Heading home from another great week at Hack-In-The-Box in Amsterdam. I had the opportunity to present on malicious office documents in the COMMSEC track. You can find my slides at the HITB site: https://conference.hitb.org/hitbsecconf2018ams/sessions/commsec-still-breaching-your-perimeter-a-deep-dive-into-malicious-documents/ or here: https://0xevilc0de.com/cons/2018/hitb_ams/2018_HITB_AMS.pdf. I’ll post the video when it’s available. Looking forward to next year!
News
Debugging a 64-bit DLL
Debugging a DLL is not quite as straightforward as debugging an executable, since you have to use rundll32 to load it and invoke DllMain. This is a brief post discussing how to load a 64-bit DLL and break on DllMain. The sample I am using is Dridex and can be found on VirusTotal.
Reading List
Here is a list of several texts that I have found to be indispensable.
Software Security
The Art of Software Security Assessment (2 Volumes)
Mark Dowd, John McDonald, Justin Schuh
ISBN 978-0-321-44442-4
Locating DLL Name from the Process Environment Block (PEB)
I often encounter software, especially when performing malware analysis, that dynamically constructs its own import table. This can be done for a variety of reasons and in a variety of ways. In this article, we’ll explore one method I recently encountered. I typically become suspicious of this activity when I see the following assembly instructions:
mov ebx, fs:[ 0x30 ]
mov ebx, [ ebx + 0xC ]
mov ebx, [ ebx + 0x14 ]
mov esi, [ ebx + 0x28 ]
Exploring the Process Environment Block (PEB) with WinDbg
The source code for this example can be found here. The assembly is:
mov ebx, fs:[ 0x30 ]     ; // get a pointer to the PEB
mov ebx, [ ebx + 0x0C ]  ; // get PEB->Ldr
mov ebx, [ ebx + 0x1C ]  ; // PEB->Ldr.InInitializationOrderModuleList
mov ebx, [ ebx + 0x08 ]  ; // get the entry's base address