Home
Travis Mathison
Cancel

Finding the start of Emotet malware in MFC app

Intro Sometimes you need to dig a little to really find where the start of malicious code is in a binary. Sometimes it is not obvious from static analysis how exactly code flows to the malicious p...

Searching IAT for DLLs

Intro With a given binary it is very simple to view the Import Address Table (IAT) and see what DLLs it imports and further, what functions are used within those DLLs. In my case, I needed to do t...

PEB/TEB/TIB Structure Offsets

Intro This is really more of a reference table post to show the PEB/TEB/TIB structure notable offsets that are commonly seen in malware as it performs references after fetching the Process Environm...

Manually Unpacking Malware (part 2)

Intro This is a follow on to the first post on this, Manually Unpacking Malware, where I talked about a way to break on the real entry point of a packed malware sample. This is a second technique ...

Manually Unpacking Malware

Intro This post is intended to show one technique that can be used in an attempt to unpack a sample that is suspected to be packed by either a known packer or something unknown or even custom. The...

Digging into obfuscated excel formula code

Intro A large amount of malware that targets businesses is through phishing attacks, and that is no different where I work. We have been getting an influx of excel attachments in phishing document...

Ghidra error: Unable to locate the DIA SDK

Ghidra error on auto-analysis In my flarevm using Windows 10 I have Visual Studio 2019 Community edition installed for building C/C++ programs as needed. When performing the initial auto-analysis ...

Getting Started with Ghidra and FlareVM

Goal This is a quick guide to get you started on installing FlareVM by FireEye and setting up Ghidra for reverse engineering malware. The FlareVM installation is a script you can run that will turn...

OSCE Review

General thoughts With past experience with Offensive Security, the training format was familiar which sped things up a bit for consuming the content. The Offensive Security Certified Expert (OSCE)...

SLAE32: Creating custom crypter shellcode

The blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-e...