
Reversing


Malware Analysis Tutorials: a Reverse Engineering Approach - Contents (translated by Prosper-H, coldfire, ximera). Corkami - reverse engineering experiments and documentations. About Corkami - sources & PoCs - posters - order prints. 2015/01/21 PNG Merge, a script to store several images in the same PNG. 2014/01/28 Preserving arcade games. 2014/01/29 Funky file formats: I covered enough formats to get a complete calendar! Mini 2014/07/30-2014/12/01 mini binary posters with black background: ELF/PE/DEX/Mach-O/Class/COM/DOL, TAR/GZ/BZ2/ZIP/RAR, BMP/PNG/GIF/JPG/TIF/TGA/XBM/PPM/PGM, x86/x64, PDF, SWF, WAV. 101 walkthroughs: WAV101 (2014/01/08). Happy new year! Overview 2014/05/17 PDF Secrets - hiding and revealing secrets in PDF documents. More... for more information, check the (old) blog map and the downloads tab. PoCs links: Funky File Formats PoCs, PE, CorkaMiX, mini-posters' Chimeras (polyglots sharing data), PoC||GTFO SNES/Megadrive/PDF, NSF/PDF with Gynvael Coldwind, Schizophrenic files.

Unwind/unwind at master · evanw/unwind. SWF Investigator / Code / [r11] SWF Investigator | Flash security. Recent Updates May 22, 2013 — Preview 5 of the SWF Investigator is now available. This adds support for new SWF tags and contains bug fixes. Download SWF Investigator Preview 5 Perform quick, comprehensive, analysis of SWF applications Adobe® SWF Investigator is the only comprehensive, cross-platform, GUI-based set of tools, which enables quality engineers, developers and security researchers to quickly analyze SWF files to improve the quality and security of their applications. With SWF Investigator, you can perform both static and dynamic analysis of SWF applications with just one toolset. SWF Investigator lets you quickly inspect every aspect of a SWF file from viewing the individual bits all the way through to dynamically interacting with a running SWF. SWF Investigator Features From a static perspective, you can disassemble ActionScript 2 (AS2) and ActionScript 3 (AS3) SWFs, view SWF tags and make binary changes to SWF files.

Additional Benefits. Getting Started. Community Online Forum. VERA - Cyber Security Research. Java_opcodes.pdf - corkami - JVM opcodes - reverse engineering experiments and documentations. Jsunpack-n - A generic JavaScript unpacker. Jsunpack-n emulates browser functionality when visiting a URL. Its purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input: PDF files - samples/sample-pdf.file; Packet Captures - samples/sample-http-exploit.pcap; HTML files; JavaScript files; SWF files. This project contains the source code which runs at the website Users can upload files, or enter script contents and URLs to decode.

If you choose to install jsunpack-n on your own system, you can run it with the following command to fetch and decode a URL: $ . Optionally, you can specify the -a option, which fetches further decoded URLs or paths. . $ . Other samples of malicious files exist within the samples directory. One common problem when running jsunpack-n is that there is no output. Py2exe-extract - Extract python code_objects from executable file. Peepdf - PDF Analysis Tool | eternal-todo.com. What is this? Usage. How does it work? More info. Google code project. Download it! Follow peepdf on Twitter! What is this? Peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to do all the tasks.

Usage
Usage: .
Options:
  -h, --help         show this help message and exit
  -i, --interactive  Sets console mode.
.
$ .
PPDF> help
Documented commands (type help <topic>):
========================================
bytes           errors       js_eval           open          sctest
changelog       exit         js_join           quit          search
create          filters      js_unescape       rawobject     set
decode          hash         log               rawstream     show
decrypt         help         malformed_output  references    stream
embed           info         metadata          replace       tree
encode          js_analyse   modify            reset         vtcheck
encode_strings  js_beautify  object            save          xor
encrypt         js_code      offsets           save_version  xor_search

Index. How does it work?

