Author: <span class="vcard">todd</span>

Privacy – The problem and the solution

Introduction You may or may not know that privacy as we’ve known it is currently under an attack bigger than any the human race has ever seen before, other than perhaps the great flood. Companies like Facebook, Google, Microsoft, and most modern tech companies are recording as much about you as possible. Why? Because it…


The Ultimate List of Services which Respect your Privacy

Herein is a list of services which make an effort to respect privacy and do not sell your data. This list is starting out small and will continue to grow as I receive suggestions and find time to locate more services as well. I will not be posting services that I have not personally checked…


Hiding from disassembly analysis

There are several patterns that I’ve picked up on in which malware authors try to hide function calls, a large one being by using other function calls. To analysts who are experienced with the operating system’s API and system calls, this is not a big deal, but to those who are not, they are effective…


PortEx Analyzer

I wanted to mention a tool that I’ve found very helpful in analyzing Portable Executable (PE) files: PortEx Analyzer by Karsten Hahn. Actually, the first very noticeable difference between this program and so many others is the level of documentation. PortEx Analyzer is fully documented by Hahn and has a thorough readme and wiki as…


Inline Hook of a System Call via AppInit_DLLs Part 2– The Hook

For an introduction, please refer to Part 1 of this analysis. The Installer Still inside the same Lab11-02.dll as before, we can return back to DllMain and locate one more subroutine call, which takes us to the hook code, but this is incomplete knowledge since we haven’t yet seen how the hook even gets installed…


Inline Hook of a System Call via AppInit_DLLs Part 1 – Decryption of XOR Cipher

  Introduction This will be a 2 part post. In part 1 I will demonstrate deciphering a simple XOR encryption used in Lab 11-02 of Practical Malware Analysis by Sikowski. This lab also demonstrates a technique called inline hooking, where malware installs itself onto the system as a code library file (DLL) and then redirects…


Entry-Point Redirection used in a keylogger

Introduction As I mentioned in a previous post, to expand my knowledge, I am working through the labs in the book Practical Malware Analysis by Michael Sikorski. In this post, I will demonstrate my findings in Lab 11-03, which illustrate entry-point redirection. Why would malware even want to use entry point redirection in the first…


Several methods malware can hide itself on Windows

Introduction Back in the day of Windows 95, 98, and (ugh) ME, I vividly remember getting malware on my machine a handful of times. Each time usually involved the computer slowing down to a crawl, strange popup and error messages about files coming up which were usually DLLs, and just all around obvious and suspicious…


x86 Assembly Returns Confusion

When analyzing assembly code, be sure to pay attention to a routine’s arguments when the return is not apparent. For example, many times, returns are placed into eax and then eax is subsequently manipulated or read within a few instructions after a function call like this for example: Here we see that immediately after LoadLibraryA…


Status

Hi all, Just wanted to leave a quick update and let you know that I am currently working hard on some more training and research for malware and vulnerabilities. I am in the higher chapters of Practical Malware Analysis and am also studying fuzzing. I will be posting up some new content in the research…