Abusing native Windows functions for shellcode execution
http://ropgadget.com/posts/abusing_win_functions.html
A Deep Dive Into Malicious Direct Syscall Detection
https://www.paloaltonetworks.com/blog/security-operations/a-deep-dive-into-malicious-direct-syscall-detection
This blog explains how attackers use direct syscalls to overcome most EDR solutions, by first discussing the conventional Windows syscall flow and how most EDR solutions monitor those calls.
x64dbg plugin for simple spoofing of CPUID instruction behavior
https://github.com/jonatan1024/CpuidSpoofer
fpicker: Fuzzing with Frida
https://insinuator.net/2021/03/fpicker-fuzzing-with-frida
https://github.com/ttdennis/fpicker
fpicker is a Frida-based fuzzing suite supporting various modes (including AFL++ in-process fuzzing).
Bypassing Frida: Advanced Frida Detection Bypass
https://medium.com/@haxymad/bypassing-frida-advanced-frida-detection-bypass-part-1-cc7c1dfbad9d
https://medium.com/@haxymad/bypassing-frida-advanced-frida-detection-bypass-part-2-e3466a141a4c
https://medium.com/system-weakness/bypassing-frida-advanced-frida-detection-bypass-part-3-339aa1202c48
https://medium.com/system-weakness/bypassing-frida-advanced-frida-detection-bypass-part-4-c258e8f5aa64
VM Detection Tricks, Part 1: Physical memory resource maps
In this series we’ll document a novel and as-yet-undocumented Virtual Machine detection trick for each month of 2021. These detection tricks will be focused on 64-bit Windows 10 or Windows Server 2019 guests, targeting a variety of VM platforms.
https://labs.nettitude.com/blog/vm-detection-tricks-part-1-physical-memory-resource-maps
Decompilation Debugging
https://clearbluejar.github.io/posts/decompilation-debugging-pretending-all-binaries-come-with-source-code
Debugging an application can provide the insight needed to troubleshoot a subtle bug in your software. Normally, when debugging, you have source code and data type information (aka symbols) to help navigate your application. In the world of Reverse Engineering…
IDA Pro 9.3 KeyGen.py
10.7 KB
IDA Pro 9.3 KeyGen
pip install + privilege escalation on Win (ShellExecuteW(..., "runas", ...) + generation of JSON license and signature + copying idapro.hexlic to %APPDATA%\Hex-Rays\Ida Pro\idapro.hexlic + of course editing the registry HKCU\SOFTWARE\Hex-Rays\IDA\Licenses\ + patching IDA binaries
On *nix/mac - it searches for libida.so, libida32.so, .dylib in the current directory and patches them
@reverseengine
🟢 7️⃣ Page Permissions
Each memory page has these permissions:
Read
Write
Execute
Example:
Code → RX
Data → RW
📌 Important: because the debugger and loader work with these permissions
@reverseengine
🟢 8️⃣ User Mode vs Kernel Mode
The CPU has two modes:
User Mode
Normal programs
Limited access
Kernel Mode
The operating system itself
Full access
A program cannot perform sensitive operations directly; it must make a syscall.
📌 RE: you'll understand why some instructions give errors
@reverseengine