent random reads and writes, or complex conversions and file storage space occupation. Both of them have a great negative impact on the efficiency and complexity of the system.

• Export time

The memory structure of AntDB-M is designed to be very compact and memory address independent. Therefore, data can be exported and imported without conversion. The efficiency is very high, and the time of one export can be controlled within acceptable time.
Combining the above points, it is more efficient and cost effective to adopt full export.

2.2.2 Address-independent

The memory structure of AntDB-M is very compact, which avoids the waste of data space and the amount of exported data without additional management space except for the necessary data storage space. Another efficient design for importing and exporting is address-independent. This avoids a lot of address mapping conversions during import and export.

• Record ID

The record ID is a very important design in the memory structure. All data records have a unique record ID. The memory address of the record can be obtained by simple and efficient modulo and remainder operations on the record ID. This allows the storage of table data to be address-independent, ensuring that no address translation is required for import and export.

• Multi-level management

Each table in AntDB-M has its own independent tablespace, and each tablespace takes three levels of management. The first and second levels are address spaces that exist only in memory, and the third level is address-independent data blocks. When exporting, it is sufficient to export the data blocks. When importing, the three levels of memory spaces are applied in memory and the relationship between the three levels is established in accordance with the order of the memory blocks, which is a small amount of data and fast.
Since the contents of the data block are address-independent, the entire block is written to the file when exporting, and the data in the file is read directly into the corresponding memory block when importing. This greatly improves the efficiency of exporting and importing.

• Idle record

The management data of the idle address of the data block is also recorded on the data block itself, no additional management unit is needed. All idle records form a bidirectional chain table and only the last idle position needs to be recorded additionally. In addition, an additional 1 byte is reserved for each row of records to identify the current record status.
With the above points, the management of data blocks is compact and concise, and at the same very efficient.
​
Figure 4: Multi-level management of tablespace

2.2.3 Overflow columns

For variable-length columns, AntDB-M manages them separately as overflow columns, with their own memory space and structure. Only fixed-length columns are stored in the data block, as well as the length and record ID of overflow columns.
The structure design of overflow column is similar to that of data block, which also keeps multi-level and address-independent. Also, to save memory and be efficient, the overflow column has a fixed length per row, which may vary from column to column. An extra record ID is kept for each row, and when the length exceeds 1 row length, record the location where the next row of data is saved.

2.2.4 Index

AntDB-M supports two kinds of indexes: 1) hash; 2) btree; only the index metadata will be exported when CheckPoint exports. The data will be reconstructed in memory.

2.2.5 CheckPoint file structure

CheckPoint eventually generates a separate file for each table, which is roughly divided into 5 parts. 1) table metadata; 2) overflow columns; 2) data blocks; 4) column metadata; and 5) indexes;
​
Figure 5: CheckPoint export file structure

3. Constraints and recommendations

​
Figure 6: Constraints and recommendations

3.1 DDL constraints

DDL changes are prohibited during CheckPoint because DDL causes changes to table metadata and data. It will greatly affect the memory overhead and the complexity of the system. The frequency of DDL operation is generally low and the time is controllable, and the frequency of CheckPoint is also low and the time is controllable. Therefore, DDL operations can be limited and have little impact on the business system.

3.2 Storage requirements

When importing and exporting, there are very high read and write performance requirements for disks. Therefore higher performance disks are required, preferably SSD disks.

3.3 Stagger export

Assuming a disk write speed of 400M/S, it takes about 256 seconds to export 100G of data. Therefore when deploying multiple services on one host, you can stagger the export to avoid long export time for a single service. Because of the export process, a copy of the data will be put into the table cache to avoid causing memory pressure.

​

Introduction

Apprenticeships are great for job seekers to gain company-specific skills. It is also easier for employers to find talented people and people who fit their needs well. The apprenticeship Act of 1961, amended in 1973 and 1986, protects apprentices and enforces labor rules.
The pandemic hurt businesses, which will always need people who can work, even if the economy is doing well. An apprenticeship could be a solution to this problem. The Apprentices Act says that the Ministry of Skill Development and Entrepreneurship will pay the stipend of 2.43 lakh apprentices nationwide in 2020. This will cost the government an estimated 36 crore INR.

Apprentice Act, 1961

This Act aims to regulate and control how apprentices are trained. On March 1, 1962, it went into effect.
The Act has rules about the followings-

• Qualifications of apprentices,
• The duties of employers and apprentices,
• The length of an apprenticeship,
• How to end an apprenticeship contract
• How to settle disputes between employers and apprentices,
• Reservation for Schedule Caste (SC) and Schedule Tribe (ST) in designated trades (any trade, occupation, or ‘any subject field in engineering or technology’ that the central government specifies as a ‘designated trade’ under the Act).

