I am really interested in reverse engineering and I have read a very interesting paper which I decided to share with you. What is Firmware? Firmware is a specific kind of low-level software which controls the hardware, and it can function as an operating system in embedded systems. Any malicious attack on the firmware can […]
WinDBG-Usermode
Hi, in this post I’m going to explain how to use the WinDbg debugger in user mode. WinDbg is one of the most potent debuggers in the SDK debugger set and can be used in both kernel and user mode. The SDK is a set of powerful debuggers for user mode (CDB) and kernel mode (KD). Although WinDbg is very powerful in […]
Defeat Malware’s Dynamic Api Loading
There are thousands of ways to make malware resistant to static disassembly and static analysis. One of the known ways to circumvent suspicious-API blocking or static analysis by AVs is to use the LoadLibrary API to dynamically load a library and then use its functions; this makes it a CPU-intensive task for AVs to defeat […]
Introduction to PE file Format and a simple code example
Hey guys, today I’m going to explain a vital file format called the PE file format. Understanding this format is essential, because all debuggers and reverse engineering tools are based on this structure. There are lots of documents introducing this structure, but I gather the essential information from some of them in this […]
Defeating malware’s Anti-VM techniques (CPUID-Based Instructions)
Introduction You should by now be aware of everything, because the topic’s title clearly describes the contents of this post. As you know, almost all modern malware programs use some bunch of packers or protectors, and using such tools causes malware to be weaponized with Anti-VM techniques, which makes it impossible for […]
Inside Windows Page Frame Number (PFN) – Part 1
Introduction (Page Frame Number) Windows and almost all OSs use a Page Frame Number Database in order to keep track of virtually allocated pages: to know which page must be freed or evicted, whether a page needs to be cached, and so on. All of these things are managed through a list called […]
Inside Windows Page Frame Number (PFN) – Part 2
Converting Physical Address to Virtual Address and Virtual Address to Physical Address MmGetVirtualForPhysical (PA -> VA) One of the purposes of the PFN database is converting physical addresses to virtual addresses, but in Windows you can simply call nt!MmGetVirtualForPhysical to convert your physical address to a virtual address. You can see a complete list of Memory […]
Bochs Emulator – Debug & Instrument
Bochs is an amazing thing because it provides instrumentation at the lowest level of the operating system. One of the advantages of Bochs is being able to instrument in kernel mode, which is not available in other instrumentation tools like Intel’s Pin tool. You can see how to interact with the Bochs debugger here. It’s somehow […]
PyKD Tutorial – part 2
Breakpoints Breakpoints are such useful things and can give you the power of analyzing programs in a better and easier way by using PyKD. In the API Reference they introduce the setBp function in the following way:

    setBp( (long)offset [, (object)callback]) -> breakpoint :
        Set software breakpoint on executiont
        C++ signature :
            class pykd::Breakpoint * __ptr64 setBp(unsigned __int64 [,class boost::python::api::object {lvalue}])

    setBp( (long)offset, (long)size, (int)accsessType [, (object)callback]) -> breakpoint :
        Set hardware breakpoint
        C++ signature :
            class pykd::Breakpoint * __ptr64 setBp(unsigned __int64,unsigned __int64,unsigned long [,class boost::python::api::object {lvalue}])
As you can see, setBp takes an address as its first argument and a Python function as the […]
PyKD Tutorial – part 1
Using WinDbg script syntax is such an annoying thing that almost all reverse engineers have problems dealing with it, but automating debugging gives such power that it can’t be easily ignored. A good solution to this problem is using the power and simplicity of Python and WinDbg together. If you are aware, WinDbg also supports C-like […]