Still Hsu

Still Hsu

Developer, photographer, infosec researcher.

Reverse Engineering

Use multiple tools for comparison when decompiling! Every tool creates different results. Always use multiple decompilers if you encounter weird results.

Generic Binaries

  • Ghidra
    • βœ… Pricing: Free
    • βœ… Codebase: Open-source
    • πŸ“ Notes:
      • Made by NSA
  • Binary Ninja
    • ⚠ Pricing: Paid ($149 USD/$4,500 NTD)
    • ⚠ Codebase: Proprietary
    • πŸ“ Notes:
      • Cheap alternative to IDA Pro
      • Supports plugin development
      • Support native psuedo-code decompiler on the latest dev branch
  • IDA Pro
    • ⚠ Pricing: Paid ($1,879 USD/$57,000 NTD)
      • For base application; this does not include any necessary decompilers
    • ⚠ Codebase: Proprietary
    • πŸ“ Notes:
      • Industry standard
      • Supports 50+ CPU instruction types

.NET Binaries

  • dnSpy
    • βœ… Pricing: Free
    • βœ… Codebase: Open-source
    • πŸ“ Notes:
      • Cross-platform
      • Has a built-in debugger and anti-anti-debug features
        • By default spoofs IsDebuggerPresent, CheckRemoteDebuggerPresent, and System.Diagnostics.Debugger
  • dotPeek
    • βœ… Pricing: Free
    • ⚠ Codebase: Proprietary
  • .NET Reflector
    • ⚠ Pricing: Paid ($205 USD/$6,200 NTD)
    • ⚠ Codebase: Proprietary
    • πŸ“ Notes:
      • Can decompile to async state machine level
      • Students can apply for the .NET Developer Bundle for free

Dynamic Analysis

Sandbox

  • Cape Sandbox
    • βœ… Pricing: Free
    • βœ… Codebase: Open-source
    • πŸ“ Notes:
      • Useful for a quick dynamic/static analysis
      • Provides the following
        • PCAP
        • Memory dump
        • Handles used
        • W32API called
        • DNS requests
        • Files dropped
        • Sandbox screenshots
      • Highly configurable
      • Hosts
  • any.run
    • ⚠ Pricing: Freemium
    • ⚠ Codebase: Proprietary
    • πŸ“ Notes:
      • Multiple tiers
      • Free tier
        • ⚠ 16 MB Maximum
        • ⚠ 32-bit Windows 7 only
        • List important/suspicious processes only
        • List DNS requests
        • Highlight MITRE ATT&CKβ„’ matrix
        • Sandbox screenshots
        • Files dropped
        • The following features are registered members only
          • Sample download
          • PCAP download
          • Export process graph (SVG)
      • β€œSearcher” tier ($89 USD/mo)
        • 32 MB Maximum
        • 64-bit Windows 7
        • Video record
        • MITM Proxy for HTTPs requests
        • Show all processes
        • Advanced threat analysis
      • Russia-based service
        • Privacy Policy states that any information will only be used by ANY.RUN unless required by law
        Registrar: Regional Network Information Center, JSC dba RU-CENTER
Registrar IANA ID: 463
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +7.4957370601
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: df98cdacb0e74fbd8a6ad39efd7cf1b8-DONUTS
Registrant Name: Privacy protection service - whoisproxy.ru
Registrant Organization: Privacy protection service - whoisproxy.ru
Registrant Street: PO box 99, whoisproxy.ru
Registrant City: Moscow
Registrant State/Province: Moscow

Network

  • Fiddler
    • βœ… Pricing: Free
    • ⚠ Codebase: Proprietary
    • πŸ“ Notes:
      • HTTP(s) debugger
  • Burp Suite
    • ⚠ Pricing: Free limited shareware; paid ($399 USD/$12,000 TWD)
    • ⚠ Codebase: Proprietary
    • πŸ“ Notes:
      • Cross-platform
      • HTTP(s) debugger
      • Popular among web pentesters
  • FakeNet-NG
    • βœ… Pricing: Free
    • βœ… Codebase: Open-source
    • πŸ“ Notes:
      • Cross-platform
      • ⚠ Based on Python 2.x
      • Listens for DNS/HTTP(s)/SSL requests
      • Attempts to serve legitimate files
        • e.g. if the malware requests an JPG file, it will return the user-specific JPG file
      • Ability to create capture file (*.pcap)

Binary

  • Process Hacker
    • βœ… Pricing: Free
    • βœ… Codebase: Open-source
    • πŸ“ Notes:
      • Based on Process Explorer
      • View process tree, network ports, disk activity
      • Manage services
      • Flag malicious executable
      • Inject DLL
      • Manage per-app thread(s)
      • Show if the process is…
        • Packed by a packer
        • Digitally signed
        • A .NET process
      • Too many to list
  • Process Explorer
    • βœ… Pricing: Free
    • ⚠ Codebase: Proprietary
    • πŸ“ Notes:
      • Created by Microsoft

Static Analysis

  • strings
    • scoop install strings
  • trid
    • scoop install trid
  • pestudio
    • Performs strings and VirusTotal analysis
    • Shows referenced API calls
    • Checks for signature validity

PowerShell

Red Team

Blue Team

Useful Notes

  • Starting from Windows 10 v1803, curl is included with the OS.
    • PowerShell users may need to invoke curl.exe instead of curl to avoid the Invoke-WebRequest alias.
    • Alternatively, remove the alias by using Remove-Alias curl.
  • Winbindex
    • An index of Windows binaries, including download links for executables such as *.exe, *.DLL and *.sys files.
    • Useful for testing or analyzing specific binaries from various Windows versions

Leave a comment

You may also enjoy