HS - February 2015

Page 1

HACKERSPACE

April 2016

Reverse Engineering (RE)

Reverse Code Engineering (RCE)

"If you are curious, go and look at page 17. Good luck!"

by >_Franck Desert (Setec Astronomy)

HACKFEST

Page 2

>_About-FD

➛ Married (21 years) - Dad

➛ French, but better ;-))

➛ Hackfest games since 2013 (in Quebec for 4 years)

➚ Works hard on its Hostile Platform (HF Phenix – Azure Cloud)

➚ And every task I am given ;-)

➚ iHack 2016 above all: put it in your calendars!

➛ A security enthusiast for 25 years

➚ Specialties: RCE, malware; every language fascinates me,

➚ Every Windows since the very beginning,

➚ Organic Architect (senior dev) at CGI Québec for 4 years.

Page 3

>_Remove-Context

Prerequisites, and from which angle:

Learn or re-learn all the time,

Constantly question your paradigm,

Focus while changing your "MindSet"; careful, this is a 101+,

My angle of attack is oriented against malware and technology watch on code.

What will not be covered:

A dumb list of tools (that would take a bootcamp ;-)),

A presentation of one particular tool (1xx, 2xx training, etc.),

Pure, hardcore "reversing" inside a disassembler (tedious),

Assembly code only, memory reading, etc.,

"Pentesting" either (you have the best in the room ;-)),

"Reversing" of mobile, IoT and other systems,

But it is the same principle!

Page 4

>_Help-RCE

"Reverse-Engineering" # "Rétro-ingénierie"

"Engine" # "Ingénier" (to engineer) comes from "génie" (as in civil engineering), ingenious.

Page 5

>_Add-Context1

Focus on a common vocabulary

[Debugging # (Disassembly – Delinking) # "Decompilation" # Pseudo-code],

Focus on the hunting ground you will be working on,

Focus on the "ATOMIC", because it is "Too Big", but in 4 dimensions (more on that later),

Focus on adapting your "MindSet" and your tools (video games),

Focus on the new paradigms and means put at your disposal,

(G8 cloud machines, IoT, batch services, parallelism, machine learning, etc.)

8 zettabytes of data predicted in 2016 (1000^7 bytes = 1 ZB zettabyte, 1000^8 bytes = 1 YB yottabyte)

Page 6

>_Add-Context2

"TimeLess" – "TimeToMarket" – "DLP"

x = y / 2 can be turned by the compiler into a series of 20 to 30 processor instructions.

The output of a decompiler is 5 to 10 times shorter than that of a disassembler.

Page 7

>_Get-RealMarket

Market reality: more than 60% of the users of so-called Pentest and/or "Forensic Sandbox" distros are running Windows. After download, they are installed in dual boot or on a virtual machine. Made public thanks to the SourceForge stats API.

You can also see the worldwide share of Windows OS, which comes in at around 85%:

https://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Desktop_and_laptop_computers

(1) Samurai Web Testing Framework - 66% Windows downloads

https://sourceforge.net/projects/samurai/files/stats/timeline?dates=2013-05-27+to+2016-04-01

(2) Santoku Linux - 60% Windows downloads

https://sourceforge.net/projects/santoku/files/stats/timeline?dates=2013-05-27+to+2016-04-01

(3) Parrot OS - 59% Windows downloads

https://sourceforge.net/projects/parrotsecurity/files/stats/os?dates=2013-06-16%20to%202016-04-01

(4) Matriux - 69% Windows downloads

https://sourceforge.net/projects/matriux/files/stats/os?dates=2010-11-19%20to%202016-04-01

Page 8

>_Get-ThePower

Battle of formats: XML, JSON, OpenXML, OpenDocument, etc.,

Office Open XML, OpenDocument (OASIS), XML, JSON, JSONP, etc.

Battle of full hardware virtualization (the "CLOUD" wars) ;-),

Process virtualization such as Sandboxie, VMware, VirtualBox, etc.

Battle of the JS engines (grand masters of the WEB) and of the layout engines.

