Tactical Exploitation Materials

H D Moore's and my Blackhat/Defcon talk materials, including slides, paper and videos, are up and available on the Metasploit site.

Enjoy, and if you have any questions or ideas, let one of us know.

V.

Covert Debugging: Circumventing Software Armoring

These are the materials from our talks at Blackhat USA 2007 and Defcon 15. Thanks to everyone who came to the talks.

Abstract

Software armoring techniques have increasingly created problems for reverse engineers and software security analysts. As protections such as packers, run-time obfuscators, and virtual-machine and debugger detectors become common, newer methods must be developed to cope with them. In this paper we present our covert debugging platform, Saffron. Saffron is based on dynamic instrumentation techniques together with a newly developed page-fault-assisted debugger. We show that the combination of these two techniques is effective in removing the armoring applied by most software armoring systems.

Full Paper
Presentation
SAFFRON ACTUALLY EXECUTES THE MALWARE -- BEWARE
Saffron for Intel PIN

Read more for the release notes for Saffron DI.

Blue Pill published

The Blue Pill PoC has finally been published.
http://www.bluepillproject.org/

a little question.

I was wondering if it is bad to create viruses if you have never set them off or distributed them to other computers, and have no intention to, but do it just out of plain curiosity.

If anyone has any replies, please send them.

(And I have not created any viruses...)

Automatic Unpacking and The Summer Conferences

We are putting the final touches on our presentations for next week. Saffron, which will be demoed at Blackhat and Defcon, is in good working order. The results are amazing and we hope you'll be able to make our talk. If you can't, feel free to catch us around the conference.

Covert Debugging: Circumventing Software Armoring Techniques is on Thursday at 10am in the Augustus 1+2 Ballroom. We'll be giving the same talk, although somewhat shorter at Defcon on Friday at 2pm in the Track 1 speaking area.

Valsmith and HD Moore will also be giving their Tactical Exploitation talk at 1:45pm on Wednesday in the Tiberius Ballroom 3+4+7+8 and again at Defcon on Friday at 4pm in the Track 1 speaking area.

Valsmith and Delchi will speak on Malware Secrets at Defcon, 11am on Saturday in the Track 2 speaking area.

We hope to see you there!

Malware Analysis

Hey all, here's a link to my primary blog (http://iamhalsten.thecoderblogs.com), which contains an extensive analysis of a piece of malware I reversed recently. Hope you enjoy reading it.

Worm.IRC.Lamirc Analysis & Pseudocode using IDA

Simple backdoor source code. OC hash: 12c4938b3375227416af892494884bb5

Hello, since I have used this site as a great resource for malware, I would like to post my analysis and pseudocode/code of "Worm.IRC.Lamirc", which I picked up right here on the OC website. This is a simple IRC-controlled backdoor. It was not hard to RE, and it might not be anything new to the users of this website. Still, this source code is good for learning purposes. The code does not compile and I was not interested in compiling it (I didn't try). Where the functions look redundant or weird, it is because IDA analyzed them this way or because the original writer/compiler of the code made it this way.

ANALYZED: 05/29/2007

OVERALL DESCRIPTION:
-----------------------------------------------
Once executed, malware.exe (which I'm guessing was originally called "GOLD.exe") copies itself to "c:\iaatbp.exe" to mask its presence as a supposedly system-looking file. Then it fills a few mIRC ini files with script event triggers. When mIRC is started by a user, these get executed; below is more description of what each does. These files (remote.ini, scripts.ini) are read and their content is executed on mIRC startup.
-----------------------------------------------
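Since the write-up above describes persistence through mIRC script event triggers written into remote.ini and scripts.ini, here is a small triage script for such files. It is an added example, not part of halsten's analysis and not the worm's code: it parses mIRC-style ini script files, joins multi-line brace blocks into whole event handlers, and flags handlers that run executables, write other script files, spread via DCC, hide strings with $decode, or reference an executable sitting in a drive root (as c:\iaatbp.exe does). The sample ini content is constructed for illustration, and the suspicious-command list and the events treated as persistence are this example's own heuristics.

```python
"""Triage mIRC script files (remote.ini, scripts.ini) for event triggers that
launch programs, touch the filesystem or spread via DCC.

Added example for the Lamirc write-up; not the original analysis or the worm's
code. SAMPLE_REMOTE_INI is constructed, and the command list and event names
treated as suspicious are heuristics chosen here.
"""
import re
from dataclasses import dataclass

# Commands a hello/auto-op script rarely needs but an IRC backdoor typically
# does. Heuristic, not taken from the original post.
SUSPICIOUS_COMMANDS = {
    "run", "dll",                          # execute native code
    "dcc",                                 # push files to other users
    "sockopen", "sockwrite", "sockread",   # raw socket I/O
    "write", "copy", "remove", "rename",   # modify files (e.g. other scripts)
    "load", "unload", "timer",             # chain-load scripts, delayed execution
}
# Events that fire without any victim interaction once mIRC is running.
PERSISTENCE_EVENTS = {"START", "CONNECT", "LOAD"}

# Handler headers: "on *:JOIN:#:{", "on 1:TEXT:*:#:{", "ctcp *:PING:{", "raw 001:*:{"
EVENT_RE = re.compile(r"^\s*(?:on|ctcp|raw)\s+[^:]*:([A-Za-z0-9*]+):", re.IGNORECASE)
# A command word at line start or after whitespace, "{" or "|", with optional
# "/" or "." (silent) prefixes: "/run", "| .timer1", "{ dcc".
COMMAND_RE = re.compile(r"(?:^|[\s{|])[/.]*([a-zA-Z]+)")
# An executable sitting directly in a drive root, e.g. c:\iaatbp.exe
ROOT_EXE_RE = re.compile(r"\b[a-zA-Z]:\\[^\\\s\"']+\.exe\b", re.IGNORECASE)
# $decode(...) is the usual way to hide strings or commands inside a script.
DECODE_RE = re.compile(r"\$decode\s*\(", re.IGNORECASE)


@dataclass
class Finding:
    source: str
    line_no: int          # ini line where the handler starts
    event: str            # e.g. "START", "TEXT"
    commands: tuple       # suspicious commands seen in the handler body
    root_exes: tuple      # drive-root executables referenced
    uses_decode: bool
    persistence: bool     # handler fires on startup/connect
    text: str


def iter_script_lines(ini_text):
    """Yield (line_no, section, body) for every nN=... entry in the ini text."""
    section = None
    for line_no, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = re.match(r"n\d+=(.*)", line)
        if m:
            yield line_no, section, m.group(1)


def iter_event_handlers(ini_text):
    """Yield (first_line_no, event, handler_text), joining multi-line brace
    blocks such as 'n3=on *:CONNECT:{' / 'n4=  /write ...' / 'n5=}'."""
    current = None  # [first_line_no, event, parts, brace_depth]
    for line_no, _section, body in iter_script_lines(ini_text):
        if current is None:
            ev = EVENT_RE.match(body)
            if not ev:
                continue  # aliases, variables, non-handler lines
            current = [line_no, ev.group(1).upper(), [], 0]
        current[2].append(body)
        current[3] += body.count("{") - body.count("}")
        if current[3] <= 0:  # one-liners close immediately
            yield current[0], current[1], "\n".join(current[2])
            current = None
    if current is not None:  # unterminated block at end of file
        yield current[0], current[1], "\n".join(current[2])


def triage(ini_text, source="remote.ini"):
    """Return a Finding for every event handler that matches a heuristic."""
    findings = []
    for line_no, event, text in iter_event_handlers(ini_text):
        hits = {w.lower() for w in COMMAND_RE.findall(text)} & SUSPICIOUS_COMMANDS
        exes = tuple(sorted(set(ROOT_EXE_RE.findall(text))))
        decode = DECODE_RE.search(text) is not None
        if hits or exes or decode:
            findings.append(Finding(source, line_no, event, tuple(sorted(hits)),
                                    exes, decode, event in PERSISTENCE_EVENTS, text))
    return findings


# Constructed sample, not the real Lamirc payload: one benign greeter (n1)
# and three handlers that install, spread and re-infect.
SAMPLE_REMOTE_INI = """[script]
n0=on *:START:{ /run c:\\iaatbp.exe }
n1=on *:JOIN:#:{ if ($nick != $me) { /msg $nick hello $nick } }
n2=on 1:TEXT:*gold*:#:{ /dcc send $nick c:\\iaatbp.exe }
n3=on *:CONNECT:{
n4=  /write c:\\mirc\\script.ini n0=on *:START:{ /run c:\\iaatbp.exe }
n5=}
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REMOTE_INI):
        tag = "PERSISTENCE " if f.persistence else ""
        print(f"{f.source}:{f.line_no} {tag}on {f.event}: "
              f"cmds={list(f.commands)} exes={list(f.root_exes)} decode={f.uses_decode}")
```

Run against a real mirc.ini's [rfiles] entries rather than just remote.ini and scripts.ini, since a dropper can point mIRC at any file name; the word-based command match is deliberately loose and will also fire on text inside /msg strings, so treat hits as leads for manual review, not verdicts.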

An Evening of Polite Conversation and Technical Discourse

OC Party at Krave 8/3/2007 on the strip across from the Harley Davidson cafe

Thanks to Delchi for organizing this.

SecurityFocus Interviews the MPack Author

Rob Lemos contacted the MPack author and interviewed them. He writes, "In June 2006, three Russian programmers started testing a collection of PHP scripts and exploit code to automate the compromise of computers that visit malicious Web sites."

Read the article here.

Practical COM code reconstruction with IDA PRO (Movie tutorial)

Since more and more malware is using the COM interface, I thought it was time to write some reconstruction helpers and create a video tutorial on how to use them on real-life malware. You'll see how a complete function that uses the COM interface gets translated into far more readable code than before. The code itself dumps the Windows Protected Storage to steal account data such as member-site passwords, Outlook Express accounts, autocomplete fields and so forth. The IDAPython scripts are also available on my site.

Practical COM Code Reconstruction at Reconstructer.org

Enjoy,
Frank Boldewin
