Category: reverse engineering

  • Two new challenges

    Well, new for me at least… The first one is 0x41414141.com. Just go to the site and you can start directly. As far as I know, this is not time-bound. The second one is spargecoduasta.com (“break this code”). It is put up by BitDefender and I don’t know if it has a time limit. The…

  • Advanced Windows Debugging review

    Until recently I didn’t do kernel debugging, but lately I’ve toyed around with some code which executes before the process is in a state that is agreeable to user-mode debuggers. So I borrowed this book from one of my friends (thanks D!) and read through it. To get the bad stuff straight out of…

  • Windows 7 OOP overdrive

    Credit goes to a good friend of mine for this (who doesn’t have a website or twitter account, so I can’t link to him :-p). Here is a (partial) list of DLLs imported by the Windows 7 version of kernel32:
    API-MS-Win-Core-RtlSupport-L1-1-0.dll
    API-MS-Win-Core-ProcessThreads-L1-1-0.dll
    API-MS-Win-Core-Heap-L1-1-0.dll
    API-MS-Win-Core-Memory-L1-1-0.dll
    API-MS-Win-Core-Handle-L1-1-0.dll
    API-MS-Win-Core-Synch-L1-1-0.dll
    API-MS-Win-Core-File-L1-1-0.dll
    API-MS-Win-Core-IO-L1-1-0.dll
    API-MS-Win-Core-ThreadPool-L1-1-0.dll
    API-MS-Win-Core-LibraryLoader-L1-1-0.dll
    API-MS-Win-Core-NamedPipe-L1-1-0.dll
    API-MS-Win-Core-Misc-L1-1-0.dll
    API-MS-Win-Core-SysInfo-L1-1-0.dll
    API-MS-Win-Core-Localization-L1-1-0.dll
    API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll…

  • Detecting the Metasploit encryptors in one hour and 49 lines of Python

    I’ve seen a lot of blog posts lately which proclaim that Metasploit payloads encoded with one of the available encoders and written into an executable file are somewhat “magically” capable of bypassing AV software (these posts usually contain a couple of VirusTotal links to demonstrate the point). The main scenario considered (from what I gather) is…
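    As an added example (this is not the 49-line script the post refers to, nor Metasploit code), here is one way a detector of this kind can work without signaturing any particular encoder: every self-decoding x86 stub must first find its own address in memory (the "GetPC" step), and the two idioms that do that (fnstenv [esp-0xc] ; pop reg, and call $+5 ; pop reg) have fixed byte encodings. The scanner finds those, then looks in a small window after them for what a decoder loop does next: an XOR with a memory operand and a LOOP instruction. The byte patterns come from the x86 encodings; the scoring is our own heuristic, and the sample buffer is hand-assembled for the test, not real Metasploit output.

```python
import re
import sys

# Byte patterns for the two x86 "GetPC" idioms self-decoding stubs use to learn
# their own address (encodings from the x86 manual; the names are ours):
#   fnstenv [esp-0xc] ; pop reg   -> reg = address of the last FPU instruction run
#   call $+5          ; pop reg   -> reg = address of the pop itself
GETPC_PATTERNS = {
    "fnstenv_pop": re.compile(rb"\xd9\x74\x24\xf4[\x58-\x5f]"),
    "call_pop":    re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]"),
}

def _has_xor_with_memory_operand(body):
    # XOR r/m32,r32 (0x31) or XOR r32,r/m32 (0x33) whose ModRM mod field is not
    # 11b, i.e. the XOR touches memory: that is what a decoder loop does to its payload.
    return any(body[i] in (0x31, 0x33) and (body[i + 1] >> 6) != 3
               for i in range(len(body) - 1))

def scan_for_getpc_stubs(buf, window=32):
    """Return one finding per GetPC idiom in buf, scored 1..4 by how much of a
    decoder loop surrounds it. Score >= 3 is a strong hint of a self-decoding
    stub (a heuristic: a legitimate program can contain these bytes too)."""
    findings = []
    for kind, pat in GETPC_PATTERNS.items():
        for m in pat.finditer(buf):
            off = m.start()
            evidence = [kind]
            # fnstenv only stores a useful address if an FPU instruction (opcode
            # D8..DF) was executed first, so the stub has one right before it.
            if kind == "fnstenv_pop" and off >= 2 and 0xD8 <= buf[off - 2] <= 0xDF:
                evidence.append("fpu_insn_before")
            body = buf[m.end():m.end() + window]
            if _has_xor_with_memory_operand(body):
                evidence.append("xor_mem_in_window")
            if b"\xe2" in body:                  # LOOP rel8
                evidence.append("loop_in_window")
            findings.append({"offset": off, "kind": kind,
                             "score": len(evidence), "evidence": evidence})
    return sorted(findings, key=lambda f: f["offset"])

# Constructed test buffer (hand-assembled, NOT Metasploit output): a minimal
# fnstenv-based decoder loop embedded in padding.
SAMPLE_STUB = (
    b"\x90" * 8 +            # padding
    b"\xd9\xee" +            # fldz               (FPU insn whose address fnstenv records)
    b"\xd9\x74\x24\xf4" +    # fnstenv [esp-0xc]
    b"\x5e" +                # pop esi            -> esi = &fldz
    b"\x31\xc9" +            # xor ecx, ecx
    b"\xb1\x0a" +            # mov cl, 10         (blocks to decode)
    b"\x31\x46\x0c" +        # xor [esi+0xc], eax ; decode one dword
    b"\x83\xc6\x04" +        # add esi, 4
    b"\xe2\xf8" +            # loop back to the xor
    b"\x00" * 16
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STUB
    for f in scan_for_getpc_stubs(data):
        print("%#08x %-12s score=%d %s" % (f["offset"], f["kind"],
                                           f["score"], ", ".join(f["evidence"])))
```

    Run with a file argument to scan an executable, or without one to scan the built-in sample (which reports one hit at offset 0x0a with score 4). The point of scoring rather than exact-matching is that the GetPC idiom is the part an encoder cannot randomise away, while the XOR/LOOP checks keep false positives from every stray 0xD9 byte down.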

  • Book review: The IDA PRO Book

    Recently I’ve had the pleasure of reading through “The IDA PRO Book: The Unofficial Guide to the World’s Most Popular Disassembler”. It is a well written book and definitely a “should read” for anyone working with IDA. The book is structured into 26 chapters which cover every aspect of IDA, no matter how exotic :-).…

  • Panda Challenge

    I know that it is kind of short notice, but I too have only found out about it recently: the Panda Challenge (from Panda Security). It begins tomorrow (on the 7th of July) at 10 AM GMT+1 and consists of three rounds. Picture taken from Joachim’s photostream with permission.

  • Breaking into a process before the TLS gets executed

    I found out about this from the SANS blog: you can make Olly break before the TLS callbacks get executed. Just go to Debugging Options –> Events and set “Make first pause at” to “System breakpoint” instead of “WinMain”. Cool! (until now I was patching executables with TLS callbacks to keep them from running).

  • Possible PE file trick

    I was reading this: pefile and LOAD_CONFIG and took a look at the structure: IMAGE_LOAD_CONFIG_DIRECTORY Structure. Some things which I found interesting:
    GlobalFlagsClear – The global flags that control system behavior. For more information, see Gflags.exe.
    GlobalFlagsSet – The global flags that control system behavior. For more information, see Gflags.exe.
    LockPrefixTable – The VA of…
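    Both of the two posts above (“Breaking into a process before the TLS gets executed” and this one) come down to the same practitioner question: before I load a binary into a debugger, what does its PE header ask the loader to do on my behalf? The added example below (our code, not pefile and not from the blog) answers it from the raw bytes with nothing but struct: it walks the data directories, lists the TLS callback VAs (the code that runs before the entry point) and reads GlobalFlagsClear/GlobalFlagsSet from LOAD_CONFIG. Field offsets follow the PE/COFF specification; the FLG_* values are the Gflags bits we are sure of. Because a real kernel32 cannot be embedded here, build_sample_pe() constructs a synthetic PE32 with two TLS callbacks and three heap flags set, purely as test input.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_TLS = 9
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10

# A few NtGlobalFlag bits (the values Gflags.exe sets), for readable output.
FLG_NAMES = {
    0x00000002: "FLG_SHOW_LDR_SNAPS",
    0x00000010: "FLG_HEAP_ENABLE_TAIL_CHECK",
    0x00000020: "FLG_HEAP_ENABLE_FREE_CHECK",
    0x00000040: "FLG_HEAP_VALIDATE_PARAMETERS",
    0x00000100: "FLG_APPLICATION_VERIFIER",
}

def _u(data, off, size):
    return int.from_bytes(data[off:off + size], "little")

def flag_names(flags):
    return [FLG_NAMES.get(b, hex(b)) for b in (1 << i for i in range(32)) if flags & b]

def inspect_pe(data):
    """Return the TLS callback VAs and the LOAD_CONFIG GlobalFlagsClear/Set of a
    PE file image (PE32 or PE32+), parsed straight from the file bytes."""
    pe = _u(data, 0x3C, 4)                                   # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size, opt = _u(data, pe + 6, 2), _u(data, pe + 20, 2), pe + 24
    magic = _u(data, opt, 2)
    if magic == 0x10B:    # PE32: 4-byte pointers, ImageBase at +28, directories at +96
        psize, image_base, dd = 4, _u(data, opt + 28, 4), opt + 96
    elif magic == 0x20B:  # PE32+: 8-byte pointers, ImageBase at +24, directories at +112
        psize, image_base, dd = 8, _u(data, opt + 24, 8), opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    ndirs = _u(data, dd - 4, 4)                              # NumberOfRvaAndSizes
    sec0 = opt + opt_size
    sections = [(_u(data, s + 12, 4), _u(data, s + 8, 4),     # VirtualAddress, VirtualSize
                 _u(data, s + 20, 4), _u(data, s + 16, 4))    # PointerToRawData, SizeOfRawData
                for s in range(sec0, sec0 + 40 * nsec, 40)]

    def rva_to_off(rva):
        for va, vsize, raw, rawsize in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + raw
        raise ValueError("RVA %#x maps to no section" % rva)

    def directory(idx):
        return _u(data, dd + 8 * idx, 4) if idx < ndirs else 0

    out = {"tls_callbacks": [], "global_flags_clear": 0, "global_flags_set": 0}
    tls_rva = directory(IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva:
        tls = rva_to_off(tls_rva)
        cb_va = _u(data, tls + 3 * psize, psize)     # AddressOfCallBacks: a VA, not an RVA
        if cb_va:
            cb = rva_to_off(cb_va - image_base)
            while _u(data, cb, psize):               # null-terminated array of callback VAs
                out["tls_callbacks"].append(_u(data, cb, psize))
                cb += psize
    lc_rva = directory(IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
    if lc_rva:
        lc = rva_to_off(lc_rva)                      # Size, TimeDateStamp, Major, Minor, then:
        out["global_flags_clear"] = _u(data, lc + 12, 4)
        out["global_flags_set"] = _u(data, lc + 16, 4)
    return out

def build_sample_pe():
    """Constructed PE32 (not a runnable program): one section holding a TLS
    directory with two callbacks and a LOAD_CONFIG directory setting three heap
    flags. Exists only so inspect_pe() can be exercised offline."""
    base, sec_rva, sec_off, sec_size = 0x400000, 0x1000, 0x200, 0x200
    tls_rva, cbs_rva, lc_rva = sec_rva, sec_rva + 0x20, sec_rva + 0x40
    sec = bytearray(sec_size)
    # IMAGE_TLS_DIRECTORY32: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
    # AddressOfCallBacks (all VAs), SizeOfZeroFill, Characteristics
    sec[0:24] = struct.pack("<6I", base + 0x1100, base + 0x1104, base + 0x1108, base + cbs_rva, 0, 0)
    sec[0x20:0x2C] = struct.pack("<3I", 0x401100, 0x401150, 0)       # callback VAs, null-terminated
    # IMAGE_LOAD_CONFIG_DIRECTORY32 head: Size, TimeDateStamp, Major, Minor, GlobalFlagsClear, GlobalFlagsSet
    sec[0x40:0x54] = struct.pack("<IIHHII", 0x40, 0, 0, 0, 0, 0x10 | 0x20 | 0x40)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_TLS] = (tls_rva, 24)
    dirs[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG] = (lc_rva, 0x40)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, sec_size, 0, sec_rva, sec_rva, sec_rva)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", base, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                       0, sec_rva + 0x1000, sec_off, 0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sechdr = struct.pack("<8sIIIIIIHHI", b".rdata", sec_size, sec_rva, sec_size, sec_off, 0, 0, 0, 0, 0x40000040)
    hdr = bytearray(sec_off)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", 0x40)                          # e_lfanew -> NT headers at 0x40
    nt = b"PE\0\0" + coff + opt + sechdr
    hdr[0x40:0x40 + len(nt)] = nt
    return bytes(hdr + sec)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = inspect_pe(data)
    print("TLS callbacks:   ", [hex(v) for v in info["tls_callbacks"]])
    print("GlobalFlagsClear:", flag_names(info["global_flags_clear"]))
    print("GlobalFlagsSet:  ", flag_names(info["global_flags_set"]))
```

    Point it at a real executable to see whether anything will run before the debugger’s “WinMain” pause, and whether the image asks the loader to change NtGlobalFlag (flags that can alter heap layout and other behaviour the moment the process starts, which is why an unusual GlobalFlagsSet in a sample is worth a second look). The one trap the parser handles explicitly is that AddressOfCallBacks and the callback entries are virtual addresses, so ImageBase must be subtracted before the RVA-to-file-offset mapping.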

  • To pack or not to pack?

    After listening to another great CyberSpeak podcast, I decided to line up the pros and cons of executable packing for programmers. First of all, what is executable packing? In short it is similar to self-extracting archives, where as a result of the process an executable is generated which contains some unpacking code and the…