It’s been a while since I wanted to create a kind of newsletter with security news that I find interesting. The aim is to provide summaries of the 10 interesting topics of the week. The main goal is to provide a weekly or bi-weekly summary (depending on how much time I can devote to it) where you can check in a few minutes what has been posted recently.
This Security Highlight is…
Run-time type information (RTTI) is a feature of C++ that allows the determination of an object data type at runtime (runtime, or execution time is the final phase of a computer program’s life cycle, in which the code is being executed on the computer’s central processing unit (CPU) as machine code. In other words, “runtime” is the running phase of a program).
RTTI applies to classes with virtual functions and is only incorporated with binaries compiled with Visual Studio.
In C++ there are 3 main elements:
Name mangling is a mechanism used by compilers to add additional characters to functions with the same name (function overloading). The goal of name mangling is to avoid any confusion when executing the program and calling a function that may have the same name as another one.
To understand better this concept here is two definitions from Wikipedia that are important to understand:
In some programming languages, function overloading or method overloading is the ability to create multiple functions of the same name with different implementations. …
Deobfuscation is an important part of malware analysis. Many malware currently uses obfuscation to hide from analysts but also to avoid detection. We keep track of some of these techniques in the Unprotect Project.
Floss is basically a string extractor tool with the addition of features that emulate code to deobfuscate content.
According to the documentation:
FLOSS combines and automates the best manual reverse engineering techniques for string decoding. First, it uses heuristics to identify decoding routines in…
Binary diffing is a great way to visualize and spot differences and similarities in multiple binaries. As a malware researcher, this is useful for identifying similarity with another malware family, but also for identifying code changes between multiple variants of the same malware. As a vulnerability researcher, it is interesting to use it against two patches to understand where the vulnerabilities were and what code was added.
In this quick tip, I want to outline some of the tools I use to understand the similarities and differences in binaries.
Hexfiend is an open-source hex editor. It contains a useful feature…
One of the greatest features of IDA is the ability to use Python directly in the interface to manipulate the disassembly code. IDAPython is basically a way to interact with the IDC scripting. It can be used to automate certain tasks such as deobfuscation or coloring of code. In this short tip we will make a brief tour of IDApython and how to use it.
There are several sources that can be used to learn more about IDAPython.
There are basic features that can be used to manipulate data. This nice cheat…
The Windows kernel allows the operating system to interact with the hardware and system resources of the computer. It runs the code in a protected memory area. For example, malware can load a malicious driver that will allow it to run in kernel mode.
In this tip, we will see how to configure and debug the Windows kernel with WinDBG.
To debug the kernel, you need two machines. In this lab, we will use two virtual machines on VMware. The machines must be on the same network and accessible to each other, you can disable the firewall.
A Shellcode is a piece of code that is PIC (Position-independent code), meaning it uses no hardcoded addresses for either code or data. It is often used for exploit development and can also be used in malware.
Running a shellcode in a debugger is not possible because it is not a normal executable but rather a piece of data. However, statically reversing it is pretty straightforward with IDA.
Let’s see how we can analyse and debug a shellcode quickly.
For this example, we will use a simple shellcode which will display the string “Hello World” using MessageBox.
I have a ton of ideas and I love to imagine new things that can be practical or be a new challenge for myself. I have invented quite a few things, some of which were silly or too complicated to do, others were interesting and doable but never made it out of my desk drawer, some just failed, some were interesting and useful and I still use them today... Well you get my point, I imagine and try to create a lot of things. …
The first 30 days of the challenge are available here: https://medium.com/@tom_rock/100daysofcode-challenge-8915947cc6b9?source=friends_link&sk=c0b33f7a2e6e69cc13a6880694887f61
In this second part, we will continue the journal for the next days. Take a seat and enjoy the journey!