Monthly Archives: December 2012

Reference Guide – Reversing & Malware Analysis Training

reblogged from http://xcyb0rg.wordpress.com/2012/08/13/reference-guide-reversing-malware-analysis-training/

 

Source: securityxploded.com/malware-analysis-training-reference

Here is the complete reference guide to all sessions of our Reverse Engineering & Malware Analysis Training program.

 
Part 1 – Lab Setup Guide
 
  1. Virtualization:
    1. VMware – http://www.vmware.com/
    2. VirtualBox – https://www.virtualbox.org/
  2. Tools Development:
    1. Compilers/IDE:
      1. Dev C++ – http://www.bloodshed.net/devcpp.html
      2. Microsoft Visual C++ – http://www.microsoft.com/visualstudio/en-us/products/2010-editions/visual-cpp-express
    2. Assemblers:
      1. MASM – http://www.masm32.com/
      2. NASM – http://www.nasm.us/
      3. WinAsm (IDE) – http://www.winasm.net/
    3. Languages:
      1. Python – http://python.org/
  3. Tools Reverse Engineering:
    1. Disassembler:
      1. IDA (5.0) – http://www.hex-rays.com/products/ida/support/download.shtml
      2. IDAPython – http://code.google.com/p/idapython/
    2. Debuggers:
      1. OllyDbg – http://www.ollydbg.de/
      2. Immunity Debugger – http://immunityinc.com/products-immdbg.shtml
      3. WinDbg – http://msdn.microsoft.com/en-us/windows/hardware/gg463009
      4. PyDbg – http://code.google.com/p/paimei/
    3. PE file Format:
      1. PEView – http://www.magma.ca/~wjr/
      2. PEBrowse – http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html
      3. LordPE – http://www.woodmann.com/collaborative/tools/index.php/LordPE
      4. ImpRec – http://www.woodmann.com/collaborative/tools/index.php/ImpREC
      5. PEiD – http://www.peid.info/
      6. ExeScan – http://securityxploded.com/exe-scan.php
    4. Process:
      1. ProcMon – http://technet.microsoft.com/en-us/sysinternals/bb896645
      2. Process Explorer – http://technet.microsoft.com/en-us/sysinternals/bb896653
    5. Network:
      1. Wireshark – http://www.wireshark.org/
      2. TcpView – http://technet.microsoft.com/en-us/sysinternals/bb897437
    6. File and Registry:
      1. Regshot – http://sourceforge.net/projects/regshot/
      2. Capturebat – http://www.honeynet.org/node/315
      3. InstallWatch Pro – http://www.brothersoft.com/downloads/installwatch-pro-2.5c.html
      4. FileMon – http://technet.microsoft.com/en-us/sysinternals/bb896642
    7. Misc:
      1. CFF Explorer – http://www.ntcore.com/exsuite.php
      2. Notepad++ – http://notepad-plus-plus.org/
      3. Dependency walker – http://www.dependencywalker.com/
      4. Sysinternals Tools – http://technet.microsoft.com/en-us/sysinternals/bb842062
 
 
Part 2 – Introduction to Windows Internals
 
  1. Book: Windows Internals, 5th Edition – Chapters 1, 2, 3, 5, 9
  2. Windows Architecture – http://technet.microsoft.com/en-us/library/cc768129.aspx
  3. Book: RootKit Arsenal – Part 1 – Windows System Architecture
  4. System Service Dispatching – http://www.codeproject.com/KB/system/hide-driver/NtCallScheme_small.png
 
 
Part 3 – Windows PE File Format Basics
 
  1. Portable Executable File Format – A Reverse Engineer View – Goppit – http://ivanlef0u.fr/repo/windoz/pe/CBM_1_2_2006_Goppit_PE_Format_Reverse_Engineer_View.pdf
  2. An In-Depth Look into the Win32 Portable Executable File Format by Matt Pietrek – http://msdn.microsoft.com/en-us/magazine/cc301805.aspx
  3. Lena151 tutorials – http://tuts4you.com/download.php?list.17
  4. Iczelion’s PE tutorials – http://win32assembly.online.fr/tutorials.html
 
