My Stuff

My Stuff

Made this site to display my learning. Check my blog for the Pratical Malware Analysis Reads

Practical Malware Analysis #2

1 minute read

Published:

pe file important header .text - instructions taht cpu executes all other sections store data generlly only section which can execute only section which has code .rdata - contains import and export information covers different types of sections ina pe file

Pages 20-30

The first five or so pages go over the PE header and some key information to be aware of, such as the different sections and certain values which can help with malware analysis. A good tool for view .rsrc section info is mentioned resource hacker.

  • Time Date Stamp IMAGE_FILE_HEADER - tells when the executable was compiled (can be easily manipulated)
  • Subsystem IMAGE_OPTIONAL_HEADER - will essentially tell us if the program is gui or console based
  • Section headers describe info about a pe files sections - the rarely change - easily identifiable if the program has been packed as these values can be different

Quick rundown of PE sections

  • .text - contains executable code (usually only executable section)
  • .rdata - read only data
  • .data - global data not just read only
  • .idata - sometimes present stores import info - if not present import info stored in .rdata
  • .edata - sometimes present and stores export info - if not present export info stored in .rdata
  • .pdata - x64 only stores exception handling info
  • .rsrc - resource info e.g. icon files
  • .reloc stores information needed for relocations

I will update this blog further soon once I've completed the first lab

You May Also Enjoy

Pratical Malware Analysis #1 Pages 1-20

4 minute read

Published:

What is covered

  • Pages 1-10 a brief into into different malware types (not covered too much here)
  • Pages 10-20 begining to understand malware and how to reverse it what tools to use etc

Red Teamers Dream Syswhispers

1 minute read

Published:

What are syscalls and what is syswhyspers

Syscalls are the userlands communication to the kernel to perform a specific task, it's a request from userland to the kernel api to perform the given action. In Windows syscalls use the native library (features stored inside ntdll.dll) to send a specific request code to the kernel, dependant on the action to perform. The issue with syscalls (not just limited to the windows os) is that they change between versions and updates, this makes them unreliable and a pain to use if you want scalability, which most programs (especially malware) do.

What is syswhispers

Syswhyspers2 aims to streamline this process via making the required syscall codes for different os versions available automatically, whereas syswhyspers og did not. Even better it utilises something they've called as random syscall jumps, which essentially bypasses hooks placed via AV / EDRs to grab the syscall stub before they are hooked. Usually, this can be achieved by loading a fresh copy of ntdll.dll from disk. This whole process can be ignoed if using hardcoded syscall values, but this defeats the point of using syswhyspers denying yourself the scalability of your malware, it will be limited to the versions specified.

First Blog

less than 1 minute read

Published:

First Test Post. Enjoy.