As suggested by Intel in their Intel Analysis of Speculative Execution Side Channels whitepaper, the recommended mitigation for Spectre (CVE-2017-5753) is to use the LFENCE instruction (“LFENCE does not execute until all prior instructions have completed locally, and no later instruction…
This is a python script designed to automatically find XSS (cross-site scripting), directory traversal/LFI (local file inclusion) and open redirect vulnerabilities. It uses a predefined dictionary for XSS/LFI attacks that can easily be extended. The open redirect vulnerabilities are checked…
Reportedly the Fysbis backdoor has been used by the Sofacy(APT28) group in targetted attacks against defense organizations and East European governments. The malware has both 32 and 64-bit versions, but in this article we will show snippets from the latter one.…
ByteFUZZ is a file format fuzzer that can do blind fuzzing, by replacing bytes from the original/seed file. Once the files are generated, it will call the target program with the fuzzed files as arguments and check to see if…
This is an IDA script that can do a memory dump. It’s useful to run it after you’ve gone past the obfuscation layer(s) and reached the decrypted code auto eax; auto start; auto end; auto f; f = fopen(“dump.bin”, “w”); start =…
Command Description $./volatility –filename=. –profile=WinXPSP2x86 psscan Check for hidden processes (would show as False in pslist or psscan) $./volatility –filename=. –profile=WinXPSP2x86 psxview Check for hidden processes (would show as False in pslist or psscan) $./volatility –filename=. –profile=WinXPSP2x86 envars -p 123…
Linux uses a swap partition, that represents the system’s virtual memory. The swappiness represents how often the system will copy stuff from RAM to disk/virtual memory. The more RAM you have, the less you need to copy to disk and…
This is a script developed in python to extract forensic artefacts from a file/memory dump. It’s useful to run it after you’ve gone past the obfuscation layer(s) and reached the decrypted code It can extract filenames, registry keys, urls, e-mail…
This script can generate fuzzing files with valid AVI/BMP/CUE/GIF/JPG/PDF/PNG headers. The body can be a constant set of characters or random characters (useful to determine the offset when the program crashes). The code is available on github. You can download…