I’m excited to announce that my first Pluralsight course Analyzing Malware for .NET and Java Binaries is now live! You can find the course at the following URL – http://www.pluralsight.com/courses/dotnet-java-binaries-analyzing-malware. The ability to quickly analyze software is a critical skill for anyone handling malware. This course will teach you techniques for reverse engineering Java and .NET binaries, how to generate indicators of compromise and get hands on with malware.
Read moreCategory: malware
Hack-in-the-Box Amsterdam 2018
Heading home from another great week at Hack-In-The-Box in Amsterdam. I had the opportunity to present on malicious office documents in the COMMSEC track, you can find my slides at the HITB site: https://conference.hitb.org/hitbsecconf2018ams/sessions/commsec-still-breaching-your-perimeter-a-deep-dive-into-malicious-documents/ or here https://0xevilc0de.com/cons/2018/hitb_ams/2018_HITB_AMS.pdf I’ll post the video when it’s available. Looking forward to next year!
Read moreDebugging a 32 or 64-bit DLL with WinDbg
Debugging a DLL is not quite as straight forward as an executable, since you have to use rundll32 to load it and invoke DllMain. This is a brief posting discussing how to load a 64-bit DLL and break on DllMain, the sample I am using is Dridex and can be found on VirusTotal.
Read moreReading List
Here is a list of several texts that I have found to be indispensable. Software Security The Art of Software Security Assessment (2 Volumes)Mark Dowd, John McDonald, Justin Schuh978-0-321-44442-4
Read moreLocating DLL Name from the Process Environment Block (PEB)
I often encounter software, especially when performing malware analysis, that dynamically constructs it’s own import table. This can be done for a variety of reasons and in a variety of ways. In this article, we’ll explore one method I recently encountered. I typically become suspicious of this activity when I see the following assembly instructions: mov ebx, fs:[ 0x30 ] mov ebx, [ ebx + 0xC ] mov ebx, [ ebx + 0x14] mov esi, [ ebx + 0x28 ]
Read more