8u1a/Malware-analysis-and-Reverse-engineering

Malware-analysis-and-Reverse-engineering

Some of my publicly available malware analysis and reverse engineering work (reports, tips, tricks...).


Tracing C function fopen [Part1] - IDA Free User-Mode Walk-Through tracing to NTApi
Tracing C function fopen [Part2] - Windbg Kernel Debugging - Walk-Through User-Mode to Kernel Executive Subsystem

Abusing External Resource References MSOffice [part1] - TEMPLATE_INJECTION
Abusing External Resource References MSOffice [part2] - OLEOBJECT_INJECTION

[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite
[3] Lokibot analyzing - Reversing, API Hashing, decoding

What is COM and its Functionality, COM in Registry (Tools - COM viewers), COM Client-Server (Using Powershell/.NET COM Client), Reversing COM instances and methods in IDA (Structures, Types, ComIDA plugin), Interesting way of using COM Method in LokiBot malware sample

Some notes, tips and tricks for reversing a malware sample that uses a statically imported open-source library.

This video is a guide to reversing the ransomware and writing a PoC decryptor in Python. In the last part of the video I cover another trick: how to dynamically invoke only the decryption routine of this ransomware directly from PowerShell and get all files decrypted.

Managed code vs. unmanaged code: difficulties during reversing and debugging.
One nice example is PowerShell itself.

Video covers deobfuscation of the latest SmartAssembly 8+ (commercial obfuscator for .NET) using SAE (Simple-Assembly-Explorer) and recreating the original module using dnSpy. [Samples Download]

Sample, my prepared annotated IDA IDB, Bochs image: [Download-Pass:infected]

Video about .NET reversing of P/Invoke, D/Invoke and Dynamic P/Invoke implementations, which are used to call unmanaged code from managed code. Covers the tool Get-PDInvokeImports [Get-PDInvokeImports].

Deep dive into reverse engineering APT29 C2-Client Dropbox Loader.

Languages

  • Python 98.1%
  • PowerShell 1.4%
  • Other 0.5%