Debugging and Reversing ALPC

https://csandker.io/2022/05/29/Debugging-And-Reversing-ALPC.html

@reverseengine

Exploiting CVE-2025-21479 on a Samsung S23

https://xploitbengineer.github.io/CVE-2025-21479

@reverseengine

VB disassembler and debugger

http://sandsprite.com/vbdec

@reverseengine

Binary Analysis Framework in Rust

https://github.com/falconre/falcon

@reverseengine

پاکسازی ردپاهای رفتاری Behavioral Artifacts

پاکسازی رفتاری یعنی چی

همیشه فقط فایل و لاگ نیست که شما رو لو میده خیلی وقتا رفتار برنامه یه اثر جانبی تو سیستم میذاره مثل اینکه برنامه رفته یه مسیر خاص یه DLL لود کرده یه NamedPipe ساخته یا حتی یه کلید رجیستری کوتاه اضافه کرده


این‌ها اسمش میشه Behavioral Artifact
و بدترین چیز اینه که خیلیاش اصلا به چشم نمیاد ولی تو فارنزیک کاملا مشخصه و لو میرید


مهمترین رد پاهای رفتاری که معمولا میوفتن

Load شدن
های غیر معمولی DLL

وقتی ابزارتون یه DLL کاستوم لود میکنه
تو ETW Sysmon و حتی حافظه اثرش میمونه

Named Pipes

اگه ابزار IPC داره و pipe ساخته بشه
تو حافظه handle table و بعضی لاگ‌ها دیده میشه

Registry Keys موقتی

بعضی ابزارا برای config یا persistence آزمایشی کلید short-lived میسازن که همون باعث لو رفتنتون میشه

Network Artifacts

حتی اگر لاگ فایل وجود نداشته باشه

route
های باز شده DNS cache ARP cache و socket states ممکنه دیده بشه

Process Tree / Parent Spoofing

خیلی وقتا افراد فکر می‌کنن چون PPID Spoof کردن پس کار تمومه ولی artifact های مثل Token Thread start time و Memory layout
دستتون رو رو میکنه و لو میرید و همه چی افشا میشه


چطور باید پاک‌شون کنید


اگه ابزارای شما DLL لود میکنه pipe میسازه یا رجیستری دستکاری میکنه باید اونا رو طوری طراحی کنید که بعد از اجرا خودش cleanup کنه


Pipeline Cleanup

بعد از کارا:

pipe
ها رو ببندید


handle
ها رو free کنید


thread
ها رو join کنید


registry موقت رو حذف کنید



%50 افراد همین کارای ساده رو نمیکنن

کم‌کردن Interaction با سیستم‌ عامل

هرچی syscalls کمتر
ردپا کمتر

محدود کردن Network Indicators

DNS cache، socket states و route
های باز شده

بعد از اتمام کار باید reset بشن


Memory Hygiene

Buffer
ها و ساختار هایی که حاوی metadata رفتاری هستن
نباید تو RAM بدون استفاده بشن





Cleaning up behavioral artifacts

What is behavioral cleaning?

It's not always just files and logs that give you away. Often, the program's behavior leaves a side effect on the system, such as the program going to a specific path, loading a DLL, creating a NamedPipe, or even adding a short registry key.

These are called Behavioral Artifacts.

And the worst thing is that many of them are not visible at all, but in forensics they are quite obvious and you get caught.

The most important behavioral traces that usually occur

Unusual DLL loadings

When your tool loads a custom DLL, it leaves traces in ETW Sysmon and even memory.

Named Pipes

If the tool has IPC and a pipe is created, it can be seen in the handle table and some logs.

Temporary Registry Keys

Some tools create short-lived keys for experimental config or persistence, which is what makes you get caught.

Network Artifacts

Even if there is no log file

Open routes, DNS cache, ARP cache, and socket states may be visible

Process Tree / Parent Spoofing

Many times people think that because PPID Spoofing is done, the job is done, but artifacts like Token Thread start time and Memory layout
will expose your hands and expose everything

How to clean them

If your tools load DLLs, create pipes, or manipulate the registry, you should design them to clean up after execution

Pipeline Cleanup

After work:

Close pipes

Free handles

Join threads

Delete temporary registry

50% of people do not do this simple thing

Reduce Interaction with the operating system

Less syscalls, whatever
Smaller footprint

Limit Network Indicators

Open DNS cache, socket states, and routes

They should be reset after completion

Memory Hygiene

Buffers and structures that contain behavioral metadata
should not be left unused in RAM

@reverseengine

Tools for analyzing UEFI firmware using radare2

https://github.com/binarly-io/uefi_r2

@reverseengine

Exploiting memory corruption vulnerabilities on Android

https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android

@reverseengine

A foray into Linux kernel exploitation on Android

https://mcyoloswagham.github.io/linux

@reverseengine

Helper plugin for analyzing UEFI firmware

https://github.com/zznop/bn-uefi-helper

@reverseengine

POC2025

https://www.youtube.com/playlist?list=PLHu2EA4lxh3Yvaa5sr9TYM3ywzGFBbpR8

@reverseengine

Malware Analysis

https://www.youtube.com/watch?v=sARnT7o8L60

@reverseengine

Hyper-V debugging for beginners 2nd edition

https://hvinternals.blogspot.com/2021/01/hyper-v-debugging-for-beginners-2nd.html

@reverseengine

Hyper-V memory internals. EXO partition memory access

https://hvinternals.blogspot.com/2020/06/hyper-v-memory-internals-exo-partition.html

@reverseengine

KOPYCAT - Linux Kernel module-less implant backdoor

https://github.com/milabs/kopycat

@reverseengine

Multi-disassemblers collaboration framework for reverse engineering

https://github.com/Martyx00/CollaRE

@reverseengine

Write Windows Shellcode in Rust

https://github.com/b1tg/rust-windows-shellcode

@reverseengine

How To Reverse Engineer RC4 Crypto For Malware Analysis

https://www.youtube.com/watch?v=-EQKiIbOLEc

@reverseengine

Reverse Engineering iMessage: Leveraging the Hardware to Protect the Software

https://www.nowsecure.com/blog/2021/01/27/reverse-engineering-imessage-leveraging-the-hardware-to-protect-the-software

@reverseengine

Cobalt Strike 4.12

https://www.cobaltstrike.com/blog/cobalt-strike-412-fix-up-look-sharp

@reverseengine