ECMAScript (or ES), Rhino - Mozilla project, Chakra - EdgeHTML, V8 – Chrome, SpiderMonkey - first version of Firefox, Carakan – Opera, SquirrelFish Extreme - Safari

https://en.wikipedia.org/wiki/Comparison_of_layout_engines_%28ECMAScript%29

Battle of the browsers, which are (wrapper, loader, host, ecosystem).

Industry 4.0 and operationalization go through SOFTWARE "at large".

Page 9

>_What-Research

Reverse engineering as attack:

Study to find the weak points of an OS, a product, etc.,

Study to refine viral techniques and other vulnerabilities,

Study out of passion, and to get onto the stage at HackFest or BlackHat ;-)

Reverse engineering as defense:

Study of malicious binaries (example: rootkit),

Study of computer viruses in order to provide a means of eradication,

Study and research of vulnerabilities in software, in order to improve its security,

Reverse engineering as technology watch:

Study of competing products,

Determining the components used,

Identifying possible patent infringements committed by a competitor, or to be avoided.

Page 10

>_Think-Langage

# Programming languages: targets, subjects and above all means (time, money, etc.)

Assembly is very rarely used,

C and C++ are only used for paid or state-sponsored attacks,

Java, .NET with VB.NET (C#, F#),

VB6, old Delphi versions or Delphi XE 2013, PureBasic, xBasic,

Scripts: VBA, AutoIt, Batch, AutoKey, PowerShell, HTA, JavaScript,

# Execution techniques,

# Native code - IL code - interpreted code,

# All scripting languages,

# Wrapped, hosted, interpreted, dropped, etc.,

Page 11

>_Add-BadDefense1

Crypter, packer, obfuscator, compressor, loader, installer, etc.

Drown the program,

Russian doll, cascading installation, multi-installation with different techniques and products,

Self-extracting, portable, Internet connection (file hosters, xxxBin, etc.).

"HomeMade" with a so-called "Cargo" crypter: that is an "oligomorphic engine"!

The best installers and compressors of the moment: 7zip, Rar, PKZip, Lharc, etc.

"Encryption", "Stealer", "Countermeasure": anything goes to make the job difficult.

Custom Base64 with a shuffled "character set":

("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/")

instead of the standard one:

("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")

Page 13

>_Remove-BadEvasion

FireEye: using EMET to disable EMET (Enhanced Mitigation Experience Toolkit)

https://www.fireeye.com/blog/threat-research/2016/02/using_emet_to_disabl.html

AV evasion,

System persistence,

Exploit kits (see the attached screenshot),

resource://gre/modules/ (as an example in Firefox),

PowerShell with .NET (see PowerMemory on GitHub).

Page 14

>_Set-GoodAttack

Change your paradigm,

"Go back to the origins" (example: quickbms),

Everything is worth recovering, from any domain,

By target,

By subject,

By language,

By infrastructure, OS,

(De)crypter, (de)packer, (de)obfuscator, (de)compressor, (de)installer, etc.,

Page 15

>_Add-GoodEffect

"Side effect" (UPX packer and Yoda crypter), cancelling of protections,

"Copy-Paste Pattern", recognizable (Yara rules, Metasploit, etc.),

Exploit kit: turn the weapon against the attacker, make an immuno-marker,

Debugging JavaScript inside Firefox (resource://gre/modules/) (about:about).

https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/Debugging_JavaScript

Online: "beautifier", IDE, decryption, debugging, etc.

http://crypo.bz.ms/encryptors

Page 16

>_Extract-RussianDoll

So-called "official" products hiding Internet calls and fraudulent installations,

Attackers must defend themselves,

Defenders must attack,

Distinguish the final payload (rootkit, RunPE, native code, etc.),

Deployment and infection campaigns: mixed mode, "Low & Slow" (213 days), etc.

https://addons.mozilla.org/fr/firefox/blocked/

Frankenstein code, multi-OS, multi-network, C&C, etc.

Page 17

>_Get-HASH

SO, DID YOU FIND ME? NO! COME ON, GO! GO!

Hidden, fused, merged?

