Here is the bazarloader DLL sample extracted from a MFC parent file.

The bazarloader DLL is heavily obfuscated (it looks like an LLVM-based obfuscator) and the deobfuscation algorithm has been complicated in an intended way to make analysis 'harder'.

e.g. inside ZwRaiseHardError, you can see that the additional mathematical operations are meaningless…

This is one of the binaries that I created for this year's University CTF competition. This challenge is inspired by some red-teaming C# scripts and malware (e.g. Agent Tesla).

Challenge name: ParentSharp

General binary description: Lightly obfuscated C# binary with reflective loading and P/Invoke methods with an annoying runtime…

Hey guys! Just released a tool named ✨ pydotNetCLI ✨ that makes my life easier when extracting the resource file from dotNet malware samples. As we know, dotNet resource files are stored inside the dotNet CLI header, not in the .rsrc section of the PE file. In this initial version, I will just focus on resource extraction and hopefully add more header information or functions if time allows.

The initial intention of this tool was just to improve my understanding of the dotNet CLI header structure, but it ended up as a resource extractor 🤣.

Output from pydotNetCLI 😉

Will make an explanation of how I parse it in the next blog post!

Next blog post over HERE!!

Link to the GitHub

https://github.com/ghoulgy/pydotNetCLI

GhouLSec

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec
