Reverse Engineering

Reverse engineering related posts

DGAs – Generating domains dynamically

A domain generation algorithm is a routine/program that generates a domain dynamically. Think of the following example: An actor registers the domain evil.com. The corresponding backdoor has this domain hardcoded into its code. Once the attacker infects a target with this malware, it will start contacting its C2 server. As soon as a security company

DGAs – Generating domains dynamically Read More »

UpnP – Messing up Security since years

UpnP is a set of networking protocols to permit network devices to discover each other’s presence on a network and establish services for various functionalities.Too lazy to port forward yourself ? Just enable UpnP to automatically establish working configurations with devices! Dynamic device configuration like this makes our life more comfortable for sure. Sadly it

UpnP – Messing up Security since years Read More »

Taming Virtual Machine Based Code Protection – 1

Overcoming obfuscation in binaries has always been an interesting topic for me, especially in combination with malware. Over the last weeks I’ve been playing around with Virtualised Code Protection in order to see how well I could handle it. I decided to download a simple crack-me challenge which is obfuscated with this technique. It takes

Taming Virtual Machine Based Code Protection – 1 Read More »

Examining Smokeloader’s Anti Hooking technique

Hooking is a technique to intercept function calls/messages or events passed between software, or in this case malware. The technique can be used for malicious, as well as defensive cases. Rootkits for example can hook API calls to make themselves invisible from analysis tools, while we as defenders can use hooking to gain more knowledge

Examining Smokeloader’s Anti Hooking technique Read More »

Reversing PebbleDash’s FakeTLS Protocol

So I was looking through the CISA’s recent publications regarding three tools named PebbleDash[1], Copperhedge[2] and Taintedscribe[3] which are believed to be used by the state-sponsored North Korean hacking group HiddenCobra/APT 38/Lazarus Group. I started off with PebbleDash, because there was a functionality mentioned in the report that caught my eye: I wanted to know

Reversing PebbleDash’s FakeTLS Protocol Read More »

Nanomites on Linux

Vendors as well as developers try to protect their product from reverse engineers for multiple reasons. On the one hand they want to protect their intellectual property, on the other hand they might just want to fend off blackhats from finding vulnerabilities in their software. In some cases, they will use one of many commercial

Nanomites on Linux Read More »

Scroll to Top