Native Function and Assembly Code Invocation
https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation
@reverseengine
https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation
@reverseengine
Check Point Research
Native function and Assembly Code Invocation - Check Point Research
Introduction For a reverse engineer, the ability to directly call a function from the analyzed binary can be a shortcut that bypasses a lot of grief. While in some cases it is just possible to understand the function logic and reimplement it in a higher-level…
❤1
LayeredSyscall – Abusing VEH to Bypass EDRs
https://whiteknightlabs.com/2024/07/31/layeredsyscall-abusing-veh-to-bypass-edrs
@reverseengine
https://whiteknightlabs.com/2024/07/31/layeredsyscall-abusing-veh-to-bypass-edrs
@reverseengine
White Knight Labs
LayeredSyscall - Abusing VEH to Bypass EDRs | White Knight Labs
Generating legitimate call stack frame along with indirect syscalls by abusing Vectored Exception Handling (VEH) to bypass User-Land EDR hooks in Windows.
❤2
Reverse Engineering 3011: Reversing C++ Binaries
https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+RE3011_re_cpp+2022_v1/about?s=09
@reverseengine
https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+RE3011_re_cpp+2022_v1/about?s=09
@reverseengine
p.ost2.fyi
Reverse Engineering 3011: Reversing C++ Binaries
The course will explain C++ reverse engineering topics including techniques and tools for researching C++ Binaries.
❤2
Detecting Crypto-Ransomware in IoT Networks Based on Energy Consumption Footprint
https://www.researchgate.net/publication/319252402_Detecting_crypto-ransomware_in_IoT_networks_based_on_energy_consumption_footprint
@reverseengine
https://www.researchgate.net/publication/319252402_Detecting_crypto-ransomware_in_IoT_networks_based_on_energy_consumption_footprint
@reverseengine
ResearchGate
(PDF) Detecting crypto-ransomware in IoT networks based on energy consumption footprint
PDF | An Internet of Things (IoT) architecture generally consists of a wide range of Internet-connected devices or things such as Android devices, and... | Find, read and cite all the research you need on ResearchGate
❤2
Racing bugs in Windows kernel
https://dannyodler.hashnode.dev/racing-bugs-in-windows-kernel
@reverseengine
https://dannyodler.hashnode.dev/racing-bugs-in-windows-kernel
@reverseengine
❤2
Aiding Reverse Engineering with Rust and a local LLM
https://security.humanativaspa.it/aiding-reverse-engineering-with-rust-and-a-local-llm
@reverseengine
https://security.humanativaspa.it/aiding-reverse-engineering-with-rust-and-a-local-llm
@reverseengine
HN Security
Aiding reverse engineering with Rust and a local LLM - HN Security
Offensive Rust series article that introduces a new AI tool (oneiromancer) to aid with reverse engineering.
❤3
Reverse Engineering Android Apps for API Keys
https://pwn.guide/free/forensics/re-android
@reverseengine
https://pwn.guide/free/forensics/re-android
@reverseengine
pwn.guide
Reverse Engineer Android Apps for API Keys
How to reverse engineer Android apps & find confidential API Keys
❤3
Bypassing Windows Defender antivirus in 2025: Evasion Techniques Using Direct Syscalls and XOR Encryption
https://www.hackmosphere.fr/bypass-windows-defender-antivirus-2025
@reverseengine
https://www.hackmosphere.fr/bypass-windows-defender-antivirus-2025
@reverseengine
Hackmosphere
Windows Defender antivirus bypass in 2025 - part 1
Discover how antivirus works and how to setup a lab for (Windows Defender) antivirus bypass. Basic code is provided to start experimenting !
