Malware analysis of Sepsis ransomware:
Analysis of malware attacked bank X customers:
Unpacking UPX manually:
Analysis of simple obfuscated office malware:
@reverseengine
https://www.reddit.com/r/MalwareAnalysis/comments/bgf71t/malware_analysis_of_sepsis_ransomware/
Analysis of malware attacked bank X customers:
https://www.reddit.com/r/MalwareAnalysis/comments/bgqz7m/analysis_of_malware_attacked_bank_x_customers/
Unpacking UPX manually:
https://www.reddit.com/user/Thatskriptkid/comments/c3csyd/unpacking_upx_manually/
Analysis of simple obfuscated office malware:
https://www.reddit.com/r/MalwareAnalysis/comments/bxvw1j/analysis_of_simple_obfuscated_office_malware/
@reverseengine
Reddit
From the MalwareAnalysis community on Reddit: Malware analysis of Sepsis ransomware
Explore this post and more from the MalwareAnalysis community
❤5
Introducing Lumen Server Protocol
A private Lumina server for IDA Pro
Investigating IDA Lumina Feature
Local server for IDA Lumina feature
@reverseengine
https://abda.nl/posts/introducing-lumen/
A private Lumina server for IDA Pro
https://github.com/naim94a/lumen
Investigating IDA Lumina Feature
https://www.synacktiv.com/en/publications/investigating-ida-lumina-feature.html
Local server for IDA Lumina feature
https://github.com/synacktiv/lumina_server
@reverseengine
abda.nl
Introducing Lumen
Lumen - A private Lumina server for IDA Pro
❤5
Forwarded from GO-TO CVE
CVE-2025-32433-week-79.pdf
219.4 KB
🎯 Week 79 — CVE‑2025‑32433 — Erlang/OTP SSH — Pre‑Auth RCE
🔹 CVE: CVE‑2025‑32433
🔹 Type: Remote Code Execution (pre‑authentication flaw in Erlang/OTP SSH server)
🔹 Impact: Full system compromise via crafted SSH messages — no credentials required
🔹 Fixed in: OTP‑27.3.3 / OTP‑26.2.5.11 / OTP‑25.3.2.20
🔹 Action: Patch immediately or disable SSH / restrict access by firewall
Exploit
#week_79
🔹 CVE: CVE‑2025‑32433
🔹 Type: Remote Code Execution (pre‑authentication flaw in Erlang/OTP SSH server)
🔹 Impact: Full system compromise via crafted SSH messages — no credentials required
🔹 Fixed in: OTP‑27.3.3 / OTP‑26.2.5.11 / OTP‑25.3.2.20
🔹 Action: Patch immediately or disable SSH / restrict access by firewall
Exploit
#week_79
❤5
This media is not supported in your browser
VIEW IN TELEGRAM
Injection DLLs into the explorer process using icons
https://github.com/d419h/IconJector
@reverseengine
https://github.com/d419h/IconJector
@reverseengine
❤5
Forwarded from DarkBit
New Persistence Method In Windows.pdf
1.8 MB
🔒 تکنیک جدید Persist در ویندوز!
📌 خلاصه مقاله:
در این بخش به معرفی یک تکنیک پایداری (Persistence) در ویندوز میپردازیم که با استفاده از تزریق و جایگزینی DLL با دسترسی کاربر پیادهسازی شده است. در این روش، فایل DLL مخرب توسط فرآیند svchost.exe اجرا میشود و امکان اجرای مداوم و مخفیانه کد در سیستم هدف را فراهم میسازد.
#RedTeam #CyberSecurity
#Maldev #Persistence
#WindowsInternals
💬 Forum
📣 DarkBit
📌 خلاصه مقاله:
در این بخش به معرفی یک تکنیک پایداری (Persistence) در ویندوز میپردازیم که با استفاده از تزریق و جایگزینی DLL با دسترسی کاربر پیادهسازی شده است. در این روش، فایل DLL مخرب توسط فرآیند svchost.exe اجرا میشود و امکان اجرای مداوم و مخفیانه کد در سیستم هدف را فراهم میسازد.
#RedTeam #CyberSecurity
#Maldev #Persistence
#WindowsInternals
💬 Forum
📣 DarkBit
❤7👍1
DarkBit
New Persistence Method In Windows.pdf
🔒 New Persist Technique in Windows!
📌 Article Summary:
In this section, we will introduce a persistence technique in Windows that is implemented using DLL injection and replacement with user access. In this method, the malicious DLL file is executed by the svchost.exe process, allowing continuous and secret code execution on the target system.
#RedTeam #CyberSecurity
#Maldev #Persistence
#WindowsInternals
💬 Forum
📣 DarkBit
📌 Article Summary:
In this section, we will introduce a persistence technique in Windows that is implemented using DLL injection and replacement with user access. In this method, the malicious DLL file is executed by the svchost.exe process, allowing continuous and secret code execution on the target system.
