As promised in the previous blog, I will share my understanding on the dotNet header and how to parse it.
dotNet CLI header is found in
.text section of the PE file. We only need to focused on this section to make things work ✌.
Basically this is the formula from RVA2OffSet.
.textis larger or equal to VA of
dotNet MetaData Directory
.textis larger than VA of
dotNet MetaData Directory.
Hey guys! Just released a tool named ✨ pydotNetCLI ✨ that make my life easier when extract the resource file from dotNet malware samples as we know dotNet resource file stored inside dotNet CLI header which is not from the
.rsrc section of the PE file. In this initial version, I will just focusing on the resource extraction and hopefully will add more header information or functions if time allows.
The initial intention of this tool just to improve my understanding on the dotNet CLI header structure, but it ends up as a resource extractor 🤣.
Will make a explanation on how I parse it in the next blog post!
Next blog post over HERE!!
What is the capability of
icalcs 🤔 and how does the malware 😈 abuse it during their operation.
Based on ss64.com, it is capable of:
Change file and folder permissions — display or modify Access Control Lists (ACLs) for files and folders.
iCACLS resolves various issues that occur when using the older CACLS & XCACLS
Some of the common
icacls parameter that malware used are
/grant. Sometimes, malware abuses
takeown (Used to take ownership of a file) and
icacls /reset execution combo to get access of certain service.
As what I found, malware will execute
Using Qiling to automate WinApi hash finding tasks and also did a lazy quick win against stack string obfuscation.
Before working on that, make sure download the requirement dlls and registries into your work folder (e.g. ~/qiling/examples/rootfs/x86_windows)
You can get the collector script 📜 here :
Basically, in order to work with the emulation, it is better to identify:
✔ Desired section of the code that will be execute by the tool (e.g. hashing algorithm)
✔ Getting its start and end address which then will put them into
ql.run for execution later
✔ Identify any arguments/registry (eax/
ql.reg.ebx etc.)/stacks that needs…
Normally in order to disable some windows related service (e.g. Windows Defender, or certain registry key or files) always required higher/another level of privilege to do it. For example, SolarWinds escalated its privilege to disable windows defender service by abusing privileges constant such as
SeDebugPrivilege. Therefore, in this story, it will show how Snake malware perform an escalated action via
AdvanceRun.exe on its removal script via a service account
TrustedInstaller to disable Windows related services.
It is not a priv. escalation as it still requires admin privilege to run AdvanceRun.exe
Even if your are in an admin account, there are…
Most of the Android Malware will request for Android’s Accessibility Services (AAS) before it execute any malicious activities.
Good read regarding to AAS -> HERE
Usually it can be find in the app’s “entry point” since it is the gate for the malicious play 👹 👺
In the class MainActivity, the app will pop out a alert dialog for user to enable the AAS.
Most of the C# malware will load the decrypted loader module in memory to avoid signature based detection. The In-Memory file loader can be done by using [System.Reflection] Assembly Class which will load the file (.dll etc.) bytes into it and invoke/call any function that found inside the loaded file.
Some good reading on C# .Net Assembly.
Here is my analysis of the Darkside ransomware.
Will attach more screenshot regarding of my analysis this time 😏
Didn’t connect to the C2 during the analysis
Utilizing COM bypass UAC privilege (When Access Token Method Failed)
Most of the malware nowadays are using custom string decoding algorithm to hide the juicy strings that provide key information of sample. It will be great if we are able to decode all the string and add them in the code comment so that we can analyze is side-by-side and understand the malware better. As for this, I had wrote a Ghidra decoding script in Python for Qakbot.
Based on the experience, malware will always declare certain function many times for its decoding routine.
After poking around with it, function FUN_10010eff seems have something juicy since it loads some hex…
This is a Windows C++ reversing challenge created by me for the University CTF challenge. Will using Ghidra, xdbg64 and brainz to solve it.
This challenge is inspired by the malware which perform code injection in its own child process and malware which create mutex to control the execution flow. Don’t Sum Ting Wrong here and there plz 😋
The sample will duplicate self process and pipe out the to read to file’s text stream from parent to child process.
Later it will check does the text.txt exist in the same directory.
If yes, then it will continue to read…