The first 30 days of the challenge are available here: https://medium.com/@tom_rock/100daysofcode-challenge-8915947cc6b9?source=friends_link&sk=c0b33f7a2e6e69cc13a6880694887f61
In this second part, we will continue the journal for the next days. Take a seat and enjoy the journey!
- Day #31: Unprotect Project — Disabling Process
- Day #32: Learning Golang
- Day #33: Unprotect Project — Checking installed software
- Day #34: Learning Golang — Fmt Package
- Day #35: FlareOn7 — Challenge 1 (no spoil)
- Day #36: Fixing stuff and other work
- Day #37: Simple IOC Extractor
- Day #38, #39, #40, #41, #42
- Day #43, #44, #45, #46, #47, #48
- Day #49, #50, #51, #52, #53, #54, #55
- Day #56, #57, #58, #59, #60, #61, #62
- Day #63, #64, #65, #66, #67, #68, #69
- Day #70 to #85: Coding a portable gym timer.
- Day #85 to #100: End of challenge and small return of experience.
Day #31: Unprotect Project — Disabling Process
To avoid analysis or detection, malware can enumerate the running processes and kill selected ones (typically analysis or monitoring tools) before executing its payload on the infected computer. The list of running processes can be obtained with the CreateToolhelp32Snapshot API.
More details can be found here, including Yara rules: https://search.unprotect.it/map/anti-monitoring/disable-process/
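As an added illustration in the spirit of the Yara rules linked above (this is not code from the post or from the Unprotect Project), a small static heuristic in Go that flags a file image carrying the whole snapshot, walk and terminate API chain. Process32First, Process32Next and TerminateProcess are my assumption of the usual companion APIs; the two file images are constructed byte strings, not real samples.

```go
package main

import (
	"bytes"
	"fmt"
)

// APIs a sample typically needs to enumerate the process list and terminate matches.
// CreateToolhelp32Snapshot is the one named in the post; the others are assumed companions.
var killChain = []string{"CreateToolhelp32Snapshot", "Process32First", "Process32Next", "TerminateProcess"}

// Constructed stand-ins for file images; a real scanner would read PE files from disk.
var (
	suspiciousImage = []byte("MZ\x00\x00KERNEL32.dll\x00CreateToolhelp32Snapshot\x00Process32First\x00Process32Next\x00OpenProcess\x00TerminateProcess\x00")
	benignImage     = []byte("MZ\x00\x00KERNEL32.dll\x00CreateToolhelp32Snapshot\x00Process32First\x00Process32Next\x00")
)

// FindImports reports which of the chain's API names occur as ASCII strings in the image,
// in chain order. A plain string search mirrors a YARA "strings" section: it misses APIs
// resolved at run time (by hash or GetProcAddress), so absence is not a clean bill of health.
func FindImports(image []byte) []string {
	var present []string
	for _, name := range killChain {
		if bytes.Contains(image, []byte(name)) {
			present = append(present, name)
		}
	}
	return present
}

// LooksLikeProcessKiller is the YARA-style condition: the whole chain must be present.
// Snapshot plus walk alone is benign (task managers and monitoring agents do exactly that).
func LooksLikeProcessKiller(image []byte) bool {
	return len(FindImports(image)) == len(killChain)
}

func main() {
	for name, img := range map[string][]byte{"suspicious": suspiciousImage, "benign": benignImage} {
		fmt.Printf("%-10s imports=%v flagged=%v\n", name, FindImports(img), LooksLikeProcessKiller(img))
	}
}
```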
Day #32: Learning Golang
Today I simply continued to learn Golang on Codecademy.
Day #33: Unprotect Project — Checking installed software
We continue our journey by coding a proof of concept for the malware evasion technique database. Another trick is to check whether any blacklisted software is installed on the machine before running. It can be used to detect a sandbox, but also to avoid dynamic analysis.
More details can be found here: https://search.unprotect.it/map/sandbox-evasion/installed-software/
Day #34: Learning Golang — Fmt Package
The fmt package implements formatted I/O with functions analogous to C’s printf and scanf. The format ‘verbs’ are derived from C’s but are simpler.
- fmt.Println() -> prints its arguments with spaces between them and a trailing newline.
- fmt.Print() -> prints the arguments without that automatic formatting.
- fmt.Printf() -> interpolates values into a format string using verbs.
Verbs:
- %v the value in a default format; when printing structs, the plus flag (%+v) adds field names
- %T a Go-syntax representation of the type of the value
- %d base 10
- %f decimal point but no exponent, e.g. 123.456
fmt.Sprint(), fmt.Sprintln() and fmt.Sprintf() do not print the strings but return them formatted.
fmt.Scan() -> reads user input.
Learn more here: https://golang.org/pkg/fmt/
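An added example (mine, not from the post) that renders one constructed record with each verb listed above and uses fmt.Sscanf, the string-backed cousin of fmt.Scan, so the input side can be exercised without a terminal. The IOC struct and the sample line are assumptions made for the demo.

```go
package main

import "fmt"

// IOC is a constructed struct (not from the post) used to show how each verb renders a value.
type IOC struct {
	Kind  string
	Value string
	Hits  int
}

// Render returns the same record formatted with each verb so the differences sit side by side.
// Sprintf builds the string instead of printing it, which is what makes this checkable.
func Render(i IOC) map[string]string {
	ratio := float64(i.Hits) / 3 // share of three constructed reports that mention it
	return map[string]string{
		"%v":   fmt.Sprintf("%v", i),  // {md5 d41d8... 2}: values only
		"%+v":  fmt.Sprintf("%+v", i), // {Kind:md5 Value:d41d8... Hits:2}: field names added
		"%T":   fmt.Sprintf("%T", i),  // main.IOC: the Go type, not the value
		"%d":   fmt.Sprintf("%d", i.Hits),
		"%f":   fmt.Sprintf("%f", ratio),   // 0.666667: six decimals by default
		"%.2f": fmt.Sprintf("%.2f", ratio), // 0.67: precision sits between % and f
	}
}

// ParseLine reads "kind value hits" with the same verbs fmt.Scan would use, but from a string.
func ParseLine(line string) (IOC, error) {
	var i IOC
	_, err := fmt.Sscanf(line, "%s %s %d", &i.Kind, &i.Value, &i.Hits)
	return i, err
}

func main() {
	// d41d8cd98f00b204e9800998ecf8427e is the MD5 of empty input, a harmless sample value.
	i, err := ParseLine("md5 d41d8cd98f00b204e9800998ecf8427e 2")
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	r := Render(i)
	for _, verb := range []string{"%v", "%+v", "%T", "%d", "%f", "%.2f"} {
		fmt.Printf("%-5s %s\n", verb, r[verb])
	}
	fmt.Println("Println:", i.Kind, i.Hits) // spaces between operands plus a newline
	fmt.Print("Print:", i.Kind, i.Hits, "\n") // a space only between two non-string operands
}
```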
Day #35: FlareOn7 — Challenge 1 (no spoil)
It’s been a while since I did a CTF challenge and I must say that I miss it a lot. To change my routine a bit, I wanted to try the FlareOn challenge hosted by FireEye. The first challenge is quite simple but a lot of fun. As the competition is still on, I won’t spoil anything, but I encourage you to take a look. I hope I can find some time in the next few days to continue with the next challenges.
Day #36: Fixing stuff and other work
It is easy to code scripts for a specific need, but it is difficult to maintain them for others. Sometimes it’s good to spend time fixing or updating old things, or even improving them. Today I just spent some time fixing and improving some tooling for daily work.
Day #37: Simple IOC Extractor
I coded a very simple IOC extractor. While it’s not perfect, I’ll improve it and post it once it’s ready for sharing.
It takes the blog link as a parameter and will browse it to extract hashes and URLs.
Day #38, #39, #40, #41, #42
I haven’t blogged the last few days as I was working on the IOC extractor. I finally decided to rewrite the tool in Golang instead of Python, and it will be published as soon as the tool is finished.
In the meantime, let me introduce you “brIOChe — BRing IOCs HomE”.
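The core of an extractor like the one described on Day #37 and Day #38, written in Go as an added example (my code, not the author’s brIOChe): tags are stripped, hashes are matched by length with word boundaries so a 32-hex window inside a SHA-256 is not reported as an MD5, and defanged URLs (hxxp, [.]) are refanged and trimmed of sentence punctuation. The sample page, its hashes and its hosts are constructed for the demo, not real indicators; fetching the page over HTTP is left out so the example runs offline.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample report page: hashes and hosts are made up, not real indicators.
const samplePage = `<p>Dropper SHA256 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
fetched from hxxp://files[.]example[.]test/update.bin. Stage two: MD5 0123456789abcdef0123456789abcdef,
C2 https://c2.example.test/gate.php?id=1.</p><p>Same dropper: 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF</p>`
var (
	reTag  = regexp.MustCompile(`<[^>]+>`)
	reHash = map[string]*regexp.Regexp{
		"md5":    regexp.MustCompile(`\b[0-9a-fA-F]{32}\b`), // \b keeps it from matching inside a SHA-256
		"sha256": regexp.MustCompile(`\b[0-9a-fA-F]{64}\b`),
	}
	reURL    = regexp.MustCompile(`(?i)\bh(?:xx|tt)ps?://[^\s"'<>]+`)
	refanger = strings.NewReplacer("hxxp", "http", "[.]", ".", "(.)", ".")
)

// uniqueSorted normalises each match, drops duplicates and sorts the result.
func uniqueSorted(matches []string, norm func(string) string) []string {
	seen, out := map[string]bool{}, []string{}
	for _, m := range matches {
		if n := norm(m); !seen[n] {
			seen[n], out = true, append(out, n)
		}
	}
	sort.Strings(out)
	return out
}

// Extract strips HTML tags, then pulls lowercased hashes and refanged URLs from the text.
func Extract(page string) map[string][]string {
	text := reTag.ReplaceAllString(page, " ")
	out := map[string][]string{}
	for kind, re := range reHash {
		out[kind] = uniqueSorted(re.FindAllString(text, -1), strings.ToLower)
	}
	out["url"] = uniqueSorted(reURL.FindAllString(text, -1), func(u string) string {
		return refanger.Replace(strings.TrimRight(u, ".,;)")) // trailing punctuation is not part of the URL
	})
	return out
}

func main() { fmt.Println(Extract(samplePage)) }
```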
Day #43, #44, #45, #46, #47, #48
Being stuck while coding is usual, sometimes you need to practice harder to understand what is wrong!
Day #49, #50, #51, #52, #53, #54, #55
I update the journal less often just because I have less to share that deserves more detail, and some of the things I am working on cannot be shared! To give you an overview, my work mainly focuses on Python, Golang, and C++. I also develop tools at home for personal projects. Unfortunately, some of the things I code for my work cannot be shared.
Moreover, I go over some concepts, taking time with technical books. Although it is more and more difficult to maintain this journal, I am still here: I wake up every day and I practice coding, even if sometimes it is just a small piece of code. I also do a lot of binary instrumentation in my daily work!
Day #56, #57, #58, #59, #60, #61, #62
Last week I worked on several different projects. I’m currently learning more about AWS and its API; it’s very interesting and there is a lot to learn. I also work on personal projects such as setting up and building my own home assistant, for which I am creating a plugin for my own use.
Day #63, #64, #65, #66, #67, #68, #69
I ended up doing a weekly update because it’s more convenient. Several projects are still in progress, mostly private for the moment. A tool in Golang to export IOCs from an external report is almost complete. I also learned more about AWS and Athena DB with Python automation. Finally, I also finalised a small page that groups my work. Give it a try here: https://troccia.unprotect.it/
Day #70 to #85
As part of a personal project, I released a portable timer that I created. You can find the whole story and the code behind this prototype here.
Day #85 to #100
The last couple of weeks were mostly spent working on programming basics and the Unprotect Project. Overall it was a great challenge. I have been able to work on several projects; unfortunately, not everything was public.
If I find some time, I will write a short write-up about my experience. It was an amazing challenge for me and I am planning to redo it very soon.