sam. 22 février 2020

Ursnif: analyse du loader (partie 2)

Cet article fait suite à mon précédent article, et concernera l'analyse du dernier binaire extrait. Ce fichier se présente (encore) sous la forme d'une DLL. La DLL fait ses initialisations habituelles (création d'un objet Event pour notifier le bot lorsque la DLL est en train d'être déchargée, détection de la version de Windows et ouverture d'un handle sur son propre process).

Category: Reverse-engineering - Tags: Malware Ursnif
dim. 26 janvier 2020

Ursnif: analyse du loader

Après une période de hiatus encore plus longue que ceux de l'auteur de Hunter x Hunter, je me décide enfin à rescussiter mon blog (et mon dépôt). Cet article (ainsi que les suivants) redeviendront en français

Entrons directement dans le vif du sujet, c'est-à-dire l'analyse du bot Ursnif, en particulier du loader dans ce premier article. Le sample étudié est disponible sur, s'appelle "osdjhbfowjndbherfvo.bin" (et hash 1da2adf65ab9d928cf4996a4151b0de2a5649d7454556f2c3ab81322d14213a4).

Category: Reverse-engineering - Tags: Malware Ursnif
sam. 16 avril 2016

Breaking Cerber strings obfuscation with Python and radare2

Finally after almost two years of inactivity, I finally motivated myself and decided a new article on this blog ! In this article, I'll show how to use radare2 and especially its Python bindings to write a little tool able to decode a large part of Cerber ransomware encrypted strings, thanks …

Category: Reverse-engineering - Tags: Malware Ransomware Cerber
mer. 11 décembre 2013

Hiding code in ELF binary

Since I'm contributing to the radare2, I'm learning on how a disassembler works, and especially how ELF files are handled by disassemblers. I saw that almost (even every ?) disassemblers rely on ELF section headers (generally located at the end of the file), which has never used in reality (by Linux kernel or glibc) because ELF's mapping in memory is given by program header (another ELF structure, which I described in my article about ELF packer

So, we can easily hide code from disassemblers by manipulating virtual address fields of the ".text" section structure. I'll use an hexadecimal editor and the latest git revision of radare2 (which fixes a bug related to virtual address calculation in ELF binary), so I recommend you to have those tools installed of your computer to continue the reading of this article.

Category: Hacking - Tags: radare2 C ELF
ven. 17 mai 2013

Making ELF packer for fun and chocapicz (part 2)

As promised, here is the second article about my ELF packer.
Here, I'll talk about dynamically-linked ELF (i.e. which has dependencies to ".so" modules), which is more tricky than the "basic" packer I showed before. The code is still NASM, and still under 32bit (feel free to rewrite the code to support 64-bit architecture ;))

Category: Hacking - Tags: Packer ELF C assembler

« Page 2 / 6 »