Deobfuscation is an important part of malware analysis. Many malware currently uses obfuscation to hide from analysts but also to avoid detection. We keep track of some of these techniques in the Unprotect Project.
Floss is basically a string extractor tool with the addition of features that emulate code to deobfuscate content.
According to the documentation:
FLOSS combines and automates the best manual reverse engineering techniques for string decoding. First, it uses heuristics to identify decoding routines in…
Binary diffing is a great way to visualize and spot differences and similarities in multiple binaries. As a malware researcher, this is useful for identifying similarity with another malware family, but also for identifying code changes between multiple variants of the same malware. As a vulnerability researcher, it is interesting to use it against two patches to understand where the vulnerabilities were and what code was added.
In this quick tip, I want to outline some of the tools I use to understand the similarities and differences in binaries.
Hexfiend is an open-source hex editor. It contains a useful feature…
One of the greatest features of IDA is the ability to use Python directly in the interface to manipulate the disassembly code. IDAPython is basically a way to interact with the IDC scripting. It can be used to automate certain tasks such as deobfuscation or coloring of code. In this short tip we will make a brief tour of IDApython and how to use it.
There are several sources that can be used to learn more about IDAPython.
There are basic features that can be used to manipulate data. This nice cheat…
The Windows kernel allows the operating system to interact with the hardware and system resources of the computer. It runs the code in a protected memory area. For example, malware can load a malicious driver that will allow it to run in kernel mode.
In this tip, we will see how to configure and debug the Windows kernel with WinDBG.
To debug the kernel, you need two machines. In this lab, we will use two virtual machines on VMware. The machines must be on the same network and accessible to each other, you can disable the firewall.
A Shellcode is a piece of code that is PIC (Position-independent code), meaning it uses no hardcoded addresses for either code or data. It is often used for exploit development and can also be used in malware.
Running a shellcode in a debugger is not possible because it is not a normal executable but rather a piece of data. However, statically reversing it is pretty straightforward with IDA.
Let’s see how we can analyse and debug a shellcode quickly.
For this example, we will use a simple shellcode which will display the string “Hello World” using MessageBox.
I have a ton of ideas and I love to imagine new things that can be practical or be a new challenge for myself. I have invented quite a few things, some of which were silly or too complicated to do, others were interesting and doable but never made it out of my desk drawer, some just failed, some were interesting and useful and I still use them today... Well you get my point, I imagine and try to create a lot of things. …
The first 30 days of the challenge are available here: https://medium.com/@tom_rock/100daysofcode-challenge-8915947cc6b9?source=friends_link&sk=c0b33f7a2e6e69cc13a6880694887f61
In this second part, we will continue the journal for the next days. Take a seat and enjoy the journey!
The #100DaysOfCode is a challenge that has been created in 2016. This is a self-directed commitment by developers to build strong and consistent coding habits. The goal of this challenge is basically to improve coding skills.
While I am also coding during my daily work, I decided to take on this challenge to devote time to learning new languages and to make more progress on different projects that I am working on. It’s also the kind of challenge I like to take on to push the boundaries and move forward. 🤓
I have been studying malware for a while and more specifically evasion techniques or defense evasion (ATT&CK Matrix naming). I presented several of my works at conferences, you can find some of them on my SpeakerDeck.
Malware evasion is one of the most common tactics used by attackers and it can be used for many purposes, from hidden code to communication with the C2 server. There are different types of evasion techniques and I think it is very important to classify them.
I started the Unprotect Project in 2015 and it came out at Botconf 2016. Eventually last year I…