Squalr Memory Editor - New Update for First Time in Years 🙂
🗣Aecial
Good to see you back. I've been using it for a couple of years already; it's really good, and thanks for all the effort you put into it.
👤mahmozilla
Since Cheat Engine comes bundled with adware (unless you pay $$ to the creator's Patreon), there is increased demand for a good and free alternative.
I took a very long break from this project to focus on building out an educational game to teach x86/x64 assembly called Squally, but I've been itching to get back to making this project better.
It's better than CE in many ways, but still has a ways to go. I still need to fix bugs, improve the UX, and finish a couple features.
👤Aecial
🎖@malwr
GitHub
Releases · Squalr/Squalr
Squalr Memory Editor - Game Hacking Tool Written in C# - Squalr/Squalr
Threat Analysis: Active C2 Discovery Using Protocol Emulation Part4 (Dacls, aka MATA)
🗣digicat
🎖@malwr
VMware Security Blog
Threat Analysis: Active C2 Discovery Using Protocol Emulation Part4 (Dacls, aka MATA)
Dacls, aka MATA, is a cross-platform RAT used by the DPRK-linked Lazarus Group and the first artifacts were observed around April 2018. The VMware Threat Analysis Unit (TAU) first discovered the Dacls C2 servers on the Internet by protocol emulation in August…
Learn about insider risk management forensic evidence (preview) - Microsoft Purview (compliance)
🗣digicat
🎖@malwr
Docs
Learn about insider risk management forensic evidence
Learn about insider risk management forensic evidence in Microsoft Purview. Forensic evidence is an investigative tool for viewing captured user activity to help determine whether the user's actions pose a risk and may lead to a security incident.
cent: Community edition nuclei templates, a simple tool that allows you to organize all the Nuclei templates offered by the community in one place
🗣digicat
🎖@malwr
GitHub
GitHub - xm1k3/cent: Community edition nuclei templates, a simple tool that allows you to organize all the Nuclei templates offered…
Community edition nuclei templates, a simple tool that allows you to organize all the Nuclei templates offered by the community in one place - xm1k3/cent
DFIRArtifactMuseum: The goal of this repo is to archive artifacts from all versions of various OS's and categorizing them by type. This will help with artifact validation processes as well as increase access to artifacts that may no longer be readily available anymore.
🗣digicat
🎖@malwr
GitHub
GitHub - AndrewRathbun/DFIRArtifactMuseum: The goal of this repo is to archive artifacts from all versions of various OS's and…
The goal of this repo is to archive artifacts from all versions of various OS's and categorizing them by type. This will help with artifact validation processes as well as increase access t...
NetWalker ransomware samples/source
Does anyone know where I could get my hands on a sample of NetWalker ransomware? Pardon my ignorance, but I do not know where to find samples online.
EDIT: since someone asked, I am doing a writeup on fileless PowerShell malware and I saw someone mention NetWalker as a pretty notorious one. I would prefer wild samples so I can deobfuscate them myself, as it will give more content, but just the source code is cool as well.
🗣Aleks_Leeks
Hey you can find a ton of samples here - https://bazaar.abuse.ch/browse.php?search=tag%3ANetwalker
*No account setup required
👤dkayem
🎖@malwr
Import Memory Map/structs with the version control tool
Hi,
I just found out about the version tracking tool and used it to save myself some time on a new RISC-V file I'm checking.
In the source file I already made some structs and mapped them to some memory I mapped with the chip's datasheet. As a firmware update will not change the chip, I would love to take that work with me to the new version too. But neither for the structs I made nor for the memory map can I find the button that lets me import it.
Am I just not finding one, or is there simply none? (It would be weird for the Memory Map, as there is an export to CSV which works fine, but no way to import it.)
Any tips would be appreciated!
🗣Reni4n
In your first program, in the DataTypeManager window, in the upper right you can select an option to create a Program Archive. You can then share DataTypes to the archive, either by drag/drop into the archive or cut/paste; not a readily discoverable mechanism.
Then, in your new binary, add the archive in the DataTypeManager there and all the types in the archive can be used for typing variables, arguments, etc. (You can also drag/drop to the program, if you desire).
Subsequent changes in either program can be saved to the archive, then in the other program DataTypes can be updated from the archive.
Also, the archive can be added to source control and shared with other developers if you use the ghidra server.
👤marcushall
I thought version tracking would move struct definitions with your markup to the new program version, but I could be misremembering. If you have custom set up entries in the Memory Map regions you should recreate them first before doing the version tracking tool for the best results.
The Data Type Manager will also let you export your custom defined structure manually if all else fails though. I don’t know of a way that migrates memory map settings automatically, however. I guess you could write a script.
👤wilhelms21
🎖@malwr
Reverse engineering homelab, GDB and multiple architectures?
I recently competed in a CTF where I spent a large amount of time trying to get GDB to reverse a binary on both my Mac and Raspberry Pi. At one point I installed the 'multiarch' version of GDB on the Raspberry Pi but was still not very successful. How would I create a homelab that could support as many architectures as possible (so I can be ready to RE any given binary or executable)? What are the tradeoffs of building a homelab with multiple architectures vs multi-architecture support in software like GDB?
🗣UnemployedAWSGuy
qemu will let you run a variety of architectures and it has direct hooks for gdb. Run it on Linux directly and you can get acceleration from kvm.
👤8309312feaa9aa4f4628
Snag a REMnux image; I usually install pwndbg as well to enhance gdb. That's the easy way.
👤simpaholic
Have you seen Attify OS?
https://blog.attify.com/getting-started-with-firmware-emulation/
I realise now this doesn't specifically answer your question, but I'll leave it here as it's interesting for emulating different architectures.
👤bobalob_wtf
🎖@malwr
Today, I published another RE "mini-course": Join me for some fun reversing, hacking, and weaponizing XP Solitaire using Ghidra, x64dbg, Python, and C++!
🗣0xFF0F
I feel like a perpetual beginner - always struggling to inch ahead on Hacking: The Art of Exploitation (to ensure I truly understand what I'm looking at - or at least enough to be curious), but this is such an assist and will help me tremendously.
I already got pumped from seeing your intro, meaning that the knowledge is slowly setting in, and I've been avoiding Ghidra out of fear of becoming a script kiddie, but exposure to the elements in a controlled and explanatory manner is going to help me become a lot more familiar with my surroundings a looot faster!
Please do more of this Jeff0!
Thanks!
👤Wetter42
I'm having a hard time trying to grasp the basics for assembly/RE. Will definitely try it :) thank you for your effort on this, really appreciate it a lot!
👤xatan__
I second the other poster. I’ve been having fun following along!
👤prbecker
🎖@malwr
YouTube
Reverse Engineering and Weaponizing XP Solitaire (Mini-Course)
As a beginner, reverse engineering can be a daunting and frustrating endeavor - But it's a lot more fun if you can learn via hacking and modding games to create your own cheats and maybe even inject a few (harmless) pranks into the code!
Whether you watch…
Emotet Strikes Again - LNK File Leads to Domain Wide Ransomware - The DFIR Report
🗣TheDFIRReport
🎖@malwr
The DFIR Report
Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware
In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over an eight-day period. During this time period, multiple rounds of enumeration and lateral mo…
Using AI to write Malware?! (Short Film on the ethical reasoning)
🗣Techryptic
Just like art, it takes away from the creators. And I love to automate.
👤thadude400
It can also be trained to write malware in a particular style, i.e. impersonation.
👤quzaire
Author here; I wanted to start the conversation on AI being used in our field.
AI can be used in software reverse engineering for several purposes. It can be used to automate the process of reverse engineering a software program to identify its structure and components. AI can also be used to detect malicious code or vulnerabilities in a software program. AI can also be used to identify and analyze patterns in the code in order to gain insight into how the program works and how to improve it.
Finally, AI can be used to automate the process of generating documentation for a software program, which can be used by developers to understand how the program works.
👤Techryptic
🎖@malwr
YouTube
AI Writes Malware?!
I used OpenAI (text-davinci-003) to write code and look at the ethical reasoning behind it.
Following both YouTube/OpenAI TOS, it doesn't actually write malware; instead it writes functions.
OpenAI has the power to revolutionize the way machines interact with…
The Windows Process Journey — csrss.exe (Client Server Runtime Subsystem)
The goal of “csrss.exe” (Client Server Runtime Subsystem) is to be the user-mode part of the Win32 subsystem (which is responsible for providing the Windows API). “csrss.exe” has been included in Windows since Windows NT 3.1. It is located at “%windir%\System32\csrss.exe” (which is most of the time C:\Windows\System32\csrss.exe).
Since Windows NT 4.0 most of the Win32 subsystem has been moved to kernel mode: “With this new release, the Window Manager, GDI, and related graphics device drivers have been moved to the Windows NT Executive running in kernel mode” (https://learn.microsoft.com/en-us/previous-versions//cc750820(v=technet.10)?redirectedfrom=MSDN#XSLTsection124121120120?redirectedfrom=MSDN#XSLTsection124121120120)). Thus today “csrss.exe” manages GUI shutdowns and the Windows console (today that is “cmd.exe”).
Overall, we can say that today “csrss.exe” handles things like processes/threads, VDM (Virtual DOS Machine emulation), creation of temp files and more (https://j00ru.vexillium.org/2010/07/windows-csrss-write-up-the-basics/). It is executed as “local system” and there is one instance per user session. Thus, at minimum we will have two (one for session 0 and one for session 1), as shown in the screenshot below. “csrss.exe” has a handle for each process/thread in the specific session it is part of. Also, for each running process a CSR_PROCESS structure is maintained (https://www.geoffchappell.com/studies/windows/win32/csrsrv/api/process/process.htm); by the way, we can leverage this fact for identifying hidden processes (for example by using “psxview” from the Volatility framework, https://github.com/volatilityfoundation/volatility/wiki/Command-Reference-Mal#psxview).
“smss.exe” is the process which starts “csrss.exe” together with “winlogon.exe” (more about it in a future writeup); after finishing, “smss.exe” exits. In case you want to read more about “smss.exe”, see the following link (https://medium.com/@boutnaru/the-windows-process-journey-smss-exe-session-manager-subsystem-bca2cf748d33). By the way, from Windows 7 (and later) “csrss.exe” executes “conhost.exe” instead of drawing the console windows by itself (I am going to elaborate on that in the next writeup).
Lastly, “csrss.exe” loads “csrsrv.dll”, “basesrv.dll” and “winsrv.dll” as shown in the screenshot below. If we want to go over some of the source code of “csrss.exe” we can use ReactOS, which is “A free Windows-compatible Operating System” hosted on github.com. The relevant code of the entire subsystem can be found at https://github.com/reactos/reactos/tree/master/subsystems/csr. We can also debug “csrss.exe” using WinDbg; it is important to know that since Windows “csrss.exe” is a protected process, it can be debugged from kernel mode only (https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/debugging-csrss). A list of all the “csrss.exe” APIs can be found here: https://j00ru.vexillium.org/csrss_list/api_table.html.
https://preview.redd.it/cbrjyid38n3a1.png?width=1498&format=png&auto=webp&s=614e9a773e17d29f5288d4dc9e4f191f97c46708
🗣boutnaru
🎖@malwr
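The CSR_PROCESS observation above is what makes a cross-view check like psxview possible. As an added example (not code from the post or from Volatility), here is that comparison logic in Python over constructed sample data: a pslist-style kernel view and the set of PIDs a session's csrss.exe tracks, with the mismatches flagged the way an analyst would want to see them.

```python
"""Cross-view hidden-process check in the spirit of Volatility's psxview.

Added example, not code from the post or from Volatility. It compares two
constructed views of the processes in one session:
  - the kernel's active-process list (what a pslist-style walk returns), and
  - the PIDs that session's csrss.exe tracks (one CSR_PROCESS per process).
A PID present in only one view is flagged for follow-up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    session: int


# Constructed sample of the kernel process list (both sessions).
PSLIST = [
    Proc(4, "System", 0),
    Proc(432, "csrss.exe", 0),
    Proc(512, "csrss.exe", 1),
    Proc(980, "explorer.exe", 1),
    Proc(1320, "notepad.exe", 1),
    Proc(2200, "sample.exe", 1),  # constructed: no CSR_PROCESS record for it
]

# Constructed sample of what csrss.exe in session 1 (PID 512) tracks.
# PID 4444 is tracked by csrss but absent from PSLIST: the classic sign of
# a process unlinked from the kernel's list (DKOM-style hiding).
CSRSS_VIEW = {1: {980, 1320, 4444}}

# Processes that legitimately have no CSR_PROCESS record in their session:
# the kernel itself, the session manager, and csrss.exe (it does not track itself).
KNOWN_UNTRACKED = {"System", "smss.exe", "csrss.exe"}


def cross_view(pslist, csrss_view, session):
    """Return one row per PID seen in either view for the given session."""
    kernel = {p.pid: p for p in pslist if p.session == session}
    csr = set(csrss_view.get(session, ()))
    rows = []
    for pid in sorted(kernel.keys() | csr):
        rows.append({
            "pid": pid,
            "name": kernel[pid].name if pid in kernel else "<not in pslist>",
            "pslist": pid in kernel,
            "csrss": pid in csr,
        })
    return rows


def suspicious(rows):
    """Flag PIDs whose presence differs between the two views."""
    findings = []
    for r in rows:
        if r["csrss"] and not r["pslist"]:
            findings.append((r["pid"], "in csrss view only: possibly unlinked from the kernel list"))
        elif r["pslist"] and not r["csrss"] and r["name"] not in KNOWN_UNTRACKED:
            findings.append((r["pid"], "in pslist only: no CSR_PROCESS record, verify it is a Win32 process"))
    return findings


if __name__ == "__main__":
    rows = cross_view(PSLIST, CSRSS_VIEW, 1)
    print(f"{'PID':>6} {'name':<16} pslist csrss")
    for r in rows:
        print(f"{r['pid']:>6} {r['name']:<16} {str(r['pslist']):<6} {r['csrss']}")
    for pid, why in suspicious(rows):
        print(f"[!] PID {pid}: {why}")
```

Real psxview adds further views (psscan, thread list, session handles, deskthrd) and the same per-PID table; the two-view version above is enough to show why a csrss-only PID deserves attention.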
j00ru//vx tech blog
Windows CSRSS write up: the basics | j00ru//vx tech blog
The following post entry opens a series of CSRSS-oriented articles, aiming at describing the uncovered CSRSS mechanism internals, present in the Windows OS for more than fifteen years now. Although some great research has already been carried out by a few…
₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware - North Korea in action
🗣digicat
🎖@malwr
Volexity
₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware
Over the last few months, Volexity has observed new activity tied to a North Korean threat actor it tracks that is widely referred to as the Lazarus Group. This activity […]