Category: Forensics

Forensics

Forensics – Collecting Volatile Data

Under the principle of “order of volatility”, you must first collect information that is classified as volatile data (the list of network connections, the list of running processes, logon sessions, and so on), which will be irretrievably lost if the computer is powered off. This category includes the following data: 1. System uptime and …

Malware, Reversing

Open source .NET deobfuscator and unpacker

de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (e.g. string encryption), but symbol renaming is impossible to restore since the original names aren’t (usually) part …

Malware, Reversing

Automatically extract obfuscated strings from malware

Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are strings and resources used to configure domains, files, and other artifacts of an infection. These key features will not show up as plaintext in the output of the strings.exe utility …

Radare2, Reversing

Install latest radare2 on Kali

Uninstall installed radare2 (if any): apt-get purge radare2. Install prerequisites: apt-get install valac libvala-0.xx-dev swig; pip install r2pipe; pip install --upgrade xdot. Download https://github.com/radare/radare2: git clone https://github.com/radare/radare2 radare2. Installation: cd radare2; sys/install.sh. valabind installation: remove the installed version first: apt-get purge valabind; apt-get …

Capstone, Edb-debugger, Reverse Engineering

Install latest edb-debugger on Kali

edb is a cross-platform x86/x86-64 debugger. It was inspired by OllyDbg, but aims to function on x86 and x86-64 as well as multiple operating systems. Linux is the only officially supported platform at the moment, but FreeBSD, OpenBSD, OSX and Windows ports are underway with varying degrees of functionality. Uninstall installed edb-debugger (if any): apt-get purge …

Disassembling, Radare2, Reversing

Disassembling functions with Radare2

Analyze a binary file and its symbols. Method 1: radare2 -A c:\Windows\SysWOW64\ntdll.dll. Method 2: radare2 c:\Windows\SysWOW64\ntdll.dll, then inside the radare2 terminal type aaa and hit Enter. Disassembling a function: inside the radare2 terminal, type pdf @ sym.ntdll.dll_RtlCreateRegistryKey. You can use tab completion here. Try this instead: pdf @ sym.ntdll.dll_RtlCreateR and hit Tab.

Debugging, Disassembler, Disassembling, Reverse Engineering

Radare – a portable reversing framework

Radare is a portable reversing framework that can… disassemble (and assemble for) many different architectures; debug with local native and remote debuggers (gdb, rap, webui, r2pipe, winedbg, windbg); run on Linux, *BSD, Windows, OSX, Android, iOS, Solaris and Haiku; perform forensics on filesystems and data carving; be scripted in Python, JavaScript, Go and more; support …

Debugging, Forensics

Debug processes using ptrace and python

python-ptrace is a debugger using ptrace (the Linux, BSD and Darwin system call to trace processes) written in Python. Features: * High-level Python object API: PtraceDebugger and PtraceProcess * Able to control multiple processes: catch fork events on Linux * Read/write bytes at arbitrary addresses: takes care of memory alignment and splits bytes to …

Disassembler, Reverse Engineering

Fast Disassembler-Decomposer Library

diStorm is a lightweight, easy-to-use and fast disassembler/decomposer library for x86/AMD64. A decomposer means that you get a binary structure that describes an instruction rather than a textual representation. Features: * Access to CPU flags that were affected by the instruction. * Basic flow control analysis support. * AVX and FMA instruction set support. * Complete …