(Anti)Reverse Engineering
- Fake EP trick by Rafael S Marques
- Anti-Reverse Engineering Linux by Jacob Baines
- The Ultimate Anti-Reversing Reference by Peter Ferrie
- Obfuscation with Mixed Boolean-Arithmetic Expressions by Ninon Eyrolles
Windows VX
- Hiding your .NET - COMPlus_ETWEnabled by XPN (Mirror)
- Hiding your .NET - ETW by XPN (Mirror)
- Weaponizing Mapping Injection w/ Instru Callback for proc inject by Splinter Code (Mirror)
- An Alternative Method To Enumerate Processes by smelly__vx
- Abusing the Windows Power Management API by smelly__vx and am0nsec (Full source)
- Weaponizing Windows Virtualization by smelly__vx (Full source)
- Heresy's Gate: Ring 0 to Ring 3 via Worker Factories by zerosum0x0 (Mirror)
- Cmd Hijack - a command/argument confusion with path traversal in cmd.exe by Julian Horoszkiewicz (Mirror)
- GetEnvironmentVariable alternative to WriteProcessMemory in proc inject by J. M. Fernández
- NINA: x64 Process Injection by 0x1337dtm
- Hell's Gate: invoking syscalls from in-memory modules by Paul Laîné and smelly__vx
- Masking Malicious Memory Artifacts – Part I: Phantom DLL Hollowing by Forrest Orr (Mirror)
- Defeating Userland Hooks ft. BitDefender by 0x00dtm
- Add a new PE section & Code inside of it by Athena
- Detailed Guide To PE Infection by KOrUPt
- Another detailed guide to PE infection by Athena
- Hide process with DKOM without hardcoded offsets by ZwClose7
- Hiding loaded driver with DKOM by ZwClose7
Linux VX
- Saruman - anti-forensics executable injector [TR2] by ElfMaster (Mirror)
- dsym_obfuscate by ElfMaster (Mirror)
- dt_infect v1.0 by ElfMaster (Mirror)
- Sherlocked by ElfMaster (Mirror)
- Linux.Proudhon.i386 by S01den
- Wormable SSH by Anonymous_ (Mirror) (Full source)
Analysis
- Autochk Rootkit Analysis by Ori Damari (Mirror)
- Muhstik Botnet Attacks Tomato Routers to Harvest New IoT Devices by Asher Davila
- Eleethub: A Cryptocurrency Mining Botnet with Rootkit for Self-Hiding by Asher Davila
- A Curious Case Of MalwareBytes by 0x1337dtm
Mobile VX
- Infecting Android Applications: The New Way by Thatskriptkid
Persistence
- Abusing Windows Telemetry for Persistence by Christopher Paschen (Mirror)
- Covert Data Persistence with Windows Registry Keys by Jackson T.
