#Petya #notpetya quick analysis

July 1, 2017

Creates a process from the temp directory which takes a pipe parameter:

Checks the drive and encrypts sectors:

Creates a scheduled task to shut down/reboot the system:

Uses the GetExtendedTcpTable API:

Drops PsExec as dllhost.dat in the Windows directory; it is embedded in resource #3 of the DLL:

Deletes system logs:

I did not have network access, so I couldn't generate the pcap for the SMB exploit.

Categories: Uncategorized

Debugging DLL with olly

June 28, 2017

[beginners only]

If you want to debug any DLL then don't use loaddll, which comes with Olly. Instead go to Olly menu -> Open -> rundll32.exe and give the DLL you want to debug as the parameter; also give the DLL's own parameters, if any.


[vmware installation issue] unable to generate ssl keys

February 23, 2017

When trying to install VMware, if you get an error like an empty message box, then check the VMware install log file in your %temp% directory. If you see the error message "unable to generate ssl keys", it means that you have another version of OpenSSL installed somewhere on your local system. You need to rename or remove it for the VMware install to work correctly.

So simply rename the existing OpenSSL file or remove it, and then run the VMware installation again.


running vlc in debug mode

January 31, 2017

vlc --extraintf=http:logger --verbose=2 --file-logging --logfile=vlc-log.txt


Control Flow Guard – win10_64bit

January 16, 2017

I downloaded the sample programs from https://blog.trailofbits.com/2016/12/27/lets-talk-about-cfi-microsoft-edition/ and decided to look at them with WinDbg. Following are my observations on cfg_guard_ignore.exe, which you get by compiling cfg_guard_ignore.cpp.

  1. On load, ntdll!LdrSystemDllInitBlock has the following structure:


LdrSystemDllInitBlock+60 holds the address of the CFG bitmap and LdrSystemDllInitBlock+68 holds its size.

2. Following is the memory:


3. More on memory:


Doing x cfg_guard_ignore!safe_calls gives the address of the function, which is 0x013d2ac0 as shown in the above picture; dropping the last two hex digits (the low byte) gives 0x013d2a.

Multiplying 0x013d2a by 4 and adding it to the base address of the CFG bitmap gives 00000004, which is the entry in the bitmap. On calling this function, or an address inside this function, a value is calculated, and if it does not equal 4 then the call is aborted; otherwise execution continues as normal.
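The lookup described above, as an added example that is not the post's code: a small C model of the x86 CFG bitmap and of the check LdrpValidateUserCallTarget makes, run against a constructed bitmap with the safe_calls address from the post. The bit-selection rule (two bits per 16-byte chunk, odd bit for unaligned targets) is taken from the 32-bit ntdll disassembly and is an assumption here, not something the post shows.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the CFG bitmap that LdrSystemDllInitBlock+60 points
 * to. One 32-bit entry covers a 256-byte page of address space; inside it each
 * 16-byte chunk owns 2 bits: the even bit marks an aligned valid target, the
 * odd bit an unaligned one. Sized to cover the 0x013dxxxx addresses in the post. */
#define BITMAP_ENTRIES 0x20000u
static uint32_t cfg_bitmap[BITMAP_ENTRIES];

/* Entry index: drop the low byte (the 0x013d2ac0 -> 0x013d2a step above);
 * times four is the byte offset from the bitmap base. */
static uint32_t cfg_index(uint32_t target) { return target >> 8; }

/* Bit inside that entry, as the x86 LdrpValidateUserCallTarget selects it:
 * (target >> 3) & 0x1f, with the low bit forced on when the target is not
 * 16-byte aligned (assumed from the ntdll disassembly). */
static uint32_t cfg_bit(uint32_t target) {
    uint32_t bit = (target >> 3) & 0x1f;
    if (target & 0xf) bit |= 1;
    return bit;
}

/* What the loader does for every entry of __guard_fids_table. */
void cfg_mark_valid(uint32_t target) {
    if (cfg_index(target) < BITMAP_ENTRIES)
        cfg_bitmap[cfg_index(target)] |= 1u << cfg_bit(target);
}

/* The check made before an indirect call: 'bt' on the entry. A clear bit is
 * the path that ends in int 29h (fail fast). */
bool cfg_target_valid(uint32_t target) {
    if (cfg_index(target) >= BITMAP_ENTRIES) return false;
    return (cfg_bitmap[cfg_index(target)] >> cfg_bit(target)) & 1u;
}
void cfg_reset(void) { memset(cfg_bitmap, 0, sizeof cfg_bitmap); }

int main(void) {
    const uint32_t safe_calls = 0x013d2ac0; /* address of safe_calls from the post */
    cfg_reset();
    cfg_mark_valid(safe_calls); /* only the function entry is a valid target */
    printf("index=%#x bit=%u entry=%#010x\n", cfg_index(safe_calls),
           cfg_bit(safe_calls), cfg_bitmap[cfg_index(safe_calls)]);
    printf("call to entry:      %s\n", cfg_target_valid(safe_calls) ? "allowed" : "int 29h");
    printf("call to entry+0x10: %s\n", cfg_target_valid(safe_calls + 0x10) ? "allowed" : "int 29h");
    return 0;
}
```

Note that the model only covers the 32-bit layout; the x64 build of ntdll indexes the bitmap with 64-bit entries and a different shift.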


Now if we run the exe, it takes one argument, 0 or 1. If we pass 1 then the CFG check will not be enforced, but if we pass 0 then CFG comes into the picture. Following are some live debugging screenshots with argument 0:

  1. cfg_guard_ignore!_load_config_used+48 gives details on the function pointer used to call the validate function, which calculates the above-mentioned value that is then compared with the bitmap.
  2. cfg_guard_ignore!__guard_fids_table holds all the valid address offsets, as shown in the above pic.
  3. Below is where guard_check_icall_ptr is called, which holds the address of the LdrpValidateUserCallTarget API:
  4. call_validateusercalltarget

5. Following is when we step into the API:



Following is how the value is calculated:



If the bt result is 0 then control jumps and we get int 29h:


I will try to write a detailed blog on the algorithm used to calculate the value and how it searches the bitmap.


This is a quick post and so might have certain errors.


compiling and testing openssl

December 25, 2016

Use the -g switch to compile a debug build. Also use --openssldir=/usr/local to install it into a local dir. In some cases you need to create symbolic links to libssl.so and libcrypto.so in /usr/lib.

run the openssl server:

openssl s_server -cert cert.pem -key key.pem -www -tls1_2 -accept 4433

connect with the openssl client:

openssl s_client -connect localhost:4433


Get RVA for offset in exe

October 21, 2016

If you want to know where a particular sequence of bytes will be loaded in memory at run time and you only have its offset from position 0 in the exe file, then use the following:

  1. Open the exe and check the section table.
  2. Check which section this offset belongs to.
  3. Load the exe and get the base address.
  4. You can calculate the address as below:
    1. RVA = offset in exe - raw address of the section + virtual address of the section + base address of the exe