From Collaborative RCE Knowledge Library


Categorized by Knowledge Area


Item name: "Skype" Trojan Analysis
Rating: 0.0 (0 votes)
Author: Nicolas Brulez                        
Home URL: http://securitylabs.websense.com/
Last updated: January 2, 2007
Version (if appl.):
Direct D/L link: http://securitylabs.websense.com/content/Blogs/2642.aspx
Description: This blogpost shows how the author reversed a malware that was spreading through Skype.
The interesting parts are the decryption analysis and the IE injection analysis.
Also listed in: Windows Malware Analysis Articles



Item name: Binary Auditor Crackmes/Reversemes
Rating: 5.0 (1 vote)
Author: Dr. TS and REA                        
Home URL: http://www.binary-auditing.com
Last updated:
Version (if appl.): 1.001
Direct D/L link: Locally archived copy
Description: The archive of the now defunct binary-auditor website. As far as I know, this is the most recently uploaded compilation. Included in the archive is the beginner guide.
Also listed in: Generic Reversing Technique Crackmes, Windows Reversing Technique Crackmes



Item name: Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration
Rating: 5.0 (1 vote)
Author: Xeno Kovah                        
Home URL: http://opensecuritytraining.info/
Last updated: June 27, 2011
Version (if appl.):
Direct D/L link: http://opensecuritytraining.info/IntroX86.html
Description: This is a 2-day class that is freely available to watch. You can also take the materials and use them to teach your own classes.

--

Intel processors have been a major force in personal computing for more than 30 years. An understanding of low level computing mechanisms used in Intel chips as taught in this course serves as a foundation upon which to better understand other hardware, as well as many technical specialties such as reverse engineering, compiler design, operating system design, code optimization, and vulnerability exploitation.

25% of the time will be spent bootstrapping knowledge of fully OS-independent aspects of Intel architecture. 50% will be spent learning Windows tools and analysis of simple programs. The final 25% of time will be spent learning Linux tools for analysis.

This class serves as a foundation for the follow on Intermediate level x86 class. It teaches the basic concepts and describes the hardware that assembly code deals with. It also goes over many of the most common assembly instructions. Although x86 has hundreds of special purpose instructions, students will be shown it is possible to read most programs by knowing only around 20-30 instructions and their variations.

The instructor-led lab work will include:

* Stepping through a small program and watching the changes to the stack at each instruction (push, pop, call, ret (return), mov)
* Stepping through a slightly more complicated program (adds lea (load effective address), add, sub)
* Understanding the correspondence between C and assembly control transfer mechanisms (e.g. goto in C == jmp in asm)
* Understanding conditional control flow and how loops are translated from C to asm (conditional jumps, jge (jump greater than or equal), jle (jump less than or equal), ja (jump above), cmp (compare), test, etc.)
* Boolean logic (and, or, xor, not)
* Logical and Arithmetic bit shift instructions and the cases where each would be used (shl (logical shift left), shr (logical shift right), sal (arithmetic shift left), sar(arithmetic shift right))
* Signed and unsigned multiplication and division
* Special one-instruction loops and how C functions like memset or memcpy can be implemented in one instruction plus setup (rep stos (repeat store to string), rep mov (repeat mov))
* Misc instructions like leave and nop (no operation)
* Running examples in the Visual Studio debugger on Windows and the Gnu Debugger (GDB) on Linux
* The famous "binary bomb" lab from the Carnegie Mellon University computer architecture class, which requires the student to do basic reverse engineering to progress through the different phases of the bomb giving the correct input to avoid it “blowing up”. This will be an independent activity.


Knowledge of this material is a prerequisite for future classes such as Intermediate x86, Rootkits, Exploits, and Introduction to Reverse Engineering (all offered at http://opensecuritytraining.info/Training.html)
Also listed in: Generic Malware Analysis Articles, Generic Reversing Technique Tutorials, X86 Internals Tutorials



Item name: CoDe_ReMe solution
Rating: 4.0 (1 vote)
Author: NullPointerException (aka AttonRand)                        
Home URL: N/A
Last updated: March 23, 2010
Version (if appl.): N/A
Direct D/L link: Locally archived copy
Description: This tutorial describes how to solve CoDe_ReMe by CoDe_InSiDe.
document format.
Also listed in: Windows Reversing Technique Crackmes



Item name: Manual binary mangling with radare
Rating: 4.0 (1 vote)
Author: pancake                        
Home URL: http://rada.re/
Last updated: November 6, 2009
Version (if appl.):
Direct D/L link: http://phrack.org/issues/66/14.html
Description: 1 - Introduction
1.1 - The framework
1.2 - First steps
1.3 - Base conversions
1.4 - The target

2 - Injecting code in ELF
2.1 - Resolving register based branches
2.2 - Resizing data section
2.3 - Basics on code injection
2.4 - Mmap trampoline
2.4.1 - Call trampoline
2.4.2 - Extending trampolines

3 - Protections and manipulations
3.1 - Trashing the ELF header
3.2 - Source level watermarks
3.3 - Ciphering .data section
3.4 - Finding differences in binaries
3.5 - Removing library dependencies
3.6 - Syscall obfuscation
3.7 - Replacing library symbols
3.8 - Checksumming

4 - Playing with code references
4.1 - Finding xrefs
4.2 - Blind code references
4.3 - Graphing xrefs
4.4 - Randomizing xrefs

5 - Conclusion
6 - Future work
7 - References
8 - Greetings

"Reverse engineering is something usually related to w32 environments where
there is lot of non-free software and where the use of protections is more
extended to enforce evaluation time periods or protect intellectual (?)
property, using binary packing and code obfuscation techniques.

These kinds of protections are also used by viruses and worms to evade
anti-virus engines in order to detect sandboxes. This makes reverse
engineering a double-edged sword..."
Also listed in: Linux Anti Reversing Articles, Linux ELF Articles, Linux Internals Articles, Linux Protection Technique Articles, Linux Tool Articles



Item name: Silver Needle in the Skype
Rating: 4.0 (1 vote)
Author: Philippe Biondi, Fabrice Desclaux                        
Home URL: http://www.secdev.org
Last updated: March 2, 2006
Version (if appl.):
Direct D/L link: http://www.secdev.org/conf/skype_BHEU06.pdf
Description: Philippe Biondi and Fabrice Desclaux from EADS completely reversed Skype.
In 3 steps (binary analysis, network analysis, advanced Skype manipulation) they show you the beast and how cleverly it was designed. But it also shows negative points: a security policy with Skype is nearly impossible, it can be exploited as a botnet, and it is very difficult to monitor its traffic so as to tell the bad from the rest. A must read.
Also listed in: Generic Anti Reversing Articles, Generic Protection Technique Articles, Generic Unpacking Articles



Item name: Subverting Windows Embedded CE 6 Kernel
Rating: 4.0 (1 vote)
Author: Petr Matousek                        
Home URL: http://www.fnop.org
Last updated: July 1, 2008
Version (if appl.):
Direct D/L link: http://www.fnop.org/public/download/COSEINC/subverting_wince6.pdf
Description: In this talk, the author (ex-member of 29A) presents various ways to subvert Windows Embedded CE 6 kernel to hide certain objects from the user. Architecture and inner mechanisms of the Windows Embedded CE 6 kernel and comparison with Windows CE 5 kernel are discussed first, with a focus on memory management, process management, syscall handling, and security.

Next Petr explains the methods he used for hiding processes, files, and registry keys - mainly direct kernel object manipulation and hooking of handle- and non-handle-based syscalls, not only via apiset modifications but also using previously undocumented ways. The author also discusses ways to detect rootkits installed on the device. Fully functional prototype rootkits, detection programs and various monitoring utilities are presented and examined.
Also listed in: Windows Mobile Internals Articles



Item name: Practical malware analysis
Rating: 3.0 (1 vote)
Author: Kris Kendall, Chad McMillan                        
Home URL: http://www.mandiant.com/
Last updated: 2007
Version (if appl.):
Direct D/L link: http://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf
Description: This PDF from BlackHat'07 is interesting because it gets straight to the point; only essential information is included.
It briefly describes how to set up an environment, malware analysis on Windows, the difference between static and dynamic analysis, and a few quick words about armored malware (packing, encryption) as well as the tools to sort it out.
Also listed in: Windows Malware Analysis Articles



Item name: State Of Malware: Family Ties
Rating: 3.0 (1 vote)
Author: Ero Carrera & Peter Silberman                        
Home URL: http://www.mandiant.com/
Last updated: April 12, 2010
Version (if appl.):
Direct D/L link: https://media.blackhat.com/bh-eu-10/whitepapers/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-wp.pdf
Description: The two authors collected some of the most widespread malware on the net and studied it to cluster the samples into families and to find correlations between malware from different sources and with different goals.

They introduced a graph tool, BinCrowd, from Zynamics.
Also listed in: Windows Malware Analysis Articles



Item name: x86 Disassembly Using C and Assembly Language
Rating: 2.0 (1 vote)
Author: Wikimedia foundation                        
Home URL: http://www.wikibooks.org/
Last updated: January 14, 2008
Version (if appl.):
Direct D/L link: Locally archived copy
Description: About
This book is about the disassembly of x86 machine code into human-readable assembly, and the decompilation
of x86 assembly code into human-readable C or C++ source code. Some topics covered will be common to all
computer architectures, not just x86-compatible machines.

