Reversing Data Structures with Ghidra: Structures

In this video we’ll take a look at a couple of different structures in a C program, compile from source and reverse them using Ghidra. Our goals will be to analyze the resulting structures using both the listing view (disassembly) and the decompiler, identify member usage, overall size and element size. We’ll also discuss the different between using the stack and heap for structure memory as well as explore padding and it’s impact on overall structure size. I’ll also discuss some inconsistencies with Ghidra output. A discussion on reversing arrays can be found at: https://youtu.be/eNxckomOing The source code for the…

Read more

Reversing Data Structures with Ghidra: Arrays

In this video we’ll take a look at several different arrays in a C program, compile from source and reverse them using Ghidra. Our goals will be to analyze the resulting program flow using both the listing view (disassembly) and the decompiler, identify array usage, overall size and element size. I’ll also discuss some inconsistencies with Ghidra output, how to identify and how to correct. The source code for the sample program can be found on my Github:https://github.com/jstrosch/learning-reverse-engineering/tree/master/Control%20Structures

Read more

Maldoc uses template injection for macro execution

I recently came across a handful of malicious office documents (maldocs) whose network traffic struck me as a slightly odd. As you can see in the screenshot below, there are several HTTP requests to the hxxp://moveis-schuster-com.[ga] domain and some of these requests appear to be for a DOTM file. A DOTM file is a macro-enabled office template file, so I dug in a bit more. As is typical in my workflow, I first inspected the document using oledump – no macros. This is no surprise as the HTTP traffic would indicate that the macros come later. My next step was…

Read more

Reversing Control Structures with Ghidra: Loops

In this video we’ll take a look at several basic looping structures in a C program, compile from source and reverse them using Ghidra. Our goals will be to analyze the resulting program flow using both the listing view (disassembly) and the decompiler, identify key logic and discuss the underlying assembly instructions. Understanding basic control structures is one of the first steps in developing key reverse engineering skills. The source code for the sample program can be found on my Github: https://github.com/jstrosch/learning-reverse-engineering/tree/master/Control%20Structures

Read more

Getting Started Reversing C++ Objects with Ghidra (Part 1)

In this video we’ll take a look at several sample programs that use C++ objects, compile them from source and then reverse engineer them with Ghidra. Our goals will be to identify when the objects are created, recognize the size/structure of the memory allocation and how it’s used by the object and explore the use of virtual functions and virtual function tables. Recognizing the use of C++ objects is helpful a variety of reverse engineering activities, to include malware analysis and software exploitation. This will be the first in a series of videos exploring the reverse engineering of object-oriented languages….

Read more