Analyzing malicious Flash with FlashDevelop

September 2, 2016

The quick steps are:

  1. Use the JPEXS Free Flash Decompiler to export everything from the sample (ActionScript sources and binaryData).
  2. Copy all the scripts and binary data into a single folder.
  3. Create a new project in FlashDevelop and import all the files.
  4. Right-click the main class file and select Always Compile.
  5. Press F8 to build.

If the build fails you may need to adjust a few function calls and the folder hierarchy (decompiled package paths must match the directory layout FlashDevelop expects).


Categories: Uncategorized

car maintenance checklist

June 27, 2016

The attached document has some good points to check while servicing your car: Car checklist

Categories: Uncategorized

Accessing the local network while connected to a VPN

April 14, 2016

If you have only one network adapter and connect to a full-tunnel VPN, you can no longer reach the local network. This is a problem when your internet connection requires constant keep-alive messages to the provider's gateway: once the VPN is up, the keep-alives no longer go out, the internet session times out, and that in turn disconnects the VPN as well.

I faced this problem when I decided to use a local internet provider that used the "24online" or Cyberoam client.

I found a dirty hack: install VMware or VirtualBox, create a VM, and log in to the internet provider from that VM while connecting to the VPN from the host machine.

From the VM you can access the local network, and it doesn't drop your internet connection, which is needed to keep the VPN working.

So this solved a big issue for me 🙂

Categories: Uncategorized

locky malware

March 29, 2016
Categories: Uncategorized

RC4 key inside Flash

March 28, 2016

Why would you store the RC4 key inside the Flash file? :-p

[screenshot: rc4_trim.png, the decompiled ActionScript with the RC4 key string literal]

It makes our job easy: the key is a plain string constant in the decompiled ActionScript, so the encrypted payload in the binary data can be decrypted without running the sample.
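Added example, not code from this post: what you do with the recovered key. It pulls string literals out of a decompiled ActionScript snippet, tries each one as an RC4 key against the first bytes of an encrypted blob, and stops when the output starts with a known file signature (SWF, PE, PDF, ...). The ActionScript snippet, the key "Key" and the encrypted blob are constructed stand-ins, not taken from any real sample.

```python
"""Decrypt an RC4-protected payload with a key lifted from decompiled AS3 (added example)."""
import re
from typing import Iterable, Iterator, List, Optional, Tuple


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Key-scheduling algorithm (KSA) followed by the PRGA keystream generator."""
    if not key:
        raise ValueError("empty RC4 key")
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # PRGA: one keystream byte per iteration
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; RC4 is a stream cipher so both directions are the same XOR."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# File signatures an exploit-kit loader typically hides behind RC4.
MAGIC = {
    b"MZ": "PE", b"\x7fELF": "ELF",
    b"FWS": "SWF (uncompressed)", b"CWS": "SWF (zlib)", b"ZWS": "SWF (LZMA)",
    b"%PDF": "PDF", b"PK\x03\x04": "ZIP",
}


def identify(data: bytes) -> Optional[str]:
    """Return the file type name if data starts with a known signature."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def string_constants(as3_source: str) -> List[bytes]:
    """Pull every double-quoted string literal (1..64 chars) out of decompiled AS3."""
    return [s.encode() for s in re.findall(r'"([^"\\]{1,64})"', as3_source)]


def find_key(candidates: Iterable[bytes], blob: bytes) -> Optional[Tuple[bytes, str]]:
    """Try each candidate key on the first 16 bytes only; stop at the first known signature."""
    head = blob[:16]
    for key in candidates:
        kind = identify(rc4(key, head))
        if kind:
            return key, kind
    return None


# --- constructed sample input (hypothetical class and key, not from a real sample) ---
DECOMPILED_AS3 = '''
package {
    public class Main {
        private var url:String = "http://example.invalid/gate";
        private var k:String = "Key";
        private var data:ByteArray;
    }
}
'''
# Stand-in for the DefineBinaryData blob: an FWS header plus filler, RC4-encrypted with "Key".
SAMPLE_BLOB = rc4(b"Key", b"FWS\x0a" + b"\x00" * 28)

if __name__ == "__main__":
    hit = find_key(string_constants(DECOMPILED_AS3), SAMPLE_BLOB)
    if hit:
        key, kind = hit
        print(f"key {key!r} decrypts to {kind}: {rc4(key, SAMPLE_BLOB)[:8]!r}")
```

Only the first 16 bytes are decrypted per candidate, which keeps the search cheap even with hundreds of string constants; once a hit is found, decrypt the whole blob and feed it to the next stage (for a CWS result, inflate it before decompiling).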

SWF Deflate Tool

March 21, 2016

If you do exploit analysis you will have noticed that many SWF objects are compressed with the deflate (zlib) algorithm: the file signature is CWS instead of FWS, and embedded payloads are often zlib-compressed blobs as well.

To decompress them you can simply use SWF Investigator -> Utilities -> Binary Editor, which offers a deflate option:

[screenshot: delflate.png, the deflate option in the SWF Investigator binary editor]

Hope it helps.
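Added example, not the SWF Investigator feature described above and not code from this post: the same inflate step scripted in Python. It converts a CWS container to FWS (only the bytes after the 8-byte header are compressed, and the header's length field lets you check the result), and it carves stand-alone zlib streams out of an arbitrary blob such as a DefineBinaryData tag. ZWS (LZMA) files are reported rather than decoded. The sample CWS file and blob are constructed inline.

```python
"""Inflate compressed SWF containers and carve zlib streams from blobs (added example)."""
import struct
import zlib

# Every SWF starts with a 3-byte signature, a 1-byte version and a little-endian
# 4-byte *uncompressed* file length. Only the bytes after this 8-byte header
# are compressed in CWS (zlib) and ZWS (LZMA) files.
HEADER = struct.Struct("<3sBI")


def inflate_swf(data: bytes) -> bytes:
    """Return the file as an uncompressed FWS; FWS input is returned unchanged."""
    if len(data) < HEADER.size:
        raise ValueError("too short to be a SWF")
    sig, version, length = HEADER.unpack_from(data)
    if sig == b"FWS":
        return data
    if sig == b"CWS":
        body = zlib.decompress(data[HEADER.size:])
    elif sig == b"ZWS":
        # SWF 13+ LZMA container: a 4-byte compressed length and 5 LZMA property
        # bytes follow the header, then the raw LZMA stream. Not handled here.
        raise NotImplementedError("ZWS (LZMA) SWF not handled here")
    else:
        raise ValueError(f"not a SWF signature: {sig!r}")
    out = HEADER.pack(b"FWS", version, length) + body
    if len(out) != length:
        # A mismatch usually means a truncated download or a hand-edited header.
        raise ValueError(f"header says {length} bytes, inflated to {len(out)}")
    return out


def find_zlib_streams(blob: bytes, min_size: int = 16):
    """Carve complete zlib streams out of an arbitrary blob.

    A zlib header is CMF=0x78 (deflate, 32K window) followed by FLG such that
    (CMF*256 + FLG) % 31 == 0. Each candidate offset is inflated; only streams
    that reach their end marker and yield at least min_size bytes are kept.
    Returns (offset, compressed_length, inflated_bytes) tuples.
    """
    found = []
    i = 0
    while i < len(blob) - 1:
        cmf, flg = blob[i], blob[i + 1]
        if cmf == 0x78 and (cmf * 256 + flg) % 31 == 0:
            d = zlib.decompressobj()
            try:
                out = d.decompress(blob[i:])
            except zlib.error:
                out = b""
            if d.eof and len(out) >= min_size:
                consumed = len(blob) - i - len(d.unused_data)
                found.append((i, consumed, out))
                i += consumed          # skip past this stream before scanning on
                continue
        i += 1
    return found


def make_cws(body: bytes, version: int = 10) -> bytes:
    """Build a CWS file from an uncompressed body (used only to construct the sample)."""
    return HEADER.pack(b"CWS", version, HEADER.size + len(body)) + zlib.compress(body)


# --- constructed samples, not taken from any real file ---
FAKE_BODY = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00\x00\x00"  # filler shaped like a SWF body
SAMPLE_CWS = make_cws(FAKE_BODY)
HIDDEN = b"FWS\x0a" + b"X" * 40                       # stand-in for an inner SWF hidden in binary data
SAMPLE_BLOB = b"junk\x00" + zlib.compress(HIDDEN) + b"\xff\xff"

if __name__ == "__main__":
    swf = inflate_swf(SAMPLE_CWS)
    print(swf[:3], len(swf), "bytes")
    for off, clen, data in find_zlib_streams(SAMPLE_BLOB):
        print(f"zlib stream at offset {off}, {clen} bytes -> {len(data)} bytes, starts {data[:4]!r}")
```

The length check in inflate_swf is the cheap sanity test a GUI tool will not do for you: if the header's length field disagrees with the inflated size, the sample was truncated or someone edited the header, and the decompiler output should be treated with suspicion.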

Categories: Uncategorized

Analysing shellcode

March 14, 2016

Very often I need to analyse malware samples or 0-day exploits for which I have no prior information, so for dynamic analysis I generally put breakpoints on the following APIs:

Kernel32.CreateProcessA

Kernel32.CreateFileA

Kernel32.VirtualAlloc

Kernel32.VirtualProtect

Kernel32.CreateThread

Most of the time the shellcode does one or more of the following:

1. Creates a file.

2. Allocates memory with VirtualAlloc and marks it executable with VirtualAlloc/VirtualProtect.

3. Creates a new thread.

4. Creates a new process.


Having breakpoints on these common APIs helps to quickly locate the shellcode. Another tool I use is Procmon, which gives more detail on the activity being performed and helps you decide which APIs to break on.

Once a breakpoint is hit, you need to trace back up the call stack to locate the vulnerable function that calls the shellcode; after some stepping in and out you will land at the shellcode's entry point. These APIs also fire for legitimate allocations, so check the return address on the stack at each hit: a caller that lies in heap or stack memory rather than inside a loaded module is the tell.


I also use static analysis when I am able to extract the shellcode from the file. Once it is extracted I just need to run it under a debugger/disassembler to see what it does.

There are many ways to analyse the shellcode in an exploit. I generally use the following site to convert the shellcode into an executable so that I can load it in OllyDbg/IDA and step through it with ease:

http://sandsprite.com/shellcode_2_exe.php
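Added example, not the sandsprite service's code and not from this post: what such a converter does under the hood. It wraps raw shellcode in a minimal PE32 with a single RWX .text section whose first byte is the entry point, so OllyDbg or IDA opens the file with EIP on the shellcode. No import table is emitted because shellcode resolves its own APIs through the PEB. It assumes 32-bit x86 shellcode; the 4-byte stub used as sample input is constructed. Run the resulting EXE only inside an isolated analysis VM.

```python
"""Wrap raw shellcode in a minimal PE32 executable for debugger analysis (added example)."""
import struct

IMAGE_BASE = 0x400000
SECTION_ALIGN = 0x1000
FILE_ALIGN = 0x200


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_pe(shellcode: bytes, console: bool = True, break_at_entry: bool = False) -> bytes:
    """Return a PE32 image whose entry point is the first byte of the shellcode.

    One RWX section (.text) at RVA 0x1000 holds the code. With break_at_entry an
    INT3 is prepended so a debugger stops exactly at the shellcode.
    """
    code = (b"\xCC" if break_at_entry else b"") + shellcode
    raw_size = _align(len(code), FILE_ALIGN)
    virt_size = _align(len(code), SECTION_ALIGN)

    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH",
                       0x14C,                  # Machine: IMAGE_FILE_MACHINE_I386
                       1,                      # NumberOfSections
                       0, 0, 0,                # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
                       0xE0,                   # SizeOfOptionalHeader for PE32
                       0x0102)                 # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = struct.pack("<HBBIIIIII",
                      0x10B, 0, 0,             # Magic PE32, linker major/minor
                      raw_size, 0, 0,          # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      SECTION_ALIGN,           # AddressOfEntryPoint = start of .text
                      SECTION_ALIGN, 0)        # BaseOfCode, BaseOfData
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII",
                       IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN,
                       4, 0, 0, 0, 4, 0,       # OS, image and subsystem versions
                       0,                      # Win32VersionValue
                       SECTION_ALIGN + virt_size, FILE_ALIGN,   # SizeOfImage, SizeOfHeaders
                       0,                      # CheckSum (not verified for EXEs)
                       3 if console else 2, 0, # Subsystem CUI/GUI, DllCharacteristics (no ASLR flag)
                       0x100000, 0x1000, 0x100000, 0x1000,      # stack/heap reserve and commit
                       0, 16)                  # LoaderFlags, NumberOfRvaAndSizes
    opt += b"\0" * (16 * 8)                    # 16 empty data directories: no imports, no relocs
    section = struct.pack("<8sIIIIIIHHI",
                          b".text", virt_size, SECTION_ALIGN, raw_size, FILE_ALIGN,
                          0, 0, 0, 0,          # relocations / line numbers: none
                          0xE0000020)          # CODE | EXECUTE | READ | WRITE
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + section).ljust(FILE_ALIGN, b"\0")
    return headers + code.ljust(raw_size, b"\0")


def entry_file_offset(pe: bytes) -> int:
    """Map AddressOfEntryPoint back to a file offset through the first section header."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    entry = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]
    sect = e_lfanew + 24 + 0xE0
    va, _raw_size, raw_ptr = struct.unpack_from("<III", pe, sect + 12)
    return entry - va + raw_ptr


def write_exe(path: str, shellcode: bytes, **kwargs) -> int:
    """Write the wrapped shellcode to disk and return the number of bytes written."""
    pe = build_pe(shellcode, **kwargs)
    with open(path, "wb") as f:
        f.write(pe)
    return len(pe)


# Constructed sample, not real shellcode: xor eax,eax ; inc eax ; ret
SAMPLE_SHELLCODE = b"\x31\xc0\x40\xc3"

if __name__ == "__main__":
    n = write_exe("sc.exe", SAMPLE_SHELLCODE, break_at_entry=True)
    print(f"wrote sc.exe ({n} bytes); entry point at file offset {entry_file_offset(build_pe(SAMPLE_SHELLCODE)):#x}")
```

The section is both writable and executable because most shellcode patches itself (decoder stubs, GetPC tricks); a read-execute section would fault in the debugger before you reach the interesting part. If the shellcode expects to be called from a particular context (a specific register holding its own address, for example), set that up in the debugger at the INT3 rather than editing the stub.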

Hope this helps.