Coverage
This book is going to look in-depth at the disassembly and decompilation of x86 machine code and assembly
code. We are going to look at the way programs are made using assemblers and compilers, and examine the way
that assembly code is made from C or C++ source code. Using this knowledge, we will try to reverse the
process. By examining common structures, such as data and control structures, we can find patterns that enable
us to disassemble and decompile programs quickly.
Also listed in: Generic Reversing Technique Articles



Item name: A Journey to the Center of the Rustock.B Rootkit
Rating: 0.0 (0 votes)
Author: Frank Boldewin                        
Home URL: http://www.reconstructer.org
Last updated: January 20, 2007
Version (if appl.): 1.0
Direct D/L link: http://antirootkit.com/articles/A-Journey-to-the-Center-of-the-Rustock-B-Rootkit/index.htm
Description: "You try to look innocent, but what's behind the curtain? Whatever you hide or pretend will be detected - this is certain!" On 27th December 2006 I found a sample of the Rustock.B Rootkit at www.offensivecomputing.net, which was only sparsely analyzed at this time. I was keen to study its behaviour, as I’ve heard a lot of stories about this infamous Rootkit. Rustock included several techniques to obfuscate the driver which could be stumbling blocks for the researcher. Analyzing the binary was quite fun. Recalling the work I’ve done over the last few days, it is clear that Rustock is quite different from most other Rootkits I’ve seen in the past. It is not much because Rustock uses new techniques, but rather because it combines dozens of known tricks from other malware which makes it very effective.
Also listed in: Windows Malware Analysis Articles



Item name: Abusing Mach on Mac OS X
Rating: 0.0 (0 votes)
Author: nemo                        
Home URL: felinemenace.org
Last updated: May 2006
Version (if appl.):
Direct D/L link: http://uninformed.org/?v=4&a=3&t=txt
Description: "Abstract: This paper discusses the security implications of Mach being
integrated with the Mac OS X kernel. A few examples are used to illustrate how
Mach support can be used to bypass some of the BSD security features, such as
securelevel. Furthermore, examples are given that show how Mach functions can
be used to supplement the limited ptrace functionality included in Mac OS X.

Hello reader. I am writing this paper for two reasons. The first reason is to provide
some documentation on the Mach side of Mac OS X for people who are unfamiliar
with this and interested in looking into it. The second reason is to document my own
research, as I am fairly inexperienced with Mach programming. Because of this
fact, this paper may contain errors. If this is the case, please email me at
nemo@felinemenace.org and I will try to correct it."
Also listed in: Mac OS Internals Articles, Mac OS Tool Articles



Item name: Advanced MacOS X physical memory analysis
Rating: 0.0 (0 votes)
Author: Matthieu Suiche                        
Home URL: http://www.msuiche.net
Last updated: February 2010
Version (if appl.):
Direct D/L link: http://blackhat.com/presentations/bh-dc-10/Suiche_Matthieu/Blackhat-DC-2010-Advanced-Mac-OS-X-Physical-Memory-Analysis-wp.pdf
Description: In 2008 and 2009, the interest of companies and governments (e.g. law enforcement agencies) in Microsoft Windows physical memory analysis grew significantly. Now it is time to talk about Mac OS X. This paper introduces the basics of Mac OS X kernel internals regarding the management of processes, threads, files, system calls, kernel extensions and more. Moreover, it details how to initialize and perform a virtual-to-physical address translation under an x86 Mac OS X environment.
Also listed in: Mac OS Internals Articles



Item name: Advanced malware analysis lab
Rating: 0.0 (0 votes)
Author: Wes Brown                        
Home URL: http://www.ioactive.com/
Last updated: July 4, 2010
Version (if appl.):
Direct D/L link: http://conference.hitb.org/hitbsecconf2010ams/materials/D2T3%20-%20Wes%20Brown%20-%20Advanced%20Malware%20Analysis%20Lab.pdf
Description: Among the techniques reviewed will be memory inspection, debugging, hooking, as well as PE file examination. Techniques that malware use to avoid being inspected will be discussed along with ways to work around them. The malware workshop environment will also be walked through and each tool demonstrated so that the workshop attendee would leave with a good grasp of how and when to use them.
Also listed in: Linux Malware Analysis Articles, Windows Malware Analysis Articles



Item name: An Analysis of the iKee.B (Duh) iPhone Botnet
Rating: 0.0 (0 votes)
Author: Phillip Porras, Hassen Saidi & Vinod Yegneswaran                        
Home URL: http://mtc.sri.com
Last updated: December 14, 2009
Version (if appl.): 1.1
Direct D/L link: http://mtc.sri.com/iPhone/
Description: This article describes the major steps of the iKee.B analysis. This bot spread through jailbroken iPhone devices on which the original SSH password had been left unchanged.
Also listed in: IPhone Malware Analysis Articles



Item name: Android Reverse Engineering - A Kick Start
Rating: 0.0 (0 votes)
Author: Dhanesh                        
Home URL: http://securityxploded.com/android_reversing.php
Last updated: November 14, 2010
Version (if appl.):
Direct D/L link: N/A
Description: The title pretty much says it all, get started with Android reversing!

Highlights of the Article:
* Shows basic reversing of Android with a simple crackme example
* Explains the tools required for Android reversing and how to use them in the right sequence
* Describes in detail how to dissect the Android code package to reveal its secrets
Also listed in: Android Reversing Technique Articles, Android Reversing Technique Tutorials



Item name: Anti-Anti Dump and Nonintrusive Tracers
Rating: 0.0 (0 votes)
Author: deroko                        
Home URL: http://www.accessroot.com/
Last updated:
Version (if appl.):
Direct D/L link: http://www.accessroot.com/arteam/site/download.php?view.10
Description: "A novel method to manage new anti-dump buffer-based protections used by latest protectors as AsProtect SKE, Armadillo etc (sources included)"
Also listed in: Windows Anti Reversing Articles, Windows Internals Articles, Windows Unpacking Articles



Item name: Anti-debugging trick: ZwSetInformationThread with ThreadHideFromDebugger
Rating: 0.0 (0 votes)
Author: jstorme                        
Home URL: http://www.woodmann.com/forum/showthread.php?t=13438
Last updated: February 23, 2010
Version (if appl.):
Direct D/L link: N/A
Description: The function ZwSetInformationThread can be called with the ThreadHideFromDebugger information class to prevent any debugger attached to a thread from receiving exceptions raised by that thread.
Also listed in: Windows Anti Reversing Tidbits



Item name: Basic OSX cracking
Rating: 0.0 (0 votes)
Author: ProZaq                        
Home URL: N/A
Last updated: 2006
Version (if appl.):
Direct D/L link: Locally archived copy
Description: "So here it is, a whole new OS. Your favorite tools are useless (with the exception of HexEdit) and you don't know where to begin. Although this tutorial will go through the basics, it is aimed at people who at least have a little knowledge about cracking under PPC and OS9. It's a shame that there isn't a decent file for beginners on PPC cracking. For those of you who are complete beginners, I can recommend that you read one of the dozen of tutorials on 68k cracking. Get the general idea about what it's all about and then move over to PPC (my previous file on PPC cracking might help you in the transition). Then finally, read this file."
Also listed in: Mac OS Internals Tutorials



Item name: Beginners Guide to Basic Linux Anti Anti Debugging Techniques
Rating: 0.0 (0 votes)
Author: M. Schallner                        
Home URL: http://home.pages.at/f001/
Last updated: May 2006
Version (if appl.):
Direct D/L link: http://www.codebreakers-journal.com/downloads/cbj/2006/CBM_3_1_2006_Schallner_Beginners_Guide_to_Basic_Linux_Anti_Anti_Debugging_Techniques.pdf
Description: This article from CodeBreakers Journal is inspired by _mammon's tales and Silvio Cesare's work.

"Anti-debugging techniques are a common method for protecting software applications. While such protection tricks are often used, several approaches work against such kinds of protection. One known method is anti-anti tricks, which circumvent the mentioned protection schemes. This paper confines itself to techniques and methods used for Linux platform applications, especially dealing with the platform's specific tools."
Also listed in: Linux Anti Reversing Articles, Linux Protection Technique Articles, Linux Unpacking Articles



Item name: Breaking Mac OS X
Rating: 0.0 (0 votes)
Author: Neil Archibald                        
Home URL: http://www.suresec.org
Last updated: April 8, 2007
Version (if appl.):
Direct D/L link: http://felinemenace.org/~nemo/slides/breaking_mac_osx.ppt
Description: This PowerPoint deck is a good summary of what is possible on Mac OS X. Building on previous research (HD Moore, Nemo, Phrack), the author covers PPC and x86 shellcoding tips as well as the most common vulnerabilities.
Also listed in: Mac OS Internals Articles



Item name: Capture, care and analysis of Malware made easy
Rating: 0.0 (0 votes)
Author: Blake McNeill                        
Home URL: http://www.linklogger.com/blog/index.php
Last updated: January 3, 2007
Version (if appl.):
Direct D/L link: http://www.linklogger.com/vm_capture.htm
Description: This article describes the process of setting up an environment with Virtual PC 2007 to capture malware on Windows. Although quite old, it is interesting as an alternative to VMware.

