sircanist / Malware-analysis-and-Reverse-engineering

Some of my publicly available Malware analysis and Reverse engineering.

Malware-analysis-and-Reverse-engineering

Some of my publicly available Malware analysis and Reverse engineering. (Reports, tips, tricks...)


[Reverse engineering KPOT v2.0 Stealer]

[Debugging MBR - IDA + Bochs Emulator (CTF example)]

[TLS decryption in Wireshark]

[Ryuk Ransomware - API Resolving and Imports reconstruction]

[Formbook Reversing]

[Reversing encoded shellcode]

[WINDBG Kernel&User Mode Debugging (EPROCESS, ETHREAD, TEB, PEB...)]

[Cutter 2.0 - Introduction of new features (Reverse Debugging...)]

[Tracing C function fopen]

Tracing C function fopen [Part1] - IDA Free User-Mode Walk-Through tracing to NTApi
Tracing C function fopen [Part2] - Windbg Kernel Debugging - Walk-Through User-Mode to Kernel Executive Subsystem

[Visible vs Hidden vs VeryHidden Sheet - Excel Binary File Format (.xls)]

[Exploiting CVE-2019-0708 (BlueKeep) using Metasploit (Manual settings GROOMBASE + GROOMSIZE)]

[Abusing External Resource References MSOffice]

Abusing External Resource References MSOffice [part1] - TEMPLATE_INJECTION
Abusing External Resource References MSOffice [part2] - OLEOBJECT_INJECTION

[Real-Time Solving CyberDefenders "DumpMe" MemoryForensics Challenge in 1 hour]

[Volatility3 Output Formatting Trick in PS]

[Advanced Memory Forensics (Windows) - Threat_Hunting and Initial Malware_Analysis]

[LokiBot Analyzing]

[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite
[3] Lokibot analyzing - Reversing, API Hashing, decoding

[Fast API resolving of REvil Ransomware related to Kaseya attack]

[Dancing with COM - Deep dive into understanding Component Object Model]

What COM is and what it does, COM in the Registry (tools: COM viewers), COM client/server (using a PowerShell/.NET COM client), reversing COM instances and methods in IDA (structures, types, ComIDA plugin), and an interesting use of a COM method in a LokiBot malware sample

[HiveNightmare - Bug in ACLs of Registry Hives]

[Finding a Vulnerability in a PE parsing tool - NEVER trust a tool you didn't write yourself]

[Reversing a binary (Malware sample) that uses a statically imported OpenSource library]

Some notes, tips and tricks for reversing a malware sample that statically links an open-source library

[Reversing CryptoCrazy Ransomware - PoC Decryptor and some Tricks]

This video is a guide to reversing the ransomware and writing a PoC decryptor in Python. In the last part of the video I also cover another trick: how to dynamically invoke only the decryption routine of this ransomware directly from PowerShell and get all files decrypted.

[Powershell and DnSpy tricks in .NET reversing – AgentTesla]

[So you Really think you Know What Powershell Is ???]

Managed code vs. unmanaged code, and the difficulties each causes during reversing and debugging.
One nice example is PowerShell itself.

[Full malware analysis Work-Flow of AgentTesla Malware]

[Deobfuscation SmartAssembly 8+ and recreating Original Module SAE+DnSpy]

The video covers deobfuscation of the latest SmartAssembly 8+ (a commercial obfuscator for .NET) using SAE (Simple-Assembly-Explorer) and recreating the original module using DnSpy. [Samples Download]

[Advanced DnSpy tricks in .NET reversing - Tracing, Breaking, dealing with VMProtect]

[NightSky Ransomware – just a Rook RW fork in VMProtect suit]

[IDAPro Reversing Delphi MBR Wiper and Infected Bootstrap Code]

Sample, my prepared annotated IDA IDB, Bochs image: [Download-Pass:infected]
