Reverse Engineering

Video: First Look at Ghidra (NSA Reverse Engineering Tool)

Today during RSA Conference, the National Security Agency release their much hyped Ghidra reverse engineering toolkit. Described asĀ  “A software reverse engineering (SRE) suite of tools”, Ghidra sounded like some kind of disassembler framework.Prior to release, my expectation was something more than Binary Ninja, but lacking debugger integration. I figured …

Malware Analysis

How Cerber’s Hash Factory Works

Recently I saw a story on SecurityWeek about how the Cerber ransomware morphs every 15 seconds (each download results in a file with a new hash), which I then tracked back to the source, this article by Invincea. The various news articles made some dubious claims which can be put down …

Malware Analysis

Let’s Analyze: Dridex (Part 3)

Sorry for the longer than expected delay, occasionally the Dridex group will take the servers offline during the weekend and resume normal operations on Monday; however, it appears they decided to take an extended break as the network went offline at some point a week ago, preventing me from fetching …

Malware Analysis

Let’s Analyze: Dridex (Part 2)

In the previous article we went over how to dump the names of the majority of functions dridex resolves dynamically to complicate analysis. Today we will be using some similar methods to get the other main piece of the puzzle (encrypted string). Encrypted Strings As we’ve already got a nice list …

Malware Analysis
2

Let’s Analyze: Dridex (Part 1)

Due to popular request I’m starting a new reverse engineering article series which will detail how I go about analyzing various samples, instead of just presenting my findings like I normally do. Most of the posts will be centered around IDA Pro (evaluation edition should work too) with WinDbg as …

Malware Analysis

Necurs.P2P – A New Hybrid Peer-to-Peer Botnet

Last week I received a tip about a sample displaying some indication that it could be peer-to-peer (a large amount of UDP traffic being sent to residential IPs), after a couple days of analysis I was able to confirm that not only was it peer-to-peer but also currently active. The person …

Malware Analysis

Kelihos Analysis – Part 1

In the recent years I’ve noticed a shift in the malware economy from botnets to ransomware, which is likely due to the AV industry employing more aggressive tactics against botnets resulting in a drop in profitability. As I’ve said before: ransomware is about as interesting to me is watching oil …

Reverse Engineering
4

Windows 10 System Call Stub Changes

Recently I installed Windows 10 RTM and while I was digging around I happened to notice some changes to the user mode portion of the system call stub: these changes appear to break the current methods of user mode system call hooking on x86 and WOW64 (Recap: here). Windows 10 x86 …

Hacking
2

Intercepting all System Calls by Hooking KiFastSystemCall

Usually I don’t post things like this, but because KiFastSystemCall hooking only works on x86 systems and doesn’t work on Windows 8 or above, it no longer has much use in malware. There are also multiple public implementations for this method, just not very elegant, which I hope to correct. …

Malware Analysis
4

Bootkit Disk Forensics – Part 3

Getting Original Pointers XP is a little more complicated than newer systems due to the use of a single driver for both port and miniport; however, getting the original pointers is fairly straight forward depending on how you do it. IRP_MJ_SCSI & DriverStartIo – Method 1 (Windows XP) A common …