-
Recent Posts
Archives
- November 2022 (1)
- October 2022 (2)
- February 2022 (1)
- January 2022 (1)
- October 2021 (3)
- January 2021 (1)
- December 2020 (1)
- September 2019 (1)
- June 2019 (1)
- January 2019 (1)
- July 2018 (1)
- April 2018 (1)
- February 2018 (1)
- January 2018 (2)
- December 2017 (2)
- November 2017 (1)
- June 2017 (4)
- May 2017 (2)
- December 2016 (1)
- November 2016 (1)
- July 2016 (3)
- June 2016 (1)
- April 2016 (1)
- March 2016 (2)
- February 2016 (1)
- October 2014 (1)
- March 2014 (1)
- February 2014 (2)
- January 2014 (1)
- November 2013 (1)
- October 2013 (1)
- September 2013 (1)
- August 2013 (1)
- July 2013 (3)
- July 2012 (1)
- May 2012 (1)
- April 2012 (1)
Categories
- CONfidence (3)
- CrackMe (18)
- KernelMode (4)
- Malware (13)
- Malware Decryptor (5)
- PE-bear (12)
- Programming (5)
- Techniques (4)
- Tools (9)
- Tutorial (14)
- Uncategorized (3)
- WKE (3)
Blog Stats
- 863,269 hits
All my works included here are licensed under:
Author Archives: hasherezade
Flare-On 6 (tasks 10-12)
Flare-On 6 Flare-On Challenge is an annual competition organized by FireEye (the FLARE team). It is like a marathon of reverse engineering. Each year we get 12 crackmes of increasing difficulty to solve. You can download the tasks here. This … Continue reading
Application shimming vs Import Table recovery
In this post I am sharing a case that I investigated recently, during the tests of my application, PE-sieve. It demonstrates how the shims applied by the operating system can disrupt Imports recovery. Continue reading
Posted in Programming, Uncategorized
Tagged Import, Import Table, Import Table rebuilding, Import Table recovery, PE, PE-sieve, shim
1 Comment
PE-bear – version 0.3.9 available
[UPDATE] This release introduced some stability issues, fixed in 0.3.9.5 Hello! Several months have passed since I released PE-bear 0.3.8. Since it was my old, abandoned project, I did not plan to start developing it again. Initially, I got convinced … Continue reading
Posted in PE-bear, Tools
6 Comments
How to compile a PIN tool using Visual Studio 2017
UPDATE: the described problems in compiling the default PIN projects seems to be fixed in the new PIN release: 3.10. PIN (of Intel) is a great platform for dynamic binary instrumentation. I use it on daily for tracing and deobfuscating … Continue reading
Posted in Tutorial
6 Comments
PE-bear – version 0.3.8 available
It has been a long time since I abandoned PE-bear project (version 0.3.7 was released in 2014!). But due to the fact that it still has new downloads, and I keep getting messages from its users, I understood it would … Continue reading
Posted in PE-bear
4 Comments
White Rabbit crackme!
UPDATE: We already got the three winners. Good job guys! However, we are waiting for the writeups to select the reward for the best one – so if you are still in between of doing the crackme, don’t give up! … Continue reading
Unpacking a malware with libPeConv (Pykspa case study)
In one of the recent episodes of “Open Analysis Live!” Sergei demonstrated how to statically unpack the Pykspa Malware using a Python script. If you haven’t seen this video yet, I recommend you to watch, it is available here – … Continue reading
Process Doppelgänging – a new way to impersonate a process
Recently at Black Hat Europe conference, Tal Liberman and Eugene Kogan form enSilo lab presented a new technique called Process Doppelgänging. The video from the talk is available here. (Also, it is worth mentioning that Tal Liberman is an author … Continue reading
Hook the planet! Solving FlareOn4 Challenge6 with libPeConv
Recently I started making a small library for loading and manipulating PE files (libpeconv – it’s open source, available on my GitHub). In my previous post, I demonstrated how the Challenge 3 from FlareOn4 could be solved with it’s help: … Continue reading
hasherezade's 1001 nights 