How can I execute the tool? $ . $ . $ . PPDF> tree. [Python] ttfFromDocx. PDF Tools. I produced screencasts for my pdfid and pdf-parser tools; you can find them on the Didier Stevens Labs products page. There are translations of this page, see bottom. pdf-parser.py This tool will parse a PDF document to identify the fundamental elements used in the analyzed file. It will not render a PDF document. You can see the parser in action in this screencast. The stats option displays statistics of the objects found in the PDF document.

The search option searches for a string in indirect objects (not inside the stream of indirect objects). The filter option applies the filter(s) to the stream. The raw option makes pdf-parser output raw data (i.e. not the printable Python representation). objects outputs the data of the indirect object whose ID was specified. Reference allows you to select all objects referencing the specified indirect object. Type allows you to select all objects of a given type. Make-pdf-embedded.py creates a PDF file with an embedded file. Download: PDFTemplate.zip (https). Static analysis of a CVE-2011-2462 PDF exploit | eternal-todo.com. CVE-2011-2462 was published more than one month ago. It's a memory corruption vulnerability related to U3D objects in Adobe Reader and it affected all the latest versions from Adobe (<=9.4.6 and <=10.1.1).

It was discovered while it was being actively exploited in the wild, as some analyses say. Adobe released a patch for it 10 days after its publication. I'm going to analyse a PDF file exploiting this vulnerability with peepdf to show some of the new commands and functions in action. As usual, a first look at the information of the file: I've highlighted the interesting information of the info command: one error while parsing the document, one object (15) containing JavaScript code, one object (4) containing two ways of executing elements (/AcroForm, /OpenAction) and one U3D object (10), suspicious for its known vulnerabilities, apart from the latest one.

So we have several objects to explore; let's start from the /AcroForm element (object 4): So we take a look at page 3 of the document: Radare. And finally... Bokken 1.5. Now that the development has finished, radare2 0.9 has been released and the project site has been updated, the moment has arrived: Bokken 1.5 is here! Take a look at the previous post to read about some of the new features of this release and keep reading to see most of them in detail; for the rest... install Bokken and enjoy them!

As mentioned before, one of the most important features added is the support of radare2 as backend. So now Bokken can work with either Pyew or Radare, each one having its own advantages and drawbacks. Most of the development efforts for this release have gone into improving the GUI in order to make it cleaner and easier to use. The disassembly view has gained in interactivity, and now it features, among others: code navigation by clicking on functions, basic blocks, addresses, section names, etc.; adding comments, viewing and following xrefs, or viewing opcode information by right-clicking on a code line.

Other plugins added are: bokken-devel at inguma.eu. Windows Disassembler. Download PEBrowse64 Professional for Vista64, Windows 7 (64-bit) and Windows 8 (64-bit): MSI file, 1,193 KB, SHA256: 65ebc51dcf3ed5d184dfce2d8d2777c3a861206c6cc940ab5625b06bd43e9195. PEBrowse Professional for all versions of Windows: ZIP file, 1,665 KB, SHA256: 6465a1585938327cc03569785aca0b6a74ef7599425dbb006bc81eec4c3d4fc6. PEBrowse64 Professional (v5.2) is a 64-bit executable and requires the .NET framework.

It will display both Win32 and Win64 executables, native, managed and mixed. PEBrowse Professional (v10.1.4) is a static-analysis tool and disassembler for Win32/Win64 executables and Microsoft .NET assemblies. With the PEBrowse disassembler, one can open and examine any executable without the need to have it loaded as part of an active process with a debugger.

Applications, system DLLs, device drivers and Microsoft .NET assemblies are all candidates for offline analysis using either PEBrowse program. Screenshot of PEBrowse64 Professional: Download PEBrowse64 Professional. IDA: About. What is IDA all about? IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all. Just grab an evaluation version if you want a test drive. An executive summary is provided for the non-technical user. Getting IDA: IDA is available for many platforms, and can be licensed under different terms. Support & Community: We have placed a sensible amount of support links and documentation online that can be valuable both to new and advanced users. Additionally, our user board is a valuable source of hints and tips for the IDA Disassembler.

