Automating Malware Deobfuscation with Binary Ninja
Writing a Static Unpacker
This section will teach participants how to automate unpacking and decryption of malware samples. This will be accomplished using the Qakbot sample as an example. The Qakbot sample is packed (obfuscated using an external program that “unpacks itself”) and therefore we will perform multiple hands-on exercises to automate the extraction of Qakbot from its packed form using Binary Ninja, PEFile and Binary Refinery.
+ The first exercise will teach attendees how to use Binary Ninja to identify the encryption algorithm used by the first stage of the packer and how to extract key information to decrypt the second stage.
+The next exercise will teach attendees how to use PEFile to extract an embedded resource from the packed binary. Once extracted, the resource will then be decrypted using the key information from the first exercise
The next exercise will teach attendees how to use Binary Refinery to carve binary files from the decrypted resource
Code
Slides
Workshop Manual
Writing a Static Unpacker
This section will teach participants how to automate unpacking and decryption of malware samples. This will be accomplished using the Qakbot sample as an example. The Qakbot sample is packed (obfuscated using an external program that “unpacks itself”) and therefore we will perform multiple hands-on exercises to automate the extraction of Qakbot from its packed form using Binary Ninja, PEFile and Binary Refinery.
+ The first exercise will teach attendees how to use Binary Ninja to identify the encryption algorithm used by the first stage of the packer and how to extract key information to decrypt the second stage.
+The next exercise will teach attendees how to use PEFile to extract an embedded resource from the packed binary. Once extracted, the resource will then be decrypted using the key information from the first exercise
The next exercise will teach attendees how to use Binary Refinery to carve binary files from the decrypted resource
Code
Slides
Workshop Manual
👍6
Analysis of two arbitrary code execution vulnerabilities affecting WPS Office
(Used by APT-60)
#apt #analysis #cve
(Used by APT-60)
#apt #analysis #cve
👍7🌚1
The SOS Intelligence CVE Chatter Weekly Top Ten
This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.
https://sosintel.co.uk/category/cve-top-10/
———
CISA (America's Cyber Defence Agency )
Bulletins provide weekly summaries of new vulnerabilities.
https://www.cisa.gov/news-events/bulletins
———
This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.
https://sosintel.co.uk/category/cve-top-10/
———
CISA (
Bulletins provide weekly summaries of new vulnerabilities.
https://www.cisa.gov/news-events/bulletins
———
👍5❤1
Silly EDR Bypasses and Where To Find Them
Credit: Marcus Hutchins
_ Article _
https://github.com/MalwareTech/EDRception.git
#edr #redteam
Credit: Marcus Hutchins
A proof of concept for abusing exception handlers to hook and bypass user mode EDR hooks.
_ Article _
https://github.com/MalwareTech/EDRception.git
#edr #redteam
👍6
Forwarded from Infosec Fortress
DEF CON 24 - Joshua Drake, Steve Christey Coley - Vulnerabilities 101
#vulnerability
#research
#vr
#conference
Video
———
🆔 @Infosec_Fortress
#vulnerability
#research
#vr
#conference
Video
———
🆔 @Infosec_Fortress
YouTube
DEF CON 24 - Joshua Drake, Steve Christey Coley - Vulnerabilities 101
If you’re interested in vulnerability research for fun or profit, or if you’re a beginner and you’re not sure how to progress, it can be difficult to sift through the firehose of technical information that’s out there. Plus there are all sorts of non-technical…
❤3👍3
Forwarded from Source Chat (Friend)
Please open Telegram to view this post
VIEW IN TELEGRAM
Forwarded from Order of Six Angles
The tragedy of low-level exploitation
https://gynvael.coldwind.pl/?id=791
похожие мысли всегда в голове крутились
https://gynvael.coldwind.pl/?id=791
похожие мысли всегда в голове крутились
gynvael.coldwind.pl
FAQ: The tragedy of low-level exploitation
👍4🤣3
How detect data exfiltration:
https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/
https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/
APNIC Blog
How to: Detect and prevent common data exfiltration attacks | APNIC Blog
Guest Post: Mitigate for APT threats with these best practices for detecting and preventing data exfiltration attacks.
🔥3👍2🤣1
Forwarded from r0 Crew (Channel)
Native function and Assembly Code Invocation
https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation/
#reverse #idapro
https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation/
#reverse #idapro
Check Point Research
Native function and Assembly Code Invocation - Check Point Research
Introduction For a reverse engineer, the ability to directly call a function from the analyzed binary can be a shortcut that bypasses a lot of grief. While in some cases it is just possible to understand the function logic and reimplement it in a higher-level…
👍5
Win32 Reverse TCP Shellcode
Credit: Xenofon Vassilakopoulos
Pt1: https://xen0vas.github.io/Win32-Reverse-Shell-Shellcode-part-1-Locating-the-kernelbase-address/
Pt2: https://xen0vas.github.io/Win32-Reverse-Shell-Shellcode-part-2-Locate-the-Export-Directory-Table/
Pt3: https://xen0vas.github.io/Win32-Reverse-Shell-Shellcode-part-3-Constructing-the-reverse-shell-connection/
Code:
https://github.com/xen0vas/Win32-Reverse-TCP-Shellcode.git
#shellcode #asm #winasm
Wanna learn how to write shellcode for your specific purpose in windows?
This is what you need !
Credit: Xenofon Vassilakopoulos
Pt1: https://xen0vas.github.io/Win32-Reverse-Shell-Shellcode-part-1-Locating-the-kernelbase-address/
Pt2: https://xen0vas.github.io/Win32-Reverse-Shell-Shellcode-part-2-Locate-the-Export-Directory-Table/
Pt3: https://xen0vas.github.io/Win32-Reverse-Shell-Shellcode-part-3-Constructing-the-reverse-shell-connection/
Code:
https://github.com/xen0vas/Win32-Reverse-TCP-Shellcode.git
#shellcode #asm #winasm
👾9👍1