GhouLSec
137 Followers

Jan 13

[Misc Series #2] Debug trick with Image File Execution Options (IFEO)

Sometimes we want to debug a child process that receives some parameters from its parent process, especially Windows native processes. …

Debugging

2 min read



Dec 20, 2022

[RedDev #5] Rundll32 COM Hijack executor in C++

Due to my curiosity about rundll32.exe triggering a COM execution via the -sta/-localserver switch, I decided to dig into the rundll32.exe code further to understand why it does so. Investigation: during the initial phase, rundll32.exe itself parses the arguments passed to it via RunDLL_ParseCommand. This function will determine…

Cybersecurity

6 min read



Nov 10, 2022

[Vuln Series #1] CLFS Vulnerability Analysis

The sample is most probably related to CVE-2022-24521, which is a CLFS parsing bug. The vulnerability is due to a parsing issue in CLFS on a specially crafted log file (.BLF / Base Log File), which allows a user to alter kthread.previous_mode and enable write permission on kernel memory addresses…

Exploitation

6 min read



Jun 4, 2022

[Mal Series #23] Malware Loader — Bumblebee

Some of the functions in the analyzed sample are similar to the ones mentioned in the SentinelOne blog. The difference might be additional anti-debug checks and obfuscation. Sample here from abuse.ch. Overall, here is Bumblebee’s general behavior that I was able to find: anti-debug using the al-khaser library; decode C2 using RC4 …

Cybersecurity

4 min read



May 16, 2022

[CTF Series #12] Mini Linux Forensics — MUS22

Here is my write-up for the mini Linux forensics challenge. In this challenge, each participant received 2 E01 files, aka EnCase image files, which are Mate and Kubuntu disk images. At first I put the E01 image into FTK Imager, but I found that it is not so convenient for…

Linux

4 min read



Mar 24, 2022

[Mal Series #22] Weird Embedded PDF file

A PDF file embedded with a “VelvetSweatshop”-encrypted Excel file which contains a payload that uses CVE-2017-0199 to download its next payload from a 2url[.]one shortened URL link. The malicious sample is available on abuse.ch. Screenshots: press “Ok” and Excel 2010 launches (the user will get infected if they are using a vulnerable version of…

Cybersecurity

4 min read



Feb 5, 2022

[RedDev Series #4] Experimenting SysWhisper2 with LLVM Obfuscator

I will be sharing some of my experiments with the LLVM obfuscator and SysWhisper2 in Visual Studio 2019. This post is inspired by the LLVM-obfuscated malware mentioned in my previous post. …

Malware Analysis

4 min read



Dec 4, 2021

[Mal Series #21] BazarLoader

Here is the BazarLoader DLL sample extracted from an MFC parent file. The BazarLoader DLL is heavily obfuscated (seems like LLVM obfuscator) and the deobfuscation algorithm has been complicated intentionally to make analysis ‘harder’, e.g. inside ZwRaiseHardError you can see that those additional mathematical operations are meaningless…

Malware

3 min read



Nov 6, 2021

[CTF Series #11] C# P/Invoke + Reflective load

This is one of the binaries that I created for this year’s University CTF competition. This challenge is inspired by some red teaming C# scripts and malware (e.g. Agent Tesla). Challenge name: ParentSharp. General binary description: a little obfuscated C# binary with reflective load and P/Invoke methods with annoying runtime…

Malware Analysis

5 min read



Nov 2, 2021

[Mal Series #20] Android libarm_protect packer

Just came across some Android malware packed with the libarm_protect packer. Here is the manifest of the packed Android application. You can see from the <application> tag that the app will start with a class called arm.StubApp. The StubApp seems to work as a payload unpacker that…

Malware Analysis

2 min read


Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec
