Posts By: malwrforensics

For 64-bit executables/PE files (PE32+), there are a couple of changes in the PE header offsets. Don't hard-code the size of the OptionalHeader (it is 0xE0 for PE32 and 0xF0 for PE32+); read "SizeOfOptionalHeader" from the _IMAGE_FILE_HEADER instead, and use the Magic field (0x10B for PE32, 0x20B for PE32+) to decide which layout follows. There is no longer a BaseOfData field; instead ImageBase is 8 bytes long, so every field after it in the optional header shifts accordingly. More details on _IMAGE_OPTIONAL_HEADER64 can be found here.

Here are some detailed instructions on how to install pydbg. In its most basic form, you need the following to execute a program:

    from pydbg import *
    from pydbg.defines import *

    def exception_handle(dbg):
        print(dbg.dump_context())
        raw_input("Press enter to continue...")
        return DBG_EXCEPTION_NOT_HANDLED

    def debug(exe_path, params):
        dbg = pydbg()
        pid… Read Article →

Set the Windows VM for debugging:
    bcdedit /debug on
    bcdedit /dbgsettings serial debugport:1 baudrate:115200
In the VM settings, associate a pipe to the COM1 port: \\.\pipe\debugk (Windows) or /tmp/debugk (Linux).
Here is a list of some useful windbg commands:
    lm – list modules
    !address <addr> – show details about addr
    !peb… Read Article →

This is a Python script for Immunity Debugger that sets breakpoints on "interesting" APIs. Here is the list of APIs (in no particular order): "ZwRaiseHardError" "bind" "listen" "socket" "DeviceIoControl" "ZwCreateFile" "ZwCreateSection" "ZwQueryInformationFile" "ZwQueryAttributesFile" "ZwCreateUserProcess" "ZwOpenKeyEx" "ZwOpenKey" "ResumeThread" "CopyFileA" "CopyFileExW" "CopyFileW" "CreateDirectoryA" "CreateDirectoryW" "CreateMutexA" "CreateMutexW" "CreateFileA" "CreateFileW" "CreateProcessA" "CreateProcessW" "CreateProcessInternalA" "CreateRemoteThread" "WinExec" "OpenProcess" "Sleep" "IsDebuggerPresent" "WriteProcessMemory" "_write" "ZwWriteFile"… Read Article →

As suggested by Intel in their "Intel Analysis of Speculative Execution Side Channels" whitepaper, the recommended mitigation for Spectre variant 1 (CVE-2017-5753, bounds check bypass) is to use the LFENCE instruction ("LFENCE does not execute until all prior instructions have completed locally, and no later instruction begins execution until LFENCE completes"). Placed right after the bounds check, this stops the bounds check bypass method that relies… Read Article →
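As an added illustration (this is example code, not the post's own), here is the classic bounds-check-bypass gadget beside the LFENCE-mitigated form. The arrays and the 512-byte stride are the usual PoC layout and are constructed here; the barrier macro is x86-only inline assembly, and on any other architecture (an assumption made only so the file compiles everywhere) it degrades to a plain compiler barrier that gives no speculation protection.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* LFENCE: nothing after it issues until every prior instruction has completed
 * locally, so a load that sits behind a mispredicted bounds check can no longer
 * run ahead of the compare and leave a cache footprint. */
#if defined(__x86_64__) || defined(__i386__)
#  define SPECULATION_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
#  define SPECULATION_BARRIER() __asm__ __volatile__("" ::: "memory")  /* no protection */
#endif

#define ARRAY1_SIZE 16
#define STRIDE      512   /* spreads each possible byte value over its own cache lines */

static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * STRIDE];
static volatile uint8_t sink;   /* keeps the dependent load from being optimised away */

/* Constructed table contents: array2[v * STRIDE] holds v, so the lookup is checkable. */
void init_tables(void)
{
    for (int v = 0; v < 256; v++)
        array2[v * STRIDE] = (uint8_t)v;
}

/* Before: architecturally correct, but while the branch is unresolved the CPU
 * may speculatively execute array1[x] with an out-of-bounds x and then touch
 * array2[<secret byte> * STRIDE]; the cache state survives the squash. */
uint8_t victim_unmitigated(size_t x)
{
    if (x < ARRAY1_SIZE) {
        uint8_t v = array2[array1[x] * STRIDE];
        sink = v;
        return v;
    }
    return 0;
}

/* After: LFENCE immediately after the check.  The two dependent loads cannot
 * begin until the compare has retired, so the mispredicted path never issues them. */
uint8_t victim_mitigated(size_t x)
{
    if (x < ARRAY1_SIZE) {
        SPECULATION_BARRIER();
        uint8_t v = array2[array1[x] * STRIDE];
        sink = v;
        return v;
    }
    return 0;
}

int main(void)
{
    init_tables();
    printf("x=3 (in bounds)        -> %u\n", victim_mitigated(3));
    printf("x=%u (out of bounds)   -> %u\n", ARRAY1_SIZE + 100, victim_mitigated(ARRAY1_SIZE + 100));
    return 0;
}
```

Both functions return the same values; the difference is only visible in the microarchitectural side channel, which is why a functional test cannot tell you whether the fence is in the right place. Inspect the generated assembly and confirm that the lfence sits between the compare/branch and the first dependent load, since an optimiser is free to move a plain barrier-less load above the branch.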

This is a Python script designed to automatically find XSS (cross-site scripting), directory traversal/LFI (local file inclusion) and open redirect vulnerabilities. It uses a predefined dictionary of XSS/LFI payloads that can easily be extended. The open redirect vulnerabilities are checked against
The tool is released for testing purposes ONLY! How to use: just point and… Read Article →

Reportedly the Fysbis backdoor has been used by the Sofacy (APT28) group in targeted attacks against defense organizations and East European governments. The malware has both 32 and 64-bit versions, but in this article we will show snippets from the latter. As the program starts, it will check whether it is already running and, if not,… Read Article →

ByteFUZZ is a file format fuzzer that does blind fuzzing by replacing bytes in the original/seed file. Once the files are generated, it calls the target program with each fuzzed file as an argument and checks whether it crashes. Let's see it in action 🙂 If you want to just… Read Article →

This is an IDA script (IDC) that can do a memory dump. It's useful to run it after you've gone past the obfuscation layer(s) and reached the decrypted code/data/strings. Open the output file in binary mode ("wb"), otherwise a Windows build of IDA will translate 0x0A bytes to 0x0D 0x0A and corrupt the dump.

    auto eax;
    auto start;
    auto end;
    auto f;
    f = fopen("dump.bin", "wb");
    start = 0x400000;
    end = 0x500000;
    eax = start;
    while ( eax < end )
    {
      … Read Article →