 
Part 4 – Assembly Programming Basics
 
  1. Assembly Programming: A Beginners Guide – http://securityxploded.com/assembly-programming-beginners-guide.php
  2. Iczelion’s Win32 Assembly Programming Tutorials – http://win32assembly.online.fr/tutorials.html
  3. Function Calling Conventions Demystified – http://www.codeproject.com/KB/cpp/calling_conventions_demystified.aspx
  4. Intel Manual – Volume 2 (Instruction Set), Volume 3A (System Programming) – http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-manual-325462.pdf
 
 
Part 5 – Reverse Engineering Tools Basics
 
  1. Video – Intro to OllyDbg and its Settings – http://www.youtube.com/watch?v=UqnQCVvYk3A
  2. Video – Intro to IDA Pro Disassembler – http://www.youtube.com/watch?v=zvWc-XsBKrA
  3. Automation of Reversing Through Scripting – http://securityxploded.com/automation-reversing-scripting.php
 
 
Part 6 – Practical Reversing (I)
 
  1. Video Demonstration – Reversing Sample Crackme using IDA Pro – http://www.youtube.com/watch?v=6r5Q7YYnUSc
  2. Creating KEYGEN for Crackme Code – http://securityxploded.com/creating-keygen-for-crackme.php
  3. Lena151 tutorials – part 1 to part 10 – http://tuts4you.com/download.php?list.17
  4. Book: ‘The IDA Pro Book’ – Unofficial Guide to IDA Pro – http://www.amazon.com/The-IDA-Pro-Book-Disassembler/dp/1593272898
  5. Book: Practical Malware Analysis – chapters 1-7 – http://www.amazon.com/Practical-Malware-Analysis-Dissecting-Malicious/dp/1593272901
  6. Book: Reversing – Secrets of Reverse Engineering – chapters 1, 2, 3, 4, 5, 8 – http://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817
 
 
Part 7 – Practical Reversing II: Unpacking UPX
 
  1. Video Demonstration – Unpacking UPX using OllyDbg & ImpREC – http://vimeo.com/42197903
  2. Manual Unpacking of UPX using OllyDbg – http://securityxploded.com/unpackingupx.php
  3. UPX: Ultimate Packer for Executables – http://upx.sourceforge.net/
  4. ImpREC: Import Table Reconstruction Tool – http://securityxploded.net/download/Imprec.zip
  5. Best Unpacking Tutorials by ARTeam – http://www.accessroot.com/
 
 
Part 8 – Practical Reversing III: Malware Memory Forensics
 
  1. Demo Video – http://www.youtube.com/watch?v=YcVusDjnBxw
  2. Malware Memory Forensics Article – http://securityxploded.com/malware-memory-forensics.php
  3. Volatility – An advanced memory forensics framework – http://code.google.com/p/volatility/
  4. Volatility – Volatile memory analysis research – http://volatility.tumblr.com/
  5. MoonSols Windows Memory Toolkit – http://www.moonsols.com/windows-memory-toolkit/
 
 
Part 9 – Practical Reversing IV: Advanced Malware Analysis
 
  1. Demo Video 1 – http://youtu.be/592uIELKUX8
  2. Demo Video 2 – http://youtu.be/3bxzvrGf5w8
  3. Volatility – An advanced memory forensics framework – http://code.google.com/p/volatility/
  4. Volatility – Volatile memory analysis research – http://volatility.tumblr.com/
  5. The Honeynet Project – http://www.honeynet.org/node/315
  6. Malware Analysis Tools & Training – http://zeltser.com/reverse-malware/
 
 
Part 10 – Practical Reversing V: Exploit Development Basics
 
  1. Demo Video 1 [EIP Overwrite] – http://www.youtube.com/watch?v=erl_Aee8oDg
  2. Demo Video 2 [SEH Exploitation] – http://www.youtube.com/watch?v=njQ47H7jO4s
  3. Remote Buffer Overflow Exploits – http://securityxploded.com/remote-buffer-overflow-exploits.php
  4. Exploit writing tutorials – https://www.corelan.be/index.php/articles/
 
 
Dionaea Honeypot on EC2 in 20 Minutes

reposted from here http://andrewmichaelsmith.com/2012/03/dionaea-honeypot-on-ec2-in-20-minutes/

This is a tutorial on setting up Dionaea on an EC2 instance. Amazon currently offers a free EC2 Micro Instance, so you should be able to do this too without any cost.

