Seeing an increase in MySQL attacks hitting your network and interested in knowing more about them? If so, then these posts are for you. They have all the fun involved from noticing an increase in traffic to extracting malware from a packet capture and analysing it. If you like the thrills and spills of scripting information processing tasks, then read on. If you’d rather I just got to the point and presented information about the attacks, then you can probably skip this first post. Continue Reading
Ever wondered whether it would be possible to find strings that have been xored, without undoing the xor? After seeing Lenny Zeltzer demonstrate the ‘xorsearch’ command, I started to wonder if it was possible to find xored strings by considering how each byte differed from the byte next to it.
Introducing the Muse Food category. This category is for ‘food for thought’, that is, ideas or concepts that I’m thinking about but haven’t yet done anything useful with. It is basically me thinking aloud.
The ideas aren’t guaranteed to be practical, correct, or even sensible, but they may provoke ideas/discussion in other people in which case I’d appreciate a comment and, if applicable, a blog link.
Alternatively, you can leave a comment if you would like to start a train of thought of your own.
If your computer, mobile phone, or any other piece of I.T. equipment starts behaving differently, then it is probably wise to investigate further as it could indicate a malware infection. I remembered this lesson on Friday when I was left stranded by the side of the road, due to car trouble after ignoring what I suspect with hindsight, was a subtle change in my car’s behaviour. Continue Reading
‘Self Modifying Code: Changing Memory Protection‘ described how self modifying code first needs to add write permissions to the memory page(s) before it can modify the code. There is another way of creating self modifying code which doesn’t require a call to VirtualProtect() — modify the characteristics of the .text (code) section in the EXE file. Continue Reading
Self modifying code is a phrase used to describe programs that are able to change themselves. Using self modifying code can make it harder to reverse engineer a program, largely because the ‘actual code may differ from that shown’. That is, the actual code that ends up executing may be different from the code that is first shown during disassembly. Join me as I attempt to relive my youth and create some self modifying code, only this time it will have to work under the memory protection schemes implemented by the 80×86 processors and MS Windows. Continue Reading
Examining a piece of malware for strings (sequences of printable characters) can reveal a few clues about what the malware does, or what it is capable of doing. Part three started disassembling the functions to see how closely their behaviour matched the predictions in part two, but sadly ended just as things were getting exciting. In part four, the saga continues. Continue Reading
Examining a piece of malware for strings (sequences of printable characters) can reveal a few clues about what the malware does, or what it is capable of doing. Part two predicted the behaviour of some functions, based on which strings they referenced. Part three will start to disassemble these functions to see how closely the predicted behaviour matches their actual behaviour. Continue Reading
You’d think that with fifteen years experience working in I.T., and the experience working with computers before that, that I would have learned to save my work often! I figured that I’d be ok, as the WordPress web interface keeps telling me that it has saved a draft copy. That was fine until I somehow wiped out a whole load of content only to then have the WordPress web interface save the remaining text as the draft. Continue Reading
Examining a piece of malware for strings (sequences of printable characters) can reveal a few clues about what the malware does, or what it is capable of doing. Part two demonstrates one way of finding the functions that reference the strings, and uses this information to hazard a guess at what those functions do. Continue Reading