If you find the HASH you will find a bonus ;-)

(This hash will be usable for iHACK 2016, next June 11 ;-))

Page 18

>_Create-Environement

IDEs, RAD (rapid application development), online systems, etc.,

Browsers and their environments (collections for Firefox),

Linux-like technique - http://cmder.net/

Filing and bookmarking techniques, Gmail alias technique with the +,

Avatar: never leave traces (even for your ego),

Awesome lists on GitHub and elsewhere,

https://github.com/vhf/free-programming-books/blob/master/free-programming-books.md?sf21101349=1

https://github.com/rshipp/awesome-malware-analysis

https://github.com/sindresorhus/awesome

Challenges, CTF kata, physical CTF, collaboration,

Bulletins, security company blogs,

Twitter and research-monitoring sites (Visibrain, Tiobe, etc.),

Go and see my friend Aditya Agrawal of Manifest Security!

https://manifestsecurity.com/

Page 19

>_Get-5Dimension

4D vision; invent your own 5th dimension ;-))

Everything is a pretext for "reversing", even the tools you use to "reverse",

Anything goes to find information; the slightest clue can matter,

YouTube (etc.), social networks, a screenshot, Pastebin (etc.),

Open source (all the forges), black forums, gaming forums,

Think like an investigator (names, nicknames, groups, places, all mixed together),

Never bad code, always a technique to discover,

Virtual environment, hostile environment (theZoo malware),

http://ytisf.github.io/theZoo/

https://github.com/ytisf/theZoo

VxShare, but by invitation only!

Page 20

>_Get-Example1

Page 21

>_Get-ToolsBox

Compilers: Assemblers, Assembler IDE, C++ IDE

Disassemblers & Debuggers: Debuggers, OllyDbg 2 plugins, OllyDbg 1 plugins, Disassemblers, IDA tools, Android, .NET, .NET debuggers, VB, Delphi, Java, Flash, Misc

Logging and Monitoring Tools

Malware Analysis Tools: Mobile malware analysis, PDF tools, Sandboxes

PE Tools: PE editors, PE analyzers, PE rebuilders, Resource editors

About 90 files in the OneDrive archive; it is the same file whenever you see it linked.

Password: HackerSpace2016 (case sensitive)

Page 22

>_Get-ToolsBox Compilers, Assemblers and IDE

A collection of assemblers, IDEs and free compilers. You probably already have some, but others may prove hard to find on the Internet, and they can still come in handy every now and then.

[Assemblers]

FASM: http://flatassembler.net/download.php

The flat assembler is a fast and efficient self-assembling 80x86 assembler for DOS, Windows and Linux operating systems. Currently it supports all 8086-80486/Pentium instructions with MMX, SSE, SSE2, SSE3 and 3DNow! extensions and x86-64 (both AMD64 and EM64T) instructions, and can produce output in binary, MZ, PE, COFF or ELF format.

Masm 11: OneDrive PhenixZ

Microsoft assembler

Tasm 5.0: OneDrive PhenixZ

Turbo assembler

[Assembler IDE]

WinAsm 5.1.8.8: OneDrive PhenixZ

WinAsm Studio is a free Integrated Development Environment (IDE) for developing 32-bit Windows programs. MASM is supported inherently, while FASM is supported through add-ins.

Page 23

>_Get-ToolsBox [C/C++ IDE]

Visual Studio Express: http://www.microsoft.com/express/download/

Microsoft Visual Studio is the main Integrated Development Environment (IDE) from Microsoft. It can be used to develop console and graphical user interface applications along with Windows Forms applications, web sites, web applications, and web services in both native code and managed code for all platforms supported by Microsoft Windows, Windows Mobile, Windows CE, .NET Framework, .NET Compact Framework and Microsoft Silverlight.

Code::Blocks: http://www.codeblocks.org/

Code::Blocks is a free C++ IDE built to meet the most demanding needs of its users. It is designed to be very extensible and fully configurable and has multiple compiler support (default GCC).

Page 24

>_Get-ToolsBox [Disassemblers & Debuggers]

OllyDbg 2.01: OneDrive PhenixZ

OllyDbg 2.01 [ Now supports plugins! ]

OllyDbg v1.10: OneDrive PhenixZ

Debugger… You should know it

WinDbg: http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx

Windows Symbol Packages: http://www.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx

Microsoft Debugger

X64dbg: http://x64dbg.com/

An open-source x64/x32 debugger for Windows. Also supports plugins.