❤2
Disassembling a Binary: linear Sweep and Recursive Traversal
https://nicolo.dev/en/blog/disassembling-binary-linear-recursive
@reverseengine
https://nicolo.dev/en/blog/disassembling-binary-linear-recursive
@reverseengine
nicolo.dev
Disassembling a binary: linear sweep and recursive traversal
Building your own set of analysis tools is a great exercise for those who already have some basics and allows you to later move on to implement more targeted analyses in reverse engineering. Even just seeing how the different algorithms can be implemented…
❤2
Analyzing ELF/Sshdinjector.A!tr with a Human and Artificial Analyst
https://www.fortinet.com/blog/threat-research/analyzing-elf-sshdinjector-with-a-human-and-artificial-analyst
@reverseengine
https://www.fortinet.com/blog/threat-research/analyzing-elf-sshdinjector-with-a-human-and-artificial-analyst
@reverseengine
Fortinet Blog
Analyzing ELF/Sshdinjector.A!tr with a Human and Artificial Analyst
FortiGuard Labs reverse engineers a malware’s binaries to look into what the malware is actually doing.…
❤2
Ransomware Groups Exploiting Microsoft Teams
https://gosecure.ai/blog/2025/01/22/ransomware-groups-exploiting-microsoft-teams
@reverseengine
https://gosecure.ai/blog/2025/01/22/ransomware-groups-exploiting-microsoft-teams
@reverseengine
GoSecure
24/7 managed detection, response, and expert cybersecurity services - GoSecure
We provide around-the-clock threat detection and incident response, backed by expert consulting to keep your organization secure.
❤3
The Definitive Guide to Linux Process Injection
https://www.akamai.com/blog/security-research/the-definitive-guide-to-linux-process-injection
@reverseengine
https://www.akamai.com/blog/security-research/the-definitive-guide-to-linux-process-injection
@reverseengine
Akamai
The Definitive Guide to Linux Process Injection | Akamai
In this blog post, we document Linux process injection techniques, and explain how to detect and mitigate them.
❤3
وقتی C با آرایهها کار میکنه کامپایلر چی تولید میکنه و چطور ما از روی اسمبلی بفهمیم indexing دقیقا چکار میکنه
یک مثال ساده در C
کامپایلر چی میکنه
آرایه روی دیتا سکشن ذخیره میشه و index تبدیل میشه به:
اسمبلی get در x86-64 بدون بهینه سازی زیاد
نکات مهم:
معنی دستورات
مهمترین قانون
هر وقت دیدید reg * 4, reg * 8, reg * 2 یعنی داره به آرایه دسترسی میده
پایین دستورات به ترتیب نوع داده سایز ضربدر رجیستر
What does the compiler produce when C works with arrays and how do we understand from the assembly what exactly indexing does
A simple example in C
What does the compiler do
The array is stored in the data section and the index becomes:
Important points:
Meaning of commands
The most important rule
Whenever you see reg * 4, reg * 8, reg * 2, it means that the array is being accessed
Below are the commands in order of data type size times register
@reverseengine
یک مثال ساده در C
int arr[4] = {10, 20, 30, 40};
int get(int i){
return arr[i];
}
کامپایلر چی میکنه
آرایه روی دیتا سکشن ذخیره میشه و index تبدیل میشه به:
address = base + index * sizeof(element)
چون int = 4 بایت:
arr[i] → arr + i*4
اسمبلی get در x86-64 بدون بهینه سازی زیاد
get:
mov eax, DWORD PTR
arr[rax*4] ; eax = arr[i]
ret
نکات مهم:
معنی دستورات
rax
پارامتر i
arr آدرس ثابت آرایه
rax*4
چون int چهار بایته
mov eax, [...]
