In this post I dig a bit into the Windows's CryptoApi library, trying to locate the code that the library uses to fill buffers with random data when it needs to randomize something (i.e. paddings for plaintexts at RSA encryption, randomly generated AES keys, etc...). After locating the interesting functions, I wrote a PoC that I share in this post and that intercepts that functions to disable CryptoApi randomization to have deterministic ciphering results. Finally, I do a quick reversing on an OrcaKiller sample (it uses CryptoApi), disabling CryptoApi's randomization to make the analysis easy.
Showing posts with label reversing. Show all posts
Showing posts with label reversing. Show all posts
Friday, September 21, 2018
Subscribe to:
Posts (Atom)