- Common Language Runtime Hook for Persistence by Paul Laîné
- Protecting Your Malware with blockdlls and ACG by XPN (Mirror)
MacOS VX
- MacOS Filename Homoglyphs Revisited by XPN (Mirror)
Metamorphism and Polymorphism
- Demonstration of assembler based Polymorphism by Rafael S Marques
- Advanced Metamorphic Techniques in Computer Viruses
Hasherezade Collection
Code
- Pe-sieve
- libpeconv
- asm16 projects
- hollows_hunter
- mal_unpack
- antianalysis_demos
- tiny_tracer
- libpeconv_tpl
- ida_ifl
- detours_cmake_tpl
- pe_check
- IAT_patcher
- bearparser
- exe_to_dll
- tag_converter
- persistence_demos
- process_doppelganging
- process_chameleon
- demos
- pe-bear-releases
- shellconv
- pe_to_shellcode
- IAT_patcher_samples
- ViDi
- paramkit
- bearparser_tests
- dll_to_exe
- module_overloading
- malware_analysis
- challs
- beardisasm
- chimera_pe
- password_scrambler
- hidden_bee_tools
- flareon2019
- libpeconv_wrappers
- wke_exercises
- crypto_utils
- loaderine
- libpeconv_demo
- decryptors_archive
- jpassword_scrambler
- petya_key
- petya_green
- bootldr_demo
- 7ev3n_decoders
- petya_recovery
- mal_sort
- metasploit_modules
- bunitu_tests
- mastercoder2014
Video Playlists
CrackMe
- DEMO: FlareOn4 Challenge6 solved with libPeConv
- DEMO: a custom PE loader using libpeconv
Demos
- My experiments with enSilo's Process Doppelganging
- My experiments with ProcessDoppelganging - running a PE from any file
- More fun with ProcessDoppelganging: running Mimikatz from hacker manifesto ;)
- Experiment: ProcessExplorer vs my "lil_calc"
- WarCon 2018 - demo
FAQ
- Unpacking PrincessLocker in 5 minutes - using ImmunityDbg and pe_unmapper
- Unpacking Cerber out of NSIS crypter + dumping the configuration (example #2)
Malware
- DEMO: A malware bypassing UAC set to max (Windows 7 32bit)
- Using IAT_Patcher in malware analysis
- PE_unmapper demo: unpacking TrickBot and FlokiBot
- Unpacking PrincessLocker in 5 minutes - using ImmunityDbg and pe_unmapper
- Unpacking Locky in 5 minutes - using ImmunityDbg and pe_unmapper
- Unpacking Cerber ransomware in 5 minutes + dumping the configuration (example #1)
- Unpacking Goldeneye ransomware in 2 minutes
- Unpacking SmokeLoader (Dofoil) in 5 minutes + converting the payload (DLL) into EXE
- Unpacking Andromeda (Gamarue) + initial analysis
- Unpacking Ursnif variant
- Unpacking Terdot.A/Zloader.
- Unpacking Ursnif variant
- Unpacking a MalPack with multiple payloads - part 1
- Unpacking a MalPack with multiple payloads - part 2
- DEMO: Man-In-The-Browser (Zbot intercepting HTTPS)
- Petya Eternal - is the Salsa key lost forever?
- How Kronos malware is paired with a browser
- Kronos malware - let's take a look at the webinjects
- DEMO: what happens when we run malicious VBS script - attack of ransomware (GlobeImposter 2.0)
- Unpacking Ursnif
- Deobfuscating TrickBot's strings with libPeConv
- Unpacking ISFB (including the custom 'PX' format)
Malware Unpacking
- Unpacking Ursnif with Hollows Hunter
- Unpacking Smoke Loader
- Unpacking Kronos
- Unpacking Ursnif
- Unpacking Ramnit with HollowsHunter/PE-sieve
- Unpacking Loki Bot with HollowsHunter/PE-sieve
- Unpacking a monero miner with HollowsHunter
- [DEMO] HollowsHunter detects impersonated processes
- Unpacking TrickBot with PE-sieve
- DEMO: Unpacking process hollowing with PE-sieve
- Unpacking Magniber ransomware with PE-sieve (former: 'hook_finder')
- Unpacking Magniber ransomware
- Unpacking a cryptocurrency miner (from NSIS-based cryptor)
- Unpacking BitPaymer ransomware
- Unpacking TrickBot and decoding config
- Unpacking Dridex loader
- Unpacking YoungLotus malware
- Unpacking Cerber ransomware (example #3)
- Unpacking Diamond Fox
- Unpacking Dreambot (aka ISFB, Ursnif)
- Unpacking a self-overwriting PE (Neutrino bot - stage #1)
- Unpacking a self-overwriting PE (Zbot)
- Unpacking ISFB (including the custom 'PX' format)
- Unpacking Baldr stealer
- Unpacking Cerber out of NSIS crypter + dumping the configuration (example #2)
- Unpacking a MalPack with multiple payloads - part 1
- Unpacking a MalPack with multiple payloads - part 2
- Unpacking Terdot.A/Zloader.