"One of the best ways to learn about something is to play with it and see what it does and how it behaves in a controlled environment. This also applies to learning about worms and viruses, but the problem with doing this is typically the computer you used to experiment with was trashed in the process and rebuilding a computer from scratch can be a huge hassle. Now if you could simply drop the now infected computer in the garbage when you were done playing, and with no cost, then there would be very little preventing you from learning about malware, if you so wished."
Also listed in: Windows Malware Analysis Articles



Item name: Code Obfuscation and Malware Detection by Abstract Interpretation
Rating: 0.0 (0 votes)
Author: Mila Dalla Preda                        
Home URL: http://profs.sci.univr.it/~dallapre/
Last updated: February 2007
Version (if appl.):
Direct D/L link: http://profs.sci.univr.it/~dallapre/MilaDallaPreda_PhD.pdf
Description: This Ph.D. thesis deals with code obfuscation and malware detection through a formal approach based on program semantics and abstract interpretation.
Also listed in: Generic Anti Reversing Articles, Generic Malware Analysis Articles



Item name: Conficker C P2P Protocol and Implementation
Rating: 0.0 (0 votes)
Author: Phillip Porras, Hassen Saidi and Vinod Yegneswaran                        
Home URL: http://mtc.sri.com/
Last updated: September 21, 2009
Version (if appl.):
Direct D/L link: http://mtc.sri.com/Conficker/P2P/index.html
Description: This report presents a reverse engineering of the obfuscated binary code image of the Conficker C peer-to-peer (P2P) service. It implements the functions necessary to bootstrap an infected host into the Conficker P2P network through scan-based peer discovery, and allows peers to share and spawn new binary logic directly into the currently running Conficker C process. Conficker's P2P logic and implementation are dissected and presented in source code form. The report documents its thread architecture, presents the P2P message structure and exchange protocol, and describes the major functional elements of this module.

MD5 of the sample analyzed: 5e279ef7fcb58f841199e0ff55cdea8b
Also listed in: Windows Malware Analysis Articles



Item name: Cryptexec: next-generation runtime binary encryption
Rating: 0.0 (0 votes)
Author: Zeljko Vrba                        
Home URL: http://www.phrack.org
Last updated: 2005
Version (if appl.):
Direct D/L link: http://phrack.org/issues/63/13.html#article
Description: 1 Introduction
2 OS- and hardware-assisted tracing
3 Userland tracing
3.1 Provided API
3.2 High-level description
3.3 Actual usage example
3.4 XDE bug
3.5 Limitations
3.6 Porting considerations
4 Further ideas
5 Related work
5.1 ELFsh
5.2 Shiva
5.3 Burneye
5.4 Conclusion
6 References
7 Credits
A Appendix: source code
A.1 crypt_exec.S
A.2 cryptfile.c
A.3 test2.c

"What is binary encryption and why encrypt at all? For the answer to
this question the reader is referred to the Phrack#58 [1] and article
therein titled "Runtime binary encryption". This article describes a
method to control the target program that does not rely on
any assistance from the OS kernel or processor hardware. The method
is implemented in x86-32 GNU AS (AT&T syntax). Once the controlling
method is devised, it is relatively trivial to include on-the-fly
code decryption."
Also listed in: Linux Anti Reversing Articles, Linux ELF Articles, Linux Internals Articles



Item name: DEX EDUCATION 201 ANTI-EMULATION
Rating: 0.0 (0 votes)
Author: Tim Strazzere                        
Home URL: N/A
Last updated:
Version (if appl.):
Direct D/L link: http://hitcon.org/2013/download/Tim%20Strazzere%20-%20DexEducation.pdf
Description: This is a follow-up to http://www.woodmann.com/collaborative/knowledge/index.php/Dex_Education:_Practicing_Safe_Dex
The previous article is about anti-reversing against some of the Android malware analysis tools.
This paper is about anti-emulation for Android.
Also listed in: Android Anti Reversing Articles



Item name: Dex Education: Practicing Safe Dex
Rating: 0.0 (0 votes)
Author: Tim Strazzere                        
Home URL: N/A
Last updated:
Version (if appl.):
Direct D/L link: http://www.strazzere.com/papers/DexEducation-PracticingSafeDex.pdf
Description: This is probably the first public publication in which Tim deconstructs some of the intricacies of the dex file format and analyzes how some of the Android tools parse and manage the dex format. Along the way he observed a number of easily exploitable pieces of functionality, documenting specifically why they fail and how to fix them. A proof-of-concept tool, APKfuscator, shows how to exploit these flaws.
It introduces some of the basic anti-reversing tricks against the Android tools that malware analysts use to analyse Android malware.

You can find his PoC here: https://github.com/strazzere/APKfuscator
Also listed in: Android Anti Reversing Articles



Item name: Embedded ELF Debugging : the middle head of Cerberus
Rating: 0.0 (0 votes)
Author: The ELF shell crew                        
Home URL: http://www.eresi-project.org/
Last updated: January 8, 2005
Version (if appl.):
Direct D/L link: http://www.phrack.com/issues.html?issue=63&id=9&mode=txt
Description: I. Hardened software debugging introduction
a. Previous work & limits
b. Beyond PaX and ptrace()
c. Interface improvements
II. The embedded debugging playground
a. In-process injection
b. Alternate ondisk and memory ELF scripting (feat. linkmap)
c. Real debugging : dumping, backtrace, breakpoints
d. A note on dynamic analyzers generation
III. Better multiarchitecture ELF redirections
a. CFLOW: PaX-safe static functions redirection
b. ALTPLT technique revised
c. ALTGOT technique : the RISC complement
d. EXTPLT technique : unknown function postlinking
e. IA32, SPARC32/64, ALPHA64, MIPS32 compliant algorithms
V. Constrained Debugging
a. ET_REL relocation in memory
b. ET_REL injection for Hardened Gentoo (ET_DYN + pie + ssp)
c. Extending static executables
d. Architecture independent algorithms
VI. Past and present
VII. Greetings
VIII. References
Also listed in: Linux Internals Articles, Linux Tool Articles



Item name: firmware reversing : Netgear DG834PN
Rating: 0.0 (0 votes)
Author: Nicolas Krassas                        
Home URL: http://0entropy.blogspot.com
Last updated: August 17, 2011
Version (if appl.):
Direct D/L link: http://0entropy.blogspot.com/2011/08/firmware-reversing-netgear-dg834pn.html
Description: This short blogpost describes a technique used to identify the structure of a firmware image (an ADSL router in this case) and how to extract and mount its filesystem.
Also listed in: Linux Reversing Technique Articles



Item name: Forensic discovery - Malware analysis basics
Rating: 0.0 (0 votes)
Author: Wietse Venema, Dan Farmer                        
Home URL: http://www.porcupine.org
Last updated: January 9, 2005
Version (if appl.):
Direct D/L link: http://www.porcupine.org/forensics/forensic-discovery/chapter6.html
Description: This chapter about malware analysis basics comes from a larger book about forensic discovery (a must read), all about UNIX!
Also listed in: Linux Malware Analysis Articles



Item name: Having fun with Apples IOKit
Rating: 0.0 (0 votes)
Author: Ilja van Sprundel                        
Home URL: http://www.ioactive.com
Last updated: July 4, 2010
Version (if appl.):
Direct D/L link: http://conference.hitb.org/hitbsecconf2010ams/materials/D1T2%20-%20Ilja%20van%20Sprundel%20-%20Having%20Fun%20with%20Apples%20IOKit.pdf
Description: IOKit is the main interface for writing drivers in Mac OS X. It's unlike most other driver interfaces for other operating systems: the data parsing code where the trust boundary is crossed is not a simple ioctl() call away, and it's not written in C (the drivers are written in C++). A complex system that goes through Mach messages and uses RPC is used to communicate with drivers, and it's virtually undocumented (the documentation that does exist is poorly written at best).

This talk describes what I've found out in my journey as I try to figure out how the IOKit works, and what exactly an attacker has control over (e.g. which pointers are userland pointers, what length limitation is placed on them, whether the buffer is already captured by the time it reaches input handling code, ...). The IOKit also has several entrypoints, 2 different ways of using 1 entrypoint, and offers the possibility to expose 1 system call specifically for your driver.
Also listed in: Mac OS Internals Articles



Item name: Infecting the Mach-O object format
Rating: 0.0 (0 votes)
Author: Neil Archibald                        
Home URL: http://www.suresec.com
Last updated: April 8, 2007
Version (if appl.):
Direct D/L link: http://felinemenace.org/~nemo/slides/mach-o_infection.ppt
Description: Disclaimer: This document is NOT intended to be a HOW-TO guide for Apple virus writers, but rather explore the Mach-o format and illustrate some ways in which infection can occur.

Through these slides Neil Archibald (felinemenace.org) invites you into the Mach-O file format, and covers native OS anti-debugging techniques and universal binaries.
Also listed in: Mac OS Anti Reversing Articles, Mac OS Internals Articles, Mac OS Malware Analysis Articles



Item name: Intermediate Intel x86: Architecture, Assembly, Applications, & Alliteration
Rating: 0.0 (0 votes)
Author: Xeno Kovah                        
Home URL: http://opensecuritytraining.info/
Last updated: July 15, 2011
Version (if appl.):
Direct D/L link: http://opensecuritytraining.info/IntermediateX86.html
Description: This is a 2 day class which is freely available to watch. You can also take the materials and use them to teach your own classes.

--

Building upon the Introductory Intel x86 class, this class goes into more depth on topics already learned, and introduces more advanced topics that dive deeper into how Intel-based systems work.

