Category Archives: Malware
Tutorial: unpacking executables with TinyTracer + PE-sieve
Covers: automatic OEP finding, reconstructing the IAT, avoiding anti-debug checks and fixing imports broken by shims. In this short blog post I would like to demonstrate how to unpack an executable with PE-sieve and Tiny Tracer. As an example, let's use the …
Process Hollowing on Windows 11 24H2
Process Hollowing (a.k.a. RunPE) is probably the oldest and the most popular process impersonation technique (it allows running a malicious executable under the cover of a benign process). It is used in a variety of PE loaders, PoCs, and offensive …
Magniber ransomware analysis: Tiny Tracer in action
Intro. Magniber is a ransomware family that initially targeted South Korea. My first report on this malware was written for Malwarebytes in 2017. Since then, the ransomware has been completely rewritten and has turned into a much more complex beast. The …
Unpacking a malware with libPeConv (Pykspa case study)
In one of the recent episodes of "Open Analysis Live!", Sergei demonstrated how to statically unpack the Pykspa malware using a Python script. If you haven't seen this video yet, I recommend watching it; it is available here – …
Process Doppelgänging – a new way to impersonate a process
Recently at the Black Hat Europe conference, Tal Liberman and Eugene Kogan from enSilo presented a new technique called Process Doppelgänging. The video from the talk is available here. (Also, it is worth mentioning that Tal Liberman is an author …
Hijacking extensions handlers as a malware persistence method
Recently I gave a presentation titled "Wicked malware persistence methods" (read more here). After releasing the slides I got questions about some of the demonstrated methods, especially about the details of extension handler hijacking, so I decided to …
Introducing PE_unmapper
Recently I wrote a small tool that can be used as a helper in malware analysis. Various malware families unpack their core modules in memory, load them and run them. In order to unpack them fast, we can let the malware …
Princess Locker decryptor
[UPDATE: 19th March 2018] – I keep getting e-mails from people asking me why my decryptor doesn't work. Please understand that this is an obsolete tool: it was written in 2016 for the FIRST VERSION of Princess Locker. The current version …
How to turn a DLL into a standalone EXE
During malware analysis we often encounter payloads in the form of DLLs. Analyzing them dynamically may not be very handy, because they need an external loader to run. Different researchers have different tricks to deal with them. In this post …
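Both the PE_unmapper post above and this one come down to editing PE headers: a module dumped from memory has its sections at their RVAs rather than at file offsets, and a DLL differs from an EXE mainly in the IMAGE_FILE_DLL flag and in where AddressOfEntryPoint points. The Python below is an added example and is not the blog's PE_unmapper or DLL-to-EXE code; the sample PE is constructed by hand and contains no real code, and the set of fields edited (raw pointers and sizes for unmapping; the DLL flag and the entry point for the conversion) is my assumption about the minimum a loader needs, not a description of how the author's tools are implemented.

```python
"""Unmap a memory dump back into file layout, then re-flag a DLL as an EXE.
Added example on a constructed PE32; not the blog's own tool code."""
import struct

IMAGE_FILE_DLL = 0x2000        # COFF Characteristics bit that marks a DLL
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_headers(pe):
    """Locate the headers. The optional-header offsets used here
    (FileAlignment, SizeOfHeaders, AddressOfEntryPoint) are the same for PE32 and PE32+."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_off = e_lfanew + 24
    sect_off = opt_off + struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    file_align = struct.unpack_from("<I", pe, opt_off + 36)[0]
    hdr_size = struct.unpack_from("<I", pe, opt_off + 60)[0]
    return e_lfanew, opt_off, sect_off, nsections, file_align, hdr_size


def describe(pe):
    """Characteristics, entry point and (name, VirtualSize, VirtualAddress,
    SizeOfRawData, PointerToRawData) per section, for before/after checks."""
    e_lfanew, opt_off, sect_off, n, _, _ = parse_headers(pe)
    sections = []
    for i in range(n):
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_HDR, pe, sect_off + i * 40)
        sections.append((name.rstrip(b"\0").decode(), vsize, va, raw_size, raw_ptr))
    return {"characteristics": struct.unpack_from("<H", pe, e_lfanew + 22)[0],
            "entry_point": struct.unpack_from("<I", pe, opt_off + 16)[0],
            "sections": sections}


def unmap_image(image):
    """Memory layout -> file layout: read each section at its RVA, write it at a fresh
    FileAlignment-aligned raw offset and rewrite SizeOfRawData/PointerToRawData.
    The raw values found in a dump are whatever the original file had; do not trust them."""
    _, _, sect_off, n, file_align, hdr_size = parse_headers(image)
    out = bytearray(image[:hdr_size])            # headers are identical in both layouts
    raw_ptr = align_up(hdr_size, file_align)
    for i in range(n):
        off = sect_off + i * 40
        fields = list(struct.unpack_from(SECTION_HDR, image, off))
        vsize, va = fields[1], fields[2]
        raw_size = align_up(vsize, file_align)
        out.extend(b"\0" * (raw_ptr - len(out)))                  # pad up to this section
        out.extend(image[va:va + vsize].ljust(raw_size, b"\0"))
        fields[3], fields[4] = raw_size, raw_ptr                   # SizeOfRawData, PointerToRawData
        struct.pack_into(SECTION_HDR, out, off, *fields)
        raw_ptr += raw_size
    return bytes(out)


def dll_to_exe(pe, entry_rva=None):
    """Clear IMAGE_FILE_DLL and, if given, point AddressOfEntryPoint at the function to
    run (e.g. an export's RVA). Assumed minimum edits: the target now receives
    EXE-style startup, not DllMain's (hinst, reason, reserved) arguments."""
    e_lfanew, opt_off, *_ = parse_headers(pe)
    out = bytearray(pe)
    chars = struct.unpack_from("<H", out, e_lfanew + 22)[0]
    struct.pack_into("<H", out, e_lfanew + 22, chars & ~IMAGE_FILE_DLL)
    if entry_rva is not None:
        struct.pack_into("<I", out, opt_off + 16, entry_rva)
    return bytes(out)


def build_sample_image():
    """Constructed PE32 DLL as it sits in memory (not a real binary): headers at 0,
    .text at RVA 0x1000, .data at RVA 0x2000; section headers carry stale on-disk raw values."""
    image = bytearray(0x3000)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)                        # e_lfanew
    image[0x40:0x44] = b"PE\0\0"
    # COFF: i386, 2 sections, 224-byte optional header, EXECUTABLE|32BIT|DLL
    struct.pack_into("<HHIIIHH", image, 0x44, 0x14C, 2, 0, 0, 0, 224, 0x2102)
    opt = 0x58
    struct.pack_into("<H", image, opt, 0x10B)                        # PE32 magic
    struct.pack_into("<I", image, opt + 16, 0x1000)                  # entry point = DllMain
    struct.pack_into("<II", image, opt + 32, 0x1000, 0x200)          # Section/FileAlignment
    struct.pack_into("<II", image, opt + 56, 0x3000, 0x200)          # SizeOfImage/SizeOfHeaders
    sect = opt + 224
    struct.pack_into(SECTION_HDR, image, sect, b".text", 0x10, 0x1000,
                     0x400, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_HDR, image, sect + 40, b".data", 0x8, 0x2000,
                     0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    image[0x1000:0x1010] = bytes(range(0x10))                        # fake code bytes
    image[0x2000:0x2008] = b"DATADATA"
    return bytes(image)


if __name__ == "__main__":
    dumped = build_sample_image()
    raw = unmap_image(dumped)
    exe = dll_to_exe(raw, entry_rva=0x1008)     # pretend 0x1008 is an export's RVA
    for label, pe in (("dumped", dumped), ("unmapped", raw), ("as exe", exe)):
        print(f"{label:9} size={len(pe):#x} {describe(pe)}")
```

On a real dump the same two checks matter before trusting the result: SizeOfHeaders and the section table must still be intact (packers sometimes wipe or relocate them), and after the DLL-to-EXE flip the chosen entry point must be a function that can tolerate being called as a program entry rather than as DllMain.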
Unpacking NSIS-based Crypter – part 2
After publishing my short tutorial about unpacking an NSIS-based crypter, I got one more sample from a reader who complained that my method doesn't work, so I decided to take a look inside. Of course, cybercriminals continuously work on improving …