FireEye FLARE-ON challenge write-up

Earlier this week, I participated in the Flare-On challenge, which is hosted annually by FireEye Labs. The challenge was very comprehensive, as its tasks targeted various platforms: Windows (64-bit EXE, software driver, .NET), Android, etc. Unfortunately, I started playing just 3 hours before the challenge was over, so I solved…

Win 32-bit DISABLE DEP Polymorphic ShellCode

Shellcode injection into a target process with DEP enabled (the /NXCOMPAT flag) has always been a hurdle, since DEP marks memory pages as non-executable regions, thus preventing arbitrary code from being executed. To get around this problem, we simply use the SetProcessDEPPolicy() API to disable…

IAT hook

This tool, in its simplest form, hooks an API entry address (a function pointer) in an IAT and overwrites it with a custom implementation. Technically, this code must be compiled into a DLL, then injected into the address space of the process (e.g. with SetWindowsHookEx()), which is employed to locate the RVA…

My Simple Virtual Machine

In the interest of binary obfuscation, programmers often embed a virtual machine in their programs: its analysis is tedious and its highly obfuscated routines make use of a custom instruction set, so the analyst is left with no clue as to what the binary's workflow intends to perform, and…

32-bit PE injector

I am releasing my new tool PEInject, which injects shellcode into a desired process. Currently it only works with 32-bit executables, so please don't expect it to work flawlessly on all targets. It may fail if the target is loaded with a /DYNAMICBASE module or DEP is permanently active…

Win32 Run-Time decryption Backdoor

Well, I had to code my own backdoor from scratch, which has proven successful in evading almost all anti-virus products since it takes advantage of the process-replacement technique. Basically, process replacement is the act of creating a system process (e.g. csrss.exe) in a suspended state, and…

Binary-Auditing.com UnpackMe Write-up

While I was checking binary-auditing.com's package, I found one interesting unpack_me challenge.
So I made up my mind to give it a try, as it is recommended by many dudes.

Well, apparently our mission is to unpack the binary and change the message it outputs ("UNREGISTERED&…

Codegate CTF ReverseMe 200pts Write-up

This task is really challenging as it contains some anti-reversing related stuff.
I grabbed the binary and threw it in Olly and ..... Ooops .. it just quits immediately.

At first, I was stuck for minutes, because the binary is supposed to land on the entry point.
Then after…

CTF Sharif Writeup for ReverseMe 250pts

Today we are going to be talking about how to solve the reverse_me of Sharif CTF. Well, to begin with, I would like to give special thanks to whoever contributed to the CTF for the time they devoted to creating such great tasks.

So, let's start with the most common…

About me

I am Mohamed Ali Mrabet, a software engineering graduate of Université du Québec à Montréal (UQAM). In this blog, I put together my projects and the technical stuff that I am passionate about in the security scene; it also serves as a major source of motivation to expand my knowledge of computer…