Reverse Engineering and More (@re_and_more)'s Twitter Profile
Reverse Engineering and More

@re_and_more

RE and More by Alexey Kleymenov (https://t.co/s1pWjL46AW). Private classes and group workshops in malware analysis and reverse engineering. #infosec #malware

ID: 1273897211424911360

Link: https://re-and-more.com
Joined: 19-06-2020 08:36:57

539 Tweets

9,7K Followers

557 Following

RE tip of the day: Unlike SafeSEH, which stores pointers to exception handlers in the executable, SEHOP works at runtime checking that the entire SEH chain is traceable to the end and this way doesn't require re-compilation.

RE tip of the day: When the file is compiled with the SafeSEH option enabled, its Exception Table will contain a list of safe exception handlers to fight the exploitation of Structured Exception Handling (SEH) structures.
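
The two SEH tips above (SEHOP checking at runtime that the chain is traceable to its end, SafeSEH listing the registered handlers inside the executable) can be modelled in a few lines of Python. This is an added example, not code from @re_and_more: it simulates a 32-bit stack holding EXCEPTION_REGISTRATION_RECORD entries and applies the checks an exception dispatcher with SEHOP and SafeSEH would apply. The stack range, the handler addresses and the stand-in address for ntdll's FinalExceptionHandler are all constructed values.

```python
import struct

END_OF_CHAIN = 0xFFFFFFFF                    # Next value that terminates the SEH list
FINAL_HANDLER = 0x77E1F000                   # stand-in for ntdll!FinalExceptionHandler (constructed address)
STACK_BASE, STACK_SIZE = 0x0018F000, 0x1000  # constructed stack region for the simulation


def build_stack(records):
    """Lay out EXCEPTION_REGISTRATION_RECORDs {Next, Handler} on a simulated 32-bit stack.
    `records` is a list of (record_address, next_address, handler_address)."""
    stack = bytearray(STACK_SIZE)
    for addr, nxt, handler in records:
        struct.pack_into("<II", stack, addr - STACK_BASE, nxt, handler)
    return stack


def validate_seh_chain(stack, head, safe_handlers=None, max_depth=64):
    """Walk the chain from `head` (what FS:[0] holds) to END_OF_CHAIN and return (ok, reason).
    Models three checks: every record must lie on the stack (the dispatcher's own sanity check),
    the walk must end at FinalExceptionHandler (SEHOP), and, when a SafeSEH table is supplied,
    every handler must be listed in it (SafeSEH)."""
    current, depth = head, 0
    while current != END_OF_CHAIN:
        if current % 4 or not (STACK_BASE <= current <= STACK_BASE + STACK_SIZE - 8):
            return False, "record 0x%08X is not on the stack" % current
        if depth >= max_depth:
            return False, "chain is too long or cyclic"
        nxt, handler = struct.unpack_from("<II", stack, current - STACK_BASE)
        if safe_handlers is not None and handler not in safe_handlers:
            return False, "handler 0x%08X is not a registered safe handler" % handler
        if nxt == END_OF_CHAIN and handler != FINAL_HANDLER:
            return False, "chain does not end at FinalExceptionHandler"
        current, depth = nxt, depth + 1
    return True, "chain intact"


def demo():
    """Intact chain versus a chain whose first record was clobbered by a stack corruption."""
    app_handler = 0x00401230                   # constructed: a handler inside the application image
    safe_table = {app_handler, FINAL_HANDLER}  # what the SafeSEH exception table would list
    intact = build_stack([(0x0018FF80, 0x0018FFC4, app_handler),
                          (0x0018FFC4, END_OF_CHAIN, FINAL_HANDLER)])
    corrupted = build_stack([(0x0018FF80, 0x41414141, 0x00405000),  # both fields overwritten
                             (0x0018FFC4, END_OF_CHAIN, FINAL_HANDLER)])
    return (validate_seh_chain(intact, 0x0018FF80, safe_table),
            validate_seh_chain(corrupted, 0x0018FF80),              # SEHOP alone rejects it
            validate_seh_chain(corrupted, 0x0018FF80, safe_table))  # SafeSEH alone rejects it too


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The SEHOP check needs nothing from the binary, only that the walk from FS:[0] still reaches the ntdll record, which is why it applies to modules that were never recompiled; the SafeSEH check depends on the table the compiler emitted, so it can only vouch for modules that carry one.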

RE tip of the day: Even after signing the executable, some parts of it can be changed without breaking the signature (checksum, certificate table, the overlay for installers, etc). More details here: buff.ly/3EK1iZJ

RE tip of the day: When malware is signed, a hash over part of the sample body is calculated and encrypted with a private key of the certificate owner. A hash and a public key (certificate) are stored in the Security Directory.

RE tip of the day: Attackers may sign their executables with valid certificates to reduce the chances of them being detected. The sigcheck command-line tool (part of Sysinternals Suite) can be used to explore signature details.

RE tip of the day: Even when malware doesn't store any payloads/configs in its resources, researchers may get some useful insights from the Resource Directory, for example, language IDs or timestamps (old Delphi compilers only).

RE tip of the day: When malware stores additional payloads or configs in its resources (usually encrypted), the common way to access them is by using WinAPIs. The LockResource API will return the pointer to the actual resource data.

RE tip of the day: After unpacking, the original Import Directory is often not available as it is the unpacking code that resolves the imports. Programs like Scylla or ImpRec can find the populated IAT and reconstruct the original Import Directory.

RE tip of the day: Export Directory stores the list of all the executable's functions that can be used externally by other binaries, usually by referencing the corresponding function names or ordinals in their Import Directory.

RE tip of the day: On 64-bit versions of Windows, despite its name, the C:\Windows\System32 directory stores 64-bit versions of executables (mainly DLLs). In contrast, C:\Windows\SysWOW64 stores 32-bit versions of executables.

RE tip of the day: The Subsystem field of the Optional Header can tell us if malware is a driver (Native=1) or a user-mode program, either expected to create windows (Windows GUI=2) or purely console-based (Windows Console=3).

RE tip of the day: If you want to perform dynamic analysis of the sample, make sure that your OS has a version higher than or equal to the one found in the PE header, otherwise the debugging may fail due to WinAPI mismatches.

RE tip of the day: When you dump executables from memory after unpacking, the relocation table may be restored using tools like ReloX or more modern alternatives by providing two dumps having two different base addresses.

RE tip of the day: As some instructions contain hardcoded VAs, they need to be patched at runtime to match the new base address. It is possible thanks to the Relocation Directory that stores a list of all instructions that contain VAs.

RE tip of the day: ImageBase field contains the proposed base address for the program, and some instructions may have hardcoded absolute VAs expecting it. The actual base address at runtime may be different because of ASLR.
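
The three relocation tips above (ImageBase versus the actual base under ASLR, the Relocation Directory listing every slot that holds an absolute VA, and rebuilding that table from two dumps taken at different bases) can be exercised end to end with the following Python. This is an added example, not code from @re_and_more or from ReloX: it encodes and parses IMAGE_BASE_RELOCATION blocks exactly as the PE format defines them, applies the HIGHLOW fixups the way the loader does, and then recovers the fixup list by diffing two dumps. The "dump twice, keep the dwords that differ by the base delta" recovery is the standard idea behind such tools and is assumed here rather than taken from any tool's source; the image fragment, its pointer slots and the decoy value are constructed.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry; the loader skips it
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute VA: add the full base delta


def build_reloc_directory(fixup_rvas):
    """Encode fixup RVAs as IMAGE_BASE_RELOCATION blocks, one per 4 KiB page,
    each followed by 16-bit entries of (type << 12 | offset-in-page)."""
    pages = {}
    for rva in sorted(fixup_rvas):
        pages.setdefault(rva & ~0xFFF, []).append((IMAGE_REL_BASED_HIGHLOW << 12) | (rva & 0xFFF))
    out = b""
    for page, entries in sorted(pages.items()):
        if len(entries) % 2:                               # keep every block DWORD-aligned
            entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
        out += struct.pack("<II", page, 8 + 2 * len(entries))
        out += struct.pack("<%dH" % len(entries), *entries)
    return out


def parse_reloc_directory(blob):
    """Return [(rva, type), ...] for every entry in a Relocation Directory."""
    entries, off = [], 0
    while off + 8 <= len(blob):
        page, size = struct.unpack_from("<II", blob, off)
        if size < 8:
            raise ValueError("malformed relocation block")
        for (entry,) in struct.iter_unpack("<H", blob[off + 8:off + size]):
            entries.append((page + (entry & 0xFFF), entry >> 12))
        off += size
    return entries


def apply_relocations(image, reloc_blob, old_base, new_base):
    """Patch every HIGHLOW slot by (new_base - old_base), as the loader does when the
    image cannot be mapped at its ImageBase (for example under ASLR)."""
    delta = (new_base - old_base) & 0xFFFFFFFF
    out = bytearray(image)
    for rva, kind in parse_reloc_directory(reloc_blob):
        if kind == IMAGE_REL_BASED_HIGHLOW:
            value = struct.unpack_from("<I", out, rva)[0]
            struct.pack_into("<I", out, rva, (value + delta) & 0xFFFFFFFF)
    return bytes(out)


def recover_relocations(dump_a, base_a, dump_b, base_b):
    """Two-dump recovery: dwords that differ between the dumps by exactly the base delta
    are the relocated slots; data that did not change, even if it looks like a VA, is ignored."""
    delta = (base_b - base_a) & 0xFFFFFFFF
    found, rva = [], 0
    while rva + 4 <= min(len(dump_a), len(dump_b)):
        a = struct.unpack_from("<I", dump_a, rva)[0]
        b = struct.unpack_from("<I", dump_b, rva)[0]
        if a != b and (b - a) & 0xFFFFFFFF == delta:
            found.append(rva)
            rva += 4                                       # a slot is 4 bytes wide; do not rescan inside it
        else:
            rva += 1
    return found


def demo():
    """Relocate a constructed image fragment, then rebuild its relocation table from two dumps."""
    old_base, new_base = 0x00400000, 0x10000000
    fixups = [0x10, 0x24, 0x1004, 0x1FF8]                 # constructed slots holding absolute VAs
    image = bytearray(0x2000)
    for rva in fixups:
        struct.pack_into("<I", image, rva, old_base + 0x1800)   # e.g. the operand of mov eax, [0x401800]
    struct.pack_into("<I", image, 0x300, old_base + 0x1800)     # decoy: same value, but not a fixup slot
    reloc = build_reloc_directory(fixups)
    moved = apply_relocations(image, reloc, old_base, new_base)
    patched_ok = all(struct.unpack_from("<I", moved, r)[0] == new_base + 0x1800 for r in fixups)
    decoy_untouched = struct.unpack_from("<I", moved, 0x300)[0] == old_base + 0x1800
    recovered = recover_relocations(bytes(image), old_base, moved, new_base)
    return patched_ok, decoy_untouched, recovered == fixups, build_reloc_directory(recovered) == reloc


if __name__ == "__main__":
    print(demo())
```

The decoy at 0x300 is the reason two dumps are needed: a single dump scanned for values inside the image range would flag it as a pointer, whereas the diff only reports slots the loader actually rewrote. Real dumps also contain globals that changed between the two runs for other reasons; requiring the difference to equal the base delta filters most of that noise out.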

RE tip of the day: AddressOfEntryPoint field of the Optional Header stores the RVA of the first instruction to be executed once the process starts. However, if TLS callbacks are present, they will be executed first.

RE tip of the day: RVA (Relative Virtual Address) is an address relative to the base address of the program, an address at which the executable was loaded (where its MZ signature can be found). Any of its VAs = base address + RVA.

RE tip of the day: To understand if the provided Windows executable is a DLL or not, check this particular boolean flag of the Characteristics field in the File Header structure. Non-DLLs may also have Export Directory items.

RE tip of the day: In the PE header, there are multiple places where the compilation timestamp can be found:
* TimeDateStamp in the File Header
* TimeDateStamp in the Export Directory
* TimeDateStamp in the Debug Directory

RE tip of the day: To understand if the executable is designed to be run on 32- or 64-bit Windows, you can either check the Machine field of its File Header defining its architecture or the Magic value of the Optional Header defining its format.
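
The header-triage tips above (Machine and Magic, the DLL bit of Characteristics, TimeDateStamp, Subsystem, the OS version fields, ImageBase, AddressOfEntryPoint and VA = base address + RVA) and the three signing tips further up (the hash covers only part of the file, so CheckSum and the certificate table can change without breaking the signature) can all be exercised with one Python script. This is an added example, not code from @re_and_more: it builds a minimal PE32 file in memory, reads the fields back with plain struct unpacking at the offsets the PE specification defines, and hashes the file the way Microsoft's Authenticode PE specification prescribes (skip the CheckSum field, skip the Security Directory entry, skip the certificate table). The DLL bit the tip refers to is IMAGE_FILE_DLL (0x2000). Every field value in the sample file, the .text bytes and the placeholder certificate blob are constructed; the blob is not a real PKCS#7 signature, so the script demonstrates what the hash covers, not signature verification.

```python
import datetime
import hashlib
import struct

# Constants from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x014C, 0x8664
IMAGE_FILE_DLL = 0x2000                       # Characteristics bit: image is a DLL
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B     # Optional Header Magic: 32-bit vs 64-bit format
SUBSYSTEM_NAMES = {1: "Native", 2: "Windows GUI", 3: "Windows Console"}
DIR_SECURITY = 4                              # Security Directory index (its VirtualAddress is a file offset)


def build_sample_pe(dll=False, subsystem=2, timestamp=0x5F0D1B20, entry_rva=0x1000, image_base=0x400000):
    """Construct a minimal PE32 file in memory (a constructed sample, not a real program)."""
    dos = bytearray(64); dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> "PE\0\0"
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)             # EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, timestamp, 0, 0, 224, chars)
    opt = bytearray(224)                                        # PE32 Optional Header incl. 16 directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                 # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)             # SectionAlignment, FileAlignment
    struct.pack_into("<HHHHHH", opt, 40, 6, 1, 0, 0, 6, 1)      # OS version 6.1, image version, subsystem version
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)             # SizeOfImage, SizeOfHeaders (CheckSum at 64 stays 0)
    struct.pack_into("<H", opt, 68, subsystem)                  # Subsystem
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + file_hdr + opt + sect).ljust(0x200, b"\0")
    text = b"\x55\x89\xE5\x90\xC3".ljust(0x200, b"\xCC")        # constructed .text: push ebp; mov ebp,esp; nop; ret
    return bytes(headers + text)


def parse_headers(pe):
    """Extract the triage fields from the DOS, File and Optional headers (PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    fh = e_lfanew + 4
    machine, nsec, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", pe, fh)
    oh = fh + 20
    magic = struct.unpack_from("<H", pe, oh)[0]
    is_plus = magic == PE32PLUS_MAGIC
    entry_rva = struct.unpack_from("<I", pe, oh + 16)[0]
    image_base = (struct.unpack_from("<Q", pe, oh + 24) if is_plus else struct.unpack_from("<I", pe, oh + 28))[0]
    os_major, os_minor = struct.unpack_from("<HH", pe, oh + 40)
    size_of_headers = struct.unpack_from("<I", pe, oh + 60)[0]
    subsystem = struct.unpack_from("<H", pe, oh + 68)[0]
    sec_dir_off = oh + (112 if is_plus else 96) + DIR_SECURITY * 8   # directories start later in PE32+
    sections = []
    for i in range(nsec):                                       # section table follows the Optional Header
        raw_size, raw_ptr = struct.unpack_from("<II", pe, oh + opt_size + i * 40 + 16)
        sections.append((raw_ptr, raw_size))
    return {
        "machine": machine, "magic": magic, "is_64bit": is_plus,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "timestamp": tstamp,
        "compiled": datetime.datetime.fromtimestamp(tstamp, datetime.timezone.utc).isoformat(),
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, "other(%d)" % subsystem),
        "min_os_version": (os_major, os_minor),
        "image_base": image_base, "entry_rva": entry_rva, "entry_va": image_base + entry_rva,
        "checksum_offset": oh + 64, "security_dir_offset": sec_dir_off,
        "security_dir": struct.unpack_from("<II", pe, sec_dir_off),
        "size_of_headers": size_of_headers, "sections": sections,
    }


def authenticode_hash(pe, algo="sha256"):
    """Hash the file the way Authenticode does: everything except the CheckSum field,
    the Security Directory entry and the certificate table itself."""
    h = parse_headers(pe)
    d = hashlib.new(algo)
    cs, sd = h["checksum_offset"], h["security_dir_offset"]
    d.update(pe[:cs]); d.update(pe[cs + 4:sd]); d.update(pe[sd + 8:h["size_of_headers"]])
    hashed = h["size_of_headers"]
    for ptr, size in sorted(h["sections"]):                     # section bodies in file order
        d.update(pe[ptr:ptr + size]); hashed += size
    cert_size = h["security_dir"][1]
    d.update(pe[hashed:len(pe) - cert_size])                    # trailing data, minus the certificate table
    return d.hexdigest()


def attach_certificate_table(pe, blob):
    """Append a WIN_CERTIFICATE entry carrying `blob` and point the Security Directory at it."""
    h = parse_headers(pe)
    entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob   # dwLength, revision 2.0, PKCS_SIGNED_DATA
    entry = entry.ljust((len(entry) + 7) & ~7, b"\0")           # entries are 8-byte aligned
    out = bytearray(pe)
    struct.pack_into("<II", out, h["security_dir_offset"], len(pe), len(entry))
    return bytes(out + entry)


def demo():
    """Which edits survive the signature: CheckSum and certificate table yes, a section byte no."""
    pe = build_sample_pe()
    original = authenticode_hash(pe)
    patched = bytearray(pe)
    struct.pack_into("<I", patched, parse_headers(pe)["checksum_offset"], 0xDEADBEEF)   # rewrite CheckSum
    signed = attach_certificate_table(bytes(patched), b"constructed placeholder signature")
    tampered = bytearray(signed); tampered[0x203] ^= 0x01       # flip one bit inside .text
    return authenticode_hash(signed) == original, authenticode_hash(bytes(tampered)) == original
```

`parse_headers` alone answers most of the triage questions in the tips (architecture from both Machine and Magic, DLL or not, when it was built, Native/GUI/Console, which OS version the loader expects, and the VA the first instruction will run at if the image lands at ImageBase). `demo()` returns `(True, False)`: rewriting CheckSum and appending a certificate table leave the Authenticode hash unchanged, while a single bit in `.text` breaks it, which is exactly why those two regions are the ones that can be edited after signing.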
