Malware-analysis-and-Reverse-engineering
Some of my publicly available Malware analysis and Reverse engineering. (Reports, tips, tricks...)
[Reverse engineering KPOT v2.0 Stealer]
[Debugging MBR - IDA + Bochs Emulator (CTF example)]
[TLS decryption in Wireshark]
[Ryuk Ransomware - API Resolving and Imports reconstruction]
[Formbook Reversing]
[Reversing encoded shellcode]
[WINDBG Kernel&User Mode Debugging (EPROCESS, ETHREAD, TEB, PEB...)]
[Cutter 2.0 - Introduction of new features (Reverse Debugging...)]
[Tracing C function fopen]
Tracing C function fopen [Part1] - IDA Free User-Mode Walk-Through tracing to NTApi
Tracing C function fopen [Part2] - Windbg Kernel Debugging - Walk-Through User-Mode to Kernel Executive Subsystem
[Visible vs Hidden vs VeryHidden Sheet - Excel Binary File Format (.xls)]
[Exploiting CVE-2019-0708 (BlueKeep) using Metasploit (Manual settings GROOMBASE + GROOMSIZE)]
[Abusing External Resource References MSOffice]
Abusing External Resource References MSOffice [part1] - TEMPLATE_INJECTION
Abusing External Resource References MSOffice [part2] - OLEOBJECT_INJECTION
[Real-Time Solving CyberDefenders "DumpMe" MemoryForensics Challenge in 1 hour]
[Volatility3 Output Formatting Trick in PS]
[Advanced Memory Forensics (Windows) - Threat_Hunting and Initial Malware_Analysis]
[LokiBot Analyzing]
[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite
[3] Lokibot analyzing - Reversing, API Hashing, decoding
[Fast API resolving of REvil Ransomware related to Kaseya attack]
[Dancing with COM - Deep dive into understanding Component Object Model]
What is COM and its Functionality, COM in Registry (Tools - COM viewers), COM Client-Server (Using Powershell/.NET COM Client), Reversing COM instances and methods in IDA (Structures, Types, ComIDA plugin), Interesting way of using COM Method in LokiBot malware sample
[HiveNightmare - Bug in ACLs of Registry Hives]
[Finding Vulnerability in PE parsing tool - NEVER trust a tool you didn't write yourself]
[Reversing binary (Malware sample) which uses a statically imported OpenSource library]
Some notes, tips and tricks for when you are reversing a Malware sample which uses a statically imported OpenSource library
[Reversing CryptoCrazy Ransomware - PoC Decryptor and some Tricks]
This video is a guide to reversing this Ransomware and making a PoC decryptor in Python. In the last part of the video I cover another trick: how you can dynamically invoke only the decryption routine of this Ransomware directly from Powershell and get all files decrypted.
[Powershell and DnSpy tricks in .NET reversing - AgentTesla]
[So you Really think you Know What Powershell Is ???]
Managed code vs UnManaged code. Difficulties during reversing and debugging.
One nice example is Powershell itself.
[Full malware analysis Work-Flow of AgentTesla Malware]
[Deobfuscation SmartAssembly 8+ and recreating Original Module SAE+DnSpy]
Video covers Deobfuscation of the latest SmartAssembly 8+ (commercial obfuscator for .NET) using SAE (Simple-Assembly-Explorer)
and Recreating the original module using DnSpy. [Samples Download]
[Advanced DnSpy tricks in .NET reversing - Tracing, Breaking, dealing with VMProtect]
[NightSky Ransomware - just a Rook RW fork in VMProtect suit]
[IDAPro Reversing Delphi MBR Wiper and Infected Bootstrap Code]
Sample, my prepared annotated IDA IDB, Bochs image: [Download-Pass:infected]
[.NET Reversing Get-PDInvokeImports - Dealing with P/Invoke, D/Invoke and Dynamic P/Invoke]
Video about .NET reversing of P/Invoke, D/Invoke and Dynamic P/Invoke implementations, which serve to call unmanaged code from managed code. Covering the tool Get-PDInvokeImports [Get-PDInvokeImports]
[Malware Analysis Report - APT29 C2-Client Dropbox Loader]
Deep dive into reverse engineering APT29 C2-Client Dropbox Loader.
[Analyzing HTML Application "HTA" Loading .NET Runtime]
[From Zero to Hero - Advanced Usage of Tiny_Tracer tracing APT29]
For more information - check the description below the video.
[Advanced DnSpy tricks in .NET reversing 2 - PS debugging, Watch vs Locals, Code Optimization, more..]
Debugging Powershell process when debugging Powershell scripts - catch module loading (dnSpy)
DnSpy multi-process debugging
Dealing with code optimization during .NET debugging (when and why you can NOT see Locals and put breakpoints)
Watch vs. Locals Windows in dnSpy - benefit from both (see fields, invoke expressions etc.)
[Native function and Assembly Code Invocation]
My first tips and tricks released under CPR @CPResearch - showing practical usage of IDA-Appcall, Dumpulator and pure Unicorn Engine.
Includes fully annotated code snippets.
Big thanks to my team members @BenHerzog11235 and @a14xt who helped to make this cool.
[Deobfuscation of .NET using PowerShelling & dnlib - Eternity Malware]
In this video, I will guide you through .NET deobfuscations covering a few exciting tricks and tips.
We will be using PowerShell and dnlib library.
We will create a universal string deobfuscator for Eternity Malware that uses some kind of custom obfuscation that is not so trivial at first sight.
[Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper]
Deep dive into reversing Azov Ransomware - Polymorphic wiper, released under CPR @CPResearch - showing not only main technical points but also many interesting anti-analysis and code obfuscation techniques.
Big thanks to my team members @BenHerzog11235 and @megabeets_ who helped to make this cool.
[Reverse Engineering Mixed Mode Assemblies (IDA, DnSpyEx)]
In this video, I will guide you through reverse engineering Mixed Mode Assemblies.
Example Sample of Mixed Mode Assembly: [Source/binary]
[DotRunpeX - demystifying new virtualized .NET injector used in the wild]
Defeating dotRunpeX - New virtualized .NET injector abusing advanced techniques to deliver numerous malware families.
Released under CPR @CPResearch
[Rorschach - A New Sophisticated and Fast Ransomware]
Revealing the highly advanced, lightning-fast, and very customizable Rorschach Ransomware. Because of the obfuscation and protection (custom UPX-style packer, VMProtect, etc.), and the way it is being deployed, the reversing process was quite a brain-buster.
Released under CPR @CPResearch
[IDA Memory Snapshot - Amadey Malware Unpacking & Initterm Poisoning]
In this video, I will explain how the IDA Memory Snapshot feature works, which options are currently available and the benefits of using them. We will use IDA Memory Snapshotting on a practical example: unpacking Amadey Malware with all of its shellcode pre-stages.
In the last section, I will cover what _Initterm C++ internal function is, how it is used in the Amadey sample, and how malware can abuse that to run code before reaching the "main" method. In some cases (where we hijack the execution flow), we can refer to this technique as an _Initterm function table poisoning.