Topics include, but are not limited to:

•Physical and virtual memory and how a limited amount of physical memory is represented as much more virtual memory through a multilevel paging system. We will also talk about memory segmentation.
•The hardware basis for kernel versus userspace separation and how software transitions between the two. This portion answers the question of why x86 has 4 “rings”, with ring 0 being the most privileged and ring 3 the least.
•Hardware and software interrupts, and how they are the basis for debugging.
•Input/Output instructions and how these allow the CPU to talk to peripherals.

Example applications include showing how hardware and memory mechanisms are used for software exploits, anti-debug techniques, rootkit hiding, and direct hardware access for keystroke logging.

This material includes labs on:
•Using WinDbg to perform kernel debugging on a virtual machine (which is equally applicable to debugging a real machine).
•Using a custom WinDbg plugin to examine the Local (memory segment) Descriptor Table (LDT), and Global (memory segment) Descriptor Table (GDT) in order to understand how Windows sets memory segment ranges and permissions for userspace and kernel space.
•Using WinDbg and the !pte command to understand how Windows organizes its paging structures which map physical memory to virtual memory.
•Investigating where exactly the XD/NX bit is set in order to make memory as non-executable (which Microsoft calls Data Execution Prevention (DEP)), to prevent some types of exploits from succeeding.
•Using the Read Timestamp Counter (RDTSC) instruction to profile code execution time. Also, using a profile of code execution time to change a program’s behavior in the presence of a debugger (e.g. executing different code if the code appears to have been stopped at a breakpoint.)
•Printing information about task state segments, which hold information that is used to find the kernel stack when an interrupt occurs.
•Watching what does and doesn’t change when a software interrupt is used to transfer control from userspace to kernel.
•Reading the Interrupt Descriptor Table (IDT) and understanding the security implications of changes to it.
•Understanding how RedPill uses the IDT in order to detect that a system is virtualized.
•Having a process read its own memory when a software breakpoint is set, in order to see how a debugger will change memory to set the breakpoint but hide the change from the user.
•Watching how hardware-based breakpoints manipulate dedicated debug registers.
•Using port input/output to access the backdoor communications channel that VMWare uses in order to send copy/paste, mouse movement, and other events in and out of a VM.
•Using port I/O in order to talk directly to the PS2 keyboard controller in order to sniff keystrokes or flash keyboard LEDs.

Knowledge of this material is strongly encouraged for future classes such as Rootkits (offered at http://opensecuritytraining.info/Training.html).
Also listed in: Generic Malware Analysis Tutorials, Generic Reversing Technique Tutorials, Windows Internals Tutorials, Windows Malware Analysis Tutorials, X86 Internals Tutorials



Item name: Intro to OS X Reversing
Rating: 0.0 (0 votes)
Author: KellogS                        
Home URL: http://www.macshadows.com/kb/index.php?title=Main_Page
Last updated: May 2007
Version (if appl.):
Direct D/L link: http://www.macshadows.com/kb/index.php?title=Intro_to_OS_X_Reversing
Description: This knowledge base article introduces OS X reversing.

0.0 Intro
0.1 Tools of the trade
0.2 Mac Applications (or what the hell is a ".app" ?)
0.3 Dashcode
0.4 A few things about x86 assembly language
0.5 Locating code in the dead listing
0.6 Altering the program flow
0.7 Assembling new opcode
0.8 Modifying our target in a hexadecimal editor
0.9 Writing a small patcher in C
0.A Conclusion
0.B Greetings
0.C Appendix
Also listed in: Mac OS Internals Articles



Item name: Introduction To Reverse Engineering Software
Rating: 0.0 (0 votes)
Author: Matt Briggs                        
Home URL: http://opensecuritytraining.info/
Last updated: June 16, 2011
Version (if appl.):
Direct D/L link: http://opensecuritytraining.info/IntroductionToReverseEngineering.html
Description: This is 2 days' worth of class materials that you can use to teach your own classes.

--

Throughout the history of invention, curious minds have sought to understand the inner workings of their gadgets. Whether investigating a broken watch or improving an engine, these people have broken down their goods into their elemental parts to understand how they work. This is Reverse Engineering (RE), and it is done every day, from recreating outdated and incompatible software to understanding malicious code or exploiting weaknesses in software.

In this course we will explore what drives people to reverse engineer software and the methodology and tools used to do it.

Topics include, but are not limited to:
•Uses for RE
•The tricks and pitfalls of analyzing compiled code
•Identifying calling conventions
•How to navigate x86 assembly using IDA Pro
•Identifying Control Flows
•Identifying the Win32 API
•Using a debugger to aid RE
•Dynamic Analysis tools and techniques for RE

During the course students will complete many hands on exercises.

Introduction to x86 and Life of Binaries (both available at http://opensecuritytraining.info/Training.html) are prerequisites for this class.

This class will serve as a prerequisite for a later class specifically on malware analysis.
Also listed in: Generic Malware Analysis Tutorials, Generic Reversing Technique Tutorials, Generic Tool Tutorials, Windows Malware Analysis Tutorials



Item name: Introduction to assembly on the PowerPC
Rating: 0.0 (0 votes)
Author: Hollis Blanchard                        
Home URL: http://www.ibm.com
Last updated: January 7, 2002
Version (if appl.):
Direct D/L link: http://www.ibm.com/developerworks/linux/library/l-ppc/?t=egrL24,p=PowerPC
Description: This official guide from IBM introduces PowerPC assembly, with a lot of pointers to further material.
Also listed in: Mac OS Internals Articles



Item name: Linux Improvised Userland Scheduler Virus
Rating: 0.0 (0 votes)
Author: Izik                        
Home URL: http://uninformed.org
Last updated: December 29, 2005
Version (if appl.):
Direct D/L link: http://uninformed.org/?v=3&a=6&t=txt
Description: "This paper discusses the combination of a userland scheduler and
runtime process infection for a virus. These two concepts complete
each other. The runtime process infection opens the door to invading
into other processes, and the userland scheduler provides a way to
make the injected code coexist with the original process code. This
allows the virus to remain stealthy and active inside an infected
process."
Also listed in: Linux ELF Articles, Linux Internals Articles, Linux Malware Analysis Articles



Item name: Linux anti-debugging techniques (fooling the debugger)
Rating: 0.0 (0 votes)
Author: Silvio Cesare                        
Home URL: http://virus.beergrave.net
Last updated: January 1999
Version (if appl.):
Direct D/L link: http://www.phiral.net/other/linux-anti-debugging.txt
Description: TABLE OF CONTENTS
-----------------

INTRODUCTION
FALSE DISASSEMBLY
DETECTING BREAKPOINTS
SETTING UP FALSE BREAKPOINTS
DETECTING DEBUGGING


"This article describes anti debugger techniques for x86/Linux (though some of
these techniques are not x86 specific). That is techniques to either fool,
stop, or modify the process of debugging the target program. This can be
useful to the development of viruses and also to those implementing software
protection."
Also listed in: Linux Anti Reversing Articles, Linux Unpacking Articles



Item name: Linux on the Half-ELF
Rating: 0.0 (0 votes)
Author: Mammon_                        
Home URL: http://www.eccentrix.com/members/mammon/
Last updated:
Version (if appl.):
Direct D/L link: http://www.eccentrix.com/members/mammon/tales/linux_re.txt
Description: A long time ago, Mammon_ wrote a tale about Linux reversing...


"This paper is concerned with reverse engineering in the Linux environment: a
topic which is still sparsely covered despite years of attention from security
consultants, software crackers, and programmers writing device drivers or
Windows interoperability software. The question will naturally arise: why
would anyone be interested in reverse engineering on Linux, an operating system
in which the applications which are not open-source are usually available for
no charge?"
Also listed in: Linux ELF Articles



Item name: MacOS X Assembler Reference
Rating: 0.0 (0 votes)
Author: Apple Inc.                        
Home URL: http://www.apple.com/
Last updated: July 1, 2009
Version (if appl.): 1.10
Direct D/L link: http://developer.apple.com/mac/library/documentation/DeveloperTools/Reference/Assembler/000-Introduction/introduction.html
Description: The Mac OS X assembler serves a dual purpose. It assembles the output of gcc, Xcode’s default compiler, for use by the Mac OS X linker. It also provides the means to assemble custom assembly language code written for its supported platforms.

This document provides a reference for the use of the assembler, including basic syntax and statement layout. It also contains a list of the specific directives recognized by the assembler and complete instruction sets for the PowerPC and i386 processor architectures.
Also listed in: Mac OS Internals Articles



Item name: Malware Analysis: Environment Design and Architecture
Rating: 0.0 (0 votes)
Author: Adrian Sanabria                        
Home URL: http://www.sans.org/
Last updated: January 18, 2007
Version (if appl.):
Direct D/L link: http://www.sans.org/reading_room/whitepapers/threats/malware_analysis_environment_design_and_artitecture_1841
Description: This academic article precisely describes the possible ways of setting up a malware analysis environment (both physical and virtualized).
Also listed in: Linux Malware Analysis Articles, Windows Malware Analysis Articles



Item name: Mass Malware Analysis: A Do-It-Yourself Kit
Rating: 0.0 (0 votes)
Author: Christian Wojner                        
Home URL: http://cert.at/
Last updated: October 14, 2009
Version (if appl.): 1.0
Direct D/L link: http://cert.at/static/downloads/papers/cert.at-mass_malware_analysis_1.0.pdf
Description: This paper outlines the relevant steps to build up a customizable automated malware analysis station using only freely available components, with the exception of the target OS (Windows XP) itself. Furthermore, a special focus lies on handling a huge amount of malware samples and on the actual implementation at CERT.at. As a primary goal, the reader of this paper should be able to build up her own specific installation and configuration while being free in her decision of which components to use.

