As a reverse engineer, every now and then you encounter a situation where you dive deeper into the internal structures of an operating system as usual. Be it out of simple curiosity, or because you need to understand how a binary uses specific parts of the operating system in certain ways . One of the […]
PEB: Where Magic Is Stored Read More »
You probably already guessed it from the title’s name, API Hashing is used to obfuscate a binary in order to hide API names from static analysis tools, hindering a reverse engineer to understand the malware’s functionality. A first approach to get an idea of an executable’s functionalities is to more or less dive through the
Deobfuscating DanaBot’s API Hashing Read More »
Overcoming obfuscation in binaries has always been an interesting topic for me, especially in combination with malware. Over the last weeks I’ve been playing around with Virtualised Code Protection in order to see how well I could handle it. I decided to download a simple crack-me challenge which is obfuscated with this technique. It takes
Taming Virtual Machine Based Code Protection – 1 Read More »
So I was looking through the CISA’s recent publications regarding three tools named PebbleDash[1], Copperhedge[2] and Taintedscribe[3] which are believed to be used by the state-sponsored North Korean hacking group HiddenCobra/APT 38/Lazarus Group. I started off with PebbleDash, because there was a functionality mentioned in the report that caught my eye: I wanted to know
Reversing PebbleDash’s FakeTLS Protocol Read More »
Intro I hope everyone is healthy :-). I finally managed to find some time to continue my analysis of QBot. If you did not read my previous articles, I’ve already covered the packer[1] as well as the string decryption algorithm[2]. I’ve linked them both here. In this blog post I will cover the process execution
An old enemy – Diving into QBot part 2 Read More »
In the last part of this blog article series I took an in-depth look at the packer of a QBot sample and unpacked it. This blog post is mostly about cracking the string encryption of the mentioned sample. I am also using the Triton DBA Framework[0] for assisting my analysis, because I really wanted to
Diving into Qbot part 1.5 – Cracking string encryption Read More »