Anti-instrumentation techniques: I know you’re there, Frida!

Some days ago, due to a task I’m still working on, I started using Frida. At first glance, it is a great option, especially the Python bindings, for developing quick scripts to instrument a program. It’s multi-platform and multi-arch, it has bindings for Python, Node.js and .NET, and it offers many other benefits. After some days of usage, I…

Unpacking Malware Series: Venis Ransomware

Introduction The samples of Venis ransomware I’ve been analyzing implement some anti-debugging and anti-sandboxing tricks. Those tricks are the starting point for finding the code in charge of unpacking the ransomware core. In particular, it implements the GlobalMemoryStatusEx trick and checks for the presence of a particular DLL in the memory of the current process. GlobalMemoryStatusEx…

Unpacking Malware Series: NanoLocker Ransomware

This ransomware uses two decryption loops before the real code gets executed. Both versions, v1.27 and v1.29, have the same entry point: By tracing with F7, we reach the first decryption loop: After the decryption, the code looks like this: Marked in red, we can see the second decryption loop. If we trace the code using…

Unpacking Malware Series: HDDCryptor Ransomware

Most of the HDDCryptor samples I saw weren’t packed, but I found one sample that at first sight didn’t look suspicious. However, if we look carefully, there are clues of malicious code activity. The main function code looks like this: We can see that there are a lot of calls to functions like tan()/cos()/pow()/sin()/ceil() that…

Unpacking Malware Series: ATLAS Ransomware

This time, we are going to see how to unpack ATLAS ransomware. The first thing it does, like many other malware samples, is to allocate memory regions to hold the decryption routines for the real ransomware core. Then, there is a loop where it changes the permissions of every memory page, including the PE header section,…

H4CK1T CTF 2016 Quals – Mexico Pentest – 150 pts – Write-up

Those who know me are aware that I don’t like web challenges. However, this time I decided to try it out. We were provided with the following information: Our foreign partners have some problems with qualified staff in the field of information technology, we decided to help them and to conduct remote testing of their…

H4CK1T CTF 2016 Quals – Argentina – r34n1m4710n – 100 pts – Write-up

This was an easy challenge. These were the instructions: Recover the password. h4ck1t{} We were provided with a .pcap file named top_secret_39af3e3ce5a5d5bc915749267d92ba43.pcap As I said, the task was very simple. I opened the file with Wireshark and did a manual examination of the packets, until I found a very suspicious FTP packet 🙂 flag: h4ck1t{i_G07_ur_f1l3s}