**Update**: the 2020 blog continues here
For a few years I have been interested in cybersecurity, but lately I decided to go more into reverse engineering and malware analysis. I am trying to follow "How to Learn Anything" by Josh Kaufman. During my late-night YouTube zapping, I found this video from DEFCON 18 with the title My Life as a Spyware Developer.
The journal is based on the idea of gamification: the content is serious, but I am not. At the end of each day I have a treasure chest where I add all the links I believe are interesting, like when you play an MMORPG (for the Horde!!). The content of the chest is usually related to security, but does not fit in the scope of this journal. But beware: neither this journal nor any other of my journals should be taken as a guide of any sort (maybe spiritual, if you really need it).
- Guide to configure a simple VM LAB
- Introduction to malware analysis: basic analysis
- CYBRARY-malware_analysis-module
- Reversing and Cracking first simple Program
- MMORPG Bot Reverse Engineering and Tracking
- Reverse-Engineering — Crack / Patch Program 1
- Reverse-Engineering — Crack / Patch Program 2
- C++ Game Hacking Tutorial Ep.1 Reading/Writing Memory
- How to Reverse Engineer Software and Create Keygen
- Several problems encountered trying to export this VM to another computer.
- VirtualBox is having massive issues with the host-only adapter on a specific machine I have.
- It is a very long and annoying process.
- To solve the host-only issue of VirtualBox I am converting my VM into an OVA and using it on VMware.
- Hex Editing - Introduction
- HEX editing to bypass AntiVirus
- Modifying Compiled C Programs in Hex Editors
- Disguising Payload EXE Files as JPG Picture Files (or any extension) using WinRAR 4.2 Exploit
Currently watching more videos about the fundamentals rather than going straight into the malware analysis courses. I want to become pretty good with gdb.
- Malware Theory - Basic Structure of PE Files
- Syscalls, Kernel vs. User Mode and Linux Kernel Source Code - bin 0x09
- LiveOverflow Binary Hacking
The biggest problem now is the VM and the computer: I don't have a computer capable of running a VM smoothly, and I am still having problems with VirtualBox.
Today I focus more on programming in C after watching a couple of videos that inspired me. I am currently working on a small crack.me program to give to my good friend, to test him and to test me.
- Key validation with Algorithm and creating a Keygen - this video inspired me to write the crack.me program that I am currently developing in C.
- DEFCON 18: Trolling Reverse Engineers with Math: Ness It hurts
- HEAP EXPLOITATION - SAFE UNLINK EXPLANATION - interesting video but very long.
Yesterday I finished the crackme program, with some finishing touch.
- HACKCONCTF STARTED FROM THE BOTTOM - need to see it tonight
- Pwnable.kr - not explored yet
- Malware Obfuscation
- Offensive Computer Security 2014 - Lecture 10 (Part 1 Advanced Fuzzing Topics) - interesting but a little bit too far from my personal objective of this month.
- Create a page about Tainted analysis
- Create a page about type of viruses
- Trying to solve level: Sydney in microcorruption
Start with the CYBRARY videos about malware analysis.
- autoconfig VM to automate the installation of software and config
Keep going with malware analysis course. And setting up the 2 VM.
- Thinking about opening a hackLab on my boat; it is the most Dutch thing I can think of.
- Retrieve my old computer
- Find people to join it
The issue is not resolved yet; it seems quite hard to find clear material on how to do it. Even if it is pretty simple in theory, it seems not so much in practice: I assume the number of possible configurations provides a certain degree of variability among all the possible solutions to this challenge. So, currently I did not have time to continue with the microcontroller CTF game or anything else. :(
- Getting Started Analyzing Malware Infections - too simple.
- Create Virtual Pen Test Lab with VMware Workstation
- Vulnhub provides materials that allow anyone to gain practical 'hands-on' experience in digital security, computer software & network administration.
- Ifconfig: 7 Examples To Configure Network Interface
- Linux ifconfig command
FOUND A SOLUTION: Enabling File and Printer sharing checkbox solved my issue.
- Wrote a small guide on how to set up a VM
- NetworkConfigurationCommandLine
Now I need to simulate the internet services with INetSim; a current problem is that INetSim does not render any page, so I am not sure it is working properly.
- Set up your own malware analysis lab with VirtualBox, INetSim and Burp
Several INetSim tutorials like this one, How to Create a Malware Analysis Lab - VirtualBox, show that you need INetSim and fakeDNS, but it seems that the new version of INetSim does not need the extra fakeDNS script. And as suspected the problem was in the config file: this video does the trick at 2:15. I can finally go to rest!
Line added to the config file:
service_bind_address <ip linux machine>
dns_default_ip <ip linux machine>
- Real-world Decompilation with IDA Pro - Part 1: Introduction
- The Internet's Own Boy: The Story of Aaron Swartz
- write a small guide on how to virtualize an entire OS (maybe I can analyze an entire OS?!?)
- Adding a router to my lab setup
- Sophos?
- ClearOS?
- Simplewall?
- pfsense?
- opnsense
pfSense is up and running in the VM; I used these videos:
- How to install pfsense on a virtual machine in vmware workstation
- Installing PFSense as a router for our lab
- pfsense Firewall Setup and Features in Depth Version 2.4
- How To Setup OpenVPN For Remote Access On pfsense
- wrote this pfSense setup guide
Time for an IDS... Setting up Snort on pfSense
Keyword of the day: OSINT.
After a small deviation into networking and VMs, today I am back on MWA. I am going to rewatch what I think are the 2 most important series of videos I have found in this journey so far:
- Reversing and Cracking first simple Program - bin 0x05
- Introduction to Malware Analysis or in general all his videos on the topic
This week I wandered around the topic, set up the VM and got to know the tools; now it's time to take some serious notes about reverse engineering too. So, here are my reverse engineering notes.
This video is in my x86_64 journal, but I do believe I really need to watch it again.
Today I have looted so many links!!!
- GDB Command Reference
- Simple reversing challenge and gaming the system - BruCON CTF part 1
- Deobfuscating xor’ed strings
- Wiki-like CTF write-ups repository
- MatesCTF Final 2017
- Practice CTF List
- Reverse engineering the HITB binary 100 CTF challenge
- CTF Field Guide
- skullsecurity.org/Assembly
- skullsecurity.org/Category Archives: Reverse Engineering
- An Introduction To CTFs
- CTF-Workshop
- Smashing the Stack for Fun & Profit : Revived
- CTF Series : Binary Exploitation
- Getting Practice at Binary CTF Problems
- Archive for the ‘Binary Exploitation’ Category BLOG EUPHORIA
- trapkit.de/books/index.html
- https://www.hackthis.co.uk/
- Exploit writing tutorial part 1 : Stack Based Overflows CORELEAN TEAM
- CNIT 127: Exploit Development || Massive!
- Windows Exploit Development – Part 1: The Basics
- beginner to exploit a simple vulnerability on modern Windows
- Binary-Reading-List
- Jumping into exploit development
- University of Genova Introduction to reverse engineering and exploitation of binary programs
- manoharvanga.com/hackme
- Reversing ELF 64-bit LSB executable, x86-64 ,gdb
- fuzzysecurity Tutorials » Introduction to Exploit Development
- The best resources for learning exploit development || Soooooo .... many links!
Keep working on the basics reverse engineering notes.
- ObjDump Static Analysis
- Simple Tools and Techniques for Reversing a binary - bin 0x06. Since yesterday I have been reading https://hackmy.world/projects/tutorial.php#assembly, Assembly Language Tutorial
- gdb
- objdump
objdump -d -M intel <input file name> > dump.asm
- file
file a.out
- strings
strings <input file name> | grep something
- Python Exploit Development Assistance for GDB
- Linux Interactive Exploit Development with GDB and PEDA
git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
- STACK OVERFLOWS - PRIMER || the best interactive buffer overflow explanation ever period.
- Find a book titled "Reversing: Secrets of Reverse Engineering"
- twitch channel finding 0-day live
- chat #zerotozeroday
- Using IDAPython to Make Your Life Easier: Part 1
- explore rexmux - not impressed
- explore Flare VM -
- finish episode 0x06 and 0x07
- continuing to write the introduction to malware analysis: basic analysis
- R4ndom’s Beginning Reverse Engineering Tutorials - Ollydbg
- REcon
- REcon is a computer security conference held annually in Montreal, Canada. It offers a single track of presentations over the span of three days with a focus on reverse engineering and advanced exploitation techniques.
- A curated list of awesome reversing resources
It's 1:21 in the morning and my cup is filled with warm coffee. Let's start the day with Boxstarter, which is actually something I was looking for and found randomly, because I checked an address on the page of Flare VM. This is what it actually is:
Repeatable, reboot resilient windows environment installations made easy using Chocolatey packages. When its time to repave either bare metal or virtualized instances, locally or on a remote machine, Boxstarter can automate both trivial and highly complex installations. You can use Boxstarter to install a complete environment or install a small set of tools and windows settings with absolutely no software pre installed and configuration scripts stored in a gist.
Sometime later tonight... I found this book, "PoC or GTFO" by Manul Laphroaig. It is a strange book: it is technical, but feels different from the rest; I felt more like I had found a dusty book forgotten in a corner of some library.
hackaday.com calls it a bible.
"For the last few years, Pastor Manul Laphroaig and friends have been publishing the International Journal of PoC || GTFO. This is a collection of papers and exploits, submitted to the Tract Association of PoC || GTFO, each of which demonstrates an interesting exploit, technique, or software toy in the field of electronics. Imagine, if 2600 or Dr. Dobb’s Journal were a professional academic publication. Add some whiskey and you have PoC || GTFO."
But if you do not want to spend $30, the journal entries are publicly available to be read online here: International Journal of Proof-of-Concept or Get The Fuck Out (PoC||GTFO or PoC or GTFO)
or buy the bible
But let's roll back a second, to before I found that book, because I was watching Finding a Parser Differential in loading ELF.
Basically the idea is that by flipping a bit you might confuse the debugger/disassembler so that it does not recognize the file, but it does not always work.
- find more material on Parser Differential (Me the next morning: check for fuzzing old me)
After few (interstellar) jumps I came to the conclusion that I need to understand better what is fuzzing.
What is fuzzing? According to Urban Dictionary... I am confused...
Fuzzing verb. Fuzzing is caused by the lack of blood flow in a particular area thereby producing a vibrating sensation. Fuzzing is most common on the face and hands and may cause light-headiness. Common causes of Fuzzing may be alcohol, a weed-induced high or a rush of adrenaline.
mmm, Urban Dictionary might not be a technical source of information..., noted.
So, I searched a little bit more, and I found this explanation
Fuzzing is a powerful strategy to find bugs in software. The idea is quite simple: Generate a large number of randomly malformed inputs for a software to parse and see what happens. If the program crashes then something is likely wrong. While fuzzing is a well-known strategy, it is surprisingly easy to find bugs, often with security implications, in widely used software. Memory access errors are the errors most likely to be exposed when fuzzing software that is written in C/C++. While they differ in the details (stack overflow, heap overflow, use after free, ...), the core problem is often the same: A software reads or writes to wrong memory locations.
Then, I found this tutorial, Tutorial - Beginner's Guide to Fuzzing, and of course I could not miss the awesome fuzzing list; there is an awesome list for anything. There is really a lot of material online, even a nice Coursera video. But, because I prefer short guides, here is a 15 minute guide to fuzzing.
But the best part of tonight was still to come: while I was searching for fuzzing, a totally random journal came to my attention.
So, I dug a little bit and here is what I found out:
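The fuzzing idea quoted above, as an added example (not from the page or from the fuzzing-project tutorial): a minimal mutation fuzzer in Python driving a constructed toy record parser whose deliberate bug, trusting the length byte, is the Python analogue of the out-of-bounds read the quote describes. The record format, the parser and the mutation operators are all hypothetical.

```python
import random
from functools import reduce

MAGIC = b"RX"   # constructed toy format: MAGIC, then [len][payload][xor checksum] records

def xor_checksum(payload: bytes) -> int:
    return reduce(lambda a, b: a ^ b, payload, 0)

def encode_records(payloads: list) -> bytes:
    """Build a well-formed input to use as the fuzzer's starting seed."""
    out = bytearray(MAGIC)
    for p in payloads:
        out += bytes([len(p)]) + p + bytes([xor_checksum(p)])
    return bytes(out)

def parse_records(data: bytes) -> list:
    """Hypothetical target parser (constructed for this example, not from the page)."""
    if data[:2] != MAGIC:
        raise ValueError("bad magic")          # graceful rejection, by design
    records, i = [], 2
    while i < len(data):
        n = data[i]
        payload = data[i + 1 : i + 1 + n]
        # Deliberate bug: the length byte is trusted, so on a truncated record the
        # checksum read lands past the end of the buffer (an OOB read in C; IndexError here).
        if data[i + 1 + n] != xor_checksum(payload):
            raise ValueError("bad checksum")
        records.append(payload)
        i += 2 + n
    return records

def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: bit flip, byte overwrite, truncation or byte insertion."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2 and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def fuzz(seed_input: bytes, iterations: int = 2000, seed: int = 1):
    """Return (exception name, input) for the first unexpected exception, else None."""
    rng = random.Random(seed)              # fixed seed so a finding is reproducible
    corpus = [seed_input]
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        try:
            parse_records(candidate)
        except ValueError:
            continue                       # rejected cleanly: not a bug
        except Exception as exc:           # anything else is a finding
            return type(exc).__name__, candidate
        corpus.append(candidate)           # parsed fine: keep it as a new seed
    return None
```

Running `fuzz(encode_records([b"abc", b"hello"]))` returns the crashing input together with the exception name, which is exactly the "see what happens" step of the quote: a clean ValueError is the parser doing its job, an IndexError is the bug.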
The Gentleman's Magazine was founded in London, England, by Edward Cave in January 1731. It ran uninterrupted for almost 200 years, until 1922.
And the piece of that journal that came to my attention is dated Dec 31, 1737, publisher F. Jefferies. This is what I call net-treasure hunting.
Almost 3:00 AM, time to go to bed after reading the 15 min guide to fuzzing. (I hope it takes less.)
4:30 in the afternoon, my brain is still tired from last night; today I am going to focus on reading the first article
Who said: Two vast and handwritten parsers
Live in the wild. Near them, in the dark
Half sunk, a shattering exploit lies, whose frown,
And wrinkled lip, and sneer of cold command,
Tell that its sculptor well those papers read
Which yet survive, stamped on these lifeless things,
The hand that mocked them and the student that fed:
And on the terminal these words appear:
"My name is Turing, wrecker of proofs:
Parse this unambiguously, ye machine, and despair!"
Nothing besides is possible. Round the decay
Of that colossal wreck, boundless and bare
The lone and level root shells fork away.
-- Inspired by Edward Shelley
- https://www.nuget.org/
- Once Upon an Algorithm: How Stories Explain Computing
In these two days I focused on fuzzing and the theory of differential debugging. A few points I want to focus on are static analysis and, to do that, reading the assembly64 book.
- need to find some project to play with the syscall in python and in C
TODO:
- start to read [this book](http://www.egr.unlv.edu/~ed/assembly64.pdf) this evening
- read [this tutorial about fuzzing](https://fuzzing-project.org/tutorial1.html) this afternoon
- watch the next video of the LiveOverflow series
Extra material:
- http://crypto.stanford.edu/~dabo/cs255/syllabus.html
- https://crypto.stanford.edu/cs155/syllabus.html
- VIM shortcuts
Because my license for VMware Pro is about to end, I need to migrate to VirtualBox, so today I had to watch [this video](https://www.youtube.com/watch?v=D2wjR3pCwrU) to configure VirtualBox with pfSense and Windows. Another important point is that I want to have a solid configuration, and to know how to move around installing and reinstalling at will without problems. So, I am focusing on what I think is the basis of having a malware lab: an environment that you can mess up millions of times and start again in a few clicks.
I just realized I wrote three different guides on pfSense:
- This is the most schematic
- This is with a lot of pictures
- This contains the solution for a network error on Kali
Unfortunately I had a minor accident and could not stand up from the bed, but today I am back.
I am currently exploring new technologies and open-source projects: I am very excited about XIA, because it is something I had been thinking about, the importance of developing a new network protocol to replace TCP/IP. And then at 3 AM, in a totally random Google search, I found this:
Finding the successor of TCP/IP is the ultimate goal of our project. To do so, we have developed a new protocol stack, XIA. To reach this destination, we are both refining our codebase and working to meet unfulfilled demands of real-world networks. For example, our current short-term goal is to develop a DDoS protection system.
I really want to try to cooperate on or play with XIA and see what it is, what can be done, and what I can help with.
- https://github.com/mengxiang0811/gatekeeper
- http://cs-people.bu.edu/qiaobinf/
- Randomized Heavy Hitter Hierarchy Management
- Implementing blackholing in Gatekeeper
- Finding frequent items in data streams Presenter: Qiaobin Fu
- XIA for Linux
Because I was already there I checked other open-source projects and was super excited to find these projects too, very close to my interests as well.
- DRAKVUF: Support for Dynamic Malware Analysis on ARM
- drakvuf-dynamic-malware-analysis
- Sergej Proskurin, Tamás K. Lengyel – Stealthy, Hypervisor-based Malware Analysis
- CONFidence 2017: Escaping the (sand)box (Robert Swiecki)
Other interesting projects found there to follow up.
- RTEMS is a real-time operating system kernel used around the world and in space.
- Open Source Robotics Foundation, Inc.
- The Strange Disappearance of D.B. Cooper
- Yet another universal Android root!
- Writing, Running, and Fixing Code in C
- Embedded-C-Coding-Standard
- Own your Android! Yet Another Universal Root
- Read the next POCORGTFO
- The Basics and Pitfalls of Pointers in C
- When 4 + 1 Equals 8: An Advanced Take On Pointers In C
- Working on protostar challenge
- How to Protect Your Privacy on The Web
- Current issue : #49 | Release date : 1996-11-08 | Editor : daemon9
- HighOn.Coffee
- rot.fi
Today I will be busy almost all day long due to an online training.
A few new links: Complete Ethical Hacking Course on YouTube, Metasploit For Beginners and How to Create Your First Exploi
There is this awesome guide about Poweliks, an evasive click-fraud trojan that uses several interesting evasion techniques. It contains multiple stages and programming languages, and heavily influenced other evasive malware families, such as Kovter.
Amazing video Malware Analysis VM Setup Tutorial and amazing channel OALabs.
- https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
- https://gist.github.com/OALabs/cad8d9489245f3f96d9669f56d2877f3
- Malware Lab Setup - Network Configuration
- SANS DFIR Webcast - Memory Forensics for Incident Response
To see the memory layout of a process in Linux:
ps aux | grep <name of program>
cat /proc/<pid>/maps
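As an added example (not from the page), a Python parser for the /proc/<pid>/maps format shown above that flags mappings which are both writable and executable, the W^X violation a defender looks for in a plain native binary. The sample maps text is constructed and the path /home/lab/crackme in it is hypothetical.

```python
import re
from dataclasses import dataclass

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

@dataclass
class Region:
    start: int
    end: int
    perms: str      # e.g. "r-xp": read, write, execute, private(p)/shared(s)
    path: str       # backing file, "[heap]", "[stack]", or "" for an anonymous mapping

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def writable_and_executable(self) -> bool:
        return "w" in self.perms and "x" in self.perms

def parse_maps(text: str) -> list:
    """Parse the text of a maps file into Region objects, skipping unparsable lines."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                                  m["perms"], m["path"].strip()))
    return regions

def wx_regions(regions: list) -> list:
    """Mappings that are both writable and executable: expected for a JIT, a red flag in a plain C binary."""
    return [r for r in regions if r.writable_and_executable]

def read_live_maps(pid: int) -> list:
    """Linux only: parse the maps of a running process (needs permission on that pid)."""
    with open(f"/proc/{pid}/maps") as fh:
        return parse_maps(fh.read())

# Constructed sample, modelled on a typical PIE binary's layout (not a real capture).
SAMPLE_MAPS = """\
55d0c2a00000-55d0c2a01000 r--p 00000000 fd:01 1311  /home/lab/crackme
55d0c2a01000-55d0c2a02000 r-xp 00001000 fd:01 1311  /home/lab/crackme
55d0c2a02000-55d0c2a03000 rw-p 00002000 fd:01 1311  /home/lab/crackme
55d0c4b1e000-55d0c4b3f000 rw-p 00000000 00:00 0     [heap]
7f3a9c000000-7f3a9c021000 rwxp 00000000 00:00 0
7ffd1b2c0000-7ffd1b2e1000 rw-p 00000000 00:00 0     [stack]
"""

if __name__ == "__main__":
    for r in wx_regions(parse_maps(SAMPLE_MAPS)):
        print(f"W+X mapping at {r.start:#x}-{r.end:#x} ({r.path or 'anonymous'})")
```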
From Napier University, a few courses by Professor Bill Buchanan
- Security,Metasploit,Crypto ...
- Intro to Sec. and Net. Forensics
- CEH
- Network Forensic
- Introduction to Cryptography
- Various LAB tutorials
- Code Auditing by Dr. Jared DeMott
- Fuzzing Dr. Jared DeMott
- Reverse Engineering Dr. Jared DeMott
- Exploit Development Dr. Jared DeMott
- Combating Exploit Kits Dr. Jared DeMott
- Analyzing Malware for .NET and Java Binaries by Josh Stroschein
- Ethical Hacking: Malware Threats by Dale Meredith
- Getting Started Analyzing Malware Infections by Cristian Pascariu
- https://github.com/xpn
- https://github.com/RPISEC/Malware
- Awesome Malware Analysis
- This site contains a lot of material related to security, digital forensics, networking, and many other things.
- SANS Malware Course
- On the Effectiveness of Source Code Transformations for Binary Obfuscation
- A Binary Rewriting Defense against Stack based Buffer Overflow Attacks
- Binary Obfuscation Using Signals
- Unleashing MAYHEM on Binary Code
- Dynamic Taint Analysis and Forward Symbolic Execution
- [Adversarial Malware Binaries: Evading Deep Learning for Malware Detection in Executables](https://arxiv.org/pdf/1803.04173.pdf)