OllyDbg 2 Plugin

Sequential Dumper: OneDrive PhenixZ

More information on Zairon's site: http://zairon.wordpress.com/2014/04/03/my-new-ollydbg-plugin-sequential-dumper/

Sequential Dumper is conceptually able to dump blocks of memory in sequence: it monitors the flow of the malware code, trying to dump all the newly allocated/decrypted parts in different memory areas that contain code of the malware itself.

DbgHook: OneDrive PhenixZ

DbgHook is a small plugin for Olly 2.1 that hooks the classic functions used for anti-debug tricks. The driver is for Windows 7 x64 (tested on build 7600.16385.1), so to run it the driver needs to be registered and PatchGuard disabled (you can use tools like DSEO).

ollydbg2-python: https://github.com/0vercl0k/ollydbg2-python

Scripting OllyDbg 2 using Python.

Page 25

>_Get-ToolsBox [OllyDbg 1 Plugin]

FullDisasm 3.0.1.175: OneDrive PhenixZ

FullDisasm is a small plugin for OllyDbg 1.10 which allows you to replace the old disassembler.

HideDebugger 1.24: OneDrive PhenixZ

Hide Debugger is a plugin that uses various tricks to hide the presence of the debugger.

ODbgScript 1.82.6: OneDrive PhenixZ

ODbgScript is a plugin meant to let you automate OllyDbg by writing scripts in an assembly-like language.

OllyAdvanced 1.27: OneDrive PhenixZ

All-in-one OllyDbg plugin: Olly hiding, Olly bug fixes, etc… [ Fixed some bugs to work on Windows Vista/7 ]

OllyStealth64 1.3: OneDrive PhenixZ

Anti-anti-debug and compatibility plugin for Olly 1.10 running on Vista x64.

OllyDbg PDK v1.10: OneDrive PhenixZ

OllyDbg Plugin Development Kit

OllyDump 3.00.110: OneDrive PhenixZ

Dumps the process with a rebuilt import table (IT)

Qcmdline 1.06: OneDrive PhenixZ

A command line for OllyDbg with many more features than the standard one

SehSpy 0.1: OneDrive PhenixZ

Useful while you are stepping through SEH handlers

StrongOD 0.4.8.892: OneDrive PhenixZ

This plugin is mostly useful for setting some OllyDbg settings, especially when unpacking, to make it very robust.

PhantOm 1.85: OneDrive PhenixZ

Another plugin, like StrongOD, that allows you to mod your Olly.

Illy 0.1 Beta 3: OneDrive PhenixZ

Try to debug your .NET targets inside Olly!

Page 26

>_Get-ToolsBox

[Disassemblers]

IDA 6.9 Demo: https://www.hex-rays.com/products/ida/support/download_demo.shtml

IDA Demo version

IDA 5.0 Free: http://www.hex-rays.com/idapro/idadownfreeware.htm

IDA 5.0 Freeware version

W32Dasm zip: [password: disassembler ] OneDrive PhenixZ

The famous disassembler patched to include VB support and comments in the listing

IDA Utilities

Determina PDB plugin 1.0: OneDrive PhenixZ

This is a replacement for the IDA PDB plugin which significantly improves the analysis of binaries with public debugging symbols.

Delphi signatures 1.0: OneDrive PhenixZ

Delphi 6 and 7 IDA signatures.

IDA Stealth 1.3.3: OneDrive PhenixZ

IDA Stealth is a plugin which aims to hide the IDA debugger from most common anti-debugging techniques.

Rock4 v2: OneDrive PhenixZ

Rockey4 v2.x C++ library IDA signatures.

Sentinel Hardware Keys: OneDrive PhenixZ

Sentinel Hardware Keys v1.0.3 IDA signature.

Sentinel Lm: OneDrive PhenixZ

From SentinelLm 7.0 to 7.3 and 8.x IDA signatures.

Sentinel SuperPro: OneDrive PhenixZ

From Sentinel SuperPro 6.0 to 6.4.4 IDA signatures.

Page 27

>_Get-ToolsBox

IDA Utilities

PatchDiff2 2.0.10b: OneDrive PhenixZ

PatchDiff2 is a plugin that can analyze two IDB files and find the differences between both.

