Tuesday, November 5, 2013

!apilookup - Win32 API Function Reference Locator for ImmunityDebugger

Hidey-ho everyone!

Well, after a long time being busy with a lot of stuff, I am finally back with a very nice goodie for you. As you have seen, I am a big fan of ImmunityDebugger -but also of the old friend OllyDBG, of course- and after some time I finally decided to get hands-on and make a plug-in.

Let me introduce you to the "!apilookup - Win32 API Function Reference Locator for ImmunityDebugger". The aim of this PyCommand is to provide quick access to the Win32 API function references that are commonly needed during debugging sessions. Yep! NO MORE Googling "getprocaddress win32 api". Instead, in the ImmunityDebugger command bar just type this command: !apilookup getprocaddress and you get direct access to the reference for the required function. - Applause!

Actually, one good point to note is that you don't need to type the whole function name: !apilookup isdebuggerpresent and !apilookup isdebug give back the same results. RegEx r0x XD

For instance:


At this point I am pretty sure you are wondering How The F**k I got the Win32.HLP as a .CHM? Well, after a lot of time searching for Win32API.chm with no success, I decided to make it myself. Support for .HLP files is no longer present in new versions of Windows, and many of the good old help files, such as those for OllyDBG, ImmDBG and others, are in that format. No PANIC. I have the CHM version of those too, but that's for a different post.

OK, so now you know how !apilookup works; this is how to get it. ]¬)

Installation steps:
  1. Download the package from my git repo here.
  2. Unrar and run the executable as Admin. - The exe looks malicious but it is not - promise. XD
  3. Open ImmunityDebugger and in the command bar type: !apilookup <function>
  4. Enjoy!
I know there's an almost identical tool made by the master @MarioVilas, which offers on-line and up-to-date API references, so maybe you can use my "off-line" version when you don't have Internet access, like in my case when debugging on the bus or from any isolated location.

That's all. Comment and share!

Sunday, October 20, 2013

CHR1X'S REVERSING CHALLENGE: vuln1.exe

Hello everyone,

I am here again, a little more active than in the previous weeks. Now, I have a challenge for YOU. I've been very interested in Binary Analysis for some time; as you may know this is not an easy task, and in order to do it you must mainly be able to understand C/ASM code.


So, what's the challenge? The objective is not to trigger the vulnerability; in other words, don't think the target is to control EIP -which you actually can do- but not in this case. Instead, you should be able to describe the root cause of the vulnerability, how you found it, and the steps you followed to find it using the tools of your choice, say a Debugger, IDA or whatever.

The target file is a simple executable that you can download from here:

http://www42.zippyshare.com/v/49161100/file.html

To have a closer look at what I am expecting as a solution write-up, it's something like this:

http://secunia.com/gfx/pdf/Binary_Analysis_813.pdf

I truly believe that these practices are very good to reinforce or learn new things related to binary analysis.

Those who join the challenge can send their solution to my e-mail. BTW, the submitted solutions will be published here.

Friday, October 18, 2013

My new MalwareBytes - Anti-exploit T-Shirt!

Yep! I am very happy because I just got my MalwareBytes T-shirt. I really agree with the mindset of "Because every day is a zero-day". I really like it, look:


I would like to say thanks to Marcin and the MalwareBytes Team for giving me this nasty gift. 

But what is the MalwareBytes - Anti-Exploit product?

Well, this is a brand new product, which can be downloaded for free from here: http://www.malwarebytes.org/products/antiexploit/. Basically it is a product that protects against exploit attempts targeting applications such as browsers (Firefox, Chrome, IE, Opera) and other desktop applications such as Java, MS Word, VLC Player and more.

Here is the screenshot:


This protection software reminds me of "The Enhanced Mitigation Experience Toolkit" (EMET). Here is a good video explaining what that product does: http://technet.microsoft.com/en-us/security/ff859539.aspx.

A benchmark like MB Anti-Exploit vs EMET would be good. ]¬)


Thursday, October 17, 2013

Binary Auditing Training Package - Vulnerability Analysis Challenges (stack4.exe) - ImmunityDebugger

Hello mates, I am back again! Yeah, ph33r! hehe

Now I am releasing the new video-tuto with the solution for stack4.exe, which is part of the "Vulnerability Analysis Challenges" from http://www.binary-auditing.com.

This one was particularly tricky, since it involves little details related to control codes, specifically the CRLF characters. It seemed to be the simple assignment to EAX we have seen in the previous challenges, but it IS NOT; instead, the party is starting, since we now need to redirect the program's execution flow. Oh yeah baby!!!!11 ]¬)

As always, if you have any questions or comments, please feel free to send me anything you want to my e-mail address (chr1x@izpwning.me) or, better, post your comments on the YouTube channel.



Previous Solutions/Challenges:

STACK1 - http://chr1x.izpwning.me/2013/08/binary-auditing-training-package.html
STACK2 - http://chr1x.izpwning.me/2013/09/binary-auditing-training-package.html
STACK3 - http://chr1x.izpwning.me/2013/09/binary-auditing-training-package_22.html

Sunday, September 22, 2013

The Ruby Pen-tester: When the tools are no longer enough (BugCon 2013)

This is my presentation for BugCon 2013, in which I addressed the topic of developing ad-hoc tools using the Ruby language instead of only relying on the traditional tools when running penetration tests. In this same talk I refer to a fictitious case in which a specific objective must be reached, and for that reason I explain the development, from start to finish, of the tool that will cover the stated need.



Both the generated code and the presentation can be downloaded from my github at: https://github.com/chr1x/s0nsofg0d_e-mail_Harvester/

From my perspective, I have realized that having the ability to build your own tools gives you the opportunity to find very specific vulnerabilities which, as many of us know, commonly used tools are not able to identify. The pentester can use a combination of commercial/open-source tools and their own, and in the end you will see that you always get more and better results.

Binary Auditing Training Package - Vulnerability Analysis Challenges (stack3.exe) - ImmunityDebugger

Hello everybody,

Today I am showing the solution for the stack3.exe challenge, which as you may know is part of the "Vulnerability Analysis Challenges" from http://www.binary-auditing.com.

This one is very similar to the previous ones, and I would suggest watching the previous video-tutos for stack{1,2}.exe in order to understand what I am doing in the next challenges.


Suggestions? Comments? Drop me an e-mail: chr1x@izpwning.me

Links: 
Binary Auditing Training Package (http://www.binary-auditing.com)

Friday, September 6, 2013

Binary Auditing Training Package - Vulnerability Analysis Challenges (stack2.exe) - ImmunityDebugger

Hello everybody,

This week I had some free time and worked on the next challenge, stack2.exe, of the "Vulnerability Analysis Challenges". This one was very nice, since it seems very similar to the stack1.exe challenge, but this time we need to get past a little dirty trap. I can honestly say that I had a good time trying to solve this challenge.

For new visitors, I would like to invite you to my previous video-tutorial, where I show the solution to the stack1.exe challenge. That way you can understand the new ones very well, since I am not re-explaining certain concepts I already covered.


Suggestions? Comments? Drop me an e-mail: chr1x@izpwning.me

Links: 
Binary Auditing Training Package (http://www.binary-auditing.com)

Sunday, August 25, 2013

Binary Auditing Training Package - Vulnerability Analysis Challenges (stack1.exe) - ImmunityDebugger

This is the first video I made for the "Binary Auditing Training Package" of http://www.binary-auditing.com. If you are already familiar with the package you'll see that it contains LOTS of challenges, and I decided to go to chapter 10, "Vulnerability Analysis", for no reason in particular; basically because it sounds sexy. hehe.

Today I am presenting the solution for the first challenge, which basically consists of solving /010 - vulnerability analysis/01_warming_up_on_stack/stack1.exe from the package, playing around with the stack through buffers using ImmunityDebugger as the main tool. I am going to create the same solution again, but using the IDA disassembler.

It is good to mention that all of the challenges in this chapter are Gera's old InsecureProgramming challenges compiled as Windows executables. Originally, researchers interested in source-code auditing could use those challenges -written in C- to understand what the code looks like and then identify/exploit the vulnerabilities contained in it. Of course we can get the source for all the challenges, but we are good boys, we are not cheating, and our target is to solve the challenges from a Reverse Code Engineering (RCE) perspective.

That said, here is the video:



Suggestions? Comments? Drop me an e-mail: chr1x@izpwning.me

Links: 
Binary Auditing Training Package (http://www.binary-auditing.com)

Thursday, August 22, 2013

The Binary Auditing Training Package (chr1x's Walkthrough)

Some time ago, browsing the Internetz, I found a very very nice resource for those who are interested in learning BA (Binary Analysis) using tools such as IDA Pro. This resource comes in the shape of a training package called "Free IDA Pro Binary Auditing Training Material for University Lectures". The training is a complete set of material along with different "challenges" (Crackme's and ReverseMe's, sound familiar?) included in the same package with the aim of testing your new knowledge. Nasty, right?

Since I am a guy who LOVES challenges, I've decided to start solving the included challenges as a self-learning practice. I am going to publish the challenges in video format just to give you an easy and graphical view of the way I solved them.

It is good to mention that I am not just doing dead-code analysis using IDA; I am also planning to follow the flow on the dynamic side (using a Debugger) in order to get a good understanding of how to analyze -or which tools to use- depending on the target/situation.

As soon as I complete each challenge, I will update this blog, so I'd suggest you subscribe to the blog and you will get notified once new content is uploaded.

I am going to advance as my spare time permits. It's not a promise, but I'll try to upload stuff regularly.

Final words:

I would like to extend my gratitude to Dr. Thorsten Schneider for giving us the opportunity to access such an amazing resource FOR FREE.

Links:

The Binary Auditing Training / Official website: http://www.binary-auditing.com/
The Binary Auditing Training Package (zip file) can be obtained directly from here.
- Zip password: fdcd2ff4c2180329053650f3075d39f4
- MD5 Hash: c2b4720549b3410385087fa1b1e28bc7


Sunday, August 11, 2013

Tool update: MagicNumber Scanner v1.1.0

UPDATE: I'm glad to announce that my friend preth00nker and I worked together on the new version (v1.1.0) of MagicNumber Scanner.

CHANGELOG
===========

v1.0
  • Initial version
v1.1.0
  • Converting to class code
  • Refactoring code
  • Adding rspec test files
  • Adding HTML capability

You can grab your copy directly from git:

https://github.com/chr1x/magicnumscanner/

Download it, test it, and let us know if you find any bugs or if you want to contribute to the signatures db.

Thanks!

-chr1x

Friday, August 9, 2013

Pwning Everywhere: The Bus Android Tablet

Hello everybody,

This new section is called "Pwning Everywhere"; here I will basically post -as the name says- all the coolest hacks I make on software, hardware or any weird thing that crosses my way.

This time, being the very curious guy I am, while traveling on a bus I was very bored, so I tried to watch some horror movies on the Android tablet located in front of the seat. I started looking for something good to watch -nothing- and then decided to explore a bit. After poking around for some time, this is what I found:

Access to the config



Access to the File system (looking for the horror movies) hehe


Access to the File system


Found a functionality to execute a shell!


Application shell access!


This was the first time I worked with Android and I think it was not so bad after all, but bad for my neck!

NOTE: I did not modify/delete anything, for those who are scared about cracking actions. hehe

Thanks for watching.

-chr1x

Thursday, August 8, 2013

Tool release: MagicNumber Scanner v1.0

Hello everybody,

As you may know, certain activities in Reversing -like malware analysis- require a lot of tasks that can be automated using scripting languages, and a big question comes up here: "How can I do it? How does it work?". In order to try to find an answer to those questions, I decided to start exploring how to use Ruby from the "binary" perspective.

There are a lot of different ways to deal with binary data; in this case I found that the simple "File" method can do the job. One important thing here is that you should "open" the file in read-only AND binary mode, otherwise you will get a lot of bad stuff in terms of processing the right data.

As a result of this little research I wrote a tool called "MagicNumber Scanner v1.0", which is basically a tool that receives a file as input and tries to identify the file type based on file signatures, or in other words, the "Magic numbers".

I didn't try to reinvent the wheel, since you can actually use the "file" *nix/linux command, but in this case I am adding a little bit more information, like a URL generated from the identified file extension that you can visit if you have any doubt about what the file is, what program you can use to open it, and so on.

Below are some screen captures:

Screenshot #1: Results when scanning an EXE file


Here we have a second case where I arbitrarily renamed a file from .gif to .zip, and the tool shows how the magic-number detection identifies that the real file type is in fact GIF.

Screenshot #2: Results when scanning a fake ZIP file (originally is a GIF file)


Features:
  • Magic-number scanning based on a simple signature list.
  • Automatically generates a URL with the identified extension pointing to the http://filext.com/ website. (e.g. http://filext.com/file-extension/EXE)
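
As an added example (not the MagicNumber Scanner's own code, which lives in the git repo linked above), here is a minimal magic-number check written the way the post describes: open the file in read-only binary mode, compare its first bytes against a signature table, build the filext.com URL from the detected extension, and flag the renamed-extension case from Screenshot #2 by comparing the detected type with the extension the file name claims. The signature table, the sample files and the function names are constructed for this example.

```ruby
require "tmpdir"

# Constructed signature table for this example: [extension, offset, magic bytes].
# The real tool keeps its own signature list; only well-known values are used here.
SIGNATURES = [
  ["EXE", 0, "MZ".b],                 # DOS/PE header
  ["GIF", 0, "GIF87a".b],
  ["GIF", 0, "GIF89a".b],
  ["ZIP", 0, "PK\x03\x04".b],         # ZIP local file header
  ["PNG", 0, "\x89PNG\r\n\x1a\n".b],
  ["PDF", 0, "%PDF-".b],
].freeze

MAX_HEADER = 16 # enough bytes to cover every signature above

# Read the first bytes of the file in read-only AND binary mode ("rb"):
# text mode would translate newlines and apply a text encoding to the bytes.
def read_header(path)
  File.open(path, "rb") { |f| f.read(MAX_HEADER) || "".b }
end

# Compare the header against each signature at its offset; first match wins.
def identify(header)
  SIGNATURES.each do |ext, offset, magic|
    return ext if header.byteslice(offset, magic.bytesize) == magic
  end
  nil
end

# Build the filext.com lookup URL from the detected extension, as the post describes.
def filext_url(ext)
  "http://filext.com/file-extension/#{ext}"
end

# Scan one file: detected type, type claimed by the file name, and whether they disagree.
# A disagreement is the "fake ZIP that is really a GIF" case from Screenshot #2.
def scan(path)
  detected = identify(read_header(path))
  claimed = File.extname(path).delete_prefix(".").upcase
  claimed = nil if claimed.empty?
  {
    path: path,
    detected: detected,
    claimed: claimed,
    mismatch: !detected.nil? && !claimed.nil? && detected != claimed,
    url: detected ? filext_url(detected) : nil,
  }
end

# Constructed sample files written to a temp dir; "fake.zip" is a GIF renamed to .zip.
def demo
  samples = {
    "real.gif"  => ("GIF89a" + "\x00" * 10).b,
    "fake.zip"  => ("GIF89a" + "\x00" * 10).b,
    "tool.exe"  => ("MZ" + "\x90" * 14).b,
    "notes.txt" => "just text".b,
  }
  Dir.mktmpdir do |dir|
    samples.each { |name, bytes| File.binwrite(File.join(dir, name), bytes) }
    samples.keys.map { |name| scan(File.join(dir, name)) }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each do |r|
    flag = r[:mismatch] ? " (extension mismatch!)" : ""
    puts "#{File.basename(r[:path])}: #{r[:detected] || 'unknown'}#{flag} #{r[:url]}"
  end
end
```

The check only trusts the bytes, never the name: for "fake.zip" the scanner reports GIF and sets the mismatch flag, which is exactly the signal you want when triaging samples whose extension was chosen by someone else.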
TODO:

  • Generation of HTML report that shows more information about the file extension.

I had a great time researching how to do such *things* in Ruby. I did the same in the past and really liked it as well, but it is always good to know how to do it using different languages.

I would recommend you download the code and see what I did, then try to replicate the same thing but for a different purpose. Remember, the sky is the limit.

How to install:

From git, or you can download the .rb file from here, or the .exe version from here.

If you find any bugs, let me know. 

...and like Jason Hawes from TAPS/GhostHunters says: Onto the next. 

Thanks! ]¬)

Sunday, August 4, 2013

PE101 - a Windows executable walkthrough

I found a very nice reference for the PE executable format. It gives a very deep explanation of a "dissected PE" structure from a graphical hex-editor perspective. Enjoy!

Screenshot


You can get it from here.

Malicious Software and its Underground Economy: Two Sides to Every Story - My experience

Hello everybody,

As many of you may know, Royal Holloway, University of London, along with Coursera, joined forces and opened to the Internet a free-of-charge course called "Malicious Software and its Underground Economy: Two Sides to Every Story". This course was made by a couple of researchers, mainly Dr. Lorenzo Cavallaro, who is a wonderful guy with very broad experience in the field as well as high technical skill regarding malware-related topics.

Basically, the 6-week-long course was amazing and very educational, going from theoretical material (bonus quizzes) to a practical/reversing challenge -with some anti-debugging tricks-, the latter if you wanted to get a *distinction* on the certificate. Fortunately, I completed and passed all the quizzes on the first attempt and also completed the Reverse Engineering challenge (in a couple of minutes, actually) ]¬P.

What did I learn? Well, I found very useful information regarding botnets and mobile malware, as well as how Internet gangs operate to perform certain activities. I believe that, from a researcher's perspective, this can allow us to enrich/increase our knowledge and identify new lines of investigation as well as fresh techniques to detect this kind of malicious activity.

I support universities opening up and giving opportunities to all the people who cannot attend -physically speaking- the university, like in this case.

I had a great time taking the course as well as solving the RCE challenge. Also, I would like to thank Dr. Lorenzo for all the good content and effort provided within the course.

Now, let's wait for my certificate. ]¬)

Course link: https://class.coursera.org/malsoftware-001/index