Visual C++ RTTI Inspection

C++ is well-known to be tedious to analyze, the use of both inheritance and polymorphism (i.e. virtual method) makes the compiler generate indirect calls. Usually, this kind of assembly code forces the reverse engineer to execute the code in order to figure out the destination of a call. In fact, we are looking for the VFT (Virtual Function Table). This table contains all virtual methods for a specific instance of a class. This article shows how to retrieve this information to make the analysis of a C++ software easier.

more ...

qb-sync v2

Ok, here it is, the new version of qb-sync with lots of new features: new commands, sync multiple IDBs (and thus modules) with a debugger, Windbg remote control shortcuts in IDA, etc.

more ...

Bradley, hash-and-decrypt, Gauss ... a brief history of armored malware and malicious crypto

What was really stunning about Stuxnet and its cousins was it was "open source". Once the sample was captured, it was big to analyze, but none of its embedded secrets could escape a malware analyst. And it had many secrets! From an engineering point of view, the architecture and design are clean and efficient, which makes Stuxnet a good example to learn how to design malware. From an intelligence point of view, knowing what is targeted is valuable. For a money point of view, considering how governments are racing to buy 0 days, Stuxnet was above expensive. And all this was wasted because the payload was unprotected!

more ...

qb-sync

qb-sync is an open source tool to add some helpful glue between IDA Pro and Windbg. Its core feature is to dynamically synchronize IDA's graph windows with Windbg's position.

more ...

Quarks PwDump

Quarks PwDump is new open source tool to dump various types of Windows credentials: local account, domain accounts, cached domain credentials and bitlocker. The tool is currently dedicated to work live on operating systems limiting the risk of undermining their integrity or stability. It requires administrator's privileges and is still in beta test.

more ...

Runtime DLL name resolution: ApiSetSchema - Part II

In the previous blog post we have seen how the ApiSetSchema was set up during boot time by the system. In this post we’ll see what the structure of the ApiSetSchema is and finally in the next blog post we’ll see how it is used in user-land and kernel-land.

more ...

Runtime DLL name resolution: ApiSetSchema - Part I

This series of blog posts is about the new dynamic link libraries (DLLs) layout in Windows 6.x operating systems, where functions are now exported by new modules but the real implementation is located elsewhere. Static analysis tools might have problems dealing with this DLL restructuring. This blog post is aimed at presenting what is this new scheme, how it is implemented and how it is possible to leverage it so it can be used by static analysis tools.

more ...