#RedTeam #CyberSecurity
#Maldev #Persistence
#WindowsInternals
💬 Forum
📣 DarkBit
Telegram
DarkBit Community | انجمن دارکبیت
Channel: @DarkBitx
❤6
Exploit Development: Investigating Kernel Mode Shadow Stacks on Windows
https://connormcgarr.github.io/km-shadow-stacks
@reverseengine
https://connormcgarr.github.io/km-shadow-stacks
@reverseengine
Connor McGarr’s Blog
Exploit Development: Investigating Kernel Mode Shadow Stacks on Windows
Using SourcePoint’s JTAG debugger to investigate the implementation of Intel CET Shadow Stacks in kernel-mode on Windows
❤5
Analysing a 1-day Vulnerability in the Linux Kernel's TLS Subsystem
https://faith2dxy.xyz/2025-10-02/kCTF-TLS-nday-analysis
@reverseengine
https://faith2dxy.xyz/2025-10-02/kCTF-TLS-nday-analysis
@reverseengine
faith2dxy.xyz
Analysing a 1-day Vulnerability in the Linux Kernel's TLS Subsystem
I recently decided to start doing some Linux kernel security research in my free time, with the goal of creating one of my own submissions in Google's kernelCTF…
❤1
Rowhammer Attacks on DDR5
https://thehackernews.com/2025/09/phoenix-rowhammer-attack-bypasses.html
https://youtu.be/1emxVQ6__qg
@reverseengine
https://thehackernews.com/2025/09/phoenix-rowhammer-attack-bypasses.html
https://youtu.be/1emxVQ6__qg
@reverseengine
YouTube
Phoenix – Rowhammer Attacks on DDR5 ::: PTE Exploit Demo
This video demonstrates the end-to-end PTE exploit that we mounted using our novel Phoenix attack on DDR5. This is the first Rowhammer privilege escalation exploit on a DDR5 device.
For more information about Phoenix, please visit: https://comsec.ethz.ch/phoenix.…
For more information about Phoenix, please visit: https://comsec.ethz.ch/phoenix.…
❤1
Ghidra Scripts/Plugins/Extension
https://github.com/AllsafeCyberSecurity/awesome-ghidra
@reverseengine
https://github.com/AllsafeCyberSecurity/awesome-ghidra
@reverseengine
GitHub
GitHub - AllsafeCyberSecurity/awesome-ghidra: A curated list of awesome Ghidra materials
A curated list of awesome Ghidra materials. Contribute to AllsafeCyberSecurity/awesome-ghidra development by creating an account on GitHub.
❤1
A Universal MCU Firmware Emulator for Dynamic Analysis without Any Hardware Dependence
https://github.com/MCUSec/uEmu
@reverseengine
https://github.com/MCUSec/uEmu
@reverseengine
GitHub
GitHub - MCUSec/uEmu: A Universal MCU Firmware Emulator for Dynamic Analysis without Any Hardware Dependence.
A Universal MCU Firmware Emulator for Dynamic Analysis without Any Hardware Dependence. - MCUSec/uEmu
❤1
VMProtect 2 - Detailed Analysis of the Virtual Machine Architecture
https://back.engineering/17/05/2021/
@reverseengine
https://back.engineering/17/05/2021/
@reverseengine
❤5
Pointer Arithmetic & Array Access
دسترسی به آرایه تک بعدی
دستور کلی:
در اسمبلی:
این خط یعنی:
نکته مهم برای ریورس:
هر وقت ضربدر 1/2/4/8 دیدی نوع داده مشخص میشه
ضربدر نوع داده
Pointer Arithmetic & Array Access
Accessing a one-dimensional array
General instruction:
In assembly:
This line means:
Important note for reverse:
Whenever you see multiplication by 1/2/4/8, the data type is specified
Multiplication by data type
@reverseengine
دسترسی به آرایه تک بعدی
دستور کلی:
arr[i] = *(arr + i)
در اسمبلی:
mov eax, DWORD PTR [rdi + rsi*4]
این خط یعنی:
rdi آدرس base آرایه
rsi مقدار i
*4 چون int = 4 bytes
نکته مهم برای ریورس:
هر وقت ضربدر 1/2/4/8 دیدی نوع داده مشخص میشه
ضربدر نوع داده
*1 char
*2 short
*4 int/float
*8 long/double/pointer
Pointer Arithmetic & Array Access
Accessing a one-dimensional array
General instruction:
arr[i] = *(arr + i)
In assembly:
mov eax, DWORD PTR [rdi + rsi*4]
This line means:
rdi base address of the array
rsi value of i
*4 because int = 4 bytes
Important note for reverse:
Whenever you see multiplication by 1/2/4/8, the data type is specified
Multiplication by data type
*1 char
*2 short
*4 int/float
*8 long/double/pointer
@reverseengine
❤2