You are browsing the archive for Reversing.

← Previous Entries

My first encounter with Frida

May 29, 2020 in Malware Analysis, Reversing, Sandboxing

My first real job was a web programmer. Yes, I know. I have no idea either.

This is how I learned HTML, CSS, JavaScript, perl, and php. Today all of it is obsolete, but still brings me a lot of fruits, because at least I am able to compare how many things have changed… well… since back then. Yup, this is what old people do – the fruits are totally rotten.

Today’s JavaScript is not what it used to be, and it’s funny that it became ‘the’ language of the future unlike Java. Speaking of the latter, the Java situation is so dire that it bleeds my heart to describe an observation that I made recently. Once upon a time the wet dream of futurologists is now so obscene and obsolete that infosec found a hipster-driven pleasure in taking it over as a de facto lingua franca of their beloved software creation. There are two separate phrases of French origin in my previous sentence – I encourage you to re-visit it and take pleasure in re-reading them without understanding. Back to Java. One can’t be a red teamer if one doesn’t use at least one Java-based product e.g. Burp. So is the blue teamer that is now using Ghidra – NSA had to be super pissed of with Ilfak’s pricing model to get us here … But I digress.

Seeing JavaScript penetrating every single corner of the virtual world, starting with good ol’ web 1.0, going via JQuery, node.js, React, and tones of other libraries, and then empowering the bloatware emperor aka Elektron applications, anyone who loves machine code, purity of Windows API, direct access to registers, memory, and fundamentally loves full control over the box… shivers when they hear of JavaScript.

These long paragraphs above serve as a personal journey through a catharsis process that this post is about.

I spent many months writing my assembly-based sandbox (the adventure I described in my sandboxing series), so I couldn’t bear the idea that I would be using JavaScript to do API monitoring. This was not the first time – Pedram Amini’s PaiMei python-based framework was and still is a brilliant insult to the purity of raw assembly-based API monitoring. Took me long time to get used to it, I hated it, no… I loathed it… but used it, eventually… and now, in a hindsight I see how revolutionary concept it really was. Because JavaScript-based API monitoring frameworks borrow a lot from that concept… they use python.

Okay, but what am I actually talking about?

I recently posted about limitations of API Monitoring on Windows 10. Around 20,000 people came back to me after that post – many of whom turned out to be just a bunch of infosec Kardashians looking for a virtual selfie with me – and only a few individuals less annoying than me provided actual suggestion. One of them was Frida. I put it on my todo list.

My first time with Frida was… picturesque.

I am not kidding you. I went to the site, ran ‘pip’ to install the thing as they said…:

… and this darn thing installed w/o any issue. w…t… h… I am so used to whine about open source projects requiring a lot of troubleshooting that I am still looking for my jaws somewhere in my basement.

That was just the beginning.

I tried some sample code I bookmarked earlier and hell.. it worked the very first time (only change I had to do was a mod to the address of the function that sample code was hooking, which was different due to ASLR).

I then tried frida-trace:

c:\python\Scripts\frida-trace.exe c:\windows\notepad.exe -i *CreateFile*

Are you kidding me?

Out of the box this thing builds a repo of prototypes for all API functions that it hooked:

All you have to do is .. mod it to your needs:

Seriously… After 20 years I am finally sold on JavaScript…

Comments Off on My first encounter with Frida

Windows 10 is ‘mine’…, Part 1

May 5, 2020 in Malware Analysis, Reversing, Tips & Tricks, Uncategorized

I don’t like Windows 10, but it likes… the progress…

So… now that win7 is ded, and winxp doesn’t work that well for malware analysis (and it’s 32-bit only), I finally (a few months back really) put myself together to build my perfect test guest 64-bit Windows 10 OS… and while doing so I came across a lot of quirks, took some screenshots, and I thought I will jot down some notes here in case you face similar issues…

Note, I am a big fan of VMWare, so the info below is primarily focused on VMWare Workstation… VirtualBox experience should not be too far off though… I hope….

Here are the steps I took to make my Windows 10 Guest OS perfect (to be clear, I followed many of these steps on my host Windows 10 as well):

  • Install to SSD
    • I bought my first SSD circa 2011 and never looked back; this an incredible performance booster and you need it for your frequently used VM guests!!!
    • Assume your SSD will go kaput on you at any time around 3-5 years down the line, so make regular backups
  • Install the Windows 10 OS; whether you go from a clean ISO, or upgrade your old Win7/Win8 it doesn’t matter
  • Go through the wizard…
  • Choose your OS version and continue until you install the whole thing
  • Note: do not use Microsoft accounts if asked, only the local one!!!
  • Decline all the privacy/spying Options:
  • Go on…
  • After 1-2 restarts you should have a clean OS installed
  • It’s time to install VM Tools:
  • You may need to run the VMTools setup64.exe manually from a mounted DVD:
  • Restart

At this stage you have the OS installed and VM Tools are running – SAVE THE VM SNAPSHOT NOW. If anything goes wrong, you can revert to it.

The VM tools allows you to change screen resolution and copy & paste between the host and the guest system, as well as access the network shares.

Hooray!

But it’s just the beginning…

  • Download and run O&O ShutUp10. Choose all options aka ‘Apply all settings’. Yup, make it all green:
  • You will need to restart the system after applying the changes
  • Now…
  • OS is installed, the basic nuisance is gone, but it’s not over yet.
  • Download Total Commander 64-bit version (TC) from https://www.ghisler.com/
    • Run TC as Admin
    • Now you can do anything you like on the system and have a better Program/File Manager than Explorer will ever be
    • Hope you have a Total Commander license, it’s worth it!
  • Now download psexec
    • Run psexec -s -i cmd.exe from your elevated cmd.exe (admin)
    • Now you have a terminal under SYSTEM account
    • Launch Regedit.exe
    • Go to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • Yeaah…
    • Time to kill annoying services:
      • You have two options: be a good boy, or a bad boy; choose the latter….
      • aka….
        • Walk through all of them; I know it’s painful, but…
        • If you don’t like the particular service, just mod its ‘Start’ entry to become ‘4’ which is an equivalent of ‘Disabled’
        • I know for some options you can run gpedit.msc and select ‘disable service’ options under admin templates, but well… these will in the end run services. Since you just want to kill the nuisance, kill it at source i.e. this is right under Services key… Be brutal… Windows 10 is a telemetry and nuisance virus and you need to make it work like kinda enhanced Windows 7.
        • In particular, disable Windows Update, Windows Defender, MS Store, Security Health services and Search indexing
        • Be aware that disabling all this you will lose updating capability –> snapshots are your friends !!!
  • Time to customize your UI
    • I personally prefer good ALT-TAB with icons, so I add
      • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AltTabSettings=1
    • I kill Cortana bar (remove from view), manually
  • I lock the Taskbar
  • I make all notification icons to be always visible
  • I choose ‘Never Combine taskbar tools’
  • And then install tools…

Part 2 to follow…

Comments Off on Windows 10 is ‘mine’…, Part 1

← Previous Entries