The attached document has some good points to check while servicing your car: Car checklist
If you have only one network adapter and you are connected to a VPN, you cannot access the local network. This is a problem if your internet connection requires constant keep-alive messages to be sent to the gateway: while you are connected to the VPN the keep-alive messages will not go through, your internet connection will time out, and that in turn disconnects your VPN too.
I faced a similar problem when I decided to use a local internet provider that used the “24online” or Cyberoam client.
I found a dirty hack: install VMware or VirtualBox, create one VM image, log in to your internet provider from that VM image, and connect to the VPN from your host machine.
From the VM you can access the local networks, and it won't disconnect your internet connection, which is needed for the VPN to keep working.
So this solved a big issue for me.
Why would you store an RC4 key inside a Flash file? :-p
It makes our job easy!
If you do exploit analysis you will have noticed that many SWF objects are compressed using the deflate algorithm.
If you want to decompress one, you can simply use SWF Investigator -> Utilities -> Binary Editor, which gives you the option to deflate:
Hope it helps.
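The same decompression can be scripted. The following is an added example written for this post, not SWF Investigator's code: it reads the 8-byte SWF header, inflates a "CWS" (zlib) container back into an "FWS" file, and checks the declared length against what actually came out, which is a quick tell for truncated or deliberately malformed samples. The sample SWF it operates on is constructed inline (a placeholder body, not a real Flash movie).

```python
import struct
import zlib

# Constructed sample: placeholder bytes standing in for the fields that follow
# the header in a real file (RECT, frame rate, frame count, tags), wrapped in a
# CWS (zlib-compressed) container exactly as Flash Player expects it.
SWF_VERSION = 10
SAMPLE_BODY = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 40
SAMPLE_CWS = (b"CWS" + bytes([SWF_VERSION])
              + struct.pack("<I", 8 + len(SAMPLE_BODY))   # length of the *uncompressed* file
              + zlib.compress(SAMPLE_BODY))


def decompress_swf(data: bytes) -> bytes:
    """Return an uncompressed (FWS) copy of a CWS SWF.

    SWF header layout: 3-byte signature ("FWS" plain, "CWS" zlib, "ZWS" LZMA),
    1-byte version, 4-byte little-endian length of the uncompressed file.
    For CWS only the bytes after this 8-byte header are compressed.
    """
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        return data                      # already uncompressed, nothing to do
    if sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS): needs lzma, not zlib")
    if sig != b"CWS":
        raise ValueError("not a SWF: bad signature %r" % sig)
    # decompressobj() stops at the end of the zlib stream and tolerates trailing
    # bytes after it, which packed samples sometimes carry; zlib.decompress()
    # would raise on that trailing data.
    body = zlib.decompressobj().decompress(data[8:])
    out = b"FWS" + bytes([version]) + data[4:8] + body
    # The header length must match the real size; a mismatch means the sample
    # was truncated or the header was tampered with.
    if len(out) != declared_len:
        raise ValueError("length mismatch: header says %d, got %d"
                         % (declared_len, len(out)))
    return out


if __name__ == "__main__":
    fws = decompress_swf(SAMPLE_CWS)
    print("signature %s, version %d, %d bytes" % (fws[:3].decode(), fws[3], len(fws)))
```

Write the returned bytes to a .swf file and any SWF tool that only understands uncompressed input can read it.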
Very often I need to analyse malware samples and 0-day exploits for which I have no prior information, so I generally put breakpoints on the following APIs for dynamic analysis:
Most of the time the shellcode does one of the following:
1. Creates a file
2. Allocates memory using VirtualAlloc and marks it executable using VirtualAlloc/VirtualProtect
3. Creates a new thread
4. Creates a new process
Having breakpoints on such common APIs helps to quickly locate the shellcode. Another tool I use is Procmon, which gives more detail on the activities being performed, and you can select the APIs to put breakpoints on.
Once a breakpoint hits, you need to trace back and locate the actual vulnerable function that calls the shellcode; after some stepping in and out you will land at the shellcode's starting point.
I also sometimes use static analysis techniques when I am able to extract the shellcode from the file. Once I have extracted the shellcode, I just need to run it under a debugger/disassembler to see what it is doing.
There are many techniques for analysing the shellcode in an exploit. I generally use the following URL to convert shellcode to an executable so that I can run it in Olly/IDA and step into it with ease:
Hope this helps.
I got one Flash sample that belonged to an exploit kit. I found that this Flash file contained multiple exploits and was packed using swfpack, so I was thinking of a way to extract all the exploits from it. It's pretty simple: just run the Flash exploit file in IE from a web server and use the Process Scan option of SWFScan; you can get all the SWF files from memory.
I will try to post a detailed analysis of the exploits if time permits.