Pre-requisites

EC2 Server Set up for Dionaea

  1. Sign in to your Amazon AWS console, choose the EC2 tab and choose a Region (I have chosen ‘Asia Pacific (Singapore)’)

  2. Push Launch Instance and choose Classic Wizard and push Continue

  3. Click on the Community AMIs tab. Here you need an AMI for Ubuntu 10.04; these vary between AWS Regions. A list of AMIs is available here. Pick an AMI with root store ‘ebs’ and arch ‘32-bit’.

  4. For Asia Pacific use the AMI ami-7289cd20 (pick an AMI with root store ‘ebs’ and arch 32-bit), then push Select

  5. Make sure to change the Instance Type to Micro (from Small), otherwise you will be charged, and push Continue

  6. Continue until you are prompted to Create a Key Pair, choose a name and Create and Download Your Key Pair (save this file somewhere safe for later), push Continue.

  7. Choose to Create a New Security Group, for Create a new rule choose All TCP and Source choose 0.0.0.0/0. Enter whatever you like in Name/Description. Push Add Rule

  8. Push Continue and then Launch

Your server has now been set up and will shortly launch. Note that you have allowed TCP access to all services on this machine so do not install anything that could be compromised. It’s possible to tighten up that security but it’s a little more complicated – perhaps a subject for a later blog post.

Setting up Dionaea on your EC2 Server

  1. Find the address of your server by selecting it and choosing Instance Actions > Connect. Follow the instructions to connect to your server using the key you generated and downloaded earlier. PuTTY users may need to use PuTTYgen to convert their key.

  2. Once you’re connected you can have Dionaea up and running in minutes by following this tutorial: /2012/02/quick-install-of-dionaea-on-ubuntu/

Mar 5th, 2012 Dionaea, Ubuntu

The Social-Engineer Toolkit (SET) v4.3

The Social-Engineer Toolkit (SET) v4.3 “Turbulence” from David Kennedy on Vimeo.

This is the latest version of the Social-Engineer Toolkit (SET) v4.3 codename "Turbulence". This version has a number of changes including the new Multi-PyInjector which allows you to utilize as many payloads as you want to.

“It was Just a Virus” – Full Data Breaches through Malicious Attachments


If a malware file is allowed to execute, and it collects all of the personal files off of a system and sends them to a remote hacker, was your company hacked or did you “just have a virus?”

I love all parts of security and I’ve been trying my hand at some basic malware analysis. I’ve only analyzed a few so far, but the results have been pretty eye opening. A couple of files inspected were new data miners, part of a phishing or social engineering attack.

Look for details here http://cyberarms.wordpress.com/2012/12/19/it-was-just-a-virus-full-data-breaches-through-malicious-attachments

Analyzing E-mail .Msg files and Attachments without Outlook

CYBER ARMS - Computer Security

I had a copy of an e-mail that had a virus in it that I wanted to analyze. The problem was that the Outlook e-mail message was in .msg format. My virtual machine that I was using to analyze malware was Windows XP based. The problem was that the included Outlook Express would not open the Outlook saved .msg file. And I did not want to install Outlook on the system.

So is there a way to read the file and recover the attachment without using Outlook?

Of course, like other Office file formats (like .docx) the .msg file is just zipped!

I tried several techniques to open the Outlook .msg file, even downloading an open source program that reads them. I could read the message but could not get to the attachment. And I needed the attachment so I could analyze it for malware. On a whim, I tried…


Christmas with Hakin9!

How to Hack Santa’s Bag? Christmas with Hakin9!

 

Dear Readers,

Black Friday is gone and the Christmas shopping spree has just begun. We are certain that most of You have been thinking about the best gift for Your families and friends, but what about yourselves? Have You found your gift already? If not, we have something just for You!

If you purchase Your individual annual Hakin9 subscription by the 21st of December, You get:

PenTest AND eForensic
individual annual subscription

for FREE

In order to take advantage of the offer, please send your message to en@hakin9.org with HACK SANTA WITH YURY in the message subject.