Travis Mathison

Hex-Rays IDA Tips and Tricks

Hex-Rays tips and tricks for IDA Pro. Igor Skochinsky of Hex-Rays presents a new IDA Pro tip every week. This is more of a pointer toward a “season 1” compilation of these tips and to the Hex-Rays b...

NPM COA@2.0.3 DanaBot Dropper

Table of Contents Executive Summary Actions leading to a DanaBot secondary payload Visual path of execution What gets dropped? IOCs Technical Analysis ...

Malware Report: CTS

Table of Contents Executive Summary Initial binary Infected binaries MITRE Attack Matrix Indicators of Compromise Threat intel insights Technical Anal...

RC4 Crypto Usage in Malware

Table of Contents Intro The malware sample used in this blog post The KSA and PRGA functions Observing call into function Key-scheduling algorithm (KSA) KSA identity permutatio...
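The post excerpt above names the two halves of RC4 that show up as separate routines in malware: the key-scheduling algorithm (KSA), which starts from the identity permutation and swaps the table under control of the key, and the pseudo-random generation algorithm (PRGA), which walks the table to emit a keystream. The following is an added example, not code from the original post; it implements both halves in plain Python so the shapes can be compared with what appears in disassembly, and adds a small identity-permutation check of the kind used when dumping a suspected S-box from memory. The key and plaintext are the published RC4 test vector ("Key" / "Plaintext"); the function names are my own.

```python
"""RC4 split into the KSA and PRGA routines a reverse engineer looks for.

Added illustration, not the blog post's own code. Test vector: key b"Key",
plaintext b"Plaintext" -> ciphertext bbf316e8d940af0ad3 (published vector).
"""


def ksa(key: bytes) -> list:
    """Key-scheduling algorithm.

    Starts from the identity permutation S[i] = i and then performs 256
    key-dependent swaps. In disassembly this is the tell: a 0..255 fill
    loop followed by a swap loop that indexes the key with i % len(key).
    """
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))  # identity permutation before the key is mixed in
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def prga(s: list, n: int) -> bytes:
    """Pseudo-random generation algorithm: produce n keystream bytes.

    Works on a copy so the caller's S-box (e.g. one dumped from memory)
    is left untouched and can be re-run from the same state.
    """
    s = s[:]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: RC4 is XOR with the keystream, so it is symmetric."""
    stream = prga(ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def is_identity_permutation(s: list) -> bool:
    """True if a dumped 256-entry table is still 0..255 in order.

    An unmodified table means the KSA has not run yet (or the dump was
    taken before the key was applied), which matters when deciding where
    to set a breakpoint to capture the key-mixed S-box.
    """
    return len(s) == 256 and all(s[i] == i for i in range(256))


if __name__ == "__main__":
    ct = rc4(b"Key", b"Plaintext")   # constructed input: published test vector
    print(ct.hex())                  # bbf316e8d940af0ad3
    print(rc4(b"Key", ct))           # b'Plaintext'
    print(is_identity_permutation(list(range(256))), is_identity_permutation(ksa(b"Key")))
```

When a sample rolls its own RC4, the KSA and PRGA are often inlined or separated by a long gap; confirming the routine by feeding the recovered key through `rc4()` and checking that a known encrypted blob decrypts to plausible data is faster than reading every swap.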

Resolving IAT with AGDCservices Scripts

Table of Contents Intro Attribution My IDA Pro 7.6 plugin scripts (rough conversion of theirs) Details Color coding instructions IAT Resolution The IDA Pr...

String and function hiding techniques

Table of Contents Intro The malware sample used in this blog post Visual of observed flows Notable Techniques Hiding strings via single byte pushes to stack Getting DllBase...

Malware decrypting into new memory maps

Table of Contents Intro The malware sample used in this blog post Dealing with decoded bytes into new memory map Memory allocation and passing control Viewing new bytes in ID...

Finding the start of Emotet malware in MFC app

Intro Sometimes you need to dig a little to really find where the start of malicious code is in a binary. Sometimes it is not obvious from static analysis how exactly code flows to the malicious p...

Searching IAT for DLLs

Intro With a given binary it is very simple to view the Import Address Table (IAT) and see what DLLs it imports and further, what functions are used within those DLLs. In my case, I needed to do t...

PEB/TEB/TIB Structure Offsets

Intro This is really more of a reference table post to show the PEB/TEB/TIB structure notable offsets that are commonly seen in malware as it performs references after fetching the Process Environm...