
manalyze


Detecting anomalies in the RICH header

A few days ago, Kaspersky published a blog post regarding a likely false flag in the wiper component of OlympicDestroyer. The false flag relies on an undocumented, lesser-known PE header called the RICH header. I don't want to go into too much detail regarding its layout, as many other sources have done a great job documenting it.
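As an added example that is not part of the original post or of Manalyze's code, the script below locates and decodes the Rich header of a PE file and recomputes its XOR key, which is also a checksum over the DOS header and stub (e_lfanew excluded) and over every (comp_id, count) pair. A key that does not match the recomputed value, or non-zero padding after the `DanS` marker, is the kind of anomaly a static analyzer can flag. The checksum algorithm is the publicly reverse-engineered one used by the Microsoft linker; the sample binaries, product ids and build numbers are constructed here and carry no meaning, and `build_sample`, `edit_count` and `transplant` are helpers written for this demonstration.

```python
import struct

DANS = 0x536E6144  # 'DanS' marker as a little-endian dword
MASK = 0xFFFFFFFF

def rol32(value, count):
    count %= 32
    return ((value << count) | (value >> (32 - count))) & MASK

def rich_checksum(dos_region, entries):
    """Recompute the Rich key: seed with the offset of 'DanS', add every DOS byte
    (e_lfanew skipped) rotated by its offset, then every comp_id rotated by its count."""
    cksum = len(dos_region)
    for i, byte in enumerate(dos_region):
        if not 0x3C <= i <= 0x3F:  # the linker patches e_lfanew after checksumming
            cksum = (cksum + rol32(byte, i)) & MASK
    for prod_id, build, count in entries:
        cksum = (cksum + rol32(((prod_id << 16) | build) & MASK, count)) & MASK
    return cksum

def parse_rich_header(data):
    """Decode the Rich block that sits between the DOS stub and the PE header, or None."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_pos = data.rfind(b"Rich", 0, e_lfanew)
    if rich_pos < 0 or rich_pos + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_pos + 4)[0]
    dans_pos = rich_pos - 4  # walk back one dword at a time, undoing the XOR
    while dans_pos >= 0x40 and struct.unpack_from("<I", data, dans_pos)[0] ^ key != DANS:
        dans_pos -= 4
    if dans_pos < 0x40:
        return None
    padding = [d ^ key for d in struct.unpack_from("<III", data, dans_pos + 4)]
    entries = []
    for pos in range(dans_pos + 16, rich_pos, 8):
        comp_id, count = struct.unpack_from("<II", data, pos)
        comp_id ^= key
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count ^ key))
    return {"key": key, "entries": entries, "padding": padding,
            "dans_offset": dans_pos, "rich_offset": rich_pos}

def rich_anomalies(data):
    """Findings a static analyzer would raise; an empty list means nothing suspicious."""
    hdr = parse_rich_header(data)
    if hdr is None:
        return ["no Rich header found"]
    findings = []
    if any(hdr["padding"]):
        findings.append("padding dwords after DanS are not zero")
    expected = rich_checksum(data[:hdr["dans_offset"]], hdr["entries"])
    if expected != hdr["key"]:
        findings.append("checksum mismatch: key 0x%08x, expected 0x%08x" % (hdr["key"], expected))
    return findings

# Constructed test input (not a real binary): MZ header, DOS stub, valid Rich block, bare 'PE'.
def build_sample(entries, stub=b"This program cannot be run in DOS mode.\r\n$"):
    """Emit a minimal file whose Rich key is computed exactly as the linker would."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    dos[0x40:0x40 + len(stub)] = stub
    key = rich_checksum(bytes(dos), entries)
    rich = bytearray(struct.pack("<IIII", DANS ^ key, key, key, key))  # DanS + three zero pads
    for prod_id, build, count in entries:
        rich += struct.pack("<II", ((prod_id << 16) | build) ^ key, count ^ key)
    rich += b"Rich" + struct.pack("<I", key)
    struct.pack_into("<I", dos, 0x3C, 0x80 + len(rich))  # e_lfanew points past the Rich block
    return bytes(dos) + bytes(rich) + b"PE\0\0" + bytes(20)

def edit_count(data, index, new_count):
    """Tamper: rewrite one entry's count in place without recomputing the key."""
    hdr = parse_rich_header(data)
    out = bytearray(data)
    pos = hdr["dans_offset"] + 16 + index * 8 + 4
    struct.pack_into("<I", out, pos, new_count ^ hdr["key"])
    return bytes(out)

def transplant(dst, src):
    """Tamper: copy src's whole Rich block (DanS through key) into dst and fix e_lfanew."""
    s, d = parse_rich_header(src), parse_rich_header(dst)
    block = src[s["dans_offset"]:s["rich_offset"] + 8]
    out = bytearray(dst[:d["dans_offset"]] + block + dst[d["rich_offset"] + 8:])
    old_len = d["rich_offset"] + 8 - d["dans_offset"]
    e_lfanew = struct.unpack_from("<I", dst, 0x3C)[0]
    struct.pack_into("<I", out, 0x3C, e_lfanew + len(block) - old_len)
    return bytes(out)

ENTRIES_A = [(0x00DD, 0x5E9E, 12), (0x00DE, 0x5E9E, 3), (0x00DB, 0x5E9E, 1)]  # arbitrary
ENTRIES_B = [(0x0093, 0x7809, 2), (0x00AA, 0x7809, 1)]                       # arbitrary

if __name__ == "__main__":
    clean = build_sample(ENTRIES_A)
    print("clean:     ", rich_anomalies(clean))
    print("edited:    ", rich_anomalies(edit_count(clean, 1, 9)))
    other = build_sample(ENTRIES_B, stub=b"Custom stub$")
    print("transplant:", rich_anomalies(transplant(other, clean)))
```

The checksum covers the DOS stub as well as the entries, so a Rich block pasted from another binary is caught only when the two DOS stubs differ, and an in-place edit is caught only if the editor forgot to recompute the key. A block copied faithfully, key included, into a file with an identical stub verifies cleanly; catching that requires cross-checking what the entries claim about the toolchain against the rest of the binary, which is a separate analysis step.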


Process Hollowing with Manalyze's PE library

For some reason, articles about process injection techniques seem to be popular these days, and I thought it was the perfect opportunity to write something I have had in mind for a long time. As some of you may know, I maintain Manalyze, a static analyzer for PE executables. One key part of this program is obviously its parser, as writing PE parsers is notoriously hard. For this reason, I took great pains to make sure this part of Manalyze could be reused in other projects. Solid documentation exists, but examples go a long way and they were sorely missing.
