Entry-Point Redirection used in a keylogger

Introduction As I mentioned in a previous post, to expand my knowledge, I am working through the labs in the book Practical Malware Analysis by Michael Sikorski. In this post, I will demonstrate my findings in Lab 11-03, which illustrate entry-point redirection. Why would malware even want to use entry point redirection in the first…


Several methods malware can use to hide itself on Windows

Introduction Back in the day of Windows 95, 98, and (ugh) ME, I vividly remember getting malware on my machine a handful of times. Each time usually involved the computer slowing to a crawl, strange popups and error messages about files (usually DLLs) appearing, and just all-around obvious and suspicious…


x86 Assembly Returns Confusion

When analyzing assembly code, be sure to pay attention to a routine’s arguments when the return value is not apparent. For example, return values are often placed into eax, and eax is then manipulated or read within a few instructions after a function call, like this: Here we see that immediately after LoadLibraryA…


Status

Hi all, Just wanted to leave a quick update and let you know that I am currently working hard on some more training and research for malware and vulnerabilities. I am in the higher chapters of Practical Malware Analysis and am also studying fuzzing. I will be posting up some new content in the research…


WINAPI Ordinals

If you view a PE file’s function imports, you may sometimes come across a bunch of nondescript numbers like so: These are simply function ordinals, which are ID numbers to Windows API function calls… In this case, we’re looking at Ws2_32.dll which houses Winsock functions. So, in a nutshell, these are socket create/connect/send/receive calls which…


Benefits of Reverse Engineering for Programmers

In this post I will share some of the benefits that becoming a better reverse-engineer has had on my software development. Unfortunately, reverse-engineering, or so-called “reversing,” is occasionally associated with “cracking,” which is essentially criminal activity that violates a program’s license agreement and makes it do things it was not intended…


Tips for memorizing a new password

With all of these apps and devices everywhere, memorization isn’t quite as big of a thing as it used to be. That needs to change. In my previous Security Tips post, I mentioned that you should memorize all of the passwords you can, especially your most critical ones. However, I never gave any tips on…


The PortEx Optional Header – Setting Up Memory for Windows Programs

In this write-up, I’ll be presenting part of the Microsoft Windows Portable Executable’s (PE) Optional Header. Why? Because knowledge of the PE format is extremely important for a malware analyst and reverse engineer, plus they’re just plain fun to learn about. The PE headers are often corrupted and otherwise messed with by packers/compressors and other…


Public Wi-Fi

This should be a given, but in case it’s not, do not ever do any banking, purchasing, or other financial transactions on public wi-fi and/or large networks! Note that this is a security blog so when I tell you “do not ever,” I mean 99%+ of the time. If your child’s life depends on some…


Keeping you and your family safe from malware

Malware prevention can be a bit tricky because it requires knowledge which is not necessarily difficult to follow, but which may not yet be widely known. If you follow the advice below, you will greatly reduce your chances of contracting malware that leaks your data. Before listing the steps, we will have a brief…