
Archive for March, 2016

locky malware

March 29, 2016

RC4 key inside flash

March 28, 2016

Why would anyone store the RC4 key inside the Flash file itself? :-p The key that decrypts the embedded payload is sitting right there in the SWF, so there is nothing to crack: pull it out and decrypt.

[screenshot: rc4_trim.png]

Makes our job easy!
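What "easy" looks like in practice, as an added example (my own code, not from the original post and not taken from any sample): a plain RC4 implementation plus a helper that tries several string constants pulled from the SWF as candidate keys and keeps the one whose output starts with a recognisable magic (MZ, FWS, CWS, ZWS). The key, the payload and the candidate strings are constructed for the demo.

```python
# Added example (not from the original post): RC4 decryption with a key
# recovered from the Flash file. Key, payload and the "candidate strings"
# below are constructed for the demo, not taken from any real sample.

# Magic bytes a decrypted exploit-kit payload usually starts with.
MAGIC = {b"MZ": "PE executable", b"FWS": "uncompressed SWF",
         b"CWS": "zlib-compressed SWF", b"ZWS": "LZMA-compressed SWF"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same XOR."""
    if not key:
        raise ValueError("empty key")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def identify(blob: bytes) -> str:
    """Name the payload type from its leading bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if blob.startswith(magic):
            return name
    return "unknown"


def try_keys(candidates, blob: bytes):
    """Not sure which string constant in the SWF is the key? Try each one.
    The RC4 keystream does not depend on the plaintext, so decrypting only
    the first few bytes is enough to check for a known magic."""
    for key in candidates:
        kind = identify(rc4(key, blob[:4]))
        if kind != "unknown":
            return key, kind
    return None, "unknown"


# Constructed demo: a fake PE payload encrypted with a fake key.
DEMO_KEY = b"k3y-found-in-swf"
DEMO_PLAIN = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 64
DEMO_CIPHER = rc4(DEMO_KEY, DEMO_PLAIN)

if __name__ == "__main__":
    key, kind = try_keys([b"wrong-constant", b"also-wrong", DEMO_KEY], DEMO_CIPHER)
    print(key, kind)
    print(rc4(key, DEMO_CIPHER)[:44])
```

Run it as-is for the demo, or replace DEMO_CIPHER with the blob carved out of the SWF and the candidate list with the string constants you find next to the decryption routine.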

SWF Deflate Tool

March 21, 2016

If you are doing exploit analysis you must have observed that many SWF objects are compressed using the deflate algorithm: the signature reads CWS instead of FWS, and everything after the 8-byte header is a zlib stream (newer samples can also use ZWS, which is LZMA rather than deflate).

If you want to decompress one, you can simply use SWF Investigator -> Utilities -> Binary Editor, which gives you the option to deflate (i.e. inflate the body back into a plain FWS file):

[screenshot: delflate.png]

hope it helps.


Analysing shellcode

March 14, 2016

Very often I need to analyse malware samples and 0-day exploits for which I don't have any prior info, so for dynamic analysis I generally put breakpoints on the following APIs:

Kernel32.CreateProcessA

Kernel32.CreateFileA

Kernel32.VirtualAlloc

Kernel32.VirtualProtect

Kernel32.CreateThread

Note that the A variants are thin wrappers around the W ones, which in turn call ntdll's Nt* functions, so shellcode that resolves CreateFileW or NtAllocateVirtualMemory directly will sail past a breakpoint on the A export; set breakpoints on both, or on the ntdll function, if the first pass catches nothing.

Most of the time the shellcode does one or more of the following:

1. Creates a file

2. Allocates memory using VirtualAlloc and marks it executable (PAGE_EXECUTE_READWRITE) via VirtualAlloc or VirtualProtect

3. Creates a new thread

4. Creates a new process

 

Having breakpoints on such common APIs helps to quickly locate the shellcode. Another tool I use is Procmon, which gives more detail on the file, registry and process activity being performed, and from that you can decide which APIs to put breakpoints on.

Once a breakpoint hits, you need to trace back up the call stack and locate the actual vulnerable function that hands control to the shellcode; after some stepping in and out you will land at the shellcode's starting point.

 

I also sometimes use static analysis techniques in case I am able to extract the shellcode from the file. Once I have extracted it I just need to run it under a debugger/disassembler to see what it is doing.

There are many techniques by which you can analyse the shellcode in an exploit. I generally use the following URL to convert the shellcode to an executable so that I can run it in OllyDbg/IDA and step into it with ease:

http://sandsprite.com/shellcode_2_exe.php
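For the same shellcode-to-executable step done offline, here is an added example of my own (not the original post's code and not the sandsprite tool's): it wraps raw 32-bit shellcode in a minimal PE32 with a single RWX .text section, no import table (shellcode resolves its own APIs), and an optional int3 as the very first byte so OllyDbg or IDA breaks exactly at the shellcode start instead of you having to find it. The demo shellcode is a constructed `xor eax,eax ; ret` stub; 64-bit shellcode would need a PE32+ header, which this does not build.

```python
# Added example (not from the original post, and not the sandsprite tool's
# code): wrap raw 32-bit shellcode in a minimal PE so it can be loaded in
# OllyDbg/IDA. The demo shellcode is a constructed "xor eax,eax; ret" stub.
import struct
import sys

IMAGE_BASE = 0x400000
SECTION_RVA = 0x1000       # .text is the first section, at RVA 0x1000
FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000


def shellcode_to_exe(shellcode: bytes, break_on_entry: bool = True) -> bytes:
    """Return a PE32 image whose entry point is the shellcode itself.
    No import table: shellcode resolves its own APIs (PEB walk), so the
    loader needs nothing from us. With break_on_entry an int3 (0xCC) is
    placed first, so the debugger stops exactly at the shellcode start."""
    code = (b"\xCC" if break_on_entry else b"") + shellcode
    raw_size = -(-len(code) // FILE_ALIGN) * FILE_ALIGN          # ceil to file alignment
    virt_size = -(-len(code) // SECTION_ALIGN) * SECTION_ALIGN   # ceil to section alignment
    headers_size = FILE_ALIGN                   # 352 bytes of headers, padded to 0x200

    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH",
        0x014C,      # Machine: i386
        1,           # NumberOfSections
        0, 0, 0,     # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        0xE0,        # SizeOfOptionalHeader (PE32)
        0x0102)      # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = struct.pack("<HBB9I6H4I2H6I",
        0x10B, 0, 0,                              # PE32 magic, linker version
        raw_size, 0, 0,                           # SizeOfCode, init/uninit data
        SECTION_RVA, SECTION_RVA, SECTION_RVA,    # AddressOfEntryPoint, BaseOfCode, BaseOfData
        IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN,
        4, 0, 0, 0, 4, 0,                         # OS / image / subsystem versions
        0, SECTION_RVA + virt_size, headers_size, 0,  # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
        3, 0,                                     # Subsystem: console; DllCharacteristics 0 (no ASLR, no NX opt-in)
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    opt += b"\x00" * (16 * 8)                     # 16 empty data directories
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), SECTION_RVA, raw_size,
                       headers_size, 0, 0, 0, 0,
                       0xE0000020)                # CODE | EXECUTE | READ | WRITE (shellcode often self-modifies)
    headers = dos + coff + opt + sect
    assert len(headers) <= headers_size
    return headers.ljust(headers_size, b"\x00") + code.ljust(raw_size, b"\x00")


def pe_summary(exe: bytes) -> dict:
    """Read back the fields a debugger cares about, to sanity-check the output."""
    e_lfanew = struct.unpack_from("<I", exe, 0x3C)[0]
    if exe[:2] != b"MZ" or exe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                                   # after signature + COFF header
    entry_rva = struct.unpack_from("<I", exe, opt + 16)[0]
    image_base = struct.unpack_from("<I", exe, opt + 28)[0]
    sect = opt + 0xE0                                     # first section header
    vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", exe, sect + 8)
    return {"entry_va": image_base + entry_rva,
            "code": exe[raw_ptr:raw_ptr + vsize],
            "entry_in_section": rva <= entry_rva < rva + vsize}


DEMO_SHELLCODE = b"\x31\xC0\xC3"   # constructed: xor eax,eax ; ret

if __name__ == "__main__":
    sc = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else DEMO_SHELLCODE
    out = sys.argv[2] if len(sys.argv) > 2 else "shellcode.exe"
    with open(out, "wb") as f:
        f.write(shellcode_to_exe(sc))
    print(out, pe_summary(shellcode_to_exe(sc)))
```

Usage: `python sc2exe.py shellcode.bin out.exe`, then open out.exe in the debugger; it stops on the int3 at 0x401000 and the shellcode proper starts at the next byte. Since the entry point is called as a thread start, shellcode that returns simply ends the process.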

Hope this helps.

 

Extracting flash from memory.

March 13, 2016

I got a Flash sample which belonged to an exploit kit. I found that this Flash file contained multiple exploits and was packed using swfpack, so I was thinking of a way to extract all the exploits from it. It's pretty simple: serve the Flash exploit file from a web server, open it in IE and use the process scan option of swfscan. Because the packer has to hand each inner SWF to the Flash player in the clear, they are sitting in the IE process memory as ordinary SWF files, and you can pull all of them out 🙂 (This detonates the exploit, so do it in a throwaway VM.)

[screenshot: frommemory]
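The same two jobs without the GUI tools, as one added example of my own (not the original posts' code and not swfscan's or SWF Investigator's): it carves SWF files out of a raw memory dump by their FWS/CWS/ZWS headers, the way the process scan above does, and converts the zlib-compressed CWS ones to plain FWS, which is what the "SWF Deflate Tool" post above does by hand. For CWS candidates the compressed size is not in the header, so the carver inflates until end-of-stream and only accepts the hit if the result matches the header's uncompressed length; ZWS (LZMA) headers are reported but not carved. The memory dump is constructed inline, including a decoy header.

```python
# Added example (not from the original posts): carve SWF files out of a raw
# memory dump and convert zlib-compressed ones (CWS) to uncompressed (FWS).
# LZMA-compressed SWFs (ZWS, Flash 11+) are reported but left as-is here.
import struct
import zlib

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def parse_header(buf: bytes):
    """Return (signature, version, file_length) from an 8-byte SWF header.
    The header itself is never compressed, whatever the signature says."""
    if len(buf) < 8 or buf[:3] not in SWF_MAGICS:
        raise ValueError("not a SWF header")
    return buf[:3], buf[3], struct.unpack_from("<I", buf, 4)[0]


def inflate_swf(swf: bytes) -> bytes:
    """CWS -> FWS: keep the 8-byte header, zlib-inflate the rest.
    FileLength in the header is the *uncompressed* size, header included."""
    sig, version, length = parse_header(swf)
    if sig == b"FWS":
        return bytes(swf)
    if sig == b"ZWS":
        raise NotImplementedError("ZWS is LZMA with extra header fields; not handled here")
    body = zlib.decompress(swf[8:])
    if len(body) != length - 8:          # lying header (or truncated sample): fix the field
        length = 8 + len(body)
    return b"FWS" + bytes([version]) + struct.pack("<I", length) + body


def carve_swfs(dump: bytes, max_len: int = 64 * 1024 * 1024) -> list:
    """Find SWF headers in a memory dump and cut each file out.
    FWS: trust FileLength (only sanity checks are possible).
    CWS: inflate until end-of-stream; accept only if it matches FileLength.
    ZWS: header reported with data=None (LZMA layout not handled here)."""
    found = []
    for magic in SWF_MAGICS:
        pos = dump.find(magic)
        while pos != -1:
            try:
                sig, version, length = parse_header(dump[pos:pos + 8])
                if 8 <= length <= max_len and 1 <= version <= 64:
                    if sig == b"FWS" and pos + length <= len(dump):
                        found.append(dict(offset=pos, sig=sig, version=version,
                                          length=length, data=dump[pos:pos + length]))
                    elif sig == b"CWS":
                        chunk = dump[pos + 8:pos + 8 + max_len]
                        d = zlib.decompressobj()
                        body = d.decompress(chunk)
                        if d.eof and len(body) == length - 8:
                            used = len(chunk) - len(d.unused_data)   # bytes the zlib stream occupied
                            found.append(dict(offset=pos, sig=sig, version=version,
                                              length=length, data=dump[pos:pos + 8 + used]))
                    elif sig == b"ZWS":
                        found.append(dict(offset=pos, sig=sig, version=version,
                                          length=length, data=None))
            except (ValueError, zlib.error):
                pass                                  # junk that happened to contain the magic
            pos = dump.find(magic, pos + 1)
    return sorted(found, key=lambda f: f["offset"])


# Constructed demo data: two tiny "SWFs" with an arbitrary body, plus a decoy header.
def make_fws(version: int, body: bytes) -> bytes:
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + body


def make_cws(version: int, body: bytes) -> bytes:
    return b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


DEMO_BODY = bytes(range(32)) * 8                       # stand-in for RECT/frame rate/tags
DECOY = b"CWS\x0f\x00\x00\x00\x00 decoy"               # FileLength 0: rejected by the sanity check
DEMO_DUMP = b"\xAA" * 100 + make_cws(15, DEMO_BODY) + DECOY + make_fws(10, DEMO_BODY) + b"\xBB" * 50

if __name__ == "__main__":
    import sys
    dump = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else DEMO_DUMP
    for f in carve_swfs(dump):
        print(f"0x{f['offset']:08x} {f['sig'].decode()} v{f['version']} len={f['length']}")
        if f["data"] is not None:
            with open(f"carved_{f['offset']:08x}.swf", "wb") as out:
                out.write(inflate_swf(f["data"]))
```

Point it at a process memory dump (`python carve_swf.py ie.dmp`) and each hit is written out already inflated, ready for a decompiler. Header-only validation for FWS means a stray "FWS" in text with a plausible length will produce a false positive; the CWS check is much tighter because the zlib stream has to inflate to exactly the advertised size.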

 

I will try to post a detailed analysis of the exploits if time permits.
