Reverse Engineering and More
@re_and_more
RE and More by Alexey Kleymenov (https://t.co/s1pWjL46AW). Private classes and group workshops in malware analysis and reverse engineering. #infosec #malware
ID:1273897211424911360
https://re-and-more.com 19-06-2020 08:36:57
539 Tweets
9,7K Followers
557 Following
RE tip of the day: Unlike SafeSEH, which stores pointers to exception handlers in the executable, SEHOP works at runtime, checking that the entire SEH chain is traceable to the end, and this way doesn't require recompilation.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: When the file is compiled with the SafeSEH option enabled, its Exception Table will contain a list of safe exception handlers to fight the exploitation of Structured Exception Handling (SEH) structures.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: Even after signing the executable, some parts of it can be changed without breaking the signature (checksum, certificate table, the overlay for installers, etc). More details here: buff.ly/3EK1iZJ
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: When malware is signed, a hash over part of the sample body is calculated and encrypted with a private key of the certificate owner. A hash and a public key (certificate) are stored in the Security Directory.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: Attackers may sign their executables with valid certificates to reduce the chances of them being detected. The sigcheck command-line tool (part of Sysinternals Suite) can be used to explore signature details.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: Even when malware doesn't store any payloads/configs in its resources, researchers may get some useful insights from the Resource Directory, for example, language IDs or timestamps (old Delphi compilers only).
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: When malware stores additional payloads or configs in its resources (usually encrypted), the common way to access them is by using WinAPIs. The LockResource API will return the pointer to the actual resource data.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: Export Directory stores the list of all the executable's functions that can be used externally by other binaries, usually by referencing the corresponding function names or ordinals in their Import Directory.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: On 64-bit versions of Windows, despite its name, the C:\Windows\System32 directory stores 64-bit versions of executables (mainly DLLs). In contrast, C:\Windows\SysWOW64 stores 32-bit versions of executables.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: The Subsystem field of the Optional Header can tell us if malware is a driver (Native=1) or a user-mode program, either expected to create windows (Windows GUI=2) or purely console-based (Windows Console=3).
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: If you want to perform dynamic analysis of the sample, make sure that your OS has a version higher than or equal to the one found in the PE header, otherwise the debugging may fail due to WinAPI mismatches.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: When you dump executables from memory after unpacking, the relocation table may be restored using tools like ReloX or more modern alternatives by providing two dumps taken at two different base addresses.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: As some instructions contain hardcoded VAs, they need to be patched at runtime to match the new base address. This is possible thanks to the Relocation Directory, which stores a list of all instructions that contain VAs.
#cybersecurity #malware #reverseengineering
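The two tips above (rebuilding a relocation table from two dumps, and the Relocation Directory that lists every instruction operand holding a VA) worked through in code. This is an added example, not code from the tweets or from ReloX: it walks IMAGE_BASE_RELOCATION blocks in a mapped image and rebases the listed VAs the way the loader does, then recovers the same list ReloX-style by diffing two dumps taken at different bases and regroups it into a .reloc directory. The image layout (.text at RVA 0x1000, .reloc at 0x2000), the two base addresses and the pointer positions are constructed for the example.

```python
import struct

# Relocation entry types (high 4 bits of each WORD entry); the offset within the page is the low 12 bits.
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, ignored by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit VA operand (PE32)
IMAGE_REL_BASED_DIR64 = 10     # 64-bit VA operand (PE32+)

# Constructed sample layout: a 3-page mapped image, .text at 0x1000, .reloc at 0x2000.
OLD_BASE = 0x140000000         # ImageBase the image was linked for
NEW_BASE = 0x7FF6A3B10000      # constructed base the loader picked under ASLR
TEXT_RVA, RELOC_RVA = 0x1000, 0x2000
POINTER_RVAS = [TEXT_RVA + 0x12, TEXT_RVA + 0x30]   # where the hardcoded VA operands live


def build_reloc_block(page_rva, offsets, rtype):
    """One IMAGE_BASE_RELOCATION block: {VirtualAddress, SizeOfBlock} followed by WORD entries."""
    entries = [(rtype << 12) | off for off in offsets]
    if len(entries) % 2:                  # keep SizeOfBlock 4-byte aligned with an ABSOLUTE entry
        entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
    return struct.pack("<II", page_rva, 8 + 2 * len(entries)) + struct.pack(f"<{len(entries)}H", *entries)


def build_reloc_directory(rvas, rtype=IMAGE_REL_BASED_DIR64):
    """Group pointer RVAs by 4 KiB page and emit a complete .reloc directory (what ReloX rebuilds)."""
    pages = {}
    for rva in sorted(rvas):
        pages.setdefault(rva & ~0xFFF, []).append(rva & 0xFFF)
    return b"".join(build_reloc_block(page, offs, rtype) for page, offs in sorted(pages.items()))


def iter_relocations(image, reloc_rva, reloc_size):
    """Walk the Relocation Directory of a mapped image and yield (type, rva) for every fix-up."""
    pos, end = reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if block_size < 8 or pos + block_size > end:
            raise ValueError("corrupt relocation block")
        for off in range(pos + 8, pos + block_size, 2):
            entry, = struct.unpack_from("<H", image, off)
            rtype, offset = entry >> 12, entry & 0xFFF
            if rtype != IMAGE_REL_BASED_ABSOLUTE:
                yield rtype, page_rva + offset
        pos += block_size


def apply_relocations(image, reloc_rva, reloc_size, old_base, new_base):
    """Rebase a mapped image the way the loader does: add (new_base - old_base) to every listed VA."""
    delta = new_base - old_base
    out = bytearray(image)
    for rtype, rva in iter_relocations(image, reloc_rva, reloc_size):
        if rtype == IMAGE_REL_BASED_DIR64:
            value, = struct.unpack_from("<Q", out, rva)
            struct.pack_into("<Q", out, rva, (value + delta) & 0xFFFFFFFFFFFFFFFF)
        elif rtype == IMAGE_REL_BASED_HIGHLOW:
            value, = struct.unpack_from("<I", out, rva)
            struct.pack_into("<I", out, rva, (value + delta) & 0xFFFFFFFF)
        else:
            raise ValueError(f"unsupported relocation type {rtype}")
    return bytes(out)


def recover_relocations(dump_a, base_a, dump_b, base_b, width=8):
    """ReloX-style recovery: in two dumps of the same image taken at different bases, a position
    whose value differs by exactly (base_b - base_a) held a relocated pointer. width=4 for PE32."""
    if len(dump_a) != len(dump_b) or base_a == base_b:
        raise ValueError("need two equal-sized dumps taken at different base addresses")
    fmt, mask = ("<Q", 0xFFFFFFFFFFFFFFFF) if width == 8 else ("<I", 0xFFFFFFFF)
    delta = (base_b - base_a) & mask
    rvas, rva = [], 0
    while rva + width <= len(dump_a):
        if dump_a[rva:rva + width] != dump_b[rva:rva + width]:
            va, = struct.unpack_from(fmt, dump_a, rva)
            vb, = struct.unpack_from(fmt, dump_b, rva)
            if (vb - va) & mask == delta:
                rvas.append(rva)
                rva += width                  # step over the pointer we just matched
                continue
        rva += 1
    return rvas


def build_sample_image():
    """Constructed image: two 'mov rax, imm64'-style operands holding VAs, plus a matching .reloc."""
    image = bytearray(0x3000)
    struct.pack_into("<Q", image, POINTER_RVAS[0], OLD_BASE + 0x2500)    # points into the .reloc page
    struct.pack_into("<Q", image, POINTER_RVAS[1], OLD_BASE + TEXT_RVA)  # points at the start of .text
    reloc = build_reloc_directory(POINTER_RVAS)
    image[RELOC_RVA:RELOC_RVA + len(reloc)] = reloc
    return bytes(image), len(reloc)


if __name__ == "__main__":
    image, reloc_size = build_sample_image()
    rebased = apply_relocations(image, RELOC_RVA, reloc_size, OLD_BASE, NEW_BASE)
    recovered = recover_relocations(image, OLD_BASE, rebased, NEW_BASE)
    print("relocated operands at RVAs:", [hex(r) for r in recovered])
    print("rebuilt .reloc matches original:", build_reloc_directory(recovered) == image[RELOC_RVA:RELOC_RVA + reloc_size])
```

The recovery scan compares whole pointer-sized windows, so a partial overlap with a real pointer never yields the exact delta; on a real dump, restrict the scan to writable and code sections and expect a few false positives where unrelated data happens to differ by the delta.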
RE tip of the day: ImageBase field contains the proposed base address for the program, and some instructions may have hardcoded absolute VAs expecting it. The actual base address at runtime may be different because of ASLR.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: AddressOfEntryPoint field of the Optional Header stores the RVA of the first instruction to be executed once the process starts. However, if TLS callbacks are present, they will be executed first.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: RVA (Relative Virtual Address) is an address relative to the base address of the program, the address at which the executable was loaded (where its MZ signature can be found). Any of its VAs = base address + RVA.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: To understand if the provided Windows executable is a DLL or not, check this particular boolean flag of the Characteristics field in the File Header structure. Non-DLLs may also have Export Directory items.
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: In the PE header, there are multiple places where the compilation timestamp can be found:
* TimeDateStamp in the File Header
* TimeDateStamp in the Export Directory
* TimeDateStamp in the Debug Directory
#infosec #cybersecurity #malware #reverseengineering
RE tip of the day: To understand if the executable is designed to be run on 32- or 64-bit Windows, you can either check the Machine field of its File Header defining its architecture or the Magic value of the Optional Header defining its format.
#cybersecurity #reverseengineering
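Several of the tips above concern the same few header fields: Machine and the Optional Header Magic (32- vs 64-bit), the DLL flag in Characteristics, TimeDateStamp in the File Header, Subsystem, ImageBase and AddressOfEntryPoint with VA = base + RVA, and, for the signing tips, the parts of the file that Authenticode leaves out of the hash (CheckSum, the Security directory entry, and the certificate table that installers abuse as an overlay). The following Python script is an added example, not code from the tweets or from sigcheck: it parses those fields from a PE header with struct alone, and computes the Authenticode-style digest over a constructed header-only image (no sections, so the real algorithm's per-section hashing order is not needed here). The sample image, the dummy certificate blob and the patched values are constructed for the example.

```python
import hashlib
import struct
from datetime import datetime, timezone

MACHINE = {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}          # IMAGE_FILE_MACHINE_*
SUBSYSTEM = {1: "Native", 2: "Windows GUI", 3: "Windows Console"}  # IMAGE_SUBSYSTEM_*
IMAGE_FILE_DLL = 0x2000                                            # File Header Characteristics flag


def parse_pe_header(data):
    """Read the DOS, File and Optional headers and return the fields discussed in the tips above."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    machine, _, timestamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:                                  # PE32+: 8-byte ImageBase at +24, directories at +112
        image_base, = struct.unpack_from("<Q", data, opt + 24)
        datadir = opt + 112
    elif magic == 0x10B:                                # PE32: 4-byte ImageBase at +28, directories at +96
        image_base, = struct.unpack_from("<I", data, opt + 28)
        datadir = opt + 96
    else:
        raise ValueError(f"unknown Optional Header magic {magic:#x}")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    checksum, subsystem = struct.unpack_from("<IH", data, opt + 64)      # CheckSum, then Subsystem
    security = datadir + 4 * 8                          # IMAGE_DIRECTORY_ENTRY_SECURITY is entry 4
    cert_offset, cert_size = struct.unpack_from("<II", data, security)  # a file offset, not an RVA
    return {
        "machine": MACHINE.get(machine, f"{machine:#x}"),
        "format": "PE32+" if magic == 0x20B else "PE32",
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "subsystem": SUBSYSTEM.get(subsystem, subsystem),
        "compiled": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "image_base": image_base,
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,             # VA = base address + RVA
        "entry_offset": opt + 16,
        "checksum_offset": opt + 64,
        "security_entry_offset": security,
        "certificate_table": (cert_offset, cert_size),
    }


def authenticode_digest(data, algo="sha256"):
    """Hash the file the way Authenticode does: skip the 4-byte CheckSum, skip the 8-byte Security
    directory entry, and stop at the certificate table, which sits at the end of a signed file."""
    hdr = parse_pe_header(data)
    cs, sec = hdr["checksum_offset"], hdr["security_entry_offset"]
    cert_offset, cert_size = hdr["certificate_table"]
    end = cert_offset if cert_size else len(data)
    h = hashlib.new(algo)
    h.update(data[:cs])
    h.update(data[cs + 4:sec])
    h.update(data[sec + 8:end])
    return h.hexdigest()


def build_header_only_pe(pe32plus=True, subsystem=2, dll=False, entry_rva=0x1000, timestamp=1600000000):
    """Constructed sample: DOS header + PE signature + File Header + Optional Header, no sections."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew: PE signature right after the DOS header
    opt_size = 240 if pe32plus else 224
    chars = 0x0002 | (IMAGE_FILE_DLL if dll else 0)      # IMAGE_FILE_EXECUTABLE_IMAGE [| IMAGE_FILE_DLL]
    file_header = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, timestamp, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<I", opt, 16, entry_rva)                      # AddressOfEntryPoint
    if pe32plus:
        struct.pack_into("<Q", opt, 24, 0x140000000)                # ImageBase (PE32+)
    else:
        struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase (PE32)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)        # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt)


def patch_u32(data, offset, value):
    """Overwrite one 32-bit header field, e.g. CheckSum or AddressOfEntryPoint."""
    out = bytearray(data)
    struct.pack_into("<I", out, offset, value)
    return bytes(out)


def with_certificate_table(data, blob):
    """Append a dummy (constructed) certificate table as overlay and point the Security entry at it."""
    hdr = parse_pe_header(data)
    out = bytearray(data)
    struct.pack_into("<II", out, hdr["security_entry_offset"], len(data), len(blob))
    return bytes(out) + blob


if __name__ == "__main__":
    pe = build_header_only_pe()
    hdr = parse_pe_header(pe)
    print(hdr["format"], hdr["machine"], hdr["subsystem"], "DLL" if hdr["is_dll"] else "EXE", hdr["compiled"], hex(hdr["entry_va"]))
    print("digest survives CheckSum patch:", authenticode_digest(patch_u32(pe, hdr["checksum_offset"], 0xDEADBEEF)) == authenticode_digest(pe))
```

Because the certificate table is excluded from the hash, anything appended inside it (the installer payload trick from the tip above) leaves the digest, and therefore the signature, intact; patching AddressOfEntryPoint changes it.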