Accessing the local network while connected to a VPN

April 14, 2016

If you have only one network adapter and the VPN client pushes a full tunnel (no split tunnelling), everything that is not on your own subnet is routed through the VPN, so you lose access to the rest of the local network. This is a problem when your internet connection depends on keepalive messages being sent to the provider's gateway: once the VPN is up those keepalives are routed into the tunnel instead of to the gateway, the provider's session times out, and the dropped internet connection takes the VPN down with it.

I ran into this when I switched to a local internet provider that used the “24online” or Cyberoam login client.

I found a dirty hack: install VMware or VirtualBox, create one VM, and log in to the provider's client from inside the VM while the host machine connects to the VPN. Give the VM a bridged network adapter rather than NAT, so that it has its own address on the LAN and its frames go straight out of the physical adapter instead of through the host's routing table (and therefore the tunnel).

From the VM you can reach the local network and keep the provider session alive, which is exactly what the VPN on the host needs in order to stay connected.

So this solved a big issue for me :)
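
To see why the keepalives stop reaching the gateway, here is an added example (my own code, not from the original post) that parses `ip route` style output and does the longest-prefix-match lookup the kernel does. The routing tables and addresses are constructed: a single adapter eth0 on 192.168.1.0/24, a VPN that adds the usual 0.0.0.0/1 and 128.0.0.0/1 routes via tun0 (which together cover every address and beat the real default route without deleting it), and an assumed provider gateway at 172.16.0.1 that is not on the LAN.

```python
import ipaddress

# Constructed `ip route` output before the VPN comes up (one adapter, eth0).
BEFORE_VPN = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""

# Constructed output after a full-tunnel VPN client has added its routes.
# 198.51.100.7 is the VPN server; the client pins it to the physical path.
AFTER_VPN = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
198.51.100.7 via 192.168.1.1 dev eth0
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""


def parse_ip_route(text):
    """Parse `ip route` lines into (network, interface) pairs.

    Only the destination and the `dev` field matter for the lookup below;
    gateway, proto and scope are ignored.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        iface = parts[parts.index("dev") + 1]
        routes.append((ipaddress.ip_network(dst, strict=False), iface))
    return routes


def egress_interface(routes, ip):
    """Longest-prefix match: the most specific route that contains `ip` wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


if __name__ == "__main__":
    PROVIDER_GATEWAY = "172.16.0.1"  # assumed: the login client's keepalive target
    for label, table in (("before VPN", BEFORE_VPN), ("after VPN", AFTER_VPN)):
        routes = parse_ip_route(table)
        print(f"{label}: keepalive to {PROVIDER_GATEWAY} leaves via "
              f"{egress_interface(routes, PROVIDER_GATEWAY)}; "
              f"LAN gateway 192.168.1.1 via {egress_interface(routes, '192.168.1.1')}")
```

Hosts on 192.168.1.0/24 stay reachable because the /24 is more specific than the VPN's /1 routes, but anything beyond the LAN, including a provider gateway on another subnet, now resolves to tun0. A bridged VM is not subject to this table at all, which is why the hack works.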


Locky malware

March 29, 2016

RC4 key inside Flash

March 28, 2016

Why would you store the RC4 key inside the Flash file? :-p

[Image: rc4_trim.png]

It makes our job easy: with the key sitting in the SWF next to the encrypted payload, decrypting it takes one call.
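
As an added example (my own code, not from the original post or from any exploit kit), here is RC4 in plain Python plus the step that follows once the key is visible in the SWF: decrypt the embedded blob and confirm the result looks like a second-stage SWF. It goes slightly beyond the post in that it tries every string constant pulled from the file as a candidate key, which is what you do when the screenshot is not so obliging. The key, the string constants and the encrypted blob are constructed for the example.

```python
def rc4_ksa(key):
    """Key scheduling: permute S[0..255] under the key bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key, data):
    """RC4 is a stream cipher: XOR with the keystream, so this both encrypts and decrypts."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def recover_payload(candidate_keys, blob):
    """Try each candidate key against the blob and accept the first decryption
    that starts with a SWF signature. Returns (key, plaintext) or (None, None)."""
    for key in candidate_keys:
        if not key:
            continue
        plain = rc4_crypt(key, blob)
        if plain[:3] in SWF_MAGICS:
            return key, plain
    return None, None


# Constructed sample: a second-stage CWS header (the body bytes are filler)
# encrypted with a key that was left behind as a string constant in the SWF.
EMBEDDED_KEY = b"k3y_1n_sWf"
STAGE2 = b"CWS\x0a" + (0x1234).to_bytes(4, "little") + bytes(range(32))
ENCRYPTED_BLOB = rc4_crypt(EMBEDDED_KEY, STAGE2)
# Strings as you might dump them from the SWF's constant pool (constructed).
STRING_CONSTANTS = [b"flash.display.Sprite", b"Math", EMBEDDED_KEY, b"addChild"]


if __name__ == "__main__":
    key, plain = recover_payload(STRING_CONSTANTS, ENCRYPTED_BLOB)
    print("key:", key, "-> signature:", plain[:3] if plain else None)
```

Checking the decrypted header against known magic bytes (SWF here, but "MZ" for a dropped PE works the same way) is the cheap oracle that turns a list of candidate strings into the one key you need.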

SWF Deflate Tool

March 21, 2016

If you are doing exploit analysis you must have noticed that many SWF objects are compressed with the deflate algorithm: a CWS signature in the first three bytes means that everything after the 8-byte header is a zlib stream.

If you want to decompress one, open it in SWF Investigator -> Utilities -> Binary Editor, which gives you the option to deflate (that is, inflate) the file:

[Image: delflate.png]

Hope it helps.


Analysing shellcode

March 14, 2016

Very often I need to analyse malware samples or 0-day exploits for which I have no prior information, so for dynamic analysis I generally put breakpoints on the following APIs (and on their W variants as well: the A functions are thin wrappers that convert the string and call the W version, so a sample that calls CreateFileW directly would not trip a breakpoint on CreateFileA):

Kernel32.CreateProcessA

Kernel32.CreateFileA

Kernel32.VirtualAlloc

Kernel32.VirtualProtect

Kernel32.CreateThread

Most of the time the shellcode does one or more of the following:

1. creates a file

2. allocates memory with VirtualAlloc and marks it executable (PAGE_EXECUTE_READWRITE on the VirtualAlloc call, or VirtualProtect on an existing region)

3. creates a new thread

4. creates a new process


Having breakpoints on these common APIs helps you locate the shellcode quickly. Another tool I use is Process Monitor (procmon), which gives more detail on the file, registry, process and network activity being performed; it does not set breakpoints itself, but its trace tells you which of those APIs are worth breaking on in the debugger.

Once a breakpoint hits, you need to trace back through the call stack and locate the vulnerable function that called into the shellcode; after some stepping in and out you will land at the shellcode's entry point.

 

I also use static analysis techniques when I am able to extract the shellcode from the file. Once I have extracted it I just need to run it under a debugger or disassembler to see what it is doing.

There are many techniques for analysing the shellcode in an exploit. I generally use the following site to convert the raw shellcode into an executable so that I can load it into OllyDbg or IDA and step into it with ease:

http://sandsprite.com/shellcode_2_exe.php

Hope this helps.
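
Before wrapping extracted shellcode in an executable, a quick static triage tells you where to put the first breakpoint. Here is an added example (my own code, not from the original post or from the shellcode_2_exe tool) that scans a blob for the x86 idioms position-independent shellcode relies on: the call/pop and fstenv "GetPC" tricks, and the fs:[0x30] PEB access that starts the walk to kernel32 and the APIs listed above. The byte patterns are derived from the instruction encodings; the sample blob is constructed, not a real payload.

```python
import re

# x86 encodings of idioms that position-independent shellcode leans on.
INDICATORS = {
    # E8 00 00 00 00 ; pop reg -> call $+5 pushes its own address, pop recovers it
    "getpc_call_pop": re.compile(rb"\xE8\x00\x00\x00\x00[\x58-\x5F]"),
    # D9 EE ; D9 74 24 F4 -> fldz ; fstenv [esp-0xC], which writes the address of
    # the last FPU instruction to the stack (null-free GetPC)
    "getpc_fstenv": re.compile(rb"\xD9\xEE\xD9\x74\x24\xF4"),
    # mov eax/ecx/edx/ebx, fs:[0x30] -> read the PEB pointer from the TEB
    "peb_fs30": re.compile(rb"\x64\xA1\x30\x00\x00\x00|\x64\x8B[\x0D\x15\x1D]\x30\x00\x00\x00"),
    # xor eax,eax ; mov eax, fs:[eax+0x30] -> same thing without null bytes
    "peb_fs30_nullfree": re.compile(rb"\x31\xC0\x64\x8B\x40\x30"),
}


def scan_indicators(blob):
    """Return {indicator_name: [offsets]} for every pattern found in blob."""
    hits = {}
    for name, pat in INDICATORS.items():
        offs = [m.start() for m in pat.finditer(blob)]
        if offs:
            hits[name] = offs
    return hits


def find_strings(blob, min_len=6):
    """Printable ASCII runs: URLs, paths and process names the shellcode will use."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def likely_entry(hits):
    """The earliest GetPC hit is the best guess at where execution begins, and
    therefore where to set the first breakpoint after converting to an EXE."""
    offs = [o for name, v in hits.items() if name.startswith("getpc") for o in v]
    return min(offs) if offs else None


# Constructed sample: a NOP sled, call/pop GetPC, null-free PEB access, the
# first step of the Ldr walk (mov eax,[eax+0xC]) and an embedded download URL.
SAMPLE = (
    b"\x90" * 4
    + b"\xE8\x00\x00\x00\x00\x5B"
    + b"\x31\xC0\x64\x8B\x40\x30"
    + b"\x8B\x40\x0C"
    + b"http://example.invalid/stage2.exe\x00"
)


if __name__ == "__main__":
    hits = scan_indicators(SAMPLE)
    print("indicators:", hits)
    print("entry guess:", likely_entry(hits))
    print("strings:", find_strings(SAMPLE))
```

A PEB hit with no GetPC hit usually means the shellcode was handed its data pointers by the exploit, so the entry point is wherever the vulnerable function's indirect call lands rather than at a recognisable stub.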

 

Extracting Flash from memory

March 13, 2016

I got one Flash sample that belonged to an exploit kit. I found that it contained multiple exploits and was packed with swfpack, so I was looking for a way to extract all the exploits from it. It is pretty simple: serve the Flash exploit file from a web server, open it in IE, and use the process scan option of SWFScan. You get all the SWF files out of memory :) Do this in an isolated, snapshotted analysis VM, since you are running a live exploit in order to make it unpack itself.

[Image: frommemory]

 

I will try to post a detailed analysis of the exploits if time permits.
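
As an added example (my own code, not from the original posts, from SWFScan or from SWF Investigator), here is the core of what a process-memory SWF scan does, combined with the CWS-to-FWS conversion that the SWF Deflate Tool post above uses SWF Investigator for. It scans a buffer for FWS/CWS headers, rejects false positives by checking that the zlib stream inflates to exactly the length the header claims, and writes out uncompressed FWS files. The memory image is constructed (two valid SWFs plus a decoy header); the version sanity bound is an assumption I use to cut noise, and ZWS (LZMA) files are deliberately left out.

```python
import re
import struct
import zlib


def parse_swf_header(buf, off=0):
    """Return (signature, version, file_length) for the 8-byte header at `off`,
    or None if the bytes there are not a plausible SWF header.
    file_length is the size of the *uncompressed* file including the header."""
    if len(buf) - off < 8:
        return None
    sig = bytes(buf[off:off + 3])
    ver = buf[off + 3]
    length = struct.unpack_from("<I", buf, off + 4)[0]
    # Version bound is an assumption used only to discard junk matches.
    if sig not in (b"FWS", b"CWS", b"ZWS") or ver == 0 or ver > 64 or length < 8:
        return None
    return sig, ver, length


def decompress_swf(data):
    """Convert a CWS (zlib-compressed) SWF to the equivalent FWS; FWS is returned as-is."""
    hdr = parse_swf_header(data)
    if hdr is None:
        raise ValueError("no SWF header")
    sig, ver, length = hdr
    if sig == b"FWS":
        return bytes(data[:length])
    if sig == b"CWS":
        body = zlib.decompress(data[8:])
        return b"FWS" + bytes([ver]) + struct.pack("<I", length) + body
    raise NotImplementedError("ZWS (LZMA, Flash 11+) is not handled here")


def carve_swfs(mem):
    """Scan a memory dump for SWFs. Returns [(offset, signature, raw, fws)] for
    every candidate that decodes to exactly the length its header claims."""
    found = []
    for m in re.finditer(rb"[FC]WS", mem):
        off = m.start()
        hdr = parse_swf_header(mem, off)
        if hdr is None:
            continue
        sig, ver, length = hdr
        if sig == b"FWS":
            if off + length > len(mem):
                continue
            raw = bytes(mem[off:off + length])
            found.append((off, sig, raw, raw))
            continue
        # CWS: the header does not store the compressed size, so inflate until
        # the zlib stream ends and measure how much input it consumed.
        d = zlib.decompressobj()
        try:
            body = d.decompress(mem[off + 8:])
        except zlib.error:
            continue  # "CWS" inside unrelated data
        if not d.eof or len(body) != length - 8:
            continue
        used = len(mem) - (off + 8) - len(d.unused_data)
        raw = bytes(mem[off:off + 8 + used])
        fws = b"FWS" + bytes([ver]) + struct.pack("<I", length) + body
        found.append((off, sig, raw, fws))
    return found


# Constructed sample: filler tag data wrapped as an FWS and as a CWS, dropped
# into a buffer with padding and a decoy CWS header that has no zlib stream.
BODY = bytes(range(64)) * 4
FWS_SAMPLE = b"FWS\x0a" + struct.pack("<I", 8 + len(BODY)) + BODY
CWS_SAMPLE = b"CWS\x0a" + struct.pack("<I", 8 + len(BODY)) + zlib.compress(BODY)
MEM_DUMP = (b"\x00" * 100 + CWS_SAMPLE + b"\xcc" * 37 + FWS_SAMPLE + b"\xcc" * 5
            + b"CWS\x0a" + struct.pack("<I", 5000) + b"not a zlib stream" + b"\xcc" * 10)


if __name__ == "__main__":
    for off, sig, raw, fws in carve_swfs(MEM_DUMP):
        name = f"carved_{off:08x}.swf"
        with open(name, "wb") as fh:
            fh.write(fws)
        print(f"{sig.decode()} at 0x{off:x}: {len(raw)} bytes in memory -> {name} ({len(fws)} bytes)")
```

Writing the FWS form rather than the raw bytes means every carved file is immediately readable by a tag parser or disassembler, which is the point of scanning memory after the packer has run: the inner exploits are sitting there already unpacked.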

How to open the car bonnet if the hood release cable is broken?

January 2, 2016

It happened to me today: I was trying to check the oil level, so I decided to open the bonnet, but then I noticed that the cable was broken. I went to a local mechanic and he did the same thing as shown in the video below:

 
