Skip to content

Latest commit

 

History

History
209 lines (100 loc) · 14.5 KB

File metadata and controls

209 lines (100 loc) · 14.5 KB

Malware-analysis-and-Reverse-engineering

Some of my publicly available Malware analysis and Reverse engineering (Reports, Tips, Tricks...)


Tracing C function fopen [Part1] - IDA Free User-Mode Walk-Through tracing to NTApi
Tracing C function fopen [Part2] - Windbg Kernel Debugging - Walk-Through User-Mode to Kernel Executive Subsytem

Abusing External Resource References MSOffice [part1] - TEMPLATE_INJECTION
Abusing External Resource References MSOffice [part2] - OLEOBJECT_INJECTION

[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite
[3] Lokibot analyzing - Reversing, API Hashing, decoding

What is COM and its Functionality, COM in Registry (Tools - COM viewers), COM Client-Server (Using Powershell/.NET COM Client), Reversing COM instances and methods in IDA (Structures, Types, ComIDA plugin), Interesting way of using COM Method in LokiBot malware sample

Some notes, tips and tricks when you are dealing with reversing Malware sample which using statically imported OpenSource library

This video covers guide during reversing and making PoC decryptor in Python. In the last part of the video I will be covering another Trick how you can dynamically invoke only the decryption routine of this Ransomware directly from Powershell and get all files decrypted.

Managed code vs UnManaged code. Difficulties during reversing and debugging.
One nice example is Powershell ItSefl.

Video covers Deobfuscation of latest SmartAssembly 8+ (commercial obfuscator for .NET) using SAE (Simple-Assembly-Explorer) and Recreating original module using DnSpy. [Samples Download]

Sample, my prepared annotated IDA IDB, Bochs image: [Download-Pass:infected]

Video about .NET reversing of P/Invoke, D/Invoke and Dynamic P/Invoke implementation which serve for calling unmanaged code from managed. Covering tool Get-PDInvokeImports [Get-PDInvokeImports]

Deep dive into reverse engineering APT29 C2-Client Dropbox Loader.

For more information - check the description below the video.

Debugging Powershell process when debugging Powershell scripts - catch module loading (dnSpy)
DnSpy multi-process debugging
Dealing with code optimization during .NET debugging (when and why you can NOT see Locals and put a breakpoints)
Watch vs. Locals Windows in dnSpy - benefit from both (see fields, invoke expressions etc.)

My first tips and tricks released under CPR @CPResearch - showing practical usage of IDA-Appcall, Dumpulator and pure Unicorn Engine.
Getting the best and full of annotated code snippets.
Big thanks to my team members @BenHerzog11235 and @a14xt who helped to make this cool.

In this video, I will guide you through .NET deobfuscations covering a few exciting tricks and tips.
We will be using PowerShell and dnlib library.
We will create a universal string deobfuscator for Eternity Malware that uses some kind of custom obfuscation that is not so trivial at first sight.

Deep dive into reversing Azov Ransomware - Polymorphic wiper, released under CPR @CPResearch - showing not only main technical points but also many interesting anti-analysis and code obfuscation techniques.
Big thanks to my team members @BenHerzog11235 and @megabeets_ who helped to make this cool.

In this video, I will guide you through reverse engineering Mixed Mode Assemblies.
Example Sample of Mixed Mode Assembly: [Source/binary]

Defeating dotRunpeX — New virtualized .NET injector abusing advanced techniques to deliver numerous malware families.
Released under CPR @CPResearch

Revealing highly advanced, lightning-fast, and very customizable Rorschach Ransomware. Because of the obfuscation and protection (custom UPX-style packer, VMProtect, etc.), and the way it is being depolyed, the reversing process was quite a brain-buster.
Released under CPR @CPResearch

In this video, I will explain how the feature of IDA - Memory Snapshot works, what are the currently available options and the benefits of using them. We will use the IDA Memory Snapshotting on a practical example of unpacking Amadey Malware with all shellcode pre-stages.
In the last section, I will cover what _Initterm C++ internal function is, how it is used in the Amadey sample, and how malware can abuse that to run code before reaching the "main" method. In some cases (where we hijack the execution flow), we can refer to this technique as an _Initterm function table poisoning.

In-depth analysis of the new malware strain dubbed BundleBot spreading under the radar. BundleBot is abusing the dotnet bundle (single-file), self-contained format that results in very low or no static detection at all.
Revealing several techniques that were approved to be effective for reverse engineering the dotnet bundle (single-file), self-contained format.
Released under CPR @CPResearch

Introducing a new method for running hidden implanted code in ReadyToRun (R2R) compiled .NET binaries, R2R stomping.
Released under CPR @CPResearch

Introduction to .NET managed hooking using the Harmony library.
A practical example of using Harmony hooking to defeat the notorious “ConfuserEx2” obfuscator results in the “ConfuserEx2_String_Decryptor” tool. Revealing a neat trick on how to combine both debugging and hooking using the Harmony library (Harmony hooking from the dnSpyEx debugging context).
Released under CPR @CPResearch

Tools used in the video: [GitHub - ConfuserEx2_String_Decryptor]

Revealing the increasing abuse of BoxedApp products to pack and deploy known threats.
In-depth analysis of the BoxedApp internals, focusing on the resulting packed binary structures with Yara signatures that can be used to statically detect the packer in use while distinguishing the product itself.
Released under CPR @CPResearch