Microsoft office documents are a common vehicle used by malware authors to deliver malware. These documents, used for malicious purposes, are commonly referred to as maldocs. While there has been a variety of ways in which they have been used, one of the more prevalent is through the use of macros. Macros are written in Visual Basic for Applications (VBA), which is well documented on the Microsoft Developer Network (MSDN). This API allows malware authors to hook into life-cycle events of a document, such as AutoOpen, AutoClose and AutoExit (MSDN) in order to achieve code execution with minimal interaction from…
Read moreCategory: malware
ToorCon XX
I had the opportunity to give a talk on malware obfuscation techniques this weekend at ToorCon XX, my talk was titled “Following a Trail of Confusion”. Here is the abstract: Modern malware uses a wide variety of code obfuscation techniques to hide it’s true intentions and to avoid detection. In this talk, we’ll explore the latest in native code obfuscation techniques as well as a few techniques commonly used with interpreted languages. We will spend time discussing such methods as dynamically constructing import tables, hiding and using shellcode, packing, string obfuscation, use of virtual machines and other anti-analysis techniques. We’ll…
Read moreFirst Pluralsight course now live!
I’m excited to announce that my first Pluralsight course Analyzing Malware for .NET and Java Binaries is now live! You can find the course at the following URL – http://www.pluralsight.com/courses/dotnet-java-binaries-analyzing-malware. The ability to quickly analyze software is a critical skill for anyone handling malware. This course will teach you techniques for reverse engineering Java and .NET binaries, how to generate indicators of compromise and get hands on with malware.
Read moreHack-in-the-Box Amsterdam 2018
Heading home from another great week at Hack-In-The-Box in Amsterdam. I had the opportunity to present on malicious office documents in the COMMSEC track, you can find my slides at the HITB site: https://conference.hitb.org/hitbsecconf2018ams/sessions/commsec-still-breaching-your-perimeter-a-deep-dive-into-malicious-documents/ or here https://0xevilc0de.com/cons/2018/hitb_ams/2018_HITB_AMS.pdf I’ll post the video when it’s available. Looking forward to next year!
Read moreDebugging a 64-bit DLL
Debugging a DLL is not quite as straight forward as an executable, since you have to use rundll32 to load it and invoke DllMain. This is a brief posting discussing how to load a 64-bit DLL and break on DllMain, the sample I am using is Dridex and can be found on VirusTotal.
Read more