- Unpacking Ursnif variant
- Unpacking Andromeda (Gamarue) + initial analysis
- Unpacking Goldeneye ransomware in 2 minutes
- Unpacking Cerber ransomware in 5 minutes + dumping the configuration (example #1)
- Unpacking SmokeLoader (Dofoil) in 5 minutes + converting the payload (DLL) into EXE
- Unpacking PrincessLocker in 5 minutes - using ImmunityDbg and pe_unmapper
- Unpacking Locky in 5 minutes - using ImmunityDbg and pe_unmapper
- PE_unmapper demo: unpacking TrickBot and FlokiBot
My Tools
- Using IAT_Patcher in malware analysis
- PE_unmapper demo: unpacking TrickBot and FlokiBot
- DEMO: imports_unerase - tool to recover erased imports
- Decoder for Latent Bot's strings
- DEMO: ChimeraPE v0.2
- hook_finder - a small tool for investigating in-memory patches
- RunPE - 32 and 64 bit
- IFL - Interactive Functions List - a plugin for IDA Pro
- DEMO: a custom PE loader using libpeconv
- DEMO: FlareOn4 Challenge6 solved with libPeConv
- DEMO: Retrieving function names by checksums using libPeConv + code of the original malware
- hook finder vs Process Doppelganging
- DEMO: Unpacking process hollowing with PE-sieve
- [DEMO] HollowsHunter detects impersonated processes
- Unpacking Loki Bot with HollowsHunter/PE-sieve
- Tracing executables with a Pin Tool (tiny_tracer)
- PE-sieve 0.1.5 release notes - what are the dump modes about?
- ParamKit library
PE-sieve
- Unpacking Ursnif with Hollows Hunter
- Unpacking Ursnif
- Unpacking Kronos
- PE-sieve 0.1.5 release notes - what are the dump modes about?
- PE-sieve v0.2.1 release notes - import recovery & unpacking UPX (part 1)
Ransomware Decryptors
- PrincessLocker - how to recover files
- Recovering files encrypted by 7ev3n ransomware (variant C)
- Recovering files encrypted by 7ev3n ransomware (variant B)
- Anti-Petya Live CD in action (antipetya_multi.iso)
- Recovering system after Petya ransomware attack
- AntiPetya Ultimate - LiveCD
- Using the obtained key
- petya key recovery
Tutorials
- Unpacking Locky in 5 minutes - using ImmunityDbg and pe_unmapper
- Unpacking PrincessLocker in 5 minutes - using ImmunityDbg and pe_unmapper
- PE_unmapper demo: unpacking TrickBot and FlokiBot
- Unpacking Cerber ransomware in 5 minutes + dumping the configuration (example #1)
- Unpacking Goldeneye ransomware in 2 minutes
- Unpacking SmokeLoader (Dofoil) in 5 minutes + converting the payload (DLL) into EXE
- Unpacking Andromeda (Gamarue) + initial analysis
- Unpacking Ursnif variant
- Unpacking a MalPack with multiple payloads - part 1
- Unpacking a MalPack with multiple payloads - part 2
- Deobfuscating TrickBot's strings with libPeConv
- Tracing executables with a Pin Tool (tiny_tracer)
- PE-sieve v0.2.1 release notes - import recovery & unpacking UPX (part 1)
WKE
- Installing HEVD
- Getting familiar with HackSys Extreme Vulnerable Driver
- Stealing an Access Token using WinDbg
- HEVD stack overflow
With Voice
- Unpacking Ursnif
- Deobfuscating TrickBot's strings with libPeConv
- Tracing executables with a Pin Tool (tiny_tracer)
- PE-sieve 0.1.5 release notes - what are the dump modes about?
