Borderline − Don't hate the player, hate the game.

Hey everyone. I haven’t posted here in a while. The world made no sense the last time I did, and it makes even less sense now. That translates (among other things) to people being crazier on the internet, constantly challenging my personal illusions about what I imagined to be rock bottom. Maybe in five years, I will come back to this post, read it again, and go “oh, man, those were the chill days, I miss those”.

The craziness that’s rattling me these days is related to Russia. Maybe before we dive in, I should clarify a few things. The most important one being: I unambiguously stand behind the Ukrainian people who are currently facing an armed invasion. Next, and you probably know this about me already if you landed on this page: I am a French national currently employed by Kaspersky, the world’s number one lightning rod for Russia-related hatred (and otherwise antivirus maker). I joined the company in 2018, not long after the very public accusations leveraged against it by the US government. My rationale was that nobody could piss off so many important people without doing a few things extremely right – and I was correct in that assessment.

These are troubled times indeed. If you’ve been using the Internet for a while, you must have noticed that the general climate has been steadily declining. In fact, it feels like we have grown quite used to our weekly offense-fest. It is speculated that social media platforms are engineered in a way that encourages them: nothing generates more “engagements” than an inflammatory post that the audience will retweet in feverish, self-righteous anger. The mainstream media certainly doesn’t seem to mind, as this provides a constant stream of highly clickable opinion pieces. As for the participants of those heated debates, they get to go to bed feeling vindicated, feeling like they’ve done their part fighting whatever hateful ideology they helped repeal that day. So, what’s the harm?

A few days ago, Kaspersky published a blog post regarding a likely false flag in the wiper component of OlympicDestroyer. The attempt is based on an undocumented, lesser-known PE header called the RICH header. I don’t want to go into too much details regarding its layout, as many other sources have done a great job documenting it.

Today's article is going to be a short one. Many of you may have read @ropnop's great post on upgrading plain shells to interactive TTYs. While the commands given in the article can solve usability problems, they provide no help on the transport level where several things can go wrong:

For some reason, articles about process injection techniques seem to be popular these days, and I thought it was the perfect opportunity to write something I have had in mind for a long time. As some of you may know, I maintain Manalyze, a static analyzer for PE executables. One key part of this program is obviously its parser, as writing PE parsers is notoriously hard. For this reason, I took great pains to make sure this part of Manalyze could be reused in other projects. A solid documentation exists but examples go a long way and they were sorely missing.