If you like these infographics and would like to have a printed version for your office or for a gift, consider supporting me by ordering one from my RedBubble store online. Thanks! :)
The past weeks have been very busy with the critical vulnerability PrintNigthmare and the REvil attack which breached Kaseya MSP. A lot of content have already been published and discussed. In this Security Highlight expect content not related to these two, but information that you may have missed.
Here is your weekly update with fresh and entertaining content! Good reading! :)
Already summertime and I know that some of you are experiencing hot weather in some parts of the planet! Here is Security Highlight number 3: your fresh news condensed to stay up to date in just 3 minutes! Enjoy reading!
This week, a Proof Of Concept of the vulnerability CVE-2021–1675 and CVE-2021–34527 has leaked online. The vulnerability affects the spooler service named “Print Spooler” which…
Last week I launched this newsletter and wanted to thank you all for your wonderful feedback. In this second Security Highlight, we’ll talk about recent breaches and technical analyzes. Feel free to send me your feedback or suggestion on Twitter. Good reading!
The Kimsuki APT has breached a nuclear agency in South Korea. KOERI described in a press release how the attackers breached the network…
It’s been a while since I wanted to create a kind of newsletter with security news that I find interesting. The aim is to provide summaries of the 10 interesting topics of the week. The main goal is to provide a weekly or bi-weekly summary (depending on how much time I can devote to it) where you can check in a few minutes what has been posted recently.
Run-time type information (RTTI) is a feature of C++ that allows the determination of an object data type at runtime (runtime, or execution time is the final phase of a computer program’s life cycle, in which the code is being executed on the computer’s central processing unit (CPU) as machine code. In other words, “runtime” is the running phase of a program).
RTTI applies to classes with virtual functions and is only incorporated with binaries compiled with Visual Studio.
In C++ there are 3 main elements:
Name mangling is a mechanism used by compilers to add additional characters to functions with the same name (function overloading). The goal of name mangling is to avoid any confusion when executing the program and calling a function that may have the same name as another one.
To understand better this concept here is two definitions from Wikipedia that are important to understand:
In some programming languages, function overloading or method overloading is the ability to create multiple functions of the same name with different implementations. …
Deobfuscation is an important part of malware analysis. Many malware currently uses obfuscation to hide from analysts but also to avoid detection. We keep track of some of these techniques in the Unprotect Project.
Floss is basically a string extractor tool with the addition of features that emulate code to deobfuscate content.
According to the documentation:
FLOSS combines and automates the best manual reverse engineering techniques for string decoding. First, it uses heuristics to identify decoding routines in…
Binary diffing is a great way to visualize and spot differences and similarities in multiple binaries. As a malware researcher, this is useful for identifying similarity with another malware family, but also for identifying code changes between multiple variants of the same malware. As a vulnerability researcher, it is interesting to use it against two patches to understand where the vulnerabilities were and what code was added.
In this quick tip, I want to outline some of the tools I use to understand the similarities and differences in binaries.
Hexfiend is an open-source hex editor. It contains a useful feature…
One of the greatest features of IDA is the ability to use Python directly in the interface to manipulate the disassembly code. IDAPython is basically a way to interact with the IDC scripting. It can be used to automate certain tasks such as deobfuscation or coloring of code. In this short tip we will make a brief tour of IDApython and how to use it.
There are several sources that can be used to learn more about IDAPython.
There are basic features that can be used to manipulate data. This nice cheat…