We all know that the IA-32 processors have two modes of operation: real mode and protected mode. But why would we want to talk about real mode? The first thing is that the IA-32 processors are still used while the IA-32 computer is booting, which is also the reason […]
We know about user mode and kernel mode, and how programs in user mode can only use the memory from 0x00000000 to 0x7FFFFFFF, while the system uses the memory from 0x80000000 to 0xFFFFFFFF.
Let’s talk about physical memory for a bit. Each computer must have a memory chip in which each […]
Before trying to debug the kernel, we must first understand a few things. We must know what the Rings in computer security are. Let’s take a look at the picture taken from :
On the picture above, we can see four protection rings, which are mechanisms to protect data and […]
Summary: In this article, we’ll present a simple program that uses ‘if’ statements and then we’ll try to reverse engineer the compiled version of the program to figure out how we can determine the usage of an if statement in the assembly code. This will be done purely as […]
In this article we’ll take a look at all the optimizations the compilers use to assemble the high-level switch statements into their assembly representations.
The first example that we’ll look at uses the code shown below:
We have saved the number 1 into the variable x and then used the switch […]
It’s often the case that we need to debug a kernel application, like device drivers, system calls, interrupt routines, or some other kernel application. In this article we’ll talk about the SoftICE kernel debugger.
Installing and Configuring the SoftICE Debugger
We need to download SoftICE, presumably the trial version from the […]
So far we’ve taken a look at the obfuscation routine and how it deobfuscates the instructions in loc_4033D1. At the starting point, the overview navigator will look as shown in the picture below:
Upon executing the program, new functions will be discovered because the code is deobfuscated. The […]
Every program nowadays contains branch statements where the decision making happens and loops where we’re repeating some piece of code. Obviously, we could write a program that wouldn’t use any branching or looping, but such a program wouldn’t be very good or optimized. This is why it’s safe to […]
It’s not a rare occurrence when we want to load a binary executable in a debugger, change some bytes and then save the changed binary to a hard drive, making a new, patched executable. Actually, this is fairly frequent if we’re trying to make a patch for a simple […]
In the last installment, we examined the PEB Loader Data Structure. We take up the discussion here.
Locate and Isolate the Embedded Decrypted Executable
Once the VAs of the necessary APIs are stored, we are back to the next instruction after the CALL at address 004085CD that we mentioned earlier.
The piece […]
In the last article, I discussed in quite some detail how exactly the dropper for Bundestrojaner worked. In my next article what I’d been planning to do was to reverse the DLL and then the driver. There’s a slight change to those plans though. I was looking through the […]
In this paper we are going to talk about the Anticloud Trojan, also known as the TrojanDropper:Win32/Bohu.A and B variants. This malware originated in China and was designed to target the Cloud-Based Technology of major Chinese AntiVirus Vendors. For this reason, Bohu has also been called AntiCloud Trojan.
This is the first […]
Part Two in a multi-part series on holistic, multi-disciplinary analysis and reversing.
You can read part one of this series here.
The last post, “Mutex Analysis: The Canary in the Coal Mine,” started off showing how you can use mutexes to discover malware that is difficult to locate using more traditional […]
(quick plug – to all current & future reverse engineers – check out our Reverse Engineering Training Course. We’d love to publish your work next!)
Part 1: Introduction and De-Obfuscating and Reversing the User-Mode Agent Dropper
Part 2: Reverse Engineering the Kernel-Mode Device Driver Stealth Rootkit
Part 3: Reverse Engineering the Kernel-Mode Device […]