Reverse engineer, creator of
@x64dbg
and 100+ other projects. Love binary analysis and Windows internals. Dreaming about doing open source full time...
Gave a guest lecture "Windows Internals Crash Course" at the Ruhr-Universität Bochum today. No novel research, but might be interesting for people getting started. Thanks to
@mr_phrazer
for the invite!
Wrote a little tool to generate a proxy for DLL hijacking. ASM stubs are often used for this purpose, but with some trickery you can use forwards with absolute paths!
#infosec
#redteam
#Memes
Great series of blog posts by
@justuspolzin
that makes Mixed Boolean-Arithmetic obfuscation very accessible: . There is even a web interface available to play with!
Wrote a simple prototype sandbox last night to emulate code in minidumps:
It has a basic framework to implement missing syscalls in python and it could be useful for extracting malware configuration.
@unicorn_engine
#infosec
#Emotet
#config
A snapshotting, coverage-guided fuzzer for software (UEFI, Kernel, firmware, BIOS) built on SIMICS:
Very interesting to see an example of the SIMICS API being used. If you're not familiar you can check out this free course on it:
Today I wrote some simple go tools to perform a Man-in-the-middle (MITM) attack on an IMAP server because I forgot my password. See
#infosec
#ios
Using
@corednsio
and
@emersion_fr
's great go-imap library!
Excited to announce a very special guest for the next stream, creator of x64dbg himself
@mrexodia
!
Check it out 10AM PST this Saturday, and bring your questions!
Finally got around to polishing my AppInitHook framework: . I have successfully used it for years to reverse engineer and customize random applications, take a look!
A few days ago I had a discussion with
#ChatGPT
about how to structure a reverse engineering course. One of the suggested topics was to teach people the "CREATE methodology". With a bit of probing I was able to generate this paper:
Interesting stuff!
Finally got around to implementing an automatically generated single-header version of the phnt library by
@SystemInformer
. Include it and you can start using native functions.
Ever needed to debug code with heavily templated C++ symbols, hundreds of characters in length? This new
@x64dbg
Symbol tl;dr plugin was designed to help with that by showing you a tl;dr with the important parts.
Looks nice! Any performance numbers or comparison with ? I did some experiments with in the past and was only able to squeeze about ~350k instructions/second out of Ghidra's C++ implementation ()
My dream has finally come true. I've been working on a 160kb virtual machine named Blink. It's now capable of emulating programs as complex as GCC and Qemu. We can now vendor Linux toolchain binaries in our build configs and have them run across platforms.
It's common knowledge that the best source for Windows native API definitions is the collection of System Informer (formerly Process Hacker) phnt headers. Surprisingly, there were no online docs for them, so I created a simple website:
Making Sense of x86 Microarchitecture
@mattgodbolt
outlines useful resources for gaining a deeper understanding of x86 microarchitecture, such as Agner Fog's optimization manuals, and explains how his own investigations led to attribution in the Spectre and Meltdown attacks.
A colleague once told me "one weird trick" to save disk space.
Simply print the file in a good OCR font and delete the file. It'll take zero disk space. Later you can scan it back in and OCR it.
Finally an interesting tool I worked on was made public by
@gamingatdenuvo
! It's very useful to cross-reference your application's logs with the memory usage of the process tree.
The little Easter eggs (pun intended) in
#x64dbg
always make me chuckle
Also, a good time to remind everyone that x64dbg is developed by one person in their free time
If you use it professionally, support free software
@HexRaysSA
Wouldn't it be more user-friendly to say "The function <name/address> is too big (128k, max 64k), would you like to decompile it anyway?" Yes/No
I find myself trying random numbers for the setting too, because the error doesn't indicate how big the function actually is…
@ShitSecure
You might like this quick script I wrote over the weekend:
You can use forwards to perform DLL hijacking without having to write any stubs. For functions you can also use some MASM that does 'jmp [original_api]' to not have to deal with any parameters.
I am pleased to announce that I recently published a paper in the 2nd International Fuzzing Workshop in Seattle. The paper is a registered report, and is about exploring a new technique (grammar mutation) to test software programs.
Link:
Thanks for giving dumpulator a try! Note that you can take a dump of an empty process and map shellcode in memory yourself to get a nice wrapper around unicorn.
@goatmilkkk
@hasherezade
If you want a slightly more fleshed out parser for the Nt functions you can look at
It uses phnt () and libclang to extract the arguments (+enum values) and outputs everything to JSON.
New Tutorial Video
Join us with special guest
@mrexodia
for a demo of
#Dumpulator
a binary
#emulator
!
Easy to use
#Python
, emulation in 5 lines of code
Complete Win32/64 env for emulation (minidump)
One-click
#malware
config extraction
@_n1ghtw0lf
Also something worth exploring is the C# scripting plugin:
And confusingly DbgCmdExec (queues a command asynchronously) causes a race condition in your example. Likely you want DbgCmdExecDirect instead (executes the implementation of the command directly).
Very nice! You can probably speed it up by replacing the hardware breakpoint with switching the return address to a stub that does what you need instead. Could also get rid of int3 by replacing it with a regular inline hook.
LogNT32 - Trace all ntdll function calls without a pre-defined list of headers
Useful for performing a quick analysis of a potentially malicious 32-bit exe, or to get an insight into the inner-workings of Windows API functions!
Finally got EagleVM in a somewhat stable place after actually writing some tests. Pretty happy with the current state of the project but there is still a lot I want to add. Looking forward to soon releasing the 1.0
@0xrepnz
Was originally an inside joke,
@mrexodia
getting PHP running in kernel (NtPhp) and me getting LUA running in kernel (NtLua), so I wouldn't look for any reasoning behind the choice (That being said I hate Python and its "style" so wouldn't touch it anyways.)
An ensemble approach for automated theorem proving based on efficient name invariant graph neural representations. ~ Achille Fokoue et al.
#ATP
#NeuralNetwork
Magnifier is a UI that helps reverse engineers explore decompiled programs interactively without all the manual note-taking. Read about this excellent work from our intern,
@tcode2k16
!
This part of the Python ecosystem is very unfortunate… I feel as though technology () is being deprecated, without a proper alternative being part of the language…
It's a pleasure to announce the release of open-obfuscator: a free and open-source solution
for obfuscating Android and iOS applications (Java/Kotlin, C/C++/Objective-C)
@patrickklepek
Actually funnily enough a few friends of mine had the idea to do the opposite years ago: detect an ad is playing on the TV and replace it with stuff from a YouTube playlist. Unfortunately HDCP blocked this plan though…
The difference in audio for TV advertisements actually
@DuchyRE
@c3rb3ru5d3d53c
Luckily
@x64dbg
doesn't trigger DbgUiRemoteBreakIn when attaching, so this isn't a problem anymore if you use a modern debugger
@hasherezade
Might be useful to combine it with . This script parses phnt to extract the arguments and it outputs JSON. Would be easy to adapt to your function tracing format.
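The replies above (to @goatmilkkk/@hasherezade and again here) describe a script that parses the phnt headers and emits the arguments of each Nt* function as JSON. As an added illustration of that idea, and not the author's libclang-based script, here is a deliberately small regex-based parser in Python. It handles the declaration shape phnt uses (NTSYSCALLAPI / return type / NTAPI / name / SAL-annotated parameters), keeps the SAL annotation and its argument for each parameter, and treats `VOID` as an empty parameter list. The three declarations in `SAMPLE_HEADER` are constructed here in phnt style rather than copied from phnt; enum values are not extracted, and anything libclang would need (macros, typedef resolution) is out of scope.

```python
import json
import re

# Constructed sample written in the style of phnt declarations (not copied from phnt).
SAMPLE_HEADER = """
NTSYSCALLAPI
NTSTATUS
NTAPI
NtClose(
    _In_ HANDLE Handle
    );

NTSYSCALLAPI
NTSTATUS
NTAPI
NtReadVirtualMemory(
    _In_ HANDLE ProcessHandle,
    _In_opt_ PVOID BaseAddress,
    _Out_writes_bytes_(BufferSize) PVOID Buffer,
    _In_ SIZE_T BufferSize,
    _Out_opt_ PSIZE_T NumberOfBytesRead
    );

NTSYSCALLAPI
NTSTATUS
NTAPI
NtYieldExecution(
    VOID
    );
"""

# One declaration: NTSYSCALLAPI <ret> NTAPI <Nt*>( <params> );
DECL_RE = re.compile(
    r"NTSYSCALLAPI\s+(?P<ret>\w+)\s+NTAPI\s+(?P<name>Nt\w+)\s*\((?P<params>.*?)\)\s*;",
    re.DOTALL,
)
# Leading SAL annotation such as _In_, _Out_opt_ or _Out_writes_bytes_(Size)
SAL_RE = re.compile(
    r"^(?P<sal>_[A-Za-z_]+?_)(?:\((?P<sal_arg>[^)]*)\))?\s+(?P<rest>.+)$", re.DOTALL
)
# "<type> <name>" where the type may carry pointer stars, e.g. "ULONG *Length"
TYPE_NAME_RE = re.compile(r"^(?P<type>.*?)\s*\b(?P<name>\w+)$", re.DOTALL)


def split_params(text):
    """Split a parameter list on commas that are not inside parentheses,
    so SAL arguments like _Out_writes_bytes_to_(Size, *Ret) stay intact."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_param(text):
    """Turn '_In_opt_ PVOID BaseAddress' into a dict with name, type and SAL info."""
    text = " ".join(text.split())  # collapse newlines and runs of spaces
    sal = sal_arg = None
    m = SAL_RE.match(text)
    if m:
        sal, sal_arg, text = m.group("sal"), m.group("sal_arg"), m.group("rest")
    m = TYPE_NAME_RE.match(text)
    if not m:
        raise ValueError("unparsable parameter: %r" % text)
    return {"name": m.group("name"), "type": m.group("type").strip(),
            "sal": sal, "sal_arg": sal_arg}


def parse_prototypes(header_text):
    """Return a list of {name, return_type, params} dicts for every Nt* declaration."""
    funcs = []
    for m in DECL_RE.finditer(header_text):
        raw = m.group("params").strip()
        if raw in ("", "VOID", "void"):
            params = []
        else:
            params = [parse_param(p) for p in split_params(raw)]
        funcs.append({"name": m.group("name"), "return_type": m.group("ret"),
                      "params": params})
    return funcs


def to_json(header_text):
    return json.dumps(parse_prototypes(header_text), indent=2)


if __name__ == "__main__":
    print(to_json(SAMPLE_HEADER))
```

Run it on a real phnt header and the JSON it prints has one entry per syscall with the parameter names and SAL direction (`_In_`, `_Out_`, ...), which is exactly what a function tracer needs to decide which arguments to dereference before and after the call.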
@timmisiak
I feel that regardless of the language/technology you use for writing extensions, an IDE experience is a must-have. Writing IDAPython scripts is a massive pain without autocomplete/debugging. Something like with VS+hot-loading is beautiful
Ever wonder why you can't just copy paste function definitions into IDA?
Well now you can copy paste them into GeoCities style web form and then into IDA …
Thanks
@mrexodia
:give: