To date I've already written 644 pages to help the security community and, hopefully, more articles will be released in the coming months:
This tweet is for beginners in reversing. A well-known type of malware is a downloader, which fetches a second malicious stage from the Internet. Most of them use WinINet APIs, and a possible sequence of API calls is shown in the following pictures.
#malware
#security
#assembly
After taking a necessary break, I returned to writing new articles. To keep myself motivated, little by little I will be producing several articles in parallel:
- Exploiting Reversing: article 02
- MAS 08, 09, 10 and 11.
- CPP reversing series: article 01 (finally).
Next week…
The sixth article in the Malware Analysis Series (MAS) is available:
The C2 configuration extractor is slightly less trivial than expected.
Thank you @ilfak and @HexRaysSA for supporting and providing me with IDA Pro.
#malwareanalysis
#malware
Next week I'll release the first post of a long series of articles about malware analysis. The first article will cover a simple malware (Hancitor), which we'll unpack and extract the C2 configuration from (Python 3, as always) in "part 1". Details coming soon.
#malware
I've released Malwoverview 4.0.3:
Malwoverview gathers information from Malpedia, Alien Vault, Polyswarm, URLHaus, VT, Hybrid Analysis, Malshare and ThreatCrowd. It also checks Android devices for malicious packages.
#ThreatHunting
#cybersecurity
In malware analysis, every detail is important. This picture comes from a malicious DLL, whose exported function is called by an executable (not found on VT). You'll find these instructions several times, so it's relevant to understand what's going on.
#malware
#CyberSecurity
In malware analysis, the focus is on binaries and their details (C2, persistence, injections/hooking, anti-forensics techniques). On the other hand, maldocs are trivially simple to solve and most of them take 5 minutes or less to collect information. Don't waste time.
#malware
While reversing and analyzing malware threats, each piece of information is relevant. The sequence of pictures shows the preparation made by the malware for a later code injection into a specific process. Pay attention to details.
#malware
#reversing
#security
#programming
Malwoverview is able to collect information about a malware from VirusTotal, Hybrid Analysis, URLHaus, Malpedia, Polyswarm, Malshare, Alien Vault, Valhalla and ThreatCrowd. Additionally, it checks packages from Android mobiles.
#ThreatHunting
#Malware
I just started writing the third article of MAS (Malware Analysis Series). I should have released it in early/mid March, but several job projects made it impossible. I hope to release new articles every 45 days from now on.
#malwareanalysis
People say everyone should use Rust instead of C/C++ because Rust is memory safe while C/C++ wouldn't be, but that's not true (not even close). The main problem with C/C++ is that many developers do not care about security while programming and do not use various available…
I've been very slowly working on the following in my spare time:
1. MAS
2. C++ reversing series (C++ 20 included)
3. IDA Pro programming series (it could be part of MAS or not).
4. Windows reversing
5. Malwoverview
Let's get to work.
#malware
#reversing
#programming
#idapro
Malwoverview 5.4.1 has just been released:
It works on Windows, Linux and macOS.
Once again: even though I am forever away from malware analysis, I will continue to maintain Malwoverview and write articles on R.E.
#threathunting
#malware
If you have just started learning reverse engineering and malware analysis, you should pay attention to simple and well-known tricks that are still used by adversaries when analyzing the resulting assembly code.
#idapro
#reversing
People have asked if I'm going to keep writing articles about reversing. At this time, I'm working on the following articles:
- MAS 7
- MAS 8 (different from previous ones)
- CPPRS (C++ reversing series)
- MASLim (malware analysis on Linux/iOS/macOS)
#malware
#idapro
During malware analysis, the fundamental steps before starting the real analysis are: unpacking, resolving imports and string de-obfuscation.
Learning programming (C/C++/C# and Python) is always useful.
#malware
#reversing
#programming
#idapro
#cybersecurity
Malwoverview is able to collect information about malware threats from Polyswarm, Malshare, Alien Vault, Valhalla, ThreatCrowd, VirusTotal, Hybrid Analysis, URLHaus and Malpedia. It also checks packages from Android mobiles.
#ThreatHunting
#Malware
Last week I released the second article of MAS (Malware Analysis Series) and links follow below:
(article 1 - 36 pages):
(article 2 - 96 pages):
I'll start writing the 3rd one very soon.
#malwareanalysis
#reversing
#malware
I started writing a new series about C++ reversing (mainly focused on the C++ Standard Library: containers, iterators and templates, in general) using short and educational programs. Of course, the reversing task is slightly harder...