- Unpacking Ursnif with Hollows Hunter
- Unpacking Baldr stealer
- Unpacking ISFB (including the custom 'PX' format)
- PE-sieve v0.2.1 release notes - import recovery & unpacking UPX (part 1)
- Mark & Hasherezade Funky Malware Formats
- How to make a PE with no sections (using Crinkler)
2020
- The “Silent Night” Zloader/Zbot
2019
- New version of IcedID Trojan uses steganographic payloads
- The Hidden Bee infection chain, part 1: the stegano pack
- A deep dive into Phobos ransomware
- Hidden Bee: Let’s go down the rabbit hole
- “Funky malware format” found in Ocean Lotus sample
- Analyzing a new stealer written in Golang
2018
- What’s new in TrickBot? Deobfuscating elements
- Fake browser update seeks to compromise more MikroTik routers
- Reversing malware in a custom format: Hidden Bee elements
- Process Doppelgänging meets Process Hollowing in Osiris dropper
- ‘Hidden Bee’ miner delivered via improved drive-by download toolkit
- Magniber ransomware improves, expands within Asia
- PBot: a Python-based adware
- Blast from the past: stowaway Virut delivered with Chinese DDoS bot
- Avzhan DDoS bot dropped by Chinese drive-by attack
- LockCrypt ransomware: weakness in code can lead to recovery
- Hermes ransomware distributed to South Koreans via recent Flash zero-day
- A coin miner with a “Heaven’s Gate”
2017
- Napoleon: a new version of Blind ransomware
- BadRabbit: a closer look at the new version of Petya/NotPetya
- Magniber ransomware: exclusively for South Koreans
- Inside the Kronos malware – part 2
- Inside the Kronos malware – part 1
- TrickBot comes up with new tricks: attacking Outlook and browsing data
- Bye, bye Petya! Decryptor for old versions released.
- Keeping up with the Petyas: Demystifying the malware family
- EternalPetya – yet another stolen piece in the package?
- EternalPetya and the lost Salsa20 key
- LatentBot piece by piece
- Elusive Moker Trojan is back
- Diamond Fox – part 2: let’s dive in the code
- Diamond Fox – part 1: introduction and unpacking
- Explained: Sage ransomware
- Explained: Spora ransomware
- Zbot with legitimate applications on board
- From a fake wallet to a Java RAT
- Post-holiday spam campaign delivers Neutrino Bot
2016
- Goldeneye Ransomware – the Petya/Mischa combo rebranded
- Simple userland rootkit – a case study
- PrincessLocker – ransomware with not so royal encryption
- Floki Bot and the stealthy dropper
- Introducing TrickBot, Dyreza’s successor
- Lesser known tricks of spoofing extensions
- Unpacking the spyware disguised as antivirus
- Shakti Trojan: Technical Analysis
- Decrypting Chimera ransomware
- Unpacking yet another .NET crypter
- From Locky with love – reading malicious attachments
- Third time (un)lucky – improved Petya is out
- Untangling Kovter’s persistence methods
- Satana ransomware – threat coming soon?
- DMA Locker 4.0: Known ransomware preparing for a massive distribution
- Petya and Mischa – Ransomware Duet (Part 2)
- Petya and Mischa – Ransomware Duet (Part 1)
- 7ev3n ransomware turning ‘HONE$T’
- Rokku Ransomware shows possible link with Chimera
- Petya – Taking Ransomware To The Low Level
- Maktub Locker – Beautiful And Dangerous
- Cerber ransomware: new, but mature
- Look Into Locky Ransomware
- LeChiffre, Ransomware Ran Manually
- Ransom32 – look at the malicious package
2015
- Inside Chimera Ransomware – the first ‘doxingware’ in wild
- Malware Crypters – the Deceptive First Layer
- No money, but Pony! From a mail to a trojan horse
- A Technical Look At Dyreza
- Unpacking Fraudulent “Fax”: Dyreza Malware from Spam
- Rainbows, Steganography and Malware in a new .NET cryptor
- Who’s Behind Your Proxy? Uncovering Bunitu’s Secrets
- Revisiting The Bunitu Trojan
- Elusive HanJuan EK Drops New Tinba Version (updated)
- Unusual Exploit Kit Targets Chinese Users (Part 2)