Funcap 0.91 : OneDrive PhenixZ

IDA Pro script to add useful runtime info to static analysis.

IDA Sploiter 1.0: http://thesprawl.org/projects/ida-sploiter/

IDA Pro script designed to enhance IDA’s capabilities as an exploit development and vulnerability research tool.

IDA Patcher 1.2: http://thesprawl.org/projects/ida-patcher/

IDA Pro script designed to enhance IDA’s ability to patch binary files and memory.

IDAPython 1.7.2: https://github.com/idapython/bin

IDAPython is an IDA Pro plugin that integrates the Python programming language, allowing scripts to run in IDA Pro.

IDA Toolbag 2.0: https://thunkers.net/~deft/code/toolbag/docs.html

The IDA Toolbag is a plugin providing supplemental functionality to the Hex-Rays IDA Pro disassembler.

IDAscope 1.2.1: https://bitbucket.org/daniel_plohmann/simplifire.idascope/

IDAscope is an IDA Pro extension with the goal to ease the task of (malware) reverse engineering.

BinSourcerer 1.31: https://github.com/BinSigma/BinSourcerer

BinSourcerer is an assembly to source code matching framework written in Python.

Page 28

>_Get-ToolsBox

Android

AndroChef Java Decompiler: http://www.neshkov.com/ac_decompiler.html

With AndroChef Java Decompiler you can decompile apk, dex, jar and Java class files.

.NET

{smartkill} v0.6: OneDrive PhenixZ

.NET 1/2/3 Patcher/Encoder/Decoder

.NET Reflector 6.6.0.30: OneDrive PhenixZ

.NET Reflector enables you to decompile and analyze .NET assemblies in C#, Visual Basic and IL.

.NET Reflector Add-Ins: http://www.codeplex.com/reflectoraddins

ILSpy 2.3.1.1855: OneDrive PhenixZ

Same kind of program as Reflector, but freeware.

reflexil 2.0 ILSpy addon: OneDrive PhenixZ

IlDasm v4.0.30319.17929: OneDrive PhenixZ

IL Disassembler

PEBrowse Professional Interactive 10.1.5: OneDrive PhenixZ

.NET 1.1/2 debugger; 64-bit exe files are supported

PEBrowseDbg64 6.3: OneDrive PhenixZ

For 64-bit OS

De4Dot: https://github.com/0xd4d/de4dot

de4dot is a .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly.

Page 29

>_Get-ToolsBox .NET Debuggers

dnSpy: https://github.com/0xd4d/dnSpy

.NET assembly editor, decompiler, and debugger

DILE 0.2.13: OneDrive PhenixZ

Dotnet IL Editor (DILE) allows disassembling and debugging .NET 1.0/1.1/2.0/3.0/3.5/4.0 applications without source code or .pdb files. It can debug even itself or the assemblies of the .NET Framework at IL level.

VB

WKT VB Debugger 4.3: OneDrive PhenixZ

Visual Basic P-Code debugger (click on Ignore if an error window pops up during the install process)

VB Decompiler: OneDrive PhenixZ

VB 1, 2, 3 decompiler

VB Decompiler Lite 10.3: OneDrive PhenixZ

P-code and native code decompiler for VB5-6 programs

ExDec: OneDrive PhenixZ

P-code decompiler for VB 5/6 programs

P-Code Opcodes List: http://web.archive.org/web/20101127044116/http:/vb-decompiler.com/pcode/opcodes.php?t=1

Database of P-Code opcodes

Page 30

>_Get-ToolsBox

Delphi

Delphi Decompiler v3.99.0a build 2005: OneDrive PhenixZ

Decompiler for Delphi 3, 4, 5, 6, C++ Builder and Kylix

Delphi Decompiler v3.10.1527 + Source Code: OneDrive PhenixZ

Decompiler for Delphi 3, 4, 5, 6, C++ Builder and Kylix, source code included

Delphi DFM Explorer 0.1b: OneDrive PhenixZ

Delphi DFM Explorer

Interactive Delphi Reconstructor: OneDrive PhenixZ

Version with all Delphi knowledge bases: http://kpnc.org/idr32/en/download.htm

A very useful tool for working with Delphi executables

Delphi Decompiler 1.7 build 929: OneDrive PhenixZ

Remake of DeDe

Java

Java Decompiler

Java Decompiler: OneDrive PhenixZ

Java Decompiler GUI: http://jd.benow.ca/

JD may be used to recover lost source code and explore the source of Java runtime libraries. (JD Project)

Java Bytecode Visualizer 4.4: http://www.drgarbage.com/download/

Inspect, understand and debug Java bytecode.

javadecompilers.com: http://www.javadecompilers.com/

Decompile Java code online.

