Category Security

PE header for x64

For 64-bit executables/PE files, there are a couple of changes in the PE header offsets. Don’t consider the size of the OptionalHeader as 0x74, instead use the “SizeOfOptionalHeader” from the _IMAGE_FILE_HEADER. There is no longer a BaseOfData field, instead ImageBase…

Fuzzing with pydbg

Here are some detailed instructions on how to install pydbg. In its most basic form, you need the following to execute a program:

    from pydbg import *
    from pydbg.defines import *

    def exception_handle(dbg):
        print(dbg.dump_context())
        raw_input("Press enter to continue...")
…

(Kernel) debugging with windbg

Set the Windows VM for debugging:

    bcdedit /debug on
    bcdedit /dbgsettings serial debugport:1 baudrate:115200

In the VM settings, associate a pipe to the COM1 port: \\.\pipe\debugk (Windows) or /tmp/debugk (Linux). Here is a list of…

ImmunityDbg API breakpoints script

This is a Python script for Immunity Debugger that sets breakpoints on "interesting" APIs. Here is the list of APIs (in no particular order): "ZwRaiseHardError", "bind", "listen", "socket", "DeviceIoControl", "ZwCreateFile", "ZwCreateSection", "ZwQueryInformationFile", "ZwQueryAttributesFile", "ZwCreateUserProcess", "ZwOpenKeyEx", "ZwOpenKey", "ResumeThread", "CopyFileA", "CopyFileExW", "CopyFileW", "CreateDirectoryA", "CreateDirectoryW"…

Spectre (CVE-2017-5753) kernel updates

As suggested by Intel in their "Intel Analysis of Speculative Execution Side Channels" whitepaper, the recommended mitigation for Spectre variant 1 (CVE-2017-5753) is to use the LFENCE instruction ("LFENCE does not execute until all prior instructions have completed locally, and no later instruction…

WebPwnTool

This is a Python script designed to automatically find XSS (cross-site scripting), directory traversal/LFI (local file inclusion) and open redirect vulnerabilities. It uses a predefined dictionary of XSS/LFI payloads that can easily be extended. The open redirect vulnerabilities are checked…

Fysbis backdoor analysis

Reportedly the Fysbis backdoor has been used by the Sofacy (APT28) group in targeted attacks against defense organizations and Eastern European governments. The malware has both 32-bit and 64-bit versions, but in this article we will show snippets from the latter.…

ByteFUZZ

ByteFUZZ is a file format fuzzer that can do blind fuzzing, by replacing bytes from the original/seed file. Once the files are generated, it will call the target program with the fuzzed files as arguments and check to see if…

IDA script to create a memory dump

This is an IDA script (IDC) that can do a memory dump. It's useful to run it after you've gone past the obfuscation layer(s) and reached the decrypted code:

    auto eax;
    auto start;
    auto end;
    auto f;
    // open the dump file in binary mode so bytes are written unmodified on Windows
    f = fopen("dump.bin", "wb");
    start =…