مقدار رو در eax برمیگردونه return value
مهمترین قانون
هر وقت دیدید reg * 4, reg * 8, reg * 2 یعنی داره به آرایه دسترسی میده
پایین دستورات به ترتیب نوع داده سایز ضربدر رجیستر
char / int8_t 1 i*1
short / int16_t 2 i*2
int / float4 i*4
long / pointer / int64_t 8 i*8
What does the compiler produce when C works with arrays and how do we understand from the assembly what exactly indexing does
A simple example in C
int arr[4] = {10, 20, 30, 40};
int get(int i){
return arr[i];
}
What does the compiler do
The array is stored in the data section and the index becomes:
address = base + index * sizeof(element)Assembly get in x86-64 without much optimization
Since int = 4 bytes:
arr[i] → arr + i*4
get:
mov eax, DWORD PTR
arr[rax*4] ; eax = arr[i]
ret
Important points:
Meaning of commands
rax Parameter i
arr array constant address
rax*4 Since int is four bytes
mov eax, [...] Returns the value in eax return value
The most important rule
Whenever you see reg * 4, reg * 8, reg * 2, it means that the array is being accessed
Below are the commands in order of data type size times register
char / int8_t 1 i*1
short / int16_t 2 i*2
int / float4 i*4
long / pointer / int64_t 8 i*8
@reverseengine
❤5
تحلیل پچ Patch Analysis
فهمیدن فرق دو نسخه از یک باینری: چه چیزی تغییر کرده کد کجا اصلاح شده ایا باگ فیکس شده یا رفتار جدیدی اضافه شده
مثال:
دو نسخهی یک برنامهی open-source یا نمونه قانونی رو با ابزار هایی مثل BinDiff/Diaphora مقایسه کنید و ببینید تو کد چه توابعی تغییر کردن بعد pseudocode اون توابع رو چک کنید تا دلیل تغییر مشخص بشه
دیتکشن
توابعی که signature یا آدرسشون تغییر کرده ولی اسم ندارن احتمالا patch مهمه
اضافه شدن یا حذف شدن چک های ورودی یا شرط ها
میتیگیشن
سازمان: همیشه patch ها رو اول توی محیط تست بررسی کنید برای نسخهها changelog و hash نگه دارید
توسعهدهنده: Release note دقیق بنویسید و نماد signature/hash ارائه بدید تا کسی بتونه درستی فایل رو چک کنه
Patch Analysis
Understanding the difference between two versions of a binary: what has changed, where the code has been modified, whether a bug has been fixed, or new behavior has been added
Example:
Compare two versions of an open-source program or legal sample with tools like BinDiff/Diaphora and see what functions in the code have changed, then examine the pseudocode of those functions to determine the reason for the change
Detection
Functions that have changed signatures or addresses but no names are likely important patches
Added or removed input checks or conditions
Mitigation
Organization: Always test patches in a test environment first, keep a changelog and hash for the versions
Developer: Write a detailed release note and provide a signature/hash symbol so that someone can check the file for correctness
@reverseengine
فهمیدن فرق دو نسخه از یک باینری: چه چیزی تغییر کرده کد کجا اصلاح شده ایا باگ فیکس شده یا رفتار جدیدی اضافه شده
مثال:
دو نسخهی یک برنامهی open-source یا نمونه قانونی رو با ابزار هایی مثل BinDiff/Diaphora مقایسه کنید و ببینید تو کد چه توابعی تغییر کردن بعد pseudocode اون توابع رو چک کنید تا دلیل تغییر مشخص بشه
دیتکشن
توابعی که signature یا آدرسشون تغییر کرده ولی اسم ندارن احتمالا patch مهمه
اضافه شدن یا حذف شدن چک های ورودی یا شرط ها
میتیگیشن
سازمان: همیشه patch ها رو اول توی محیط تست بررسی کنید برای نسخهها changelog و hash نگه دارید
توسعهدهنده: Release note دقیق بنویسید و نماد signature/hash ارائه بدید تا کسی بتونه درستی فایل رو چک کنه
Patch Analysis
Understanding the difference between two versions of a binary: what has changed, where the code has been modified, whether a bug has been fixed, or new behavior has been added
Example:
Compare two versions of an open-source program or legal sample with tools like BinDiff/Diaphora and see what functions in the code have changed, then examine the pseudocode of those functions to determine the reason for the change
Detection
Functions that have changed signatures or addresses but no names are likely important patches
Added or removed input checks or conditions
Mitigation
Organization: Always test patches in a test environment first, keep a changelog and hash for the versions
Developer: Write a detailed release note and provide a signature/hash symbol so that someone can check the file for correctness
@reverseengine
❤5