Page 31

>_Get-ToolsBox

Flash

Flash Disassembler v1.62: OneDrive PhenixZ

Source Code: OneDrive PhenixZ

Flash SWF Disassembler

Free Flash Decompiler 8.0.1: OneDrive PhenixZ

Flash SWF decompiler and editor

Misc

Help Decompiler 2.1: OneDrive PhenixZ

Windows Help File Decompiler

Page 32

>_Get-ToolsBox

Logging and Monitoring Tools

A collection of useful monitoring tools designed to explore and log the activities of a running process.

Api Monitor v2 Alpha 13 – Portable [DL]: OneDrive PhenixZ

Latest version (rohitab.com): http://www.rohitab.com/apimonitor

Handy and customizable API monitor with advanced filtering capabilities. Standalone version for 32/64-bit systems.

Filemon 7.04 for Nt/Xp/…: OneDrive PhenixZ

Filemon for Nt/Xp/… on Amd64: OneDrive PhenixZ

Filemon source code: OneDrive PhenixZ

The famous file monitor

Ice Sword v1.22: OneDrive PhenixZ

An effective tool against rootkits, with a lot of additional functions like process dumper/killer/explorer, raw disk access monitor and much more.

Process Hacker 2.38.343: OneDrive PhenixZ

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware.

Sysinternals Suite – update 02/02/2016: OneDrive PhenixZ

The Sysinternals Troubleshooting Utilities (such as Process Explorer, Process Monitor and so on) rolled up into a single suite of tools.

Regmon 7.04 for Nt/Xp/…: OneDrive PhenixZ

Regmon for Nt/Xp/… on Amd64: OneDrive PhenixZ

Regmon source code: OneDrive PhenixZ

The famous registry monitor

Spy++ v11.00.50727: OneDrive PhenixZ

Spying tool with point-and-click Handle/ID grabbing

Page 33

>_Get-ToolsBox Malware Analysis Tools

A list of analysis tools designed to log the activities of a process, its network traffic, its access to the registry, etc.

SysAnalyzer setup (old): OneDrive PhenixZ

SysAnalyzer GitHub repo (updated): https://github.com/dzzie/SysAnalyzer

SysAnalyzer is an automated malcode run-time analysis application that monitors various aspects of system and process state. SysAnalyzer was designed to enable analysts to quickly build a comprehensive report of the actions a binary takes on a system.

Regshot 1.9.0: OneDrive PhenixZ

Regshot is an open-source (GPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one, taken after making system changes or installing a new software product.

Wireshark: http://www.wireshark.org/download.html

Wireshark is a network packet analyzer. A network packet analyzer captures network packets and tries to display the packet data in as much detail as possible.

Robtex Online Service: http://www.robtex.com/

IPs, domains, network structure analysis tool.

VirusTotal: http://www.virustotal.com/

VirusTotal is a service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines.

Mobile-Sandbox: http://mobilesandbox.org/

Mobile-Sandbox.com provides static and dynamic malware analysis for Android OS smartphones.

Malzilla: OneDrive PhenixZ

MalZilla is a useful program for exploring malicious pages. It allows you to choose your own user agent and referrer, and has the ability to use proxies. It shows you the full source of web pages and all the HTTP headers. It also gives you various decoders to try to deobfuscate JavaScript.

Volatility: https://github.com/volatilityfoundation

Volatility Framework is a completely open collection of tools for the extraction of digital artifacts from volatile memory (RAM) samples.

Page 34

>_Get-ToolsBox

Mobile malware analysis tools are included together with useful sandboxing software for dynamic analysis.

APKTool: http://code.google.com/p/android-apktool/

A tool for reverse engineering 3rd-party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes it possible to debug smali code step by step.

