|
|
Front Page News
-
|
|
In the course of security consulting, I often find myself in a situation where I've identified a security vulnerability but I need to create a proof-of-concept to show the feasibility of the vulnerability's exploitability.
Recently, I found an elevation-of-privilege...
|
-
|
|
I was developing some automation code recently and found that a process that I was injecting code into was crashing. At first I thought it was an error in my injected code, but when I looked at the crash-dump, I was amazed to see that the issue was in...
|
-
|
|
I am working on an automation system that involves forcefully terminating a process that creates an icon in the Taskbar Notification Area (no, not the "system tray"). It is the responsibility of the process that creates an icon in the Taskbar Notification...
|
-
|
|
I'm reviewing the source code for a rather large project this week and I wanted to update my Facebook status by saying something like, "Jason is reviewing 100,000 lines of Java for security vulnerabilities." However, being the perfectionist that I am...
|
-
|
|
Please see PART 1.
While the return value of FindWindowA is used to determine whether or not Outlook terminates its process, there's another issues when it comes to using a separate profile.
Outlook calls MAPILogonEx without the MAPI_NEW_SESSION bit...
|
-
|
|
After submitting my first patent two years ago to the US Patent Office, it has finally been published online!
You can read all the juicy details here and you can see diagrams here if you have a TIFF-renderer browser plug-in.
This patent was from when...
|
-
|
|
If you use Outlook and have multiple e-mail account profiles, you know how frustrating it is to have Outlook restrict you to a single running instance of Outlook per interactive login. For those of you not familiar with this "feature", here's the scoop:...
|
-
|
|
Friday, April 20th will be my final day at Microsoft. I will be joining NGS in the coming weeks as a Principal Security Consultant.
I've copied all of my old blog posts from http://blogs.msdn.com to http://www.malwareanalysis.com though unfortunately...
|
-
|
|
In a previous post, I talked about changing the Subsystem field in the IMAGE_OPTIONAL_HEADER to trick OllyDbg into loading a driver for the purpose of unpacking. However, making this single change is often not enough to be able to load the driver as...
|
-
|
|
While analyzing a malware sample today, I came across an interesting function. It uses red-herring local variables and red-herring global variables, and even once you get rid of that code, it's still unclear as to what the function does.
Since...
|
-
|
|
I bought my plane ticket a few hours ago for Virus Bulletin 2006. I'm looking forward to rubbing elbows with other virus analysts and discussing the latest and greatest reverse engineering tools and methods.
If you're going to VB'06 as well, send me...
|
-
|
|
I was looking at a malware sample last week that used a variation of Joanna Rutkowska's infamous Red Pill (http://invisiblethings.org/papers/redpill.html) to determine whether or not the malware was being run from inside a Virtual Machine....
|
-
|
|
People often ask me how to unpack DLLs and drivers. A common assumption is that it is necessary to use OllyDbg's LOADDLL for unpacking DLLs and that a ring-0 debugger such as SoftICE or WinDbg is necessary for unpacking drivers. With a little tweaking,...
|
-
|
|
It is common to hear reverse engineers throw around the phrase, “forty-thousand hex”. To someone unfamiliar with reverse engineering or debugging in Windows, this phrase would probably be interpreted to mean the value 0x00040000. However, when reverse...
|
-
|
|
I do most of my malware analysis statically, which is to say that I typically analyze malware by looking at a static disassembly of it as opposed to stepping through it in a debugger. However, sometimes I come across complicated or confusing code that...
|
-
|
|
I was analyzing Win32/Valla.2048 today, a file infector written in x86 Assembly. It keeps almost all of its variables (file handles, API function addresses, etc.) at the end of its section and it references these variables relative to EDI:
...
|
-
|
|
Scott Lambert and I will be giving a two-day training course at Black Hat in Las Vegas this summer on Advanced Malware Deobfuscation (http://www.blackhat.com/html/bh-usa-06/train-bh-us-06-sl-advmal.html).
This isn't a class where we lecture you...
|
-
|
|
I find myself often using hex-strings of assembly instructions in C++ programs, for example, "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" (snippet from http://www.phrack.org/phrack/49/P49-14, as a canonical example of shellcode)....
|
-
|
|
"You got a pocket pager? What are you, a doctor?"- Dr. Gillian Taylor, Star Trek IV
No, I'm not a doctor. I'm the Virus Analyst on-duty this week. But I am carrying around a pager (in case an important new threat comes out).
As luck would have...
|
-
|
|
Greg Hoglund recently wrote on his website about the game World of Warcraft searching for rogue DLLs in its own process space in order to catch code injected for cheating. This parallels an anti-debugging trick that can be found in malware. Malware...
|
-
|
|
I've been writing quite a bit of IDC script (http://www.datarescue.com/idabase/idaclike.htm) lately to help improve the efficiency of my malware analysis work. One of the scripts I was writing recently needed to know the Virtual Address of a section...
|
-
|
|
Most malware these days is obfuscated with "packers." These packers take an executable file as input and will often do a combination of compressing, encrypting, and obfuscating it. The packer produces as output an executable containing an unpacking...
|
-
|
|
I've spent the past few days putting together my trip report for REcon 2005 in Montreal. The talks were great, I had a lot of fun, and the best part was meeting all of the very influential people from the reverse engineering community. Here are some...
|
-
|
|
Malicious software will often contain anti-debugger code to make it more difficult to analyze the target. One of the many common anti-debugger tricks is breakpoint-searching. This involves scanning areas of memory for breakpoints set by the analyst...
|
-
|
|
Have you ever seen code that you know belongs to a function, but IDA refuses to create a function out of it? If so, you're probably familiar with disassemblies that look like this:
Figure 1. If IDA doesn't interpret code as a part of...
|
|
|