#reversing
#reverseengineering
#cpp
#idapro
Pieces of thread synchronization code are usually skipped over during malware analysis (time is restricted to C2, persistence, injection/hooking...), but they offer details and rich information on the sample. C programming is always great.
#malware
#programming
#cybersecurity
Malwoverview 2.0.7 is online! This version allows installation using pip:
$ pip3.7 install malwoverview (Linux)
$ python -m pip install malwoverviewwin (Windows)
Further information is available on:
(Github)
#malware
#dfir
#threathunting
#security
Basics on malware analysis for beginners: most people only pay attention to the called APIs, but it might be interesting to pay attention to how arguments are constructed.
#reversing
#malwareanalysis
#cybersecurity
While I'm still writing the first article of MAS (Malware Analysis Series), which I'm late with because of health issues in the family and also because I was assigned to two private trainings, I leave a simple article about maldocs:
(PDF):
#malware
I keep encouraging professionals to learn C/C++/C# programming because it can improve their skills in reversing malware. This quite simple downloader (from my C# course) generates 567 functions (after publishing it is native code, 147K) to be analyzed in IDA Pro.
#programming
I've been writing the "Malware Analysis and Reverse Engineering" course, which will have 15 sections (planned). The focus will be on providing information and techniques. As my deadline is November, there is still time, and details will come later.
#malware
#reversing
Malwoverview 4.3.4 is available:
It offers information from VT, HA, URLHaus, Polyswarm, Malshare, Alien Vault, Malpedia, ThreatCrowd, Valhalla, Malware Bazaar and ThreatFox.
It's also able to scan Android devices against VT and HA.
#threathunting
Malware samples, shared by @vxunderground, which are using stolen NVIDIA and long-expired certificates. You can easily download them from Malware Bazaar and Triage using Malwoverview:
Once again: credits to @vxunderground
#malware
While I'm still writing the 2nd article of the Malware Analysis Series (MAS), of which I'm on page 43 and far from the end, I dropped a short and simple write-up on a malicious document to help beginners in threat analysis.
#maldoc
#threatanalysis
I've been very busy and focused on security research (15 hours a day), so it's almost impossible to publish something on Twitter. Anyway, I'm leaving some pretty basic code involving privileges.
My goal is to post one tweet every two weeks :)
#malware
#idapro
#assembly
While analyzing a malware sample, we're usually interested in unpacking the sample, de-obfuscating it, finding C2 communication, code injection and hooking, persistence and so on. Eventually, paying attention to details could help you.
#malware
#reversing
#programming
After many years, malware continues using simple virtual machine detection such as temperature checking in different languages such as C++, PowerShell, and so on... I've quickly written a short and bare piece of code in .NET C# to show the trivial technique.
#malware
#programming
#dotnet
Malware communicates through a C2 using network API sets such as WinSock2, WinINet, COM interface (CoCreateInstance( ), CoInitialize( ), ...), WinSock Kernel and NDIS library.
Learning details could help you. This example is about WinINet APIs.
#malware
#reversing
#assembly
My colleague Elias Bachaalany (@0xeb) has kept an excellent channel about IDA Pro (@allthingsida) with videos about its advanced features. No doubt, it's worth subscribing and following it.
#idapro
#reverseengineering
Although I have permanently transitioned to vulnerability research, I have plans to release new versions of Malwoverview and continue maintaining it after I finish writing the five pending articles:
There've been 91K downloads so far.
#threathunting
I've been writing C, C++, Rust and Kernel Driver courses, and it's always great to teach programming to other security researchers.
Nobody needs to be a programmer before working with reverse engineering and OS internals, but these skills could help you.
#programming
I've commented another slide of my SANS 2020 presentation. Although concepts are very simple, I hope it can encourage new professionals to follow the reverse engineering career.
By the way, my slides follow:
#malware
#programming
#reversing
#security
People ask why I haven't spoken at conferences in the last four years. In fact, my decision was made in 2022 for several reasons:
1. Due to the nature of my work (Windows/Hypervisors/Browsers exploitation), I cannot comment or present anything (and it isn't recommended).
2. The…
I am not completely sure whether I will keep it as second or third article (I'm also writing an article on native binaries including COM reversing), but I already started writing the second and third articles of the MAS (Malware Analysis Series).
#malwareanalysis
Chromium IPC Sniffer: This utility helps you explore what Chrome processes are saying to each other under the hood in real-time, using Wireshark.
#chrome
#ipc
#cybersecurity
I started writing a long and detailed first training on rootkits analysis (including programming, of course), which will be produced slowly, but one of its slides follows below.
