Showing posts with label cryptoanalysis. Show all posts
Friday, September 21, 2018
In this post I dig into the Windows CryptoApi library, trying to locate the code that the library uses to fill buffers with random data when it needs to randomize something (e.g. the padding of RSA plaintexts, randomly generated AES keys, etc.). After locating the interesting functions, I wrote a PoC, which I share in this post, that intercepts those functions to disable CryptoApi's randomization and obtain deterministic ciphering results. Finally, I do a quick reversing session on an OrcaKiller sample (it uses CryptoApi), disabling CryptoApi's randomization to make the analysis easier.
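An added example, not the post's own PoC: a pure-Python model of why hooking the random fill makes CryptoApi's output deterministic. It implements PKCS#1 v1.5 type 2 padding (the scheme used for RSA encryption) over a constructed toy RSA key, with the random-fill routine as an injectable parameter standing in for the hooked CryptoApi function. The key, the message and the constant 0x41 fill in hooked_rng are assumptions made for the illustration; the key is far too small for real use.

```python
import os
from typing import Callable

# Constructed toy RSA key: two Mersenne primes. Only for illustration, never for real data.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (19 here)


def pkcs1_v15_pad(msg: bytes, rng: Callable[[int], bytes]) -> bytes:
    """EME-PKCS1-v1_5 type 2 encoding: 00 || 02 || PS || 00 || M.

    PS is at least 8 non-zero bytes drawn from rng. rng is the injection point:
    it plays the role of the CryptoApi random-fill function the post hooks.
    """
    ps_len = K - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytearray()
    while len(ps) < ps_len:
        # 0x00 terminates PS on decryption, so zero bytes from the RNG are discarded
        # and the buffer is refilled. A hook that returns only zeros would never finish.
        ps.extend(b for b in rng(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + bytes(ps) + b"\x00" + msg


def pkcs1_v15_unpad(em: bytes) -> bytes:
    """Inverse of pkcs1_v15_pad; rejects anything that is not a type 2 block."""
    if em[:2] != b"\x00\x02" or b"\x00" not in em[2:]:
        raise ValueError("bad padding")
    sep = em.index(b"\x00", 2)
    if sep - 2 < 8:
        raise ValueError("bad padding")
    return em[sep + 1:]


def rsa_encrypt(msg: bytes, rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """Textbook RSA over the padded block. Default rng is the real OS RNG."""
    em = pkcs1_v15_pad(msg, rng)
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def rsa_decrypt(ct: bytes) -> bytes:
    em = pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")
    return pkcs1_v15_unpad(em)


def hooked_rng(n: int) -> bytes:
    """Stand-in for the hooked CryptoApi random fill: a constant, non-zero byte.

    Assumed value 0x41; any non-zero constant works, but 0x00 would be rejected
    by the padding loop above.
    """
    return b"\x41" * n


if __name__ == "__main__":
    msg = b"secret"  # constructed sample plaintext
    print("real RNG, run 1:", rsa_encrypt(msg).hex())
    print("real RNG, run 2:", rsa_encrypt(msg).hex())
    print("hooked RNG, run 1:", rsa_encrypt(msg, hooked_rng).hex())
    print("hooked RNG, run 2:", rsa_encrypt(msg, hooked_rng).hex())
    print("padded block under hook:", pkcs1_v15_pad(msg, hooked_rng))
```

With the real RNG the same plaintext encrypts to a different ciphertext on every call; with the hook in place the ciphertext is identical run after run and the padded block is fully predictable, which is what lets two runs of a sample be compared byte for byte. The caveat a hook author should keep in mind is the one in the comment: PKCS#1 v1.5 padding cannot contain 0x00 inside PS, so the hooked fill must return a non-zero constant.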
Sunday, August 27, 2017
Tools For Unpacking Malware, Part 2. Weak encryption algorithms
A few days ago I started a series of posts about tools and methods for unpacking malware; the first part is here. Each malware family and packer is different, and often there is no generic way to unpack them. Sometimes, though, we can find characteristics shared by a number of them. For example, packers usually rely on weak encryption algorithms, and in some cases it is possible to attack those algorithms directly.
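As an added example (not code from the post series, which does not name the algorithms it attacks): a known-plaintext attack on one of the weakest schemes found in packers, repeating-key XOR over an encrypted PE image. Every PE begins with a DOS header and stub whose bytes are fixed ("MZ" at offset 0 and the standard message at offset 0x4E), which is enough known plaintext to recover the key without ever running the packer. The sample header and the 16-byte key below are constructed for the demonstration.

```python
from typing import Dict, Optional

# Constructed sample: the fixed parts of a standard PE DOS header and stub.
DOS_STUB_TEXT = b"This program cannot be run in DOS mode.\r\r\n$"
KNOWN: Dict[int, bytes] = {0: b"MZ", 0x4E: DOS_STUB_TEXT}  # offset -> known plaintext

# Constructed 16-byte key standing in for a packer's hard-coded XOR key.
KEY = bytes.fromhex("5f3c9a01e7b2446d1890aafe23c7710b")


def build_sample_pe_head() -> bytes:
    """Builds a minimal, realistic start of a PE file (constructed, not a real binary)."""
    head = bytearray(0x88)
    head[0:2] = b"MZ"
    head[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> PE signature
    head[0x40:0x4E] = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # DOS stub code
    head[0x4E:0x4E + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    head[0x80:0x84] = b"PE\x00\x00"
    head[0x84:0x86] = (0x14C).to_bytes(2, "little")  # Machine = IMAGE_FILE_MACHINE_I386
    return bytes(head)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ct: bytes, known: Dict[int, bytes], max_len: int = 64) -> Optional[bytes]:
    """Known-plaintext attack on repeating-key XOR.

    For each candidate key length, derive key bytes from every (offset, plaintext)
    pair and reject the length at the first contradiction. The shortest length that
    is consistent and fully determined is returned.
    """
    for klen in range(1, max_len + 1):
        key: list = [None] * klen
        consistent = True
        for off, pt in known.items():
            for i, p in enumerate(pt):
                k = ct[off + i] ^ p
                idx = (off + i) % klen
                if key[idx] is None:
                    key[idx] = k
                elif key[idx] != k:
                    consistent = False
                    break
            if not consistent:
                break
        if consistent and None not in key:
            return bytes(key)
    return None


if __name__ == "__main__":
    packed = xor_repeating(build_sample_pe_head(), KEY)  # what the packer would leave on disk
    recovered = recover_xor_key(packed, KNOWN)
    print("recovered key:", recovered.hex() if recovered else None)
    print("decrypted PE signature:", xor_repeating(packed, recovered)[0x80:0x84])
```

The 43-byte stub message covers every position of any key up to 43 bytes long, so the key is fully determined from the header alone; wrong lengths are rejected because a non-periodic key contradicts itself when folded onto the wrong period. The same idea carries over to other weak schemes (single-byte XOR, ADD/SUB, rolling XOR) as long as the packer leaves a fixed structure such as the DOS header or the PE signature in the ciphertext.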