Malware News
12.8K subscribers
1.63K photos
7 videos
130 files
7.78K links
The latest NEWS about malwares, DFIR, hacking, security issues, thoughts and ...

Partner channel: @cveNotify

For ads: https://telega.io/c/malwr
Containers: Rootful, Rootless, Privileged and Super Privileged
🗣fcano1

First off: Who the hell makes text highlighting for copy/paste the same colors as the text itself? That's seriously user-hostile and qualifies the site designer for an Asshat Of The Year award. Also, fix your damn CSP configuration, you're shitting out a bunch of blocked requests.

Anyways -

> A rootless container is a container that could be run without root privileges in the host. Docker runs containers launching them with the Docker daemon, which is run as root. Podman does not use any daemon and it does not need root to run containers.

This is wrong. Going by the docker rootless documentation directly, the docker daemon being run as root must be stopped as part of the rootlesskit installation; a systemd user service is started in its stead which is run as a user. As such, the daemon is no longer running as root, it's by default a unix socket and ends up getting placed in the user's XDG_RUNTIME_DIR (which often means /run/user/$UID/docker.sock, my memory is fuzzy here).

This leads to interesting adventures with loginctl trying to keep systemd user units running without an active pty/tty, but is still manageable.

Also of note, cgroups v1 is non-viable with rootless docker; you have to get cgroups v2 configured (which requires some grub-fu) in order to get resource limitations to be effective for rootless docker. Might not be the case for podman, but definitely the case for docker.

Having been down this path recently trying to automate the deployment of rootless docker with Ansible, it's certainly an annoying process to automate.
👀Katana__


🎖@malwr
👍1
Squalr Memory Editor - New Update for First Time in Years 🙂
🗣Aecial

Good to see you back. I've been using it for couple years already it's really good and thanks for all the effort you put in it.
👀mahmozilla

Since Cheat Engine comes bundled with adware (unless you pay $$ to the creator's Patreon), there is increased demand for a good and free alternative.

I took a very break from this project to focus on building out an educational game to teach x86/x64 assembly called Squally, but I've been itching to get back to making this project better.

It's better than CE in many ways, but still has a ways to go. I still need to fix bugs, improve the UX, and finish a couple features.
👀Aecial


🎖@malwr
👍1
NetWalker ransomware samples/source
Does anyone know when I could get my hands on a sample of netwalker ransomware. Pardon my ignorance but I do not know where to find samples online.

EDIT: since someone asked, I am doing a writeup on fileless powershell malware and I saw someone mention netwalker as a pretty notorious one. I would prefer wild samples so I can deobfuscate them myself as it will give more content but just the source code is cool as well
🗣Aleks_Leeks

Hey you can find a ton of samples here - https://bazaar.abuse.ch/browse.php?search=tag%3ANetwalker

*No account setup required
👀dkayem


🎖@malwr
👍2
Import Memory Map/structs with the version control tool
Hi,

I just found out about the version tracking tool and used it to save myself some time on a new RISC-V file I'm checking.
In the source file I already made some structs and mapped them to some memory I mapped with the chip's datasheet. As a firmware update will not change the chip - I would love to take that work with me to the new version too. But neither for the structs I made nor for the memory map can I find the button that lets me import it.
Am I just not finding one or is there simply none? (Would be weird for the Memory Map, as there is an export to CSV which works fine - but no way to import it.)


Any tips would be appreciated!
🗣Reni4n

In your first program, in the DataTypeManager window, in the upper right you can select an option to create a Program Archive. You can then share DataTypes to the archive, either by drag/drop into the archive or cut/paste, not a readily discoverable mechanism.

Then, in your new binary, add the archive in the DataTypeManager there and all the types in the archive can be used for typing variables, arguments, etc. (You can also drag/drop to the program, if you desire).

Subsequent changes in either program can be saved to the archive, then in the other program DataTypes can be updated from the archive.

Also, the archive can be added to source control and shared with other developers if you use the ghidra server.
👀marcushall

I thought version tracking would move struct definitions with your markup to the new program version, but I could be misremembering. If you have custom set up entries in the Memory Map regions you should recreate them first before doing the version tracking tool for the best results.

The Data Type Manager will also let you export your custom defined structure manually if all else fails though. I don’t know of a way that migrates memory map settings automatically, however. I guess you could write a script.
👀wilhelms21
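The "you could write a script" suggestion above, carried through as an added example (it is not code from the thread, from the commenters, or from the Ghidra project): a GhidraScript that writes the current program's memory blocks to a CSV file and, run a second time against the new firmware version, recreates the blocks that do not collide with anything already mapped there. It assumes only the public GhidraScript and Memory API (askChoice, askFile, toAddr, createUninitializedBlock, the MemoryBlock getters/setters); the CSV column layout is this script's own and is not the format Ghidra's built-in Memory Map export produces. Recreated blocks are uninitialized, default-address-space blocks, which is what peripheral and RAM regions taken from a datasheet are; file-backed code regions come from the new binary itself and are skipped when they overlap.

```java
// MigrateMemoryMap.java - added example Ghidra script, not part of Ghidra or of the thread.
// Run it inside Ghidra's Script Manager on the old program with "export", then on the new
// program with "import". CSV layout (this script's own, not Ghidra's export format):
//   name,start,size,read,write,execute,volatile,comment
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.mem.Memory;
import ghidra.program.model.mem.MemoryBlock;

import java.io.File;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.Arrays;
import java.util.List;

public class MigrateMemoryMap extends GhidraScript {

    private static final String HEADER = "name,start,size,read,write,execute,volatile,comment";

    @Override
    public void run() throws Exception {
        // GhidraScript already wraps run() in a transaction, so block creation needs no extra setup.
        String mode = askChoice("Memory map", "Export from or import into the current program?",
                Arrays.asList("export", "import"), "export");
        if (mode.equals("export")) {
            exportBlocks(askFile("Write memory map CSV", "Save"));
        } else {
            importBlocks(askFile("Read memory map CSV", "Load"));
        }
    }

    private void exportBlocks(File out) throws Exception {
        Memory mem = currentProgram.getMemory();
        try (PrintWriter w = new PrintWriter(out, "UTF-8")) {
            w.println(HEADER);
            for (MemoryBlock b : mem.getBlocks()) {
                // Comments may contain commas or newlines, so they are stored percent-encoded.
                String comment = b.getComment() == null ? "" : b.getComment()
                        .replace("%", "%25").replace(",", "%2C").replace("\n", "%0A");
                w.printf("%s,0x%x,0x%x,%b,%b,%b,%b,%s%n",
                        b.getName(), b.getStart().getOffset(), b.getSize(),
                        b.isRead(), b.isWrite(), b.isExecute(), b.isVolatile(), comment);
            }
        }
        println("Exported " + mem.getBlocks().length + " block(s) to " + out);
    }

    private void importBlocks(File in) throws Exception {
        Memory mem = currentProgram.getMemory();
        List<String> lines = Files.readAllLines(in.toPath(), StandardCharsets.UTF_8);
        int created = 0, skipped = 0;
        for (String line : lines) {
            if (line.isEmpty() || line.equals(HEADER)) continue;
            String[] f = line.split(",", -1);
            if (f.length != 8) {
                printerr("Malformed line, skipping: " + line);
                skipped++;
                continue;
            }
            Address start = toAddr(Long.parseUnsignedLong(f[1].substring(2), 16));
            long size = Long.parseUnsignedLong(f[2].substring(2), 16);
            // Never overlap a block the new program already has (e.g. the loaded flash image).
            if (mem.getBlock(start) != null || mem.getBlock(start.add(size - 1)) != null) {
                printerr("Skipping " + f[0] + ": overlaps an existing block at " + start);
                skipped++;
                continue;
            }
            // Uninitialized block: restores a datasheet-defined region (peripherals, RAM)
            // with the same permissions and comment it had in the old program.
            MemoryBlock b = mem.createUninitializedBlock(f[0], start, size, false);
            b.setRead(Boolean.parseBoolean(f[3]));
            b.setWrite(Boolean.parseBoolean(f[4]));
            b.setExecute(Boolean.parseBoolean(f[5]));
            b.setVolatile(Boolean.parseBoolean(f[6]));
            b.setComment(f[7].replace("%0A", "\n").replace("%2C", ",").replace("%25", "%"));
            created++;
        }
        println("Created " + created + " block(s), skipped " + skipped);
    }
}
```

Overlays and non-default address spaces are not carried across, since toAddr resolves into the default space only; for a flat MCU memory map that is the common case, and anything skipped is reported in the console so it can be recreated by hand before running the Version Tracking tool.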


🎖@malwr
Reverse engineering homelab, GDB and multiple architectures?
I recently competed in a CTF where I spent a large amount of time trying to get GDB to reverse a binary on both my Mac and Raspberry Pi. At one point I installed the 'multiarch' version of GDB on the Raspberry Pi but was still not very successful. How would I create a homelab that could support as many architectures as possible (so I can be ready to RE any given binary or executable)? What are the tradeoffs of building a homelab with multiple architectures vs multi-architecture support in software like GDB?
🗣UnemployedAWSGuy

qemu will let you run a variety of architectures and it has direct hooks for gdb. Run it on Linux directly and you can get acceleration from kvm.
👀8309312feaa9aa4f4628

Snag a remnux image, I usually install pwndbg as well to enhance gdb. That’s the easy way.
👀simpaholic

Have you seen Attify OS?

https://blog.attify.com/getting-started-with-firmware-emulation/

I realise now this doesn't specifically answer your question, but I'll leave it here as it's interesting for emulating different architectures
👀bobalob_wtf


🎖@malwr