Everything is important: concepts, programming, tools and analysis.
#malware
#programming
#rootkits
If you intend to exploit browsers (v8/chrome), don't forget to read all source files, which contain tons of rich information, and as an example we have Maps (they hold object's type, size, element/properties' location...), where similar objects (same memory layout) are…
Maldocs are the main vector of malware infection these days (about 70%). Understanding them is not usually difficult (certainly, dozens of times easier than any malicious binary), but it's so important to learn how to do it.
#malware
#maldocs
#cyberthreats
#cybersecurity
After taking a 30-day break from writing articles due to work tasks and changes in my career, I'm slowly picking up and opening another two series: C++ Reversing and iOS/macOS/Android malware analysis. I hope to be able to release something in the next 60 days.
#malware
#idapro
Before releasing new articles on reverse engineering, I had promised an introductory and short article about Malwoverview and Tines (@tines_io) to help professionals to use them, so here it is:
Next articles will be about reverse engineering and…
(interesting) WinDiff is an open-source web-based tool which allows browsing and comparing symbol and type information of MS Windows binaries across different versions of the OS.
WinDiff:
Github repository:
#windows
#kernel
Malwoverview 3.0.0 is available!
This version includes information gathering by IP from VT and Polyswarm, Yara information from Malshare, searching for URL and payload by tag from URLHaus and searching for domain/URL from Polyswarm.
#ThreatHunting
Attack Surface Analyzer is a Microsoft developed open source security tool that analyzes the attack surface of a target system and reports on potential security vulnerabilities introduced during the installation of software or system misconfiguration:
I've just published "MAS" Article 1 -- version 1.1. As I'd simplified the original script on page 30, I left (by mistake) two dead lines there (now both removed).
The new version (A.1) of the PDF (and next updates) will be published here:
#malware
I hope to be releasing the new version of Malwoverview in the next few days, including new features and most importantly, dozens of fixes and changes.
#threathunting
#malware
We usually overlook several important instructions during analysis because the common targets are C2, injection methods, persistence, exploits and anti-forensics, but if you pay attention to details, you'll note details that might be relevant for an investigation.
#malware
I have been slowly writing the next articles:
1. MAS 08: Introduction to MacOS malware analysis.
2. ER 03: macOS/iOS (part 01)
3. MAS 09: Shellcode Analysis
4. ER 04: Browsers or Hypervisors (part 01)
5. RE 05: Hypervisors or Browsers (part 01)
MAS 09 will be the last article…
Malwoverview 5.0.2 is available:
If you haven't tested it yet, Android malware samples and third-party apps on Android mobile devices (no rooting required) can be scanned on VirusTotal.
#ThreatHunting
#malware
For a very particular reason, I needed to compile the WinAFL fuzzer, though the project offers binary versions for x86 and x64, and I've noticed why many people have problems doing it on their own. Thus, I've written a short procedure to do it:
#fuzzing
I've been busy for the last few weeks, but here's a basic tip on setting up IDA Pro + WinDbg.
Most of the time, I use windbgx + TTD for vulnerability research, but in some situations having IDA Pro + WinDbg integrated is a time saver.
#idapro
#windbg
#windbgx
#cybersecurity
Are you interested in installing the CFPsec script to check Call for Papers and Upcoming Conferences?
I've made the installation easier:
pip install cfpsec
You won't miss Call For Papers anymore ;)
#conferences
#security
A few months ago I delivered my last article: . I will continue writing articles from my previous area and hopefully I will be releasing new ones in about six weeks, even though it's hard to find time to draft new texts. Let's see.
#reversing
#drivers
In any vulnerability research procedure:
1. Collect information about the target.
2. Do a good reverse engineering.
3. Try to understand everything about how the target works.
4. List and track possible interactions and privilege rights.
5. Debug it! Ever!
#vulnerability
Malwoverview 4.1 is available! This version includes the VALHALLA service from @thor_scanner.
Malwoverview offers information from Malpedia, Alien Vault, VT, Hybrid-Analysis, URLHaus, Malshare, ThreatCrowd, Polyswarm and Valhalla.
#ThreatHunting
#malware
Windows 11 has a simple and useful sandbox feature, great for creating disposable virtual machines, where you can run and analyze binaries for vulnerability research and malware analysis. Apparently, it's still a little-known feature.
#windows
#sandbox
For people asking me if I will publish a new version of Malwoverview, the answer is YES, and more details will be released in the coming weeks. Even if I am forever away from malware analysis, I will maintain the project.
#malware
#threathunting