Sunday, May 26, 2019

PoC: Encoding Shellcode Into Invisible Unicode Characters

Malware has been using unicode since time ago, to hide / obfuscate urls, filenames, scripts, etc... Right-to-left Override character (e2 80 ae) is a classic. In this post  a PoC is shared, where a shellcode is hidden / encoded into a string in a python script (probably this would work with other languages too), with invisible unicode characers that will not be displayed by the most of the text editors.

Friday, September 21, 2018

CryptoApi Derandomization

In this post I dig a bit into the Windows's CryptoApi library, trying to locate the code that the library uses to fill buffers with random data when it needs to randomize something (i.e. paddings for plaintexts at RSA encryption, randomly generated AES keys, etc...). After locating the interesting functions, I wrote a PoC that I share in this post and that intercepts that functions to disable CryptoApi randomization to have deterministic ciphering results. Finally,  I do a quick reversing on an OrcaKiller sample (it uses CryptoApi), disabling CryptoApi's randomization to make the analysis easy.

Sunday, April 29, 2018

PoC: Copy Data into Remote Process Address Space with Window Messages

This post is the story of an unuseful fuzzer that became an unuseful but funny PoC. These days I have been playing with window messages and I would like to share some notes about the behavior of some messages, such as WM_SETTEXT or WM_COPYDATA, and a tiny PoC to execute code into explorer.exe process by using these messages and SetThreadContext. This is not about a bug or vulnerability, these window messages work as expected. It is only some ideas about using these messages in a tricky way to put our data into the address space of some target processes.

Saturday, November 18, 2017

Installation and First Contact With the New WinDbg

These days it is being my first contact with the new Windbg. There are fantastic things in this new version, I am still discovering and enjoying it. I decided to write this short post about the particular installation of the new WinDbg and the way that I needed to configure VirtualKD’s vmmon to attach the new WinDbg to the selected running VM from the vmmon menu.

Saturday, November 11, 2017

Using Gathering Information Tools Through TOR Network

Previous days I have been playing with nmap and other tools to gather information, through tor network. I wanted to share my experience with it, and the configuration that I am currently using. I hope you can find here some tips or ideas useful for you.

Sunday, August 27, 2017

Tools For Unpacking Malware, Part 2. Weak encryption algorithms

Some days ago I started a series of posts about tools and methods for unpacking malware, here you can find the first part. Each malware/packer is very different, and sometimes there are no generic ways to unpack them. But sometimes we can find characteristics shared by a number of them. For example, packers usually rely on weak encryption algorithms and, sometimes, it is possible to attack them.

Sunday, August 13, 2017

Tools For Unpacking Malware, Part 1. Dumping executables from RWE memory

This is the first part of a series of articles (at least I will write a second part and i hope to continue) where I will write about different ways that I use to unpack malware, and where I will share some tools and scripts that I use frequently for this purpose. I hope these articles and tools will be useful for you.