Deobfuscation is an important part of malware analysis. Many malware currently uses obfuscation to hide from analysts but also to avoid detection. We keep track of some of these techniques in the Unprotect Project.

In this short tip, we will discuss the cool tool from Fireeye: Floss. I already discussed this tool in a previous article.

What is FLOSS?

Floss is basically a string extractor tool with the addition of features that emulate code to deobfuscate content.

According to the documentation:

FLOSS combines and automates the best manual reverse engineering techniques for string decoding. First, it uses heuristics to identify decoding routines in…


Binary diffing is a great way to visualize and spot differences and similarities in multiple binaries. As a malware researcher, this is useful for identifying similarity with another malware family, but also for identifying code changes between multiple variants of the same malware. As a vulnerability researcher, it is interesting to use it against two patches to understand where the vulnerabilities were and what code was added.

In this quick tip, I want to outline some of the tools I use to understand the similarities and differences in binaries.

Hexfiend

Hexfiend is an open-source hex editor. It contains a useful feature…


One of the greatest features of IDA is the ability to use Python directly in the interface to manipulate the disassembly code. IDAPython is basically a way to interact with the IDC scripting. It can be used to automate certain tasks such as deobfuscation or coloring of code. In this short tip we will make a brief tour of IDApython and how to use it.

Documentation

There are several sources that can be used to learn more about IDAPython.

Basic Functionalities

There are basic features that can be used to manipulate data. This nice cheat…


The Windows kernel allows the operating system to interact with the hardware and system resources of the computer. It runs the code in a protected memory area. For example, malware can load a malicious driver that will allow it to run in kernel mode.

In this tip, we will see how to configure and debug the Windows kernel with WinDBG.

General Configuration

To debug the kernel, you need two machines. In this lab, we will use two virtual machines on VMware. The machines must be on the same network and accessible to each other, you can disable the firewall.

Debugger Machine

On your machine…


A Shellcode is a piece of code that is PIC (Position-independent code), meaning it uses no hardcoded addresses for either code or data. It is often used for exploit development and can also be used in malware.

Running a shellcode in a debugger is not possible because it is not a normal executable but rather a piece of data. However, statically reversing it is pretty straightforward with IDA.

Let’s see how we can analyse and debug a shellcode quickly.

Shellcode Hello World

For this example, we will use a simple shellcode which will display the string “Hello World” using MessageBox.

 "\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b" "\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09"…


I have a ton of ideas and I love to imagine new things that can be practical or be a new challenge for myself. I have invented quite a few things, some of which were silly or too complicated to do, others were interesting and doable but never made it out of my desk drawer, some just failed, some were interesting and useful and I still use them today... Well you get my point, I imagine and try to create a lot of things. …


Image for post
Image for post
Photo by Kevin Ku on Unsplash

The first 30 days of the challenge are available here: https://medium.com/@tom_rock/100daysofcode-challenge-8915947cc6b9?source=friends_link&sk=c0b33f7a2e6e69cc13a6880694887f61

In this second part, we will continue the journal for the next days. Take a seat and enjoy the journey!

The Journal


Image for post
Image for post
Photo by Chris Ried on Unsplash

The #100DaysOfCode is a challenge that has been created in 2016. This is a self-directed commitment by developers to build strong and consistent coding habits. The goal of this challenge is basically to improve coding skills.

While I am also coding during my daily work, I decided to take on this challenge to devote time to learning new languages and to make more progress on different projects that I am working on. It’s also the kind of challenge I like to take on to push the boundaries and move forward. 🤓

I work in the field of Cybersecurity, although the…


I often do infographics to share security concepts or best practices. This page will list the different files. I will update it periodically so stay tuned by following me on Twitter or Medium.

Summary

Log Parsing Cheat Sheet

Image for post
Image for post


Image for post
Image for post

I have been studying malware for a while and more specifically evasion techniques or defense evasion (ATT&CK Matrix naming). I presented several of my works at conferences, you can find some of them on my SpeakerDeck.

Malware evasion is one of the most common tactics used by attackers and it can be used for many purposes, from hidden code to communication with the C2 server. There are different types of evasion techniques and I think it is very important to classify them.

I started the Unprotect Project in 2015 and it came out at Botconf 2016. Eventually last year I…

Thomas Roccia

Security Researcher

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store