Irregular Expressions » tools

Working With Packed / Protected Executables

Dan O'Connor — Sat, 18 Aug 2012 05:39:43 +0000

First I have to say that I dislike having to do this. My main problem is that if you are going to take the time to pack and attempt to protect your EXE, it’s obvious that you are up to no good.

For legitimate applications there is times when you would want to do this, but if it’s some random EXE from a payload…

In my cases I try to avoid working with the source file, I will do as much as possible by running it a lab. But you can miss timed actions and other types of triggers. Also there is hardly a magic bullet to deal with these, as a start I use PEiD. After that is all about what packs that EXE and you tracking it down. If a generic tool won’t unpack it you are in for a fun day looking for something.

In other cases if the file is packed all at once, but it does not have any defense mechanisms you can dump the running EXE from memory. Sometimes you can have a file that has multiple sections packed, then you can mix in some anti-analysis tools and its not a enjoyable process.

New Tool

Dan O'Connor — Wed, 27 Jun 2012 18:20:12 +0000

Mandiant has added a new tool to their repository.

http://www.mandiant.com/resources/downloads/

It’s a memory analysis tool for Macs.

https://blog.mandiant.com/archives/2866

I can’t wait for an excuse to use it for something constructive. You will find tools like this extremely useful when investigating issues of possible infections or strange behaviour.

Update to WinAUTOPWN

Dan O'Connor — Wed, 27 Jun 2012 17:57:12 +0000

Fun little framework to play with.

http://120.61.144.194/w/

I usually prefer *nix based tools but it’s always good to have a spare around.

New favorite toy

Dan O'Connor — Wed, 27 Oct 2010 18:53:11 +0000

Dropbox is my new favorite toy, it can do automatic online backup and works on Linux, Mac, Windows and mobile devices. This includes the iPhone and iPad.

This is a great tool for synchronizing files to your mobile device.

http://www.dropbox.com/

One thing I wish I could do, and maybe i am just missing it. Is I want to take files that I am working on, like something in Keynote and save it or move it into my dropbox.

learning to use nmap

Dan O'Connor — Tue, 26 Oct 2010 04:44:37 +0000

For those that do not know this, when you are learning to use nmap and would like a target that is on the internet and wont get your door knocked on.

You can use scanme.nmap.org.

You can http to it and it has a banner explaining also.

Enjoy.

# nmap -A -T4 scanme.nmap.org

Starting Nmap 5.21 ( http://nmap.org ) at 2010-10-26 04:39 UTC
Nmap scan report for scanme.nmap.org (64.13.134.52)
Host is up (0.039s latency).
Not shown: 990 filtered ports
PORT      STATE  SERVICE     VERSION
21/tcp    open   ftp?
22/tcp    open   ssh         OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 60:ac:4d:51:b1:cd:85:09:12:16:92:76:1d:5d:27:6e (DSA)
|_2048 2c:22:75:60:4b:c3:3b:18:a2:97:2c:96:7e:28:dc:dd (RSA)
25/tcp    closed smtp
53/tcp    open   domain
70/tcp    closed gopher
80/tcp    open   http        Apache httpd 2.2.3 ((CentOS))
|_html-title: Go ahead and ScanMe!
113/tcp   closed auth
554/tcp   open   rtsp?
7070/tcp  open   realserver?
31337/tcp closed Elite