Dex2Jar: http://code.google.com/p/dex2jar/

Designed to read the Android Dalvik Executable (.dex/.odex) format. It reads the dex instructions into dex-ir format and can convert them to ASM format. Can also be used to perform some basic deobfuscation.

Smali: http://code.google.com/p/smali/

smali/baksmali is an assembler/disassembler for the dex format used by Dalvik, Android's Java VM implementation.

PDF Tools

PeePDF: https://github.com/jesparza/peepdf

peepdf is a Python tool to explore PDF files in order to find out whether the file can be harmful or not.

Sandboxes

Cuckoo Sandbox: http://www.cuckoosandbox.org/

Cuckoo Sandbox is open-source software for automating the analysis of suspicious files.

DroidBox: https://github.com/pjlantz/droidbox

DroidBox is developed to offer dynamic analysis of Android applications.

Malwasm: https://code.google.com/p/malwasm/

Malwasm is a tool based on Cuckoo Sandbox designed to help perform step-by-step analysis, log all malware activities and store them in a web-accessible database.

Page 35

>_Get-ToolsBox

PE Tools

A collection of tools for your daily PE interactions: editors, analyzers, rebuilders and resource extractors.

PE Editors

Cerbero PE Insider: http://cerbero.io/peinsider/

Explorer Suite III Multi-Platform Version: http://ntcore.com/Files/ExplorerSuite.exe

Explorer Suite III Stand-alone Version: http://ntcore.com/Files/CFF_Explorer.zip

PE Editor with support for: PE32, PE64, .NET, and process monitor/dumper

Lord PE 1.41 Deluxe b: OneDrive PhenixZ

PE Editing suite

ProcDump v1.6.2: OneDrive PhenixZ

Unpacker, Decryptor, PE Editor

Page 36

>_Get-ToolsBox

PE Analyzers

Crypto Searcher: OneDrive PhenixZ

Crypto Searcher has hundreds of signatures used to detect the crypto algorithms used in a program

Detect it Easy 1.00: OneDrive PhenixZ

Another PE identifier.

PEiD 0.95: OneDrive PhenixZ

PE identifier, with many interesting plugins [ Includes a work-in-progress userdb.txt; last update 25/06/2009 ]

PROTECTiON iD 6.7.5 December 2015: OneDrive PhenixZ

The ultimate game protection scanner

RDG Packer Detector 0.7.5: OneDrive PhenixZ

PE identifier, often better than PEiD

Stud PE v. 2.6.1.0: OneDrive PhenixZ

Another PE identifier

PeStudio 8.51: OneDrive PhenixZ

PeStudio is a unique tool that performs static investigation of 32-bit and 64-bit executables

Page 37

>_Get-ToolsBox

PE Rebuilders

Import Reconstructor 1.7 FINAL: OneDrive PhenixZ

Useful for rebuilding the import table (IT) of PE executables (PE+ not supported)

CHimpREC 1.0.0.1: OneDrive PhenixZ

Rebuilder for PE/PE+ executables

Relox 1.0a: OneDrive PhenixZ

Useful for rebuilding the relocation table of an unpacked DLL

Scylla 0.9.8: OneDrive PhenixZ

A powerful PE reconstructor for x86/x64 platforms which also supports plugins

Resource editors

XNResourceEditor 3.0.0.1: OneDrive PhenixZ

Resource editor

Resource Hacker 4.2.5: OneDrive PhenixZ

A complete resource editing tool

Page 38

>_Get-R&D

"Reverse Engineering for Beginners" free book, also known as RE4B. Written by Dennis Yurichev (yurichev.com).

A4 (for browsing or printing), A5 (for ebook readers)

Names of a few "repositories" to try to get hold of:

AhmedHacks

Ultra Hacker Tools

ShkoShiko hacker AIO

ExelabVideoKurs

repo.Malekal

FeliksPack3

Websites to follow:

Woodman RCE, Tuts4PC, OpenRCE, etc.

Page 39

>_Add-Calendar

iHACK 2016

JUNE 11, 2016

Come in numbers…

HACKFEST

Page 40

>_Set-Merci

>_Get-Questions ?

"Setec Astronomy" is an anagram of "too many secrets"!

Another way of "reversing"

Page 41

HACKFEST