Inline Hook of a System Call via AppInit_DLLs Part 1 – Decryption of XOR Cipher

Introduction: This will be a two-part post. In part 1 I will demonstrate deciphering a simple XOR encryption used in Lab 11-02 of Practical Malware Analysis by Sikorski. This lab also demonstrates a technique called inline hooking, where malware installs itself onto the system as a code library file (DLL) and then redirects…


Entry-Point Redirection used in a keylogger

Introduction: As I mentioned in a previous post, to expand my knowledge, I am working through the labs in the book Practical Malware Analysis by Michael Sikorski. In this post, I will demonstrate my findings in Lab 11-03, which illustrates entry-point redirection. Why would malware even want to use entry point redirection in the first…


Several methods malware can hide itself on Windows

Introduction: Back in the days of Windows 95, 98, and (ugh) ME, I vividly remember getting malware on my machine a handful of times. Each time usually involved the computer slowing down to a crawl, strange popup and error messages coming up about files (usually DLLs), and just all around obvious and suspicious…


x86 Assembly Returns Confusion

When analyzing assembly code, be sure to pay attention to a routine’s arguments when the return value is not apparent. For example, many times the return value is placed in eax and then eax is manipulated or read within a few instructions after the function call, like this, for example: Here we see that immediately after LoadLibraryA…


WINAPI Ordinals

If you view a PE file’s function imports, you may sometimes come across a bunch of nondescript numbers like so: These are simply function ordinals, which are ID numbers for Windows API functions… In this case, we’re looking at Ws2_32.dll, which houses Winsock functions. So, in a nutshell, these are socket create/connect/send/receive calls which…


The PortEx Optional Header – Setting Up Memory for Windows Programs

In this write-up, I’ll be presenting part of the Microsoft Windows Portable Executable’s (PE) Optional Header. Why? Because knowledge of the PE format is extremely important for a malware analyst and reverse engineer, plus they’re just plain fun to learn about. The PE headers are often corrupted and otherwise messed with by packers/compressors and other…


Linked-List Demo via GetAdaptersInfo()

The linked list is perhaps the most widely known and most often taught data structure for newbie coders. However, like many other newbie lessons in software, it is often taught completely out of context… i.e.: struct LL_node{ int some_data; struct LL_node *next_node; }; or, of course, in a doubly-linked list we have a previous_node pointer as well. But…


Init

Hello. My name is Todd and I’d like to welcome you to Todd Cullum Research. In this blog, I will be posting my software-related research and development. If you would like to learn more about who I am, feel free to visit the About section. I hope you enjoy your time here and find the…