The first part of this document covers all the theoretical, strategic and methodological aspects. The second part focuses on the practical aspects by diving into CERT.at's automated malware analysis station, closing with an easy-to-follow step-by-step tutorial on how to build up CERT.at's implementation for your own use. So feel free to skip parts.
Also listed in: Windows Malware Analysis Articles



Item name: Next generation debuggers for reverse engineering
Rating: 0.0 (0 votes)
Author: The ELFsh Crew                        
Home URL: http://www.eresi-project.org
Last updated: 2007
Version (if appl.):
Direct D/L link: http://s.eresi-project.org/inc/articles/bheu-eresi-article-2007.pdf
Description: "Classical debuggers make use of an interface provided by the operating system in order to access the memory of programs while they execute. As this model is dominating in the industry and the community, we show that our novel embedded architecture is more adapted when debuggee systems are hostile and protected at the operating system level. This alternative modelization is also more performant as the debugger executes from inside the debuggee program and can read the memory of the host process directly. We give detailed information about how to keep memory unintrusiveness using a new technique called allocation proxying. We reveal how we developed the organization of our multiarchitecture framework and its multiple modules so that they allow for graph-based binary code analysis, ad-hoc typing, compositional fingerprinting, program instrumentation, real-time tracing, multithread debugging and general hooking of systems. We reveal the reflective essence of our framework by embedding its internal structures in our own reverse engineering language, thus recalling concepts of aspect oriented programming."
Also listed in: Linux ELF Articles, Linux Internals Articles, Linux Tool Articles



Item name: PDF - Vulnerabilities, Exploits and Malwares
Rating: 0.0 (0 votes)
Author: Dhanesh                        
Home URL: http://securityxploded.com/pdf_vuln_exploits.php
Last updated: November 24, 2010
Version (if appl.):
Direct D/L link: Locally archived copy
Description: In this introductory tutorial, Dhanesh explains how to use basic PDF analysis tools such as PDFAnalyzer to dissect the exploit code from malicious PDF files in simple steps, with illustrative screenshots.

Highlights of the Article:

* Throws light on the usage of PDF analysis tools such as PDFAnalyzer
* Demonstrates malware analysis of real PDF samples
* Describes in detail the dissection of exploit code from PDF structures
Also listed in: Generic Reversing Technique Articles, Generic Reversing Technique Tutorials, Generic Tool Articles, Generic Tool Tutorials



Item name: Peacomm.C: Cracking the nutshell
Rating: 0.0 (0 votes)
Author: Frank Boldewin                        
Home URL: http://www.reconstructer.org
Last updated: September 21, 2007
Version (if appl.): 1.0
Direct D/L link: http://www.antirootkit.com/articles/eye-of-the-storm-worm/Peacomm-C-Cracking-the-nutshell.html
Description: The first variant "Peacomm.A" was detected in mid-January 2007 and since then it has grown to one of the most successful botnets ever seen in the wild. It uses an adjusted Overnet protocol for spreading and communication. Its main intent is spamming and DDoS attacking. Also the fast-flux service network which is being used by the criminals behind the attacks is really amazing and frightening at the same time. As its botnet activities are not the focus of this essay, I've included interesting other papers covering these topics.
Also listed in: Windows Malware Analysis Articles



Item name: Pinczakko's guide to Award BIOS reverse engineering
Rating: 0.0 (0 votes)
Author: Pinczakko                        
Home URL: http://sites.google.com/site/pinczakko/
Last updated: 2010
Version (if appl.):
Direct D/L link: http://sites.google.com/site/pinczakko/pinczakko-s-guide-to-award-bios-reverse-engineering
Description: 1. Foreword
2. Prerequisite
2.1. PCI BUS
2.2. ISA BUS
3. Some Hardware Peculiarities
3.1. BIOS Chip Addressing
3.2. Obscure Hardware Port
3.3. "Relocatable" Hardware Port
3.4. Expansion ROM Handling
4. Some Software Peculiarities
4.1. Call Instruction Peculiarity
4.2. Retn Instruction Peculiarity
5. Our Tools of Trade
5.1. What do we need anyway?
5.2. Intro to IDA Pro Techniques
5.2.1. Introducing IDA Pro
5.2.2. IDA Pro Scripting and Key Bindings
6. Award BIOS File Structure
6.1. The Compressed Components
6.2. The Pure Binary Components
6.3. The Memory Map In The Real System (Mainboard)
7. Disassembling the BIOS
7.1. Bootblock
7.1.1. "Virtual Shutdown" routine
7.1.2. Chipset_Reg_Early_Init routine
7.1.3. Init_Interrupt_n_PwrMgmt routine
7.1.4. Call To "Early Silicon Support" Routine
7.1.5. Bootblock Is Copied And Executed In RAM
7.1.6. Call to bios decompression routine and the jump into decompressed system bios
7.1.6.1. Enable FFF80000h-FFFDFFFFh decoding
7.1.6.2. Copy lower 128KB of BIOS code from ROM chip into RAM
7.1.6.3. Disable FFF8_0000h-FFFD_FFFFh decoding
7.1.6.4. Verify checksum of the whole compressed BIOS image
7.1.6.5. Look for the decompression engine
7.1.6.6. Decompress the compressed BIOS components
7.1.6.6.a. The format of the LZH level-1 compressed bios components
7.1.6.6.b. The location of various checksums
7.1.6.6.c. The key parts of the decompression routine
7.1.6.7. Shadow the BIOS code
7.1.6.8. Enable the microprocessor cache then jump into the decompressed system BIOS
7.2. System BIOS a.k.a Original.tmp
7.2.1. Entry point from "Bootblock in RAM"
7.2.2. The awardext.rom and Extension BIOS Components (lower 128KB bios-code) Relocation Routine
7.2.3. Call to the POST routine a.k.a "POST jump table execution"
7.2.4. The "segment vector" Routines
7.2.5. "chksum_ROM" Procedure
7.2.6. Original.tmp Decompression Routine for The "Extension_BIOS Components"
7.2.7. Microcode Update Routine
8. Rants and Raves
9. Closing
Also listed in: X86 Internals Tidbits



Item name: Portable Executable File Format – A Reverse Engineer View
Rating: 0.0 (0 votes)
Author: Goppit                        
Home URL: N/A
Last updated: January 2006
Version (if appl.):
Direct D/L link: Locally archived copy
Description: This tutorial aims to collate information from a variety of sources and present it in a way which is accessible to beginners. Although detailed in parts, it is oriented towards reverse code engineering and superfluous information has been omitted.
Also listed in: Windows Internals Articles



Item name: Primer on Android OS Reversing
Rating: 0.0 (0 votes)
Author: Nieylana                        
Home URL: http://www.accessroot.com
Last updated: May 21, 2010
Version (if appl.):
Direct D/L link: http://www.accessroot.com/arteam/site/request.php?322
Description: This is a tutorial which explains how to reverse Android OS applications. While most apps available are free, there are a few which are interesting to reverse. The video tutorial also includes the required reversing tools and instructions to set up your reversing lab.
Also listed in: Android Reversing Technique Tutorials



Item name: Reverse Engineering the newest Facebook invite virus
Rating: 0.0 (0 votes)
Author: Dave Paola                        
Home URL: http://davezor.posterous.com
Last updated: May 17, 2010
Version (if appl.):
Direct D/L link: http://davezor.posterous.com/reverse-engineering-the-newest-facebook-invit
Description: A friend "recommended" a page to me this morning on facebook. It's this page (DONT FOLLOW THE INSTRUCTIONS): hxxp://www.facebook.com/MindIllusion

The instructions basically have you copy and paste some javascript into your address bar. Dumb. But the javascript is fairly obfuscated and encoded with some escape sequences and hex code. Having never reverse engineered javascript like this, I decided to give it a try. Using Mozilla's Spider Monkey and some vim-foo, here are my results.
Also listed in: Javascript Malware Analysis Articles



Item name: Reverse Engineering/Mac OS X
Rating: 0.0 (0 votes)
Author: Wikimedia contributors                        
Home URL: http://en.wikibooks.org/wiki/Main_Page
Last updated: January 1, 2010
Version (if appl.): 1690989
Direct D/L link: http://en.wikibooks.org/wiki/Reverse_Engineering/Mac_OS_X
Description: This wiki book is the fruit of collaborative work from the Mac OS reversing community.

