Analysis of the Storm and Nugache Trojans: P2P Is Here
This is an article that I worked on with Sam stover which covers some of the high level concepts that were introduced by next generation peer-to-peer bot networks. In it we dissect the some of the...
View ArticleCommand and Control Structures in Malware: From Handler/Agent to P2P
Good article by David Dittrich and Sven Dietrich in ;login: magazine which I was able to contribute to by doing a lot of the reverse engineering of the Nugache trojan. The main focus of the article is...
View ArticlePowershell Grep
So, I spent a good couple of hours today trying to find a easy solution to the lack of Grep on windows. I've tried using findstr but the output gave me a headache trying to parse it. So I decidied to...
View ArticleMicrosoft CCI Framework for Deobfuscating .Net binaries.
We had an issue recently crop up with an obfuscated .Net binary. I’ve been meaning to spend more time reversing .Net protected binaries so I start looking in it. Unfortunately everything I was reading...
View ArticleMicrosoft CCI Framework for Deobfuscating .Net binaries. (Part 2)
So yesterday I talked a about using CCI to remove attributes from .Net binaries. Specifically the SupressIldasm attribute. I promised I’d put up some more code highlighting the framework’s benefits. So...
View ArticleMicrosoft CCI Framework for Deobfuscating .Net binaries. (Part 3)
Renaming parts of the assembly. So I promised this last week, but I’ve been busy on a new project. Below is some code that shows renaming of methods. This is a solution to renaming classes within...
View ArticleAsp .Net MVC Security Review Checklist
Here’s a little checklist I put together for ASP .Net MVC. It includes the high level stuff to look at when reviewing a MVC application. In order to fully understand/consume the info it requires at...
View ArticleX5S V2.0…. its coming!
So, It’s been awhile since we’ve done any public updates to X5S. Over the last year, I’ve improved the algorithm and process significantly. Be on the look out, it should be released within the next...
View ArticleMicrosoft “Roslyn” based REPL injection.
Microsoft recently released their new Compiler API codename “Roslyn”. If you haven’t checked it out yet you should. Here’s the link: http://msdn.microsoft.com/en-us/roslyn/. I wanted to get my hands a...
View ArticleClik here to view.
Hot patching WinINET to access HTTPOnly cookies via InternetGetCookie
Preface: by removing these checks for HTTPOnly you are making cookie management less secure within the process. This is for testing/tools only and I DO NOT recommend doing this unless you’re absolutely...
View Article