The Act calls for the National Council, a Central Apprenticeship Council, State Councils, State Apprenticeship Councils, an All India Council, Regional Boards, State Councils of Technical Education, the Central Apprenticeship Adviser, and State Apprenticeship Advisers to be set up to oversee apprenticeship training.
The Act covers the entire country of India.

1. Who is an ‘apprentice’ in the eyes of the Act?

Apprentices or trade apprentices learn how to do a job in any industry or business under a contract with an employer. An apprenticeship act is a contract between an employer and a person who wants to learn how to do a job.
Apprentices must be at least 14 years old and meet the education and physical fitness requirements for the trade they want to learn.

1. What does the Apprentice Act say concerning the apprentice's income, welfare, and health?

Every employer is required to provide an apprentice with a stipend during the Apprenticeship at a rate that is not less than the 'specified minimum rate.' No "piece work" compensation or participation in any "output bonus" programs is permitted for apprentices. Any time spent attending training sessions or receiving relevant instructions will be compensated.
The provision of the Mines Act of 1952 and the Factories Act of 1948, respectively, must be followed if an apprentice is receiving training in a mine or factory. The Workmen's Compensation act of 1923.pdf) requires the employer to provide compensation if an apprentice sustains an injury while undergoing training.
An apprentice's weekly and daily work schedule must follow the guidelines. Unless with the approval of the apprenticeship advisor, they shall not be compelled to perform overtime work or be permitted to do so. The trainee is entitled to any prescribed holidays and leave.

1. What duties must both employers and apprentices comply with under the Apprentice Act?

Every employer has to ensure that the apprentice receives training under the provisions of this Act, to provide instructional staff, to make sure that the instructional staff and the person in charge of training have the necessary credentials, and to uphold the duties outlined in the apprenticeship contract. Employers must set aside "training spots" for SCs and STs in each designated trade according to the state's population of SCs and STs.
Apprentices must receive practical instruction in their workshops; thus, employers must make accommodations. The employer must build a separate structure or a portion of a building to train trade apprentices if more than 500 people are engaged in the company.
Every person completing an apprenticeship in a trade must learn their business carefully and diligently, attend practical and academic classes regularly, obey all legitimate instructions from their employer and superiors, and adhere to the apprenticeship contract requirements.

1. What happens when the Apprenticeship is over?

The National Council will administer a test to establish an apprentice's skill level in the selected trade after their training time. After passing the test, the National Council will provide the apprentice with a certificate of proficiency.
Unless stated explicitly in the apprenticeship contract, neither the employer nor the apprentice is required to make an employment offer to an apprentice who has finished training in the employer's facility.

Act Scheme

• There are 38 Schedule and General Sections.
• This Schedule adjusts the Workmen's Compensation Act 1923 for students under the Apprentices Act 1961.

Employers should promote Apprenticeship.

Apprenticeship provides skilled and trained workers for the future. Apprenticeships help employers recruit top talent. Employers can hire competent, qualified workers who can advance to more challenging roles. Apprenticeship programs help employers meet and improve training standards. They have reduced personnel turnover and training costs.

Major apprentices Act Amendments

The Apprentice (Amendment) Act, 2014, took effect on December 26, 2014, to ensure the Apprentice Act was adequately implemented.
LOK SABHA (Introduced) Aug 07, 2014
LOK SABHA (Passed) Aug 14, 2014
RAJYA SABHA (Passed) Dec 26,2014
The amendment changes the following:

1. The definition of ‘worker’ has been changed to include people who work for an agency or on a contract. This is true because the number of employees in a status quo is one of the things that could be considered when deciding how many apprentices to hire in a company.
2. If someone breaks the Apprentice Act, they no longer go to jail. After the change, the only punishment for not allowing the rules of the Act is to pay a fine.
3. Due to the change in the apprentice act, the way that the number of apprentices to be hired is checked has changed.
4. With the portal's launch, the Apprentice Act change has made it possible to switch from paper records to electronic records and information systems. Some things could be done through the portal that can already be done online, such as registering the apprenticeship contract, keeping records, filing returns, etc.

The main goal of these changes is to get more employees to hire Apprentices and to get the organization to follow the rules of the Apprentices Act.

Conclusion

The apprenticeship Act aids in the resolution of the disagreement between the apprentice and the employer, and the Apprenticeship Advisor serves as the final arbiter. They should appeal to the committee that the council constituted. He will be punished if the employer does not follow the Act's provisions. The apprenticeship Act of 1961 is a comprehensive statute that protects both the employer's and the apprentice's rights. The Apprentice Act can be put into action to protect the rights of the apprentice and resolve the issue they encountered throughout their training.
Looking forward to implementing NAPS in your organization? 2COMS can help you implement it with a case while you stay compliant with labor laws. Not to mention you get financial benefits. Ask us how! Visit https://2coms.com/solutions/apprenticeship-management today.