1 Hardware Architecture
2 Software Architecture
2.1 Kernel Sections
3 Commonly Used Tools
3.1 Developer Tools Used
4 Reversing Basics
4.1 Architecture
4.2 Symbols
4.2.1 Symbol Types
4.2.1.1 Internal Symbols
4.2.1.1.1 Example
4.2.1.2 External Symbols
4.3 PowerPC
4.3.1 The Stack
4.4 Intel
5 Reversing for security
6 Reversing for 'cracking'
7 Further Reading
8 Special Notes
Also listed in: Mac OS Internals Articles



Item name: Reverse-Engineering Malware
Rating: 0.0 (0 votes)
Author: Lenny Zeltser                        
Home URL: http://zeltser.com
Last updated: 2001
Version (if appl.):
Direct D/L link: http://zeltser.com/reverse-malware-paper/
Description: This article describes each step in the analysis of IRC.SRVCP_Trojan (Symantec).
It can be complemented by the related URL listed in the item's details.
Also listed in: Windows Malware Analysis Articles



Item name: Reversing Malware: Analysis of the worm "Tibick.D"
Rating: 0.0 (0 votes)
Author: Daniel Schoepe                        
Home URL: http://lesco.le.funpic.de
Last updated: November 6, 2006
Version (if appl.):
Direct D/L link: http://lesco.le.funpic.de/files/articles/rev_malware1/tibick.d.html
Description: This article describes the steps and tools used in the analysis of the Tibick.D worm: an explanation of the infection routine, the backdoor and the replication routine code.
Also listed in: Windows Malware Analysis Articles



Item name: Rootkits: What they are, and how to find them
Rating: 0.0 (0 votes)
Author: Xeno Kovah                        
Home URL: http://opensecuritytraining.info/
Last updated: September 21, 2011
Version (if appl.):
Direct D/L link: http://opensecuritytraining.info/Rootkits.html
Description: This is a 2 day class which is freely available to watch. You can also take the materials and use them to teach your own classes.

--

Introductory Intel x86, Intermediate Intel x86, and Life of Binaries (all available at http://opensecuritytraining.info/Training.html) are strongly recommended to be taken before this class.

Rootkits are a class of malware which are dedicated to hiding the attacker’s presence on a compromised system. This class will focus on understanding how rootkits work, and what tools can be used to help find them.

This will be a very hands-on class where we talk about specific techniques which rootkits use, and then do labs where we show how a proof of concept rootkit is able to hide things from a defender. Example techniques include:
•Trojaned binaries
•Inline hooks
•Import Address Table (IAT) hooking
•System Call Table/System Service Descriptor Table (SSDT) hooking
•Interrupt Descriptor Table (IDT) hooking
•Direct Kernel Object Manipulation (DKOM)
•Kernel Object Hooking (KOH)
•IO Request Packet (IRP) filtering
•Hiding files/processes/open ports
•Compromising the Master Boot Record (MBR) to install a “bootkit”

The class will help the student learn which tools to use to look for rootkits on Windows systems, how to evaluate the breadth of a tool’s detection capabilities, and how to interpret tool results.

This class is structured so that students are given homework to detect rootkits *before* they have taken the class. This homework is given in the context of the following scenario:

“You, being the only ‘security person’ in the area, have been called in to
examine a running Windows server because "it's acting funny." They don't
care that you like Mac/Linux/BSD/Plan9 better, you need to look at it! You
are solemnly informed that this system is mission critical and can only
be rebooted if absolutely necessary. You must investigate whether any sort
of compromise has taken place on the system, with minimal impact to the
mission. What do you do? What DO you DO?”

The homework is then for the student to use any means at their disposal to write up answers to the following questions: “What malicious changes were made to the system?”, “What tools did you use to detect the changes?”, “How can you remove the changes?”. The students’ answers are then anonymized and shared with the rest of the class afterwards, so that they can see how others approached the problem, and learn from their techniques. The anonymization of the homework before distribution is important so that students know that even though they don’t know, and aren’t expected to know, anything about the area yet, their entry will not be judged by other students.
Also listed in: Generic Malware Analysis Tutorials, Generic Protection Technique Tutorials, Generic Reversing Technique Tutorials, Windows Internals Tutorials, Windows Malware Analysis Tutorials, Windows Tool Tutorials



Item name: Stealth MBR Rootkit
Rating: 0.0 (0 votes)
Author: GMER                        
Home URL: http://www.gmer.net
Last updated: January 2, 2008
Version (if appl.):
Direct D/L link: http://www2.gmer.net/mbr/
Description: At the end of 2007 a stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ), and it looks like this way of affecting NT systems could become more common in the near future if the MBR stays unprotected.

"Good points" of being an MBR rootkit:
full control of the machine boot process - code is executed before the OS starts
the rootkit does not need a file - code can exist in some sectors of the disk and cannot be deleted like a usual file
the rootkit does not need any registry entry because it is loaded by the MBR code
to hide itself, the rootkit needs to control only a few sectors of the disk

How MBR rootkit works :
Installer
MBR loader
Kernel patcher
Kernel driver loader
Sectors hider/protector
Kernel driver
Detection
Rootkit removal
Also listed in: Windows Malware Analysis Articles



Item name: Stepping with GDB during PLT uses and .GOT fixup
Rating: 0.0 (0 votes)
Author: mayhem                        
Home URL: http://www.eresi-project.org
Last updated:
Version (if appl.):
Direct D/L link: http://s.eresi-project.org/inc/articles/elf-runtime-fixup.txt
Description: "This text is a GDB tutorial about runtime process fixup using the Procedure
Linkage Table section (.plt) and the Global Offset Table section (.got).
If you don't know what ELF is, you should read the ELF ultimate documentation
you can find easily on Google.

Some basic ASM knowledge may be requested.

This text has not been written for ELF specialists. This tutorial is an
alternative, interactive way to understand the PLT mechanisms."
Also listed in: Linux ELF Articles, Linux Internals Articles, Linux Tool Articles, Linux Unpacking Articles



Item name: Stuxnet's Rootkit (MRxNet) into C++
Rating: 0.0 (0 votes)
Author: Amr Thabet                        
Home URL: http://www.amrthabet.co.cc
Last updated: January 28, 2011
Version (if appl.): 1.00
Direct D/L link: Locally archived copy
Description: This project converts mrxnet.sys into readable C++ source code very similar to the equivalent native code in the mrxnet.sys sample.

Copyrights:
-----------
These files (except mrxnet.sys) were created by Amr Thabet and copyrighted (c) by him.

Files:
------
1. mrxnet.sys : The rootkit sample
2. mrxnet.idb : The IDA Pro database for version 5.1
3. main.c : The main source code of the mrxnet.sys rootkit sample (created by manually reversing mrxnet.sys with only IDA Pro)
4. FastIo.c : The FastIoDispatch (you could ignore this part)

The others are used for compiling the source code.

Notes:
------
The source code is 95% similar to the real rootkit, but that doesn't mean it should work exactly like mrxnet.sys, as it still contains bugs that need to be fixed.
Also listed in: Windows Malware Analysis Articles



Item name: Subverting Windows7 x64 kernel with DMA attacks
Rating: 0.0 (0 votes)
Author: Christophe Devine, Damien Aumaitre                        
Home URL: https://bob.cat/
Last updated: July 4, 2010
Version (if appl.):
Direct D/L link: http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2%20-%20Devine%20&%20Aumaitre%20-%20Subverting%20Windows%207%20x64%20Kernel%20with%20DMA%20Attacks.pdf
Description: This presentation will focus on concrete examples of compromising the Windows 7 x64 operating system, in effect bypassing two major security mechanisms: code signing and integrity verification (PatchGuard).

First, we’ll explain the internal structures of the operating system, and how they differ from previous versions. Then we describe how to alter these structures in order to gain control over the execution flow. The implementation of this attack is then presented, using an embedded soft-core MIPS CPU implemented on an FPGA PCMCIA/CardBus card.

Finally, we will conclude on the importance of new protection features included in recent CPUs, in particular the IOMMU and TXT.
Also listed in: Windows Internals Articles, Windows Reversing Technique Articles



Item name: Super-secret debug capabilities of AMD processors !
Rating: 0.0 (0 votes)
Author: Czernobyl aka Czerno                        
Home URL: http://www.czerno.tk/
Last updated: June 12, 2014
Version (if appl.): 1.0
Direct D/L link: N/A
Description: Secret debugging extensions in AMD K7 processors
************************************************
Here unveiled by Czerno - Mail : <me AT czerno.tk>
Original article : December, 2010. This revision : June, 2014.
Reason for revision : contents made more accurate, shorter and hopefully, clearer.

Copyleft (c) Czerno. Please keep attribution where it belongs.

The author shall not be held responsible for any errors or inaccuracies, blah-blah...

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
Click the "more details" button or link downpage to view additional notes!
°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°


°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
Very important : you can help! Yes, YOU!

- By doing your own trial of the features and contacting us over any errors/inaccuracies/complements you find!
We want to assert, in particular, whether the features we found in Athlon-XP are present, possibly modified, in the newer generations of AMD CPUs.
- By updating debuggers, plugins and toolz so they can make full use of the new features.

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

_Summary_  :

AMD K7 (Athlon-XP, etc.) processors have included some firmware-based debugging features that expand beyond standard, architecturally defined capabilities of X86. For some reason though, AMD has been tightly secretive about these features; their existence was first inferred by us after considering a list of undocumented MSRs found on CBID's page (URL, cf. notes below).

Herein we uncover the outcome of our experiments, in the hope it may be useful to software developers, & possibly included in future debuggers, debugger plug-ins or other tools.

I call the new capabilities "expanded", since the term "debug extensions" is already used to refer to other features in Pentium and later processors.

Author can be contacted by email, or PM, or on the reversing forum.

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

_New MSRs_ :

Four undocumented machine specific registers (MSR) are involved in the expanded
debug facilities. These MSRs are "password" protected against casual access :
read/write access (RDMSR/WRMSR) to the registers is granted only if EDI holds
the correct password value, viz. EDI=9C5A203A. Otherwise, GPF exception occurs.

