-
Analysing a Multi Stager : A case study of QBOT
motivation This is not going to be about QBOT analysis, rather a quick "how-to" for analysing malware that employs multiple stages in the infection chain. Recently, in my work, I got a sample (a malicious PDF) for analysis; at the time I had no prior information and the task was identification. Interestingly, the initial vector used to…
-
The Stack Series: Return Address Spoofing on x64
introduction The stack of a process can give away the true nature of the program running in memory, so it is one of the entities monitored by security solutions. When a program calls an interesting function such as InternetConnectA, a security product may initiate a call-stack check to find out if there…
-
Memory Hiding Technique Series: Ekko – The basics
Introduction In previous Austin Hudson's CONTEXT structure keeps track of all the values in the processor-specific registers and segments; as mentioned before, it can also store additional data such as debug control and exception-handling state. Using the CONTEXT structure it is very easy to manipulate the values in the processor registers and thereby control the flow of execution.…
-
Memory Hiding Technique Series: Gargoyle
introduction As reflective loading has become the staple vector for staging malware, adversaries rely on in-memory payloads to ensure both operational security and evasion in the post-exploitation phase. To counter such efforts we have quite a few robust tools, like Moneta and PE-sieve, that scan process memory to catch active beacons/agents hidden inside running…
-
Tale of Hosting .NET in unmanaged code Part 0x3: HavocFramework
recap We are wrapping up the "Tale of Hosting .Net" series by covering the implementation details of the InlineAssembly-Execute feature in C5pider. In this post we are not reiterating everything we saw in the earlier posts (part-2), so make sure you read them, because going forward we do not go in depth; rather we are going…
-
Tale of Hosting .NET in unmanaged code- PART/0x2 | InMemory Execution.
background In the previous post, we implemented a basic host program that could load the CLR and execute an assembly. The issue with that approach is how the .NET assembly is loaded: we loaded it from disk, and had to pass additional information such as the type and method name. In this post we will…
-
Tale of Hosting .NET in unmanaged code- PART/0x1
offensive .NET Amazing folks in the community, especially those inclined towards adversary simulation and other advanced attack vectors, started tooling in C#. Why, you might ask? The reason is that .NET is at the heart of Windows and is heavily integrated with the OS itself; one could simply harness the power of…
-
PE Relocation Table
Introduction One interesting section in a PE file is the ".reloc" section, which houses a special table called the Relocation Table. It is an important piece of information the Windows loader needs when it maps the program into memory at an address other than the preferred ImageBase the image was linked for. When developing advanced malware artifacts, we need to implement functionality found in the Windows loader…
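As an added example (this is not code from the original post or from the PE Relocation Table series), the following C shows what a loader actually does with that table: walk each IMAGE_BASE_RELOCATION block, and for every DIR64 or HIGHLOW entry add the delta between the actual load address and the preferred ImageBase. The struct and type constants are local copies of the winnt.h definitions so the code builds on any platform, the 8 KiB "image" and its single relocation block are constructed inline for the demonstration, and the bounds checks on SizeOfBlock and on each fixup RVA are the checks a loader should perform before trusting a table from an untrusted file.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Local copies of the winnt.h definitions so this builds on any platform. */
#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, no fixup            */
#define IMAGE_REL_BASED_HIGHLOW  3   /* 32-bit absolute address (PE32)     */
#define IMAGE_REL_BASED_DIR64    10  /* 64-bit absolute address (PE32+)    */

typedef struct {
    uint32_t VirtualAddress;  /* RVA of the 4 KiB page this block covers   */
    uint32_t SizeOfBlock;     /* header + 16-bit entries, in bytes         */
} IMAGE_BASE_RELOCATION;      /* entry: type in top 4 bits, page offset in low 12 */

/* Walk the .reloc data directory of an image mapped at `image` and add
 * `delta` (actual base - preferred ImageBase) to every absolute address.
 * Returns the number of fixups applied, or -1 if the table is malformed. */
long apply_relocations(uint8_t *image, size_t image_size,
                       uint32_t reloc_rva, uint32_t reloc_size, int64_t delta)
{
    if (delta == 0) return 0;                          /* loaded at preferred base */
    if ((uint64_t)reloc_rva + reloc_size > image_size) return -1;

    long applied = 0;
    uint32_t off = 0;
    while (off + sizeof(IMAGE_BASE_RELOCATION) <= reloc_size) {
        IMAGE_BASE_RELOCATION blk;
        memcpy(&blk, image + reloc_rva + off, sizeof blk);
        if (blk.SizeOfBlock == 0) break;               /* loaders treat this as end */
        if (blk.SizeOfBlock < sizeof blk || blk.SizeOfBlock > reloc_size - off)
            return -1;                                 /* block runs past the directory */

        uint32_t nentries = (blk.SizeOfBlock - sizeof blk) / 2;
        const uint8_t *ent = image + reloc_rva + off + sizeof blk;
        for (uint32_t i = 0; i < nentries; i++) {
            uint16_t e;
            memcpy(&e, ent + 2 * i, 2);
            uint32_t rva = blk.VirtualAddress + (e & 0x0FFF);
            switch (e >> 12) {
            case IMAGE_REL_BASED_ABSOLUTE:
                break;
            case IMAGE_REL_BASED_HIGHLOW: {
                if ((uint64_t)rva + 4 > image_size) return -1;
                uint32_t v; memcpy(&v, image + rva, 4);
                v = (uint32_t)((uint64_t)v + (uint64_t)delta);
                memcpy(image + rva, &v, 4);
                applied++;
                break;
            }
            case IMAGE_REL_BASED_DIR64: {
                if ((uint64_t)rva + 8 > image_size) return -1;
                uint64_t v; memcpy(&v, image + rva, 8);
                v += (uint64_t)delta;                  /* two's complement wrap handles negative delta */
                memcpy(image + rva, &v, 8);
                applied++;
                break;
            }
            default:
                return -1;                             /* relocation type we do not handle */
            }
        }
        off += blk.SizeOfBlock;
    }
    return applied;
}

/* Constructed sample (not a real binary): an 8 KiB "image" with a 64-bit
 * pointer at RVA 0x10, a 32-bit pointer at RVA 0x20, and one relocation
 * block at RVA 0x1000 describing both, padded with ABSOLUTE entries. */
typedef struct { long applied; uint64_t ptr64; uint32_t ptr32; } demo_result;

demo_result run_demo(int64_t delta)
{
    static uint8_t img[0x2000];
    memset(img, 0, sizeof img);
    uint64_t p64 = 0x140000000ULL + 0x500;   /* linked against ImageBase 0x140000000 */
    uint32_t p32 = 0x40000500u;              /* HIGHLOW-style 32-bit absolute         */
    memcpy(img + 0x10, &p64, 8);
    memcpy(img + 0x20, &p32, 4);

    IMAGE_BASE_RELOCATION blk = { 0x0000, 8 + 4 * 2 };   /* page 0, four entries */
    uint16_t ents[4] = {
        (IMAGE_REL_BASED_DIR64    << 12) | 0x010,
        (IMAGE_REL_BASED_HIGHLOW  << 12) | 0x020,
        (IMAGE_REL_BASED_ABSOLUTE << 12) | 0x000,          /* 4-byte alignment padding */
        (IMAGE_REL_BASED_ABSOLUTE << 12) | 0x000,
    };
    memcpy(img + 0x1000, &blk, sizeof blk);
    memcpy(img + 0x1000 + sizeof blk, ents, sizeof ents);

    demo_result r;
    r.applied = apply_relocations(img, sizeof img, 0x1000, sizeof blk + sizeof ents, delta);
    memcpy(&r.ptr64, img + 0x10, 8);
    memcpy(&r.ptr32, img + 0x20, 4);
    return r;
}

/* A block header claiming more bytes than the directory holds must be rejected. */
long demo_truncated_table(void)
{
    uint8_t img[64] = {0};
    IMAGE_BASE_RELOCATION blk = { 0x0000, 0x40 };   /* claims 64 bytes, directory is 16 */
    memcpy(img, &blk, sizeof blk);
    return apply_relocations(img, sizeof img, 0, 16, 0x1000);
}

int main(void)
{
    demo_result r = run_demo(0x10000);   /* image landed 64 KiB above its preferred base */
    printf("fixups=%ld ptr64=0x%llx ptr32=0x%x truncated=%ld\n",
           r.applied, (unsigned long long)r.ptr64, r.ptr32, demo_truncated_table());
    return 0;
}
```

With a delta of 0x10000 the two pointers move from 0x140000500 and 0x40000500 to 0x140010500 and 0x40010500; a negative delta (image mapped below its preferred base) works the same way because the addition wraps in unsigned arithmetic. A reflective loader that skips this pass, or applies it without the bounds checks, either crashes on the first absolute pointer it dereferences or hands a crafted .reloc table an arbitrary write primitive inside its own address space.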
-
Assembly Byte Embedding & Reflection
This is a follow-up writing to my previous online tool! Paste the entire contents of "bytes.txt" into the "Text to edit:" area, select the custom radio button and insert a comma in the field. Now you are ready to generate comma-separated data. C# Loader Now we are good to code the same loader as…
-
Reflection in C# 101
Background As someone engaged in cyber threat intelligence, one needs to keep track of the novel techniques adversaries employ to deliver their payload onto target systems without touching the filesystem at all: completely fileless deployment, which bypasses baseline detection mechanisms. As a means to achieve fileless delivery, malware…