Discover and read the best of Twitter Threads about #Ghidra
Most recents (8)
🚨Malware Tips 🚨 - Resolving API Hashes Using Conditional Breakpoints.
By adding breakpoints and log conditions to a function that resolves api hashes, it's possible to quickly resolve api hashes in bulk.
Thread
[1/11] 👇
#Malware #AgentTesla #Ghidra #Debugging
By adding breakpoints and log conditions to a function that resolves api hashes, it's possible to quickly resolve api hashes in bulk.
Thread
[1/11] 👇
#Malware #AgentTesla #Ghidra #Debugging
[1.1/11]
Link to original sample: bazaar.abuse.ch/sample/7512be2…
Link to Full Blog: embee-research.ghost.io/agenttesla-ful…
Link to original sample: bazaar.abuse.ch/sample/7512be2…
Link to Full Blog: embee-research.ghost.io/agenttesla-ful…
[2/11] You first need to locate a function that resolves api hashes.
An example can be seen here - A giveaway is the same function is repeatedly called with hash-like values. An extra telltale sign is that each return value is cast as code (code *).
An example can be seen here - A giveaway is the same function is repeatedly called with hash-like values. An extra telltale sign is that each return value is cast as code (code *).
Have you been interested in #reverseengineering but don't know where to begin or what tools to use? Are you still stuck in OllyDBG? Our researcher @pastaCLS recommends the coolest tools you'll see out there. Plus, our team uses them to defeat protection💙
#Ghidra is useful for static analysis of binaries; it disassembles and decompiles to "C pseudo code." It supports a lot of architecture, has hundreds of plugins from the community and, last but not least, an active community.💪
ghidra-sre.org
ghidra-sre.org
@x64dbg is a debugger for Windows x86 and x64, perfect for analyzing the behavior of the program while running and freezing it in specific points to examine a feature.
x64dbg.com
x64dbg.com
🧵 Everyone’s chatting about 🤖#ChatGPT. Here are 11 things it can do for #malware analysts, #security researchers, and #reverse engineers. A thread >>👇 🧵
1/13
1/13
🙋🏻♀️ Learn how to use reverse engineering tools more effectively. Use #openAI chat bot to get rapid interactive help on your reversing tools.
2/13
2/13
🐲 Ghidra Tips 🐲- Malware Encryption and Hashing functions often produce byte sequences that are great for #Yara rules.
Using #Ghidra and a Text Editor - You can quickly develop Yara rules to detect common malware families.
(Demonstrated with #Qakbot)
[1/20]
#Malware #RE
Using #Ghidra and a Text Editor - You can quickly develop Yara rules to detect common malware families.
(Demonstrated with #Qakbot)
[1/20]
#Malware #RE
[2/20]
Hashing and encryption functions make good targets for #detection as they are reasonably unique to each malware family and often contain lengthy and specific byte sequences due to the mathematical operations involved.
These characteristics make for good Yara rules 😁
Hashing and encryption functions make good targets for #detection as they are reasonably unique to each malware family and often contain lengthy and specific byte sequences due to the mathematical operations involved.
These characteristics make for good Yara rules 😁
[3/20] The biggest challenge is locating the functions responsible for hashing and encryption. I'll leave that for another thread, but for now...
You can typically recognize hashing/encryption through the use of bitwise operators inside a loop. (xor ^ and shift >> etc).
You can typically recognize hashing/encryption through the use of bitwise operators inside a loop. (xor ^ and shift >> etc).
🐲 Ghidra Tips🐲For Beginner/Intermediate analysts interested in RE.
These tips are aimed at making Ghidra more approachable and usable for beginners and intermediate analysts 😄
[1/9] 🧵
#Malware #RE #Ghidra
These tips are aimed at making Ghidra more approachable and usable for beginners and intermediate analysts 😄
[1/9] 🧵
#Malware #RE #Ghidra
2/ The sample I'm using can be found here if you'd like to follow along. It is a cobalt strike DLL often found in Gootloader campaigns.
bazaar.abuse.ch/sample/a2513cc…
bazaar.abuse.ch/sample/a2513cc…
3/ Enable "Cursor Text Highlighting". 🖱️
This will automatically highlight areas of interest when using the Ghidra decompiler.
This is useful for quickly identifying where a value has or will be used.
This will automatically highlight areas of interest when using the Ghidra decompiler.
This is useful for quickly identifying where a value has or will be used.
A quick demo of how to identify "real" exported functions from a #obfuscated #IcedID dll file.
I'll also briefly touch on some #Ghidra tips, and how to extract #shellcode using a debugger.
A moderate sized thread😃
[1/13]
I'll also briefly touch on some #Ghidra tips, and how to extract #shellcode using a debugger.
A moderate sized thread😃
[1/13]
[2/13] You can find the relevant files here. Special thanks to @malware_traffic.
First, download the .zip in the screenshot.👇
Then unzip and locate the "rarest.db" file in the "scabs" folder.
(Make sure to do this inside an isolated Virtual Machine)
malware-traffic-analysis.net/2022/09/23/ind…
First, download the .zip in the screenshot.👇
Then unzip and locate the "rarest.db" file in the "scabs" folder.
(Make sure to do this inside an isolated Virtual Machine)
malware-traffic-analysis.net/2022/09/23/ind…
[3/14] Drag the "rarest.db" file into Pe-Studio and navigate to the exports tab.
There are 11 exported functions here. 🧐
Most of them have junk names to throw off analysis.
One of them is "real", the rest are "decoys" which don't do anything if executed.
There are 11 exported functions here. 🧐
Most of them have junk names to throw off analysis.
One of them is "real", the rest are "decoys" which don't do anything if executed.
Happy Friday! Looking to learn a little more about #ghidra or software RE? Here is a quick thread with some resources that I've put together over the years (1/6) 🐉
First, here is a free four-session that I put together with @hackaday, there are lectures on YouTube, and all of the materials are available on GitHub.
Blog Post: wrongbaud.github.io/posts/ghidra-t…
(2/6)
Blog Post: wrongbaud.github.io/posts/ghidra-t…
(2/6)
Setting up a Development Environment:
In this post, we review how to set up Ghidra for development, including eclipse integration and building Ghidra from scratch:
voidstarsec.com/blog//2021/12/…
(3/6)
In this post, we review how to set up Ghidra for development, including eclipse integration and building Ghidra from scratch:
voidstarsec.com/blog//2021/12/…
(3/6)
When I was working in the MSRC and SDL teams, I ran a series of contests. The goals were to encourage learning, foster a team culture around technical excellence, and have some fun. I wanted them to be accessible across program managers, vuln researchers, and engineers.
The first one was to calculate a Fibonacci number in assembly. I chose this because it’s a simple problem to learn more about assembly, which was relevant to vulnerability and exploit analysis. The contest part was to do it in the fewest number of clock cycles.
I wish I had known @BruceDawson0xB then because the most challenging aspect was measuring the winner! It seemed so simple at first. Call RDTSC (Read Timestamp Counter) before and after. Do it a few times in a loop to ensure consistency and done. Hardly.