_Control_ @ C001_1024 , useful width: 8 bits
_Data_Match_ @ C001_1025 , width: 32
_Data_Mask_ @ C001_1026 , width: 32
_Address_Mask_ @ C001_1027 , width: 12 bits.

All four registers are zeroed upon processor reset.

Security considerations : As the features are controlled by MSRs whose access is restricted to code executed in "ring zero", their existence is generally not considered a security risk. However, a malicious BIOS or OS driver could certainly make creative use of the features, with some disturbing consequences for unsuspecting users.

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Let's examine the _Control Register_ first :

According to the "BIOS and Kernel developer's guide" for AMD NPT Family Fh, bit 7
of this register enables an external "hardware debug tool" connected to the processor over the JTAG bus. Such an (expensive, professional) tool is not considered herein.

The BIOS guide further says bits 6-0 are "reserved, should be zero".
We found that on the K7 (Athlon XP), we can put bits 1-0 to good use, as explained
below ; we have not found any effect for bits 6-2, consequently we left them aside.

We shall henceforth be discussing the use of undocumented bits 1-0 of the Control register, leaving all other bits null.

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

_Operational details_

The operation of breakpoint *BP0* (using DR0) is enhanced as will be described.
Breakpoints BP1 to BP3 are _not_ affected.

Breakpoint *BP0* _is_ modified, being further conditioned by the contents of the new MSRs in addition to legacy DR7. The features *cannot be switched off* : as soon as the address in DR0 is validated by setting DR7 bits 0 and/or 1, it behaves as will be explained; there is no further enabling bit.

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

1) The Mask MSRs :

The "Address_Mask" qualifies the Address in DR0, while "Data_Mask" qualifies the "Data_Match" MSR.

In both masks, bits which are _set_ (=1) mean "don't care", don't look at the
corresponding bit when doing compares.

A mask value of all zeroes thus is asking for exact match.
Conversely, with a data mask of all ones, comparisons will always succeed.

The Address_Mask _should_ be a string of zeroes terminated by (zero or more) ones,
in other words a power of two minus one.

Address_Mask is only twelve bits wide, hence the largest allowable address mask : 00000FFF, matches 4096 page-aligned, consecutive memory (or I/O port) addresses.

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

2) The Address_Mask:

It is used *unconditionally* for all three types of BP : instruction execution,
memory or IO data access.

A null mask, which is the default, in effect switches address expansion off, mimicking legacy breakpoint behavior.

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

3) Instruction breakpoints (DR7 type =0):

Are triggered by instruction execution at _any_ address matching DR0 under Address_Mask.

Control_ MSR has no effect (should be zero).
Data_Match and Data_Mask are not used for this type of breakpoints.

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

4) Memory & I/O Data breakpoint (DR7 types 1,3 and 2):

The Address_Mask is applied to the DR0 address, for monitoring 1 up to 4096 consecutive bytes.

- Case: *Control = 0* (legacy): no additional check is performed. For memory access, the break occurs either on Write only, or on All_Access, as selected by the legacy breakpoint "type" bits in DR7 (bits 17-16).
Data_Match and Data_Mask are not used (should be zero).


- For the next three cases, Data compare is always done : to in effect disable it, one must use a Data_Mask of all ones (meaning : don't care).

- Case: *Control = 2* : Breaks occur on WRITE/OUT only. Even if the DR7 type is RW,
breaks never happen on Read. Traps on Data_Match.

- Case: *Control = 3* : same as Control = 2, except the data condition is reversed,
i.e. Traps on Data_NON_Match.

- Case: *Control = 1* : break on Data_Match, on WRITE/OUT only, at ANY address!
Thus Address (DR0) and Address_Mask are ignored in this case (should be zero).

Reminder: I/O breakpoints require CR4 bit 3 (DE) set.

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

Knowledge wants to be free !
Also listed in: X86 Internals Articles



Item name: Swimming into hostile code: Gamethief.Win32.Magania
Rating: 0.0 (0 votes)
Author: Giuseppe Bonfa                        
Home URL: http://evilcodecave.blogspot.com
Last updated: August 2009
Version (if appl.):
Direct D/L link: http://www.accessroot.com/arteam/site/download.php?view.313
Description: Trojan-GameThief.Win32.Magania, according to Kaspersky's naming convention, monitors the user's activities in order to obtain valuable information from the affected user, especially gaming login accounts. This long tutorial analyzes this malware, but it is also a general document explaining how to analyze a modern "nested-dolls" malware.
Also listed in: Windows Malware Analysis Articles



Item name: TDL3 - Why so serious? Let's put a smile on that face ..
Rating: 0.0 (0 votes)
Author: Nguyễn Phố Sơn                        
Home URL: http://www.rootkit.com
Last updated: November 9, 2009
Version (if appl.):
Direct D/L link: http://www.rootkit.com/vault/thug4lif3/tdl3_analysis_paper_ed.rar
Description: TDL3/TDSS malware analysis, a good paper from rootkit.com

BEWARE - password of the archive: tdl3_analysis

The TDL or TDSS family is a trojan variant famous for its effectiveness and active technical development. It contains a couple of components: a kernel-mode rootkit and user-mode DLLs which perform the trojan operations such as downloading, blocking AVs, etc. Since the rootkit acts as an "injector" and protector for the user-mode bot binaries, almost all technical evolution of this threat family focuses on rootkit technology so as to evade AV scanners.
Also listed in: Windows Malware Analysis Articles



Item name: TIEP Solution
Rating: 0.0 (0 votes)
Author: NullPointerException (aka AttonRand)                        
Home URL: N/A
Last updated: March 23, 2010
Version (if appl.): N/A
Direct D/L link: Locally archived copy
Description: This tutorial describes how to solve TIEP by CoDe_InSiDe.
Document format.
Also listed in: Windows Reversing Technique Crackmes



Item name: The "Ultimate" anti debugging reference
Rating: 0.0 (0 votes)
Author: Peter Ferrie                        
Home URL: http://pferrie.host22.com
Last updated: 2004
Version (if appl.):
Direct D/L link: http://pferrie.host22.com/papers/antidebug.pdf
Description: A debugger is probably the most commonly-used tool when reverse-engineering (a disassembler tool such as the Interactive DisAssembler (IDA) being the next most common). As a result, anti-debugging tricks are probably the most common feature of code intended to interfere with reverse-engineering (and anti-disassembly constructs being the next most common). These tricks can simply detect the presence of the debugger, disable the debugger, escape from the control of the debugger, or even exploit a vulnerability in the debugger. The presence of a debugger can be inferred indirectly, or a specific debugger can be detected. Disabling or escaping from the control of the debugger can be achieved in both generic and specific ways.

What follows is a selection of the known techniques used to detect the presence of a debugger, and in some cases, the defences against them.
Also listed in: Windows Anti Reversing Articles, Windows Protection Technique Articles



Item name: The Life of Binaries
Rating: 0.0 (0 votes)
Author: Xeno Kovah                        
Home URL: http://opensecuritytraining.info/
Last updated: September 6, 2011
Version (if appl.):
Direct D/L link: http://opensecuritytraining.info/LifeOfBinaries.html
Description: This is a 2 day class which is freely available to watch. You can also take the materials and use them to teach your own classes.

--


Topics include but are not limited to:
• Scanning and tokenizing source code.
• Parsing a grammar.
• Different targets for x86 assembly object files generation. (E.g. relocatable vs. position independent code).
• Linking object files together to create a well-formed binary.
• Detailed descriptions of the high level similarities and low level differences between the Windows PE and Linux ELF binary formats. (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)
• How an OS loads a binary into memory and links it on the fly before executing it.

Along the way we discuss the relevance of security at different stages of a binary’s life, from the tricks that can be played by a malicious compiler, to how viruses really work, to the way which malware “packers” duplicate OS process execution functionality, to the benefit of a security-enhanced OS loader which implements address space layout randomization (ASLR).

Lab work includes:
• Manipulating compiler options to change the type of assembly which is output
• Manipulating linker options to change the structure of binary formats
• Reading and understanding PE files with PEView
• Reading and understanding ELF files with Readelf (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)
• Using WinDbg and/or GDB to watch the loader dynamically link an executable
• Using Thread Local Storage (TLS) to obfuscate control flow and serve as a basic anti-debug mechanism
• Creating a simple example virus for PE
• Analyzing the changes made to the binary format when a file is packed with UPX
• Using the rootkit technique of Import Address Table (IAT) hooking to subvert the integrity of a program’s calls to external libraries, allowing files to be hidden.

