Hack-in-the-Box Amsterdam 2018

Heading home from another great week at Hack-In-The-Box in Amsterdam. I had the opportunity to present on malicious office documents in the COMMSEC track, you can find my slides at the HITB site: https://conference.hitb.org/hitbsecconf2018ams/sessions/commsec-still-breaching-your-perimeter-a-deep-dive-into-malicious-documents/ or here https://0xevilc0de.com/cons/2018/hitb_ams/2018_HITB_AMS.pdf I’ll post the video when it’s available. Looking forward to next year!

Read more

Locating DLL Name from the Process Environment Block (PEB)

I often encounter software, especially when performing malware analysis, that dynamically constructs it’s own import table. This can be done for a variety of reasons and in a variety of ways. In this article, we’ll explore one method I recently encountered. I typically become suspicious of this activity when I see the following assembly instructions: mov ebx, fs:[ 0x30 ] mov ebx, [ ebx + 0xC ] mov ebx, [ ebx + 0x14] mov esi, [ ebx + 0x28 ]

Read more