Posts

Memory Forensics : Tracking Process Injection

This post describes the process-memory internals that let us track process injection. The example used below is the recent Brazil malspam (hxxp://malware-traffic-analysis.net/2017/07/07/index.html), which injects the DLL fltLib.dll into notepad.exe. Attach a kernel debugger to the infected machine and retrieve information about the notepad.exe Process object. The Process object is represented by the EPROCESS structure. The VAD (Virtual Address Descriptor) tree is a member of EPROCESS and describes the layout of the process's memory segments. VADs record the names of memory-mapped files, the total number of pages in the region, the initial protection (read, write, execute), and several other flags that tell you a lot about what type of data a region contains. The VAD tree is a self-balancing (AVL) binary tree in which each node represents one range of process virtual memory; each node has a left and a right child. A node is represented by the MMADDRESS_NODE struct...
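As an added example (not code from the post), the following Python walks a small, hand-built VAD tree the way a forensic tool does and flags the two shapes injection leaves behind: executable memory that is private (no file behind it) and an image mapped from an unexpected path. The node layout, the trusted-directory list and the sample tree are this example's assumptions; the tree is constructed, not taken from the post's memory image.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional

PAGE_SIZE = 0x1000

# Windows protection constants (winnt.h).  On a real _MMVAD the u.VadFlags.Protection
# field is a 5-bit index into nt!MmProtectToValue (index 6 -> PAGE_EXECUTE_READWRITE);
# the decoded constants are used here, as Volatility's vadinfo would print them.
PAGE_READWRITE, PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x04, 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# Where a legitimately loaded image is expected to live (an assumption made for
# this example; adapt to the environment under examination).
TRUSTED_IMAGE_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\", "\\program files\\")


@dataclass
class VadNode:
    """One range of process virtual memory (one MMADDRESS_NODE / _MMVAD)."""
    starting_vpn: int                # first virtual page number of the range
    ending_vpn: int                  # last virtual page number, inclusive
    protection: int                  # initial protection, PAGE_* constant
    private: bool                    # True: private memory; False: mapped file/image
    file_name: Optional[str] = None  # path of the mapped file, if any
    left: Optional["VadNode"] = None
    right: Optional["VadNode"] = None

    @property
    def start(self) -> int:
        return self.starting_vpn * PAGE_SIZE

    @property
    def size(self) -> int:
        return (self.ending_vpn - self.starting_vpn + 1) * PAGE_SIZE


def insert(root: Optional[VadNode], node: VadNode) -> VadNode:
    """Binary-search-tree insert keyed on StartingVpn (VAD ranges never overlap)."""
    if root is None:
        return node
    if node.starting_vpn < root.starting_vpn:
        root.left = insert(root.left, node)
    else:
        root.right = insert(root.right, node)
    return root


def walk(root: Optional[VadNode]) -> Iterator[VadNode]:
    """In-order traversal: yields every VAD in ascending address order."""
    if root is None:
        return
    yield from walk(root.left)
    yield root
    yield from walk(root.right)


def is_suspicious(vad: VadNode) -> Optional[str]:
    """Return why a range looks like injected code, or None if it looks benign."""
    if vad.protection not in EXECUTABLE:
        return None
    if vad.private:
        # Executable memory with no file behind it: shellcode or a manually mapped
        # PE (the heuristic Volatility's malfind applies).
        return "private executable region (protection 0x%02x)" % vad.protection
    if not any(d in (vad.file_name or "").lower() for d in TRUSTED_IMAGE_DIRS):
        # An image mapped from an unexpected location, e.g. a DLL dropped to %TEMP%
        # and loaded into the target with LoadLibrary.
        return "image mapped from untrusted path"
    return None


def scan(root: Optional[VadNode]) -> List[str]:
    """Walk the whole tree and describe every suspicious range."""
    findings = []
    for vad in walk(root):
        reason = is_suspicious(vad)
        if reason:
            findings.append("0x%08x-0x%08x %-48s %s" % (
                vad.start, vad.start + vad.size - 1, vad.file_name or "<private>", reason))
    return findings


def build_sample_tree() -> VadNode:
    """Constructed VAD tree for a notepad.exe-like process (not real image data)."""
    nodes = [
        VadNode(0x00400, 0x00423, PAGE_EXECUTE_WRITECOPY, False, "\\Windows\\System32\\notepad.exe"),
        VadNode(0x77000, 0x7713f, PAGE_EXECUTE_WRITECOPY, False, "\\Windows\\System32\\ntdll.dll"),
        VadNode(0x00200, 0x0020f, PAGE_READWRITE, True),           # heap: RW, benign
        VadNode(0x00300, 0x0030f, PAGE_EXECUTE_READWRITE, True),   # RWX private: shellcode
        VadNode(0x10000, 0x1001f, PAGE_EXECUTE_WRITECOPY, False, "\\Users\\victim\\AppData\\Local\\Temp\\fltLib.dll"),
    ]
    root = None
    for n in nodes:
        root = insert(root, n)
    return root


if __name__ == "__main__":
    for line in scan(build_sample_tree()):
        print(line)
```

On a real image the same walk is what Volatility's vadinfo and malfind do over the parsed MMVAD structures; the only difference is that they decode the Protection index and read the file name from the VAD's control area instead of a constructed field.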

PaloAlto CTF 2017 : Binary Challenge 2

The challenge computes the flag from the time received from the NIST Internet Time Servers and then sends the computed flag to the "labytime.com" server for verification. Before the flag is formed from the received time, the 2nd digit of the seconds field is set to 0. We have 10 seconds to send the computed flag to the "labytime.com" server to get the correct flag. I re-implemented the logic in Python to calculate the flag, send it to "labytime.com" and read the response containing the flag. Below is the Python implementation:

    from rotate import __ROR__
    import hashlib
    import socket
    import requests

    c = [0x0C,0x74,0x0C,0x74,0x8D,0x39,0x39,0xED,0x35,0x5D,0x41,0x91,0x39,0x0D,0x15,0x45,0x8D,0x41,0x1D,0x81,0x1D,0x39,0x35,0x31,0x15,0xD9,0x35,0xDD,0x45,0x0C,0x74,0x0C,0x74,0x0C]
    ror_n = len(c) & 7
    decode_str = ''
    for i in range(0,len(c)):
        v = __ROR__((c[i]),2) & 0xFF
        #print hex(v)
        v = (v ^ len(c))& 0xF...
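Two building blocks of that script, as an added example rather than the post's own code: a plain 8-bit rotate-right to stand in for the non-standard rotate.__ROR__ import, and the time step that makes a computed flag valid for a ten-second window. It assumes the time is handled as an "HH:MM:SS" string and reads "2nd digit of seconds" as the ones digit; the rest of the flag derivation is not reproduced here.

```python
def ror8(value: int, count: int) -> int:
    """Rotate an 8-bit value right by `count` bits (stand-in for rotate.__ROR__)."""
    count &= 7
    value &= 0xFF
    return ((value >> count) | (value << (8 - count))) & 0xFF


def rotate_bytes(data, count: int):
    """Apply ror8 to every byte: the first step of the decode loop in the script."""
    return [ror8(b, count) for b in data]


def bucket_seconds(hhmmss: str) -> str:
    """Zero the last digit of the seconds field, e.g. 12:34:56 -> 12:34:50.

    Assumption for this example: the time is an "HH:MM:SS" string.  Every
    time within the same ten-second bucket yields the same flag.
    """
    hh, mm, ss = hhmmss.split(":")
    if len(ss) != 2 or not ss.isdigit():
        raise ValueError("seconds must be two digits: %r" % ss)
    return "%s:%s:%s0" % (hh, mm, ss[0])


def seconds_remaining(hhmmss: str) -> int:
    """How long a flag computed from this time stays valid (1..10 seconds)."""
    ones = int(hhmmss.split(":")[2][1])
    return 10 - ones


if __name__ == "__main__":
    now = "12:34:56"
    print(bucket_seconds(now), "valid for", seconds_remaining(now), "more seconds")
    print([hex(b) for b in rotate_bytes([0x0C, 0x74, 0x8D], 2)])
```

The window is why the script has to compute and submit in one go: a flag derived at HH:MM:59 is rejected one second later, so fetch the time, bucket it, and send immediately.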

Google CTF 2017 : Android RE Challenge

The challenge consisted of three parts. 1. An Android application loads a native library (ARM or x86, depending on the platform). 2. The native library drops a dex file and dynamically loads it. 3. The native library modifies bytes (in memory) of the dex file loaded in step 2. 1. Android application loading the native library. Decompiling food.apk with JADX (a Dex-to-Java decompiler) and looking at AndroidManifest.xml, we see the activity is implemented in the FoodActivity class. FoodActivity only loads the native library cook. The argument to System.loadLibrary is a library name chosen arbitrarily by the programmer; the system follows a standard, but platform-specific, approach to convert that name to the native library's file name. For example, a Solaris system converts the name cook to libcook.so, while a Win32 system converts the same name to cook.dll. 2. Attaching to libcook.so. We will use IDA Pro. Refer to http://www.hexblog.com/?p=809 for how to attach to nati...

Virtual Machine Detection Techniques

This post covers techniques that can be used to detect a virtualized environment. Sample analyzed: hxxps://virustotal.com/en/file/46686679e58fe4767e6796ddb27f31f3a46e4310abb6cf51b031a0181ba08ddf/analysis/ 1. VMware backdoor. This technique uses a special I/O port to send a command and read its result. In the VMware command-execution code shown above, the VMware I/O port is 'VX' (5658h) and the command number is 0x0A (get VMware version). The VMware version is returned in register EAX, as shown below. More about the VM backdoor port: https://sites.google.com/site/chitchatvmback/backdoor 2. VPCEXT. The VPCEXT instruction is used to detect the presence of Virtual PC. If the opcode 0F 3F b1 b2 is executed outside Virtual PC, an illegal-instruction exception is raised; otherwise the return value in the EBX register is checked, and a value of 0 means Virtual PC was detected. 3. DMIDECODE. The dmidecode utility is a tool for dumping a computer's DMI (some say SMBIOS) table contents in a...
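The third technique is the one that can be shown portably, so here, as an added example that is not part of the post, is a parser for dmidecode's text output that pulls the identity records (BIOS, System, Base Board, Chassis) and matches them against the manufacturer and product strings common hypervisors expose by default. The signature table is this example's own, non-exhaustive choice, and both dmidecode transcripts are constructed rather than captured from the analyzed sample or any real host; the first two techniques need ring-level I/O or a specific opcode and are not reproduced.

```python
import re
from typing import Dict, List

# Manufacturer / product / BIOS strings that common hypervisors expose in the DMI
# tables by default.  Non-exhaustive and chosen for this example, not taken from
# the post.  Vendor-only strings that physical hardware also uses (for example
# "Microsoft Corporation" on Surface devices) are deliberately left out.
HYPERVISOR_SIGNATURES = {
    "VMware":     ("VMware",),
    "VirtualBox": ("innotek GmbH", "VirtualBox"),
    "QEMU/KVM":   ("QEMU", "SeaBIOS"),
    "Hyper-V":    ("Virtual Machine",),
    "Xen":        ("HVM domU", "Xen"),
    "Parallels":  ("Parallels",),
}
# DMI record types that carry identity strings: 0 BIOS, 1 System, 2 Base Board, 3 Chassis.
IDENTITY_TYPES = {0, 1, 2, 3}


def parse_dmidecode(text: str) -> List[Dict[str, str]]:
    """Split dmidecode's text output into records of {field: value}.

    Each record starts with "Handle 0xNNNN, DMI type T, N bytes", followed by the
    record name and tab-indented "Key: value" lines; a blank line ends the record.
    """
    records: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"Handle 0x[0-9A-Fa-f]+, DMI type (\d+)", line)
        if m:
            current = {"type": m.group(1)}
            records.append(current)
        elif not line:
            current = None
        elif current is None:
            continue                      # banner lines before the first record
        elif not line.startswith("\t"):
            current.setdefault("name", line.strip())
        elif ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return records


def detect_hypervisor(records: List[Dict[str, str]]) -> List[str]:
    """Return the hypervisors whose signature strings appear in identity records."""
    values = [v for r in records if int(r["type"]) in IDENTITY_TYPES
              for k, v in r.items() if k not in ("type", "name")]
    haystack = " | ".join(values).lower()
    return [name for name, tokens in HYPERVISOR_SIGNATURES.items()
            if any(re.search(r"\b%s\b" % re.escape(t.lower()), haystack) for t in tokens)]


# Constructed samples in dmidecode's output format (not captured from a real host).
VMWARE_SAMPLE = """\
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 2.7 present.

Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
\tVendor: Phoenix Technologies LTD
\tVersion: 6.00
\tRelease Date: 12/12/2018

Handle 0x0001, DMI type 1, 27 bytes
System Information
\tManufacturer: VMware, Inc.
\tProduct Name: VMware Virtual Platform
\tVersion: None
\tSerial Number: VMware-56 4d 01 02 03 04 05 06-07 08 09 0a 0b 0c 0d 0e
\tWake-up Type: Power Switch
"""

PHYSICAL_SAMPLE = """\
# dmidecode 3.2
SMBIOS 3.1 present.

Handle 0x0000, DMI type 0, 26 bytes
BIOS Information
\tVendor: Dell Inc.
\tVersion: 1.14.0

Handle 0x0001, DMI type 1, 27 bytes
System Information
\tManufacturer: Dell Inc.
\tProduct Name: Latitude 7490
\tVersion: Not Specified
"""

if __name__ == "__main__":
    for label, sample in (("vmware", VMWARE_SAMPLE), ("physical", PHYSICAL_SAMPLE)):
        print(label, detect_hypervisor(parse_dmidecode(sample)) or ["none"])
```

Malware reading the same tables from inside the guest gets the same answer, which is why sandbox operators patch the SMBIOS strings; when evaluating a sandbox, run the check against its real dmidecode output rather than the constructed samples above.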