Reversing Control Structures with Ghidra: Loops

In this video we’ll take a look at several basic looping structures in a C program, compile from source and reverse them using Ghidra. Our goals will be to analyze the resulting program flow using both the listing view (disassembly) and the decompiler, identify key logic and discuss the underlying assembly instructions. Understanding basic control structures is one of the first steps in developing key reverse engineering skills. The source code for the sample program can be found on my Github: https://github.com/jstrosch/learning-reverse-engineering/tree/master/Control%20Structures

Getting Started Reversing C++ Objects with Ghidra (Part 1)

In this video we’ll take a look at several sample programs that use C++ objects, compile them from source and then reverse engineer them with Ghidra. Our goals will be to identify when the objects are created, recognize the size/structure of the memory allocation and how it’s used by the object, and explore the use of virtual functions and virtual function tables. Recognizing the use of C++ objects is helpful in a variety of reverse engineering activities, including malware analysis and software exploitation. This will be the first in a series of videos exploring the reverse engineering of object-oriented languages…

Reversing Basic C++ Objects with Ghidra: Inheritance and Polymorphism (Part 2)

In this video we’ll take a look at several sample programs that use C++ objects, compile them from source and then reverse engineer them with Ghidra. Our goals will be to identify the size/structure of the memory allocation and how it’s used by the object, and explore the use of virtual functions and virtual function tables, inheritance and polymorphic behavior. Recognizing the use of C++ objects is helpful in a variety of reverse engineering activities, including malware analysis and software exploitation. This is the second video in a series exploring the reverse engineering of object-oriented languages. Source code can be…

Malware Analysis – Triaging Emotet (Fall 2019)

This is a summary of initial (triage) analysis of Emotet droppers and the associated network traffic from the fall of 2019. This write-up provides the tools/techniques for assessing the malicious samples and gathering initial indicators of compromise (IOCs). While Emotet will certainly continue to evolve, the approach outlined here will provide a solid foundation for anyone looking to continue to analyze Emotet (or similar). Please Click Enable Content: Since resuming operations in September 2019, Emotet has not failed in regaining a foothold as a dominant botnet.[1] To accomplish this, Emotet regularly utilizes macro-enabled Microsoft Office documents to retrieve and drop…

Analyzing Malicious Office Documents with OLEDUMP

Microsoft Office documents are a common vehicle used by malware authors to deliver malware. Documents used for malicious purposes are commonly referred to as maldocs. While they have been abused in a variety of ways, one of the more prevalent is through the use of macros. Macros are written in Visual Basic for Applications (VBA), which is well documented on the Microsoft Developer Network (MSDN). This API allows malware authors to hook into life-cycle events of a document, such as AutoOpen, AutoClose and AutoExit (MSDN), in order to achieve code execution with minimal interaction from…
