What are you using for #reverseengineering #reversing #binaryanalysis #malwareanalysis ?
(Boosts welcome)
The tenth article (35 pages) of the Malware Analysis Series (MAS) is available on:
https://exploitreversing.com/2025/01/15/malware-analysis-series-mas-article-10/
I would like to thank Ilfak Guilfanov @ilfak and @HexRaysSA (on X) for their constant and uninterrupted support, which has helped me write these articles.
I promised to write a series of ten articles, and this is the last one. I hope that over the years I have provided professionals around the world with a little help in improving their malware analysis and reverse engineering skills. The series is now complete and this was my last contribution on malware analysis.
Next week (JAN/22) the third article of the Exploiting Reversing Series (ER 03), which is my long-term series, will be released. I hope you like it.
Have an excellent day.
#linux #malware #reverseengineering #reversing #idapro #malwareanalysis #elf #crypto #ransomware
The ninth article (38 pages) of the Malware Analysis Series (MAS) is available on:
https://exploitreversing.com/2025/01/08/malware-analysis-series-mas-article-09/
I would like to thank Ilfak Guilfanov @ilfak and @HexRaysSA (on X) for their constant and uninterrupted support, which has helped me write these articles.
Even though I haven't been on this subject for years, I promised I would write a series of ten articles, and the last one will be released next week (JAN/15).
Have a great day.
#windows #shellcode #malware #reverseengineering #reversing #idapro #malwareanalysis
So far, I have written 706 pages to help the security community. My goal will be writing new articles of the Exploiting Reversing Series (ERS), which is focused on security research. However, I am planning to write one or two additional articles of my previous series MAS (Malware Analysis Series) to finish it off.
10. https://exploitreversing.com/2024/01/03/exploiting-reversing-er-series-article-02/
09. https://exploitreversing.com/2023/04/11/exploiting-reversing-er-series/
08. https://exploitreversing.com/2024/08/07/malware-analysis-series-mas-article-08/
07. https://exploitreversing.com/2023/01/05/malware-analysis-series-mas-article-7/
06. https://exploitreversing.com/2022/11/24/malware-analysis-series-mas-article-6/
05. https://exploitreversing.com/2022/09/14/malware-analysis-series-mas-article-5/
04. https://exploitreversing.com/2022/05/12/malware-analysis-series-mas-article-4/
03. https://exploitreversing.com/2022/05/05/malware-analysis-series-mas-article-3/
02. https://exploitreversing.com/2022/02/03/malware-analysis-series-mas-article-2/
01. https://exploitreversing.com/2021/12/03/malware-analysis-series-mas-article-1/
#windows #idapro #kerneldrivers #kernel #infosec #reversing #malwareanalysis #vulnerability #securecode
To date I've already written 644 pages to help the security community and, hopefully, more articles will be released in the coming months:
9. https://exploitreversing.com/2024/01/03/exploiting-reversing-er-series-article-02/
8. https://exploitreversing.com/2023/04/11/exploiting-reversing-er-series/
7. https://exploitreversing.com/2023/01/05/malware-analysis-series-mas-article-7/
6. https://exploitreversing.com/2022/11/24/malware-analysis-series-mas-article-6/
5. https://exploitreversing.com/2022/09/14/malware-analysis-series-mas-article-5/
4. https://exploitreversing.com/2022/05/12/malware-analysis-series-mas-article-4/
3. https://exploitreversing.com/2022/05/05/malware-analysis-series-mas-article-3/
2. https://exploitreversing.com/2022/02/03/malware-analysis-series-mas-article-2/
1. https://exploitreversing.com/2021/12/03/malware-analysis-series-mas-article-1/
#windows #idapro #kerneldrivers #kernel #infosec #reversing #malwareanalysis #vulnerability #securecode
The seventh article in the Malware Analysis Series (MAS) is available:
https://exploitreversing.com/2023/01/05/malware-analysis-series-mas-article-7/
Thank you ilfak and HexRaysSA for supporting me from the beginning of this project.
(re-post from Nov/24)
The sixth article in the Malware Analysis Series (MAS) is available:
https://exploitreversing.com/2022/11/24/malware-analysis-series-mas-article-6/
The C2 configuration extractor is slightly less trivial than expected.
Thank you @ilfak and @HexRaysSA for supporting and providing me with IDA Pro.
🦀 🧵 Rust reversing thread: Let's use panic metadata embedded inside Rust binaries to help us reverse engineer!
(If you prefer reading this thread as a blog post, you can read it here! Using panic metadata to recover source code information from Rust binaries - cxiao.net)
If you've ever looked inside the strings of a Rust binary, you may have noticed that many of these strings are paths to Rust source files (.rs extension). These are used when printing diagnostic messages when the program panics, such as the following message:
thread 'main' panicked at 'oh no!', src\main.rs:314:5
The above message includes both a source file path src\main.rs, as well as the exact line and column in the source code where the panic occurred. All of this information is embedded in Rust binaries by default, and is recoverable statically!
Examining these can be useful in separating user from library code, as well as in understanding functionality. This is especially nice because Rust's standard library and the majority of third-party Rust libraries are open-source, so you can use the panic strings to find the relevant location in the source code, and use that to aid in reversing.
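The recovery described in this thread can be scripted. The following is an added example, not code from the thread's author or from cxiao.net: it scans raw bytes for path-shaped tokens ending in `.rs` and sorts them into rustc's bundled library sources (`/rustc/<hash>/library/...`), cargo dependencies (`.cargo/registry/src/...` or `.cargo/git/checkouts/...`) and everything else, which is usually the author's own code. Because Rust string literals carry no NUL terminator, neighbouring literals in `.rodata` run together in plain `strings` output; matching on the path shape rather than on whole printable runs sidesteps most of that. The `SAMPLE` bytes are constructed for the demonstration (placeholder commit hash, placeholder index directory and crate names), and the whole thing is a heuristic rather than a parser of panic `Location` structures.

```python
import re
import sys
from typing import Dict, List, Optional

# Path-shaped token ending in ".rs". Works on raw bytes so that a path glued to
# the next string literal (no NUL between them) is still cut at ".rs".
RS_PATH_RE = re.compile(rb"(?:[A-Za-z]:\\|/)?(?:[\w.\-@+]+[\\/])*[\w.\-]+\.rs")

# Constructed sample: a few byte runs shaped like a Rust binary's .rodata.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/rustc/0123456789abcdef0123456789abcdef01234567/library/core/src/option.rs"
    + b"called `Option::unwrap()` on a `None` value"   # adjacent literal, no NUL
    + b"\x00\x00"
    + b"/home/dev/.cargo/registry/src/index.crates.io-0000000000000000/serde-1.0.197/src/de/mod.rs"
    + b"\xff\x10"
    + b"C:\\Users\\dev\\.cargo\\git\\checkouts\\mycrate-0000000000000000\\abcdef0\\src\\lib.rs"
    + b"\x00"
    + b"src\\main.rs" + b"oh no!"                         # user code, glued to a panic message
)


def extract_rs_paths(blob: bytes) -> List[str]:
    """Return unique Rust source paths found in `blob`, in first-seen order."""
    seen, out = set(), []
    for m in RS_PATH_RE.finditer(blob):
        p = m.group(0).decode("ascii", errors="replace")
        if p not in seen:
            seen.add(p)
            out.append(p)
    return out


def _parts(path: str) -> List[str]:
    return path.replace("\\", "/").split("/")


def classify(path: str) -> str:
    """'std' for rustc's bundled library, 'crate' for cargo deps, else 'user'."""
    parts = _parts(path)
    if "rustc" in parts and "library" in parts:
        return "std"
    if ".cargo" in parts and ("registry" in parts or "git" in parts):
        return "crate"
    return "user"


def origin(path: str) -> Optional[str]:
    """Name the std crate or the dependency directory (name-version) a path
    belongs to; None for user code."""
    parts = _parts(path)
    kind = classify(path)
    if kind == "std":
        i = parts.index("library")                   # /rustc/<hash>/library/<crate>/...
        return parts[i + 1] if i + 1 < len(parts) else None
    if kind == "crate":
        if "registry" in parts:                      # .cargo/registry/src/<index>/<crate-ver>/...
            i = parts.index("registry")
            return parts[i + 3] if i + 3 < len(parts) else None
        i = parts.index("checkouts")                 # .cargo/git/checkouts/<repo-hash>/<rev>/...
        return parts[i + 1] if i + 1 < len(parts) else None
    return None


def summarize(blob: bytes) -> Dict[str, object]:
    """Group recovered paths: std and crate paths keyed by origin, user paths as a list."""
    std: Dict[str, List[str]] = {}
    crate: Dict[str, List[str]] = {}
    user: List[str] = []
    for p in extract_rs_paths(blob):
        kind = classify(p)
        if kind == "user":
            user.append(p)
        else:
            (std if kind == "std" else crate).setdefault(origin(p) or "?", []).append(p)
    return {"std": std, "crate": crate, "user": user}


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = summarize(data)
    for kind in ("std", "crate"):
        for name, paths in sorted(report[kind].items()):
            print(f"[{kind}] {name}: {len(paths)} path(s)")
    for p in report["user"]:
        print(f"[user] {p}")
```

Run it against a stripped Rust binary and the `[user]` lines are the candidates for the author's own modules, while the `[crate]` names tell you which open-source dependency (and version) to open alongside the disassembly.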
Starting a small thread of malware analysis tools for those times when you NEED INDICATORS YESTERDAY, i.e., tools I have used that are easy to use and give good leads for further analysis with minimal effort.
First: GarbageMan for .NET binaries, from WithSecure Labs: https://labs.withsecure.com/tools/garbageman
This tool displays the values of objects and relationships between objects inside the .NET runtime’s managed heap memory. It can either work off a memory dump file, or snapshot a running process at regular intervals. It also captures stack traces, and a list of loaded assemblies.
I have done all of the following with it:
Look at all System.Byte[] objects and grab those with values that have the PE headers at the beginning. There’s actually a built in menu option for this (along with tons of other useful searches, such as just grabbing everything that looks remotely like a URL)
Look for “interesting” object types like HttpWebRequest or anything under System.Security.Cryptography, and look at the parents or children of those objects to either find plain text indicators, or to get an idea of how indicators are obfuscated / encrypted
Snapshot a process every 20ms, and look at the list of loaded assemblies in each snapshot to see if / when the binary starts delivering another payload assembly.
Use as a very rough tracing tool by snapshotting at regular intervals, and seeing how the stack trace changes for each snapshot.
Also it persists all of the values of parsed objects to a plain SQLite database, so you can just do arbitrary SQL queries on the results as well. I haven’t even begun exploring this yet.
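The first item in the list above (byte arrays that start with a PE header) is easy to reproduce outside the tool when all you have is an export of heap objects. The following is an added example, not GarbageMan's own code and not tied to its database schema: it checks a byte blob for more than the two `MZ` bytes (the `e_lfanew` pointer must land inside the buffer on a `PE\0\0` signature), reads machine type, section count and the DLL flag from the COFF header, and reports whether the CLR runtime header (data directory 14) is populated, which is what marks a .NET image. The `(object_id, bytes)` list and the `_fake_pe` header-only blobs are constructed for the demonstration and are not executable images.

```python
import struct
from typing import Dict, Iterable, List, Optional, Tuple

IMAGE_FILE_DLL = 0x2000
MACHINES = {0x014C: "i386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}


def parse_pe_header(buf: bytes) -> Optional[Dict[str, object]]:
    """Return basic facts if `buf` starts with a plausible PE image, else None."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    # PE signature (4 bytes) + COFF file header (20 bytes) must fit in the buffer.
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine, nsections, _ts, _symptr, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    info: Dict[str, object] = {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_dotnet": False,
    }
    # Data directories start at +96 (PE32, magic 0x10B) or +112 (PE32+, 0x20B)
    # of the optional header; entry 14 is the CLR runtime header.
    if opt_size >= 2 and opt + opt_size <= len(buf):
        magic = struct.unpack_from("<H", buf, opt)[0]
        dd_base = {0x10B: 96, 0x20B: 112}.get(magic)
        if dd_base is not None:
            clr = opt + dd_base + 14 * 8
            if clr + 8 <= opt + opt_size:
                va, size = struct.unpack_from("<II", buf, clr)
                info["is_dotnet"] = va != 0 and size != 0
    return info


def find_embedded_pe(objects: Iterable[Tuple[int, bytes]]) -> List[Tuple[int, Dict[str, object]]]:
    """Filter (object_id, bytes) pairs down to the ones that look like PE images."""
    hits = []
    for oid, data in objects:
        info = parse_pe_header(data)
        if info is not None:
            hits.append((oid, info))
    return hits


def _fake_pe(pe32plus: bool = True, dotnet: bool = True, machine: int = 0x8664) -> bytes:
    """Constructed header-only blob (DOS stub + COFF + optional header), not runnable code."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224              # standard sizes for PE32+ / PE32
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, opt_size, 0x2022)  # DLL flag set
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    if dotnet:
        struct.pack_into("<II", opt, (112 if pe32plus else 96) + 14 * 8, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed stand-in for an export of System.Byte[] values from a heap dump.
SAMPLE_OBJECTS = [
    (0x1001, b"MZ" + b"A" * 80),                                   # text that merely starts with MZ
    (0x1002, b"https://example.invalid/stage2"),                    # a URL, not an image
    (0x1003, _fake_pe()),                                           # .NET PE32+ DLL
    (0x1004, _fake_pe(pe32plus=False, dotnet=False, machine=0x014C)),  # native-looking PE32
]

if __name__ == "__main__":
    for oid, info in find_embedded_pe(SAMPLE_OBJECTS):
        print(f"object {oid:#x}: {info}")
```

The e_lfanew and signature checks are what keep a byte array that happens to begin with the text "MZ" out of the results; the CLR directory check separates a dropped managed assembly from a native payload so the right next tool is picked.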