Malware-analysis-and-Reverse-engineering
Some of my publicly available malware analysis and reverse engineering work (reports, tips, tricks...).
[Reverse engineering KPOT v2.0 Stealer]
[Debugging MBR - IDA + Bochs Emulator (CTF example)]
[TLS decryption in Wireshark]
[Ryuk Ransomware - API Resolving and Imports reconstruction]
[Formbook Reversing]
[Reversing encoded shellcode]
[WINDBG Kernel&User Mode Debugging (EPROCESS, ETHREAD, TEB, PEB...)]
[Cutter 2.0 - Introduction of new features (Reverse Debugging...)]
[Tracing C function fopen]
Tracing C function fopen [Part1] - IDA Free User-Mode Walk-Through tracing to NTApi
Tracing C function fopen [Part2] - Windbg Kernel Debugging - Walk-Through User-Mode to Kernel Executive Subsystem
[Visible vs Hidden vs VeryHidden Sheet - Excel Binary File Format (.xls)]
[Exploiting CVE-2019-0708 (BlueKeep) using Metasploit (Manual settings GROOMBASE + GROOMSIZE)]
[Abusing External Resource References MSOffice]
Abusing External Resource References MSOffice [part1] - TEMPLATE_INJECTION
Abusing External Resource References MSOffice [part2] - OLEOBJECT_INJECTION
[Real-Time Solving CyberDefenders "DumpMe" MemoryForensics Challenge in 1 hour]
[Volatility3 Output Formatting Trick in PS]
[Advanced Memory Forensics (Windows) - Threat_Hunting and Initial Malware_Analysis]
[LokiBot Analyzing]
[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite
[3] Lokibot analyzing - Reversing, API Hashing, decoding
[Fast API resolving of REvil Ransomware related to Kaseya attack]
[Dancing with COM - Deep dive into understanding Component Object Model]
What COM is and its functionality, COM in the Registry (tools - COM viewers), COM Client-Server (using a Powershell/.NET COM client), reversing COM instances and methods in IDA (structures, types, ComIDA plugin), and an interesting way of using a COM method in a LokiBot malware sample
[HiveNightmare - Bug in ACLs of Registry Hives]
[Finding Vulnerability in PE parsing tool - NEVER trust a tool you didn't write yourself]
[Reversing binary (Malware sample) that uses a statically imported OpenSource library]
Some notes, tips and tricks for reversing a malware sample that uses a statically imported open-source library
[Reversing CryptoCrazy Ransomware - PoC Decryptor and some Tricks]
This video walks through reversing the ransomware and building a PoC decryptor in Python. The last part covers another trick: dynamically invoking only the decryption routine of this ransomware directly from Powershell to get all files decrypted.
[Powershell and DnSpy tricks in .NET reversing – AgentTesla]
[So you Really think you Know What Powershell Is ???]
Managed code vs. unmanaged code, and the difficulties each causes during reversing and debugging.
One nice example is Powershell itself.
[Full malware analysis Work-Flow of AgentTesla Malware]
[Deobfuscation SmartAssembly 8+ and recreating Original Module SAE+DnSpy]
Video covers deobfuscation of the latest SmartAssembly 8+ (commercial obfuscator for .NET) using SAE (Simple-Assembly-Explorer)
and recreating the original module using DnSpy. [Samples Download]
[Advanced DnSpy tricks in .NET reversing - Tracing, Breaking, dealing with VMProtect]
[NightSky Ransomware – just a Rook RW fork in VMProtect suit]
[IDAPro Reversing Delphi MBR Wiper and Infected Bootstrap Code]
Sample, my prepared annotated IDA IDB, Bochs image: [Download-Pass:infected]
[.NET Reversing Get-PDInvokeImports - Dealing with P/Invoke, D/Invoke and Dynamic P/Invoke]
Video about .NET reversing of P/Invoke, D/Invoke and Dynamic P/Invoke implementations, which are used to call unmanaged code from managed code. Covers the Get-PDInvokeImports tool [Get-PDInvokeImports]
[Malware Analysis Report – APT29 C2-Client Dropbox Loader]
Deep dive into reverse engineering APT29 C2-Client Dropbox Loader.