Technical Documentation Intro to the IDA Debugger. Screenshots. IDA + gdb remote debugging. In part 2 of this series we found a SQL injection vulnerability using static analysis. However, it is often advantageous to debug a target application, a capability that we’ll need when working with more complex exploits later on. In this segment we won’t be discovering any new vulnerabilities, but instead we will focus on configuring and using our debugging environment. For this we will be using Qemu and the IDA Pro debugger. If you don’t have IDA you can use insight/ddd/gdb instead, but in my experience IDA is far superior when it comes to embedded debugging.

Our target binaries from the TEW-654TR are little endian MIPS, so we need an emulator in order to run them on our host system. Qemu is the emulator of choice here, as it supports many different architectures and allows you to run an entire system or just a single executable. We will be doing the latter. eve@eve:~/qemu$ . Hey! If REQUEST_METHOD is set to “GET”, then the CGI script immediately exits. . #! Next, let’s set a breakpoint.

BinDiff. Zynamics BinDiff uses a unique graph-theoretical approach to compare executables by identifying identical and similar functions. Description: BinDiff is a comparison tool for binary files that assists vulnerability researchers and engineers to quickly find differences and similarities in disassembled code. With BinDiff you can identify and isolate fixes for vulnerabilities in vendor-supplied patches. You can also port symbols and comments between disassemblies of multiple versions of the same binary, or use BinDiff to gather evidence for code theft or patent infringement. Screenshots. Screenshot 1: Changed functions are displayed in an easy-to-understand symmetric layout. Screenshot 2: Changes in instructions are shown in yellow, new instructions are shown in red. Screenshot 3: Linear disassembly style.

DarunGrim: A Patch Analysis and Binary Diffing Tool. Darun-grim-script -- scriptable version of DarunGrim3. Binwalk - Firmware Analysis Tool. As of 2013-11-15, binwalk is no longer maintained on GoogleCode. The code repository has moved to and all future releases and updates will be posted at binwalk.org. The GoogleCode repository remains for historical purposes only. Binwalk is a firmware analysis tool designed to assist in the analysis, extraction, and reverse engineering of firmware images and other binary blobs. It is simple to use, fully scriptable, and can be easily extended via custom signatures, extraction rules, and plugin modules. Binwalk supports various types of analysis useful for inspecting and reverse engineering firmware, including: embedded file identification and extraction; executable code identification; type casting; entropy analysis and graphing; heuristic data analysis; "smart" strings analysis. See the screenshots page for sample usage and output.

Important bugfix release - Version 1.2.2-1 fixes bugs which, in some scenarios, would cause binwalk to miss file signatures. PEdump. NtQuery/Scylla. [android] wuntee/otertool - GitHub. Powered by Google Docs. NETZOB: A Protocol Reverse Engineering Tool. Hyperdbg - A kernel debugger that leverages hardware-assisted virtualization. Free .NET decompiler :: JetBrains dotPeek. CODEGATE 2012 Prob #1 - /var/log/smokedchicken.log. I've lost my source code! Fortunately, I have a test program. But the test program is not perfect. Please, I need your help. We are given an archive 49F69C55C47B4AA87059F3EEF391F5A7 containing an ASProtect-packed executable with a password-protected ZIP archive inside. Let's unpack ASProtect. We load it into Olly; at the entry point we see the ASProtect startup code: We set a breakpoint on GetProcAddress and a hardware breakpoint on execution at 00401000. We skip the first two calls, which obtain the addresses of VirtualAlloc / VirtualFree. Stepping out of GetProcAddress, we land in the loop that fills in the addresses: EDI = 0045D104 points to part of the IAT.

And we get the first chunk of imports: We restore the breakpoint on GetProcAddress and land in the code that builds the second chunk of imports: After stopping at 00457EC9 we get the second chunk: Next the third chunk of imports is built, but it is smeared across a tangle of jumps and calls that obtain the addresses of helper functions. One address has been eaten by ASProtect; we follow 0044BC38: Obviously, this is a stub that forwards to GetProcAddress.