A Blog about Malware Analysis and Reverse Engineering

In this video we’ll take a look at several basic looping structures in a C program, compile from source and reverse them using Ghidra. Our goals will be to analyze the resulting program flow using both the listing view (disassembly) and the decompiler, identify key logic and discuss the underlying assembly instructions. Understanding basic control…

In this video we’ll take a look at several sample programs that use C++ objects, compile them from source and then reverse engineer them with Ghidra. Our goals will be to identify when the objects are created, recognize the size/structure of the memory allocation and how it’s used by the object and explore the use…

In this video we’ll take a look at several sample programs that use C++ objects, compile them from source and then reverse engineer them with Ghidra. Our goals will be to identify the size/structure of the memory allocation and how it’s used by the object and explore the use of virtual functions and virtual function…

With the recent resurgence of the use of Excel 4 macros in malicious excel documents, I’ve found myself scouring the internet looking for language references. One such function that was particularly difficult to find documentation for was Get.Workspace, which takes a integer value as an argument and returns information about the environment. Since it appears…

Occasionally I’ll encounter a maldoc that has a password-protected VBA project. While tools such as oledump may still extract the macros, the password protection is typically encountered when accessing the project through the Office/VBA IDE (which I typically use for dynamic analysis). This happens rare enough that I often forget the steps of removing the…

Behavioral information is a key indicator used to determine if an office document is malicious or not. I’ve recently seen a series of malicious office documents that lacked any observable process behavior – such as the execution of Powershell or JavaScript via cscript/wscript. As I began looking into this document, it became apparent why –…

A favorite technique by malware authors is to use macros in their office documents to utilize a normal system executable and replace the code inside, a technique known as “process hollowing”. The primary goal of this post is to identify this technique and understand how it is employed. I’ve also posted a video that walks…

Malware authors are constantly coming up with new and clever techniques to help avoid detection. In this maldoc, the authors employed several techniques to help complicate analysis and even evade sandboxes. The document begins with an image that instructs the user to enable content, which will cause the macros to execute. However, instead of immediately…

If you’re seeing DNS queries for teredo.ipv6.microsoft.com you may be interested in disabling it (more at MSDN and WikiPedia). On Windows 7, you can run the following command from an elevated/administrator command prompt and say good bye!