Knowledge of this material is recommended, but not required, for future classes such as Rootkits, but is required for reverse engineering. (Both also at http://opensecuritytraining.info/Training.html)
Also listed in: Generic Malware Analysis Tutorials, Generic Protection Technique Tutorials, Generic Reversing Technique Tutorials, Linux ELF Articles, Windows Internals Tutorials, Windows Malware Analysis Tutorials, Windows Reversing Technique Tutorials, Windows Tool Tutorials, Windows Unpacking Tutorials



Item name: The Molecular Virology of Lexotan32: Metamorphism Illustrated
Rating: 0.0 (0 votes)
Author: Orr                        
Home URL: http://www.antilife.org/
Last updated: August 16, 2007
Version (if appl.):
Direct D/L link: https://www.openrce.org/articles/full_view/29
Description: Orr strikes again, here is an interesting article about (another) metamorphic malware released by Vecna, on VX Heavens in 2002.
Also listed in: Windows Malware Analysis Articles



Item name: The Viral Darwinism of W32.Evol
Rating: 0.0 (0 votes)
Author: Orr                        
Home URL: http://www.antilife.org/
Last updated: February 6, 2007
Version (if appl.):
Direct D/L link: https://www.openrce.org/articles/full_view/27
Description: This article, posted on OpenRCE, deals with Win32.Evol, a true metamorphic engine-powered malware.
Do not miss the reversed and commented engine code (follows in related urls).
Also listed in: Windows Malware Analysis Articles



Item name: trusted platforms module (TPM), openssl and ecryptfs tutorial
Rating: 0.0 (0 votes)
Author: t0ka7a                        
Home URL: http://infond.blogspot.com
Last updated: April 6, 2010
Version (if appl.):
Direct D/L link: http://infond.blogspot.com/2010/03/trusted-platforms-module-tpm-openssl.html
Description: Trusted Platform Modules (TPM) are cryptographic processors mounted on computers. Their goal is to provide an encryption and authentication service package by keeping secret keys in hardware, which makes it difficult for an attacker to retrieve these keys. For educational purposes, when a computer is not equipped with the chip, it is possible to emulate its behavior. This tutorial extends French computer security researcher Noemie Floissac's article [3]. It describes the use of a TPM with Linux and its application to openssl and ecryptfs.
English and French versions are available on http://infond.blogspot.com
Also listed in: Linux Protection Technique Tutorials



Item name: tutorial mutual authentication - trusted platform module (TPM) - apache2 - openssl
Rating: 0.0 (0 votes)
Author: t0ka7a                        
Home URL: http://infond.blogspot.com
Last updated: April 9, 2010
Version (if appl.):
Direct D/L link: http://infond.blogspot.com/2010/04/tutorial-mutual-authentication-trusted.html
Description: The administrator of an Apache2 server can restrict access to part of a website to authenticated users. This article deals with mutual (strong) authentication with X509 certificates between an Apache2 server and a client. In addition, the client's private key is protected by the trusted platform module (TPM) of its computer.
With this solution, only authorized computers gain access to the site. It also becomes more complicated for an attacker to access the private key of a compromised computer: this key is difficult to copy or extract, as it is kept in the hardware TPM.
English and French versions are available on http://infond.blogspot.com
Also listed in: Linux Protection Technique Tutorials



Item name: Underhood on Armadillo License Removal
Rating: 0.0 (0 votes)
Author: Ghandi                        
Home URL: http://www.accessroot.com/arteam/site/download.php?view.321
Last updated: March 29, 2010
Version (if appl.):
Direct D/L link: Locally archived copy
Description: A complete video tutorial showing how to remove license expiration information from Armadillo targets (versions 3.48 to 7). A topic that is widely exploited by existing tools, but not explained in such detail. The tutorial comes with a complete set of tools, sources and everything you need to deeply understand this topic.
You'll learn the locations which Armadillo currently uses to store license information and learn a method for recovering the information which was generic from 3.78 through to version 7.xx
Included the source code for this license removal tool, as well as compiled binaries
Also listed in: Windows Protection Technique Tutorials



Item name: Understanding Linux ELF RTLD internals
Rating: 0.0 (0 votes)
Author: mayhem                        
Home URL: http://www.eresi-project.org
Last updated: 2002
Version (if appl.): 0.2
Direct D/L link: http://s.eresi-project.org/inc/articles/elf-rtld.txt
Description: "Actually there's many ELF documentation at this time, most of them
are virii coding or backdooring related. To be honest, I never found
any documentation on the dynamic linking sources, and that's why I wrote
this one. Sometimes it looks more like an internal ld.so reference or
a comments review on the ELF dynamic linking implementation in ld-linux.so.

It's not that unuseful since the dynamic linking is one of the worse
documented part of the Linux operating system. I also decided to write
a (tiny) chapter on ELF kernel handling code, because it is
really necessary to know some kernel level stuffs (like the stack
initialisation) to understand the whole interpreting."

0] Prologue
A) Kernel handling code
B) Introducing glibc macros
1] Dynamic linker implementation
A) Sources graphics
B) The link_map structure explained
C) Relocating the interpreter
D) Runtime GOT relocation
E) Symbol resolution
2] FAQ, thanks and references


TODO :
X) Stack information gathering
X) SHT_DYNAMIC information gathering
X) PHT interpreting
X) Loading shared libraries
X) Shared libraries relocation
Also listed in: Linux ELF Articles, Linux Internals Articles



Item name: Undocumented trick : Direct access to Physical Memory on AMD K7
Rating: 0.0 (0 votes)
Author: Czernobyl aka Czerno                        
Home URL: http://www.czerno.tk
Last updated:
Version (if appl.):
Direct D/L link: N/A
Description: The generic IA32 Intel architecture does not provide direct access to *physical* memory addresses in paged, protected mode. On Athlon XP and similar AMD K7 processors, however, the undocumented MSR _C0010115_ opens a read/write window into physical memory, available in all modes at CPL zero.

For more details, please see my blog (URL below).

The Forum has a discussion of whether this trick is a theoretical vulnerability.
Also listed in: X86 Internals Articles



Item name: usb_driver.com (hhbcddropper) analysis
Rating: 0.0 (0 votes)
Author: Mike Ciavarella & Nathan Martini                        
Home URL: http://www.blackfortressindustries.com
Last updated: May 21, 2010
Version (if appl.):
Direct D/L link: http://www.blackfortressindustries.com/malware-analysis/usb-removable-media/HuJuYinFuexianning-1925CE96DB51A0CF18AA6489FA2471C3089D6E8B-8F83E88ECD1466E7482D69ABAAC9935E/hhbcddropper.pdf
Description: A very detailed analysis of this USB infector malware

1 Attachments:
2 Back Story:
3 Related To:
4 Summary of Activity:
5 Detailed Operation of Code Analysis:
5.1 autorun.inf
5.2 usb_driver.com
5.2.1 Executable Configuration
5.2.2 Embedded file/URL
5.2.3 Embedded File/URL Configuration
5.2.4 Encryption
5.2.5 Strings
5.2.6 Virtual Environment Detection
5.2.7 Fake Message Box
5.2.8 Kill Process
5.2.9 Melt Stub
5.2.10 Firewall Exception
5.2.11 Dropping Files
6 Forensic Details:
Also listed in: Windows Malware Analysis Articles



Item name: Using Memory Breakpoints with your Loaders
Rating: 0.0 (0 votes)
Author: Shub-Nigurrath                        
Home URL: http://www.accessroot.com
Last updated:
Version (if appl.):
Direct D/L link: http://www.accessroot.com/arteam/site/files/video/Using_Memory_Breakpoints_by_Shub-Nigurrath_preview.pdf
Description: "This tutorial will discuss how memory breakpoints work and how to use them for your own loaders. It's an ideal prosecution of the already published Beginner's Tutorial #8 [1], where I already covered hardware and software breakpoints quite extensively (at beginner's level of course)."
Also listed in: Windows Internals Articles, Windows Tool Articles, Windows Unpacking Articles



Item name: Using OllyDbg as an API logger
Rating: 0.0 (0 votes)
Author: arebc                        
Home URL: http://www.woodmann.com/forum/showthread.php?13706-How-can-I-learn-to-make-an-auto-unpacking-script-for-programs-I-have-unpacked&p=86997&viewfull=1#post86997
Last updated: June 25, 2010
Version (if appl.):
Direct D/L link: N/A
Description: To use OllyDbg as an API logger: right click > Search for > All intermodular calls > right click on the calls > Set log breakpoint on every command > select the option to log the value of an expression on condition.
Also listed in: Windows Reversing Technique Tidbits, Windows Tool Tidbits



Item name: Virut.A Malware Analysis Paper
Rating: 0.0 (0 votes)
Author: Amr Thabet                        
Home URL: http://amrthabet.blogspot.com/
Last updated: September 3, 2010
Version (if appl.):
Direct D/L link: Locally archived copy
Description: Virut.A malware analysis paper with commented sources, plus the detection and disinfection of Virut using the Pokas x86 Emulator, available at:

http://sourceforge.net/projects/x86emu/files/
Also listed in: Windows Malware Analysis Articles



Item name: Writing a loader for an application packed with an unknown packer:
Rating: 0.0 (0 votes)
Author: Shub-Nigurrath                        
Home URL: http://www.accessroot.com
Last updated: September 2005
Version (if appl.):
Direct D/L link: http://www.accessroot.com/arteam/site/download.php?view.180
Description: "The question this tutorial tries to address is how to write a loader for an application which is packed with an unknown packer, what events to trace and how to proceed in order to faster get a working loader, able to patch the target."
Also listed in: Windows Internals Articles, Windows Unpacking Articles



Item name: X86/Win32 Reverse Engineering Cheat Sheet
Rating: 0.0 (0 votes)
Author: Nick Harbour                        
Home URL: http://www.rnicrosoft.com
Last updated: 2009
Version (if appl.):
Direct D/L link: http://www.rnicrosoft.net/docs/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf
Description: This cheat sheet actually covers some PE vocabulary, X86 registers and common ASM instructions as well as a stack description or assembler directives.

Nice to print and pin on your office wall.
Also listed in: Windows Internals Articles

