Windows anti Debugging Protection Techniques With Examples
https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software
https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software
Apriorit
Anti Debugging Protection Techniques with Examples
This article considers popular anti-cracking, anti reverse engineering protection techniques, namely anti-debug methods in Windows OS.
Anti-Debugging and Anti-VM Techniques and Anti-Emulation
https://resources.infosecinstitute.com/anti-debugging-and-anti-vm-techniques-and-anti-emulation/#gref
https://resources.infosecinstitute.com/anti-debugging-and-anti-vm-techniques-and-anti-emulation/#gref
Infosecinstitute
Anti-debugging and anti-VM techniques and anti-emulation [updated 2019] | Infosec
These days malware is becoming more advanced. Malware Analysts use lots of debugging software and applications to analyze malware and spyware. Malware author
Decompiling and running flash programs using SWF file player + FFdec
EXPLORING THE PE FILE FORMAT VIA IMPORTS
DLL Name RVA: A pointer (address) to the name of the imported DLL.
Import Address Table (IAT) RVA is populated by the loader when the executable and its imported DLLs are mapped into memory, and it is a table of pointers to the imported functions. Each entry in the table is called a “thunk” and the table is referred to as a “thunk table.” With that in mind, the RVA in this field points to the address of the imported function within the IAT
https://malwology.com/2018/10/05/exploring-the-pe-file-format-via-imports/
DLL Name RVA: A pointer (address) to the name of the imported DLL.
Import Address Table (IAT) RVA is populated by the loader when the executable and its imported DLLs are mapped into memory, and it is a table of pointers to the imported functions. Each entry in the table is called a “thunk” and the table is referred to as a “thunk table.” With that in mind, the RVA in this field points to the address of the imported function within the IAT
https://malwology.com/2018/10/05/exploring-the-pe-file-format-via-imports/
PE 101/102 - a windows executable walkthrough
https://github.com/corkami/pics/tree/master/binary/pe101
https://github.com/corkami/pics/tree/master/binary/pe102
https://github.com/corkami/pics/tree/master/binary/pe101
https://github.com/corkami/pics/tree/master/binary/pe102
GitHub
pics/binary/pe101 at master · corkami/pics
File formats dissections and more... Contribute to corkami/pics development by creating an account on GitHub.
Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
https://github.com/LordNoteworthy/al-khaser
https://github.com/LordNoteworthy/al-khaser
GitHub
GitHub - ayoubfaouzi/al-khaser: Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection. - GitHub - ayoubfaouzi/al-khaser: Public malware techniques used in the wild: Virtual Machine,...
Non-HTTP Protocol Extension (NoPE) Proxy and DNS for Burp Suite.
https://github.com/summitt/Burp-Non-HTTP-Extension
https://github.com/summitt/Burp-Non-HTTP-Extension
GitHub
GitHub - summitt/Nope-Proxy: TCP/UDP Non-HTTP Proxy Extension (NoPE) for Burp Suite.
TCP/UDP Non-HTTP Proxy Extension (NoPE) for Burp Suite. - summitt/Nope-Proxy
Four Ways to Bypass Android SSL Verification and Certificate Pinning
https://blog.netspi.com/four-ways-bypass-android-ssl-verification-certificate-pinning/
https://blog.netspi.com/four-ways-bypass-android-ssl-verification-certificate-pinning/
NetSPI
Four Ways to Bypass Android SSL Verification and Certificate Pinning
Explore four techniques to bypass SSL certificate checks on Android in our Four Ways to Bypass Android SSL Verification and Certificate Pinning blog.
Radare2 Emulation commands
initialize emulation: aei
deinitialize emulation: aed
emulate a whole function: aef
single-step: aes
initialize emulation: aei
deinitialize emulation: aed
emulate a whole function: aef
single-step: aes
Deobfuscate strings using De4dot https://github.com/0xd4d/de4dot
d4dot.exe -strtyp delegate -strtok <deobfuscation function token> <file>
d4dot.exe -strtyp delegate -strtok <deobfuscation function token> <file>
GitHub
GitHub - de4dot/de4dot: .NET deobfuscator and unpacker.
.NET deobfuscator and unpacker. Contribute to de4dot/de4dot development by creating an account on GitHub.
https://youtu.be/1RNcZpBLZHs
Manual unpacking using dnspy and class constructor ( .cctor )
Note. No need actually for using ilspy you can modify the entry point by editing module settings:
Right click on it in modules tree
Edit module
Choose mananged
Choose the main method
Save module
Manual unpacking using dnspy and class constructor ( .cctor )
Note. No need actually for using ilspy you can modify the entry point by editing module settings:
Right click on it in modules tree
Edit module
Choose mananged
Choose the main method
Save module
YouTube
Malware Analysis - When De4dot fails, Removing Anti Tamper from NullShield
Decompilation fails and de4dot cannot deobfuscate this trojan spy named Evrial. We discover code in the module's constructor (.cctor) that fixes the assembly.
Malware analysis courses: https://malwareanalysis-for-hedgehogs.learnworlds.com/courses
Buy me…
Malware analysis courses: https://malwareanalysis-for-hedgehogs.learnworlds.com/courses
Buy me…