ivan's picture

Detecting anomalies in the RICH header

Tue, 03/13/2018 - 19:48 — ivan

A few days ago, Kaspersky published a blog post regarding a likely false flag in the wiper component of OlympicDestroyer. The attempt is based on an undocumented, lesser-known PE header called the RICH header. I don’t want to go into too much details regarding its layout, as many other sources have done a great job documenting it.

Tags: 
malware
manalyze
ivan's picture

ersh.py: a pure Python encrypted reverse shell

Sun, 07/16/2017 - 03:15 — ivan

Today's article is going to be a short one. Many of you may have read @ropnop's great post on upgrading plain shells to interactive TTYs. While the commands given in the article can solve usability problems, they provide no help on the transport level where several things can go wrong:

Tags: 
infosec
freedom fighting
ivan's picture

Process Hollowing with Manalyze's PE library

Thu, 07/06/2017 - 15:08 — ivan

For some reason, articles about process injection techniques seem to be popular these days, and I thought it was the perfect opportunity to write something I have had in mind for a long time. As some of you may know, I maintain Manalyze, a static analyzer for PE executables. One key part of this program is obviously its parser, as writing PE parsers is notoriously hard. For this reason, I took great pains to make sure this part of Manalyze could be reused in other projects. A solid documentation exists but examples go a long way and they were sorely missing.

Tags: 
infosec
manalyze
ivan's picture

How I got tech support scammers infected with Locky

Fri, 08/05/2016 - 23:01 — ivan
tech support scam webpage
A few days ago, I received a panicked call from my parents who had somehow managed to land on a (now defunct) web page (snapshot here) claiming they had been infected by Zeus. This horrible HTML aggregate had it all: audio message with autoplay, endless JavaScript alerts, a blue background with cryptic file names throwing us back to Windows' BSoD days, and yet somehow it displayed a random IP address instead of the visitor's one.
After everyone had a good laugh on Twitter, I decided to call them to know more about what they hoped to accomplish.
Tags: 
infosec
scam
ivan's picture

Broken Synapse: writing a DSO decompiler

Fri, 03/04/2016 - 16:53 — ivan
I've been a huge fan of Frozen Synapse ever since it was released back in 2011. It's a strategy game which looks like chess, only players move their pieces at the same time and discover the outcome at the end of the turn.
Here's what I figured: like a poorly written piece of poker software, I thought it was likely that the game client received information about the position of enemy units that would give a tactical edge to anyone reading them.
Tags: 
reverse engineering
infosec
ivan's picture

Bypassing the "testcookie" anti-webscraping protection

Fri, 01/08/2016 - 14:48 — ivan
A few days ago, I noticed that ApkTrack (an Android app I maintain) could no longer query one of the websites it usually obtains data from.
The app works mostly through web scraping and once in a while, the target websites set up new countermeasures to prevent bots from accessing their contents (even innocuous bots such as this app). In this post, we'll see how the protection I encountered this week-end was bypassed.
Tags: 
infosec
web scraping
ApkTrack
Subscribe to Borderline RSS