Thursday, February 23, 2012

URLs to Learn Malware Analysis, RCE

The following links are useful for learning Malware Analysis, Reverse Code Engineering (RCE) and related topics.

http://forum.tuts4you.com/index.php
http://www.woodmann.com/TiGa/idaseries.html
http://www.openrce.org/articles/
http://www.kernelmode.info/forum/index.php
http://crackmes.de/

Debugging Book
http://advancedwindowsdebugging.com/portal/portal_downloads.htm


Step 1: Learn C/C++/Delphi etc. You can't reverse engineer if you can't forward engineer.
Step 2: Learn x86 assembly - http://opensecuritytraining.info/IntroX86.html (includes videos)
Step 3: Learn x86 architecture - http://opensecuritytraining.info/IntermediateX86.html (includes videos)
Step 4: Learn PE binary format - http://opensecuritytraining.info/LifeOfBinaries.html (includes videos)
Step 5: Learn about IDA & general RE thought process - http://opensecuritytraining.info/IntroductionToReverseEngineering.html (video pending)
Step 6: Learn about some stealth malware techniques - http://opensecuritytraining.info/Rootkits.html (includes videos)
Step 7: Learn more by encouraging other people to submit their own class material - http://opensecuritytraining.info/Why.html
http://opensecuritytraining.info/Training.html

Also worth checking out: http://www.accessroot.com/arteam/site/news.php
Another set of good tutorials: http://portal.b-at-s.net/download.php

Some Sites
http://j00ru.vexillium.org/
http://www.analyze-v.com/
http://byteworm.com/
http://blog.zemana.com/2012/05/kaynaklar.html
http://fumalwareanalysis.blogspot.in/p/malware-analysis-tutorials-reverse.html
http://thelegendofrandom.com/blog/sample-page
http://beginners.re/

Live Malware Samples
http://www.offensivecomputing.net/
http://www.malwaredomainlist.com/
http://www.malc0de.org/database
http://www.virussign.com/index.html
http://www.vx.netlux.org/
http://openmalware.org/
http://virusshare.com/
https://twitter.com/MalwareChannel
http://www.vxheavens.com/
http://malshare.com/
https://avcaesar.malware.lu/
http://www.malwareblacklist.com/showMDL.php
https://malwr.com/
http://secuboxlabs.fr/
http://www.virusign.com/

Other useful sources
http://zeltser.com/combating-malicious-software/malware-sample-sources.html
http://reverseengineering.stackexchange.com/questions/206/where-can-i-as-an-individual-get-malware-samples-to-analyze
http://reverseengineering.stackexchange.com/questions/265/where-to-find-free-training-in-reverse-engineering

Suspicious files can be analyzed at
https://www.virustotal.com/

Malicious PDF Files
http://filex.jeek.org/archive_PDF.zip

Android Malware Samples
http://contagiodump.blogspot.in/
http://www.malgenomeproject.org/

For Mac OS X related resources, refer
http://darshanams.blogspot.in/2012/05/mac-os-x-infector-and-research.html

Tools
IDA/Olly/WinDBG
ImpREC
LordPE
Sysinternals Tool Suite
Exeinfo PE/ PEiD
PEstudio
CFF Explorer
FileAlyzer
PEview

Let me know about new sites and I will update this list here :-) !!!

Tuesday, January 31, 2012

10 must-read Books for Developers

I liked the article, so I am reposting it. Hope you enjoy it !!!

Blog site Stackoverflow posed an interesting question: "If you could go back in time and tell yourself to read a specific book at the beginning of your career as a developer, which book would it be?"
The accumulated wisdom of Stackoverflow readers posted over the past three years reads like a who's-who of the programming book industry, but several missing titles caught my eye.
Here's the Stackoverflow list:
"Code Complete" by Steve McConnell (2004). Tackles every facet of programming, with tons of examples.
"The Pragmatic Programmer" by Andrew Hunt and David Thomas (1999). Concentrates on nitty-gritty real-world approaches to solving problems through code.
"Structure and Interpretation of Computer Programs" (2nd Edition, 1996) by Harold Abelson, Gerald Sussman, and Julie Sussman. Concentrates on breaking big problems down into little ones, and ensuring the pieces come back to build the whole. The book is available under the Creative Commons Noncommercial License, for free on the Web.
"The C Programming Language" (2nd Edition, 1988) by Brian Kernighan and Dennis Ritchie. Not only offers the definitive guide to C, but shows you how to program in general. My personal choice for the most important first book.
"Introduction to Algorithms" by Thomas Cormen, Charles Leiserson, Ronald Rivest, and Clifford Stein (2009). Gives fast ways to solve complex problems, using the right data structures. Comprehensive and quintessentially useful.
"Refactoring: Improving the Design of Existing Code" by Martin Fowler, Kent Beck, John Brant, and William Opdyke (1999). Shows you how to rebend a programming pretzel, taking poorly designed code and turning it into something even humans can understand.
"Design Patterns: Elements of Reusable Object-Oriented Software" by Erich Gamma, Richard Helm, Ralph Johnson, and John Vlissides (1994). Serves as a reference of object oriented techniques. I'm surprised to see this on a list of "beginning of your career" books because it's much more suitable for people with a lot of OOP under their belts.
"The Mythical Man-Month" by Frederick Brooks (1995). A management classic in the finest tradition. While not a programming book, a must-read for every developer.
"The Art of Computer Programming, Volume 1: Fundamental Algorithms" (3rd Edition, 1997) by Donald Knuth. For anyone with a mathematical predilection, Volumes 1 and 3 ("Sorting and Searching") stand out as true bibles of the industry. With Volumes 2 ("Seminumerical Algorithms") and 4A ("Combinatorial Algorithms, Enumeration and Backtracking") published, plans are still in place for Volume 4B ("Graph and Network Algorithms"), Volume 4C (maybe Volumes 4D and 4E, "Optimization and Recursion"), Volume 5 ("Syntactic Algorithms"), Volume 6 ("Context-Free Languages"), and Volume 7 ("Compiler Techniques").
"Compilers: Principles, Techniques and Tools" (2nd Edition, 2006) by Alfred Aho, Monica Lam, Ravi Sethi, and Jeffrey Ullman. The 1,000-page "dragon book" focuses on compilers, but in so doing covers topics every developer should understand.
What's missing? I mentioned Knuth's Volume 3, but several others pop out.
If you veer off the developer-centric track for a moment, many classics would broaden the horizons of any aspiring analyst. "Gödel, Escher, Bach" by Douglas Hofstadter (1979) and "Zen and the Art of Motorcycle Maintenance" by Robert Pirsig (1974) always come up as manifestos of the developer class.

Sticking to developing, though, I'm surprised that these didn't make the top 10:
"Clean Code: A Handbook of Agile Software Craftsmanship" by Robert Martin (2008), emphasizes the importance of building code that can be digested, working through lots of real-world examples. It covers some of the same ground as Martin's earlier book, "Agile Software Development," and sets the stage for Martin's new book, "The Clean Coder."
"Code: The Hidden Language of Computer Hardware and Software" by Charles Petzold (2000) should be on the short list of everyone who's involved in the computer industry, developer or not. Petzold covers the basics -- number systems, high-level languages, comm protocols, hardware, GUIs -- and doesn't overwhelm with jargon.

For anyone destined to a corporate IT job, these three should be required reading:
"Patterns of Enterprise Application Architecture" by Martin Fowler (2002) helps corporate developers recognize common patterns in real-world problems, and digs into solution details for each pattern.
"Coders at Work" by Peter Seibel (2009) takes case histories -- which is to say, influential developers' real-life stories -- and weaves them into a powerful view of how 15 of the industry's best and brightest kicked some serious technical butt.
"Peopleware" (2nd edition, 1999) by Tom DeMarco and Timothy Lister emphasizes the human element in software development and how to put together a project that actually gets work done.

I won't say that list is definitive, but if there's a nascent developer, developer wannabe, or burned-out developer seeking inspiration in your circle of friends, do them a favor and get them one of these books.

This story, "10 must-read books for developers", was originally published at InfoWorld.com.

Happy Reading ;-) !!!

Wednesday, January 25, 2012

SOC Interview Questions 1

Below are questions collected from friends who attended interviews for Security Operations Center (SOC) roles.

Difference between a probe and a scan.
Difference between a security event and a security incident.
What is incident response (IR)?
How would you carry out network forensics?
How would you carry out memory forensics?
What is an APT (Advanced Persistent Threat)?
What is an IOC (in the context of APT)?
What is ROT13?
What is C2 (Command and Control)?
Difference between a normal threat and an APT?
Vulnerability vs Threat vs Exploit vs Risk.
Different evasion techniques used by malware?
Different ways of compressing malware?
What is a threat agent?
Explain drive-by downloads.
Difference between symmetric and asymmetric encryption?
How do you acquire a forensic image without modifying the integrity of the data on the PC/laptop?
(http://darshanams.blogspot.com/2010/09/forensics-1-extracting-image.html)
What is the size of CPU registers? Are registers the same across different CPUs?
How do you change the Linux root password?

The following articles might be of interest:
http://darshanams.blogspot.in/2012/05/cain-and-abel-password-cracking.html
http://darshanams.blogspot.in/2011/09/portable-document-files.html
http://darshanams.blogspot.in/2011/05/snort-logging-alerts-to-syslog-server.html

I will come up with more questions once I get in touch with other friends.

Endianness: Different Processors

Endianness refers to the byte order in which multi-byte data is stored in memory by different processors. For details about endianness you can refer to
http://en.wikipedia.org/wiki/Endianness

We will run the code below on two different CPU architectures, Intel and MIPS.
*******Start of Code endi.c ********
#include <stdio.h>
#include <arpa/inet.h>   /* htonl(), htons(), ntohl(), ntohs() */

int main()
{
        /* the 32-bit magic values are kept unsigned so they print cleanly in hex */
        unsigned int magiclhtona, magiclntoha, magiclhton1, magiclntoh1;
        int htonli2, htonsi2, ntohli2, ntohsi2, htonli6, htonsi6, ntohli6, ntohsi6;
        magiclhtona = htonl(0xa1b2c3d4);
        magiclntoha = ntohl(0xa1b2c3d4);

        magiclhton1 = htonl(0x1f8b0800);
        magiclntoh1 = ntohl(0x1f8b0800);

        htonli2 = htonl(25);
        htonsi2 = htons(25);
        ntohli2 = ntohl(25);
        ntohsi2 = ntohs(25);

        htonli6 = htonl(65535);
        htonsi6 = htons(65535);
        ntohli6 = ntohl(65535);
        ntohsi6 = ntohs(65535);

        /* %#x prints the magic values as 0x... hex; the rest are printed as signed decimal */
        printf("magiclhtona=%#x magiclntoha=%#x,magiclhton1=%#x, magiclntoh1=%#x, htonli2=%d htonsi2=%d ntohli2=%d ntohsi2=%d, htonli6=%d, htonsi6=%d, ntohli6=%d, ntohsi6=%d\n", magiclhtona, magiclntoha, magiclhton1, magiclntoh1, htonli2, htonsi2, ntohli2, ntohsi2, htonli6, htonsi6, ntohli6, ntohsi6);
        return 0;
}
*******End of Code endi.c ********
To understand the output we need to know the endianness of the processors we are using:
Intel: Little Endian
MIPS: Big Endian

Output on Intel processor
[praveen]# ./endi
magiclhtona=0xd4c3b2a1 magiclntoha=0xd4c3b2a1,magiclhton1=0x88b1f, magiclntoh1=0x88b1f, htonli2=419430400 htonsi2=6400 ntohli2=419430400 ntohsi2=6400, htonli6=-65536, htonsi6=65535, ntohli6=-65536, ntohsi6=65535

Output on MIPS processor
praveen# ./endi
magiclhtona=0xa1b2c3d4 magiclntoha=0xa1b2c3d4,magiclhton1=0x1f8b0800, magiclntoh1=0x1f8b0800, htonli2=25 htonsi2=25 ntohli2=25 ntohsi2=25, htonli6=65535, htonsi6=65535, ntohli6=65535, ntohsi6=65535
praveen#

Modify the endi.c source file by adding the code below:
        int htonli8 = htonl(65538);
        int htonsi8 = htons(65538);   /* 65538 is truncated to 16 bits (2) before conversion */
        int ntohli8 = ntohl(65538);
        int ntohsi8 = ntohs(65538);
        printf("htonli8=%d, htonsi8=%d, ntohli8=%d, ntohsi8=%d\n", htonli8, htonsi8, ntohli8, ntohsi8);

Output on Intel Processor
htonli8=33554688, htonsi8=512, ntohli8=33554688, ntohsi8=512

Output on MIPS Processor
htonli8=65538, htonsi8=2, ntohli8=65538, ntohsi8=2
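As an added example (not the post's endi.c), the code below implements the byte swap that htonl()/htons() perform on a little-endian host, shows why htons(65538) gives 2 on MIPS but 512 on Intel, and applies the same idea to the 0xa1b2c3d4 value used above, which is the classic pcap file magic: a capture parser compares the magic against the host's view of the bytes to decide whether every later header field must be byte-swapped. The sample headers and function names are my own, constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1 on a little-endian host (Intel), 0 on a big-endian host (MIPS above). */
int host_is_little_endian(void)
{
    uint32_t probe = 1;                 /* first byte in memory is 1 only on LE */
    return *(const unsigned char *)&probe == 1;
}

/* Byte swaps: all that htonl()/htons() do on a little-endian host. */
uint32_t swap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}
uint16_t swap16(uint16_t v) { return (uint16_t)((v >> 8) | (v << 8)); }

/* Portable htons(): the uint16_t parameter truncates 65538 to 2 before any
 * swap, which is why the post prints 2 on MIPS and 512 on Intel. */
uint16_t portable_htons(uint16_t v) { return host_is_little_endian() ? swap16(v) : v; }

/* Classify 4 header bytes against the pcap magic 0xa1b2c3d4: 0 = same byte
 * order as this host, 1 = opposite (swap every later field), -1 = not pcap. */
int pcap_needs_swap(const unsigned char hdr[4])
{
    uint32_t raw;
    memcpy(&raw, hdr, 4);                    /* read as the host sees it */
    if (raw == 0xa1b2c3d4u) return 0;
    if (swap32(raw) == 0xa1b2c3d4u) return 1;
    return -1;
}

/* Constructed sample headers (not from a real capture): the magic as a
 * little-endian and as a big-endian writer store it. Returns 1 when both
 * classify consistently with this host's own byte order. */
int sample_headers_classified(void)
{
    const unsigned char le_hdr[4] = {0xd4, 0xc3, 0xb2, 0xa1};
    const unsigned char be_hdr[4] = {0xa1, 0xb2, 0xc3, 0xd4};
    int le = host_is_little_endian();
    return pcap_needs_swap(le_hdr) == !le && pcap_needs_swap(be_hdr) == le;
}

int main(void)
{
    printf("little-endian host: %d, samples ok: %d\n",
           host_is_little_endian(), sample_headers_classified());
    return 0;
}
```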

Hope this will help someone somewhere to understand endianness on different Processors.



Other articles on C language
http://darshanams.blogspot.in/2011/09/building-single-binary-from-multiple-c.html
http://darshanams.blogspot.in/2011/07/message-queues-introduction.html

Thursday, September 29, 2011

Building Binary from multiple C files: Using custom header, accessing variables across multiple .c files

One of my friends asked me to add some basic material related to C programming. When I started coding I was unsure about using custom header files, sharing the same variable between different .c files, and building a single binary from multiple C files. This post should clear up those doubts.

The snapshot below shows the content of the header file (praveen.h) and the code in the two C files (sharedvar1.c, sharedvar2.c).

The snapshot below shows how to compile multiple C files into a single binary, along with the output of the program.


We have also seen how to access a single variable across multiple files.
Hope this helps someone somewhere :) !!!

Thursday, September 8, 2011

Malicious PDF: Portable Document Files Compression/Encoding/Obfuscation

Malicious PDFs, used to infect computers with malware or execute code when the file is opened, have increased manifold. We will look at the various ways JavaScript embedded within a PDF can be compressed or encoded to evade detection by IDS/IPS and antivirus. Many PDF parsers crash while analyzing such malicious/malformed files, yet Adobe Reader opens them successfully, which is what leads to infection.

Below is the malicious PDF file viewed in a text editor.



PDF parsers might have issues analyzing the following kinds of abnormal files:
1. The file does not strictly abide by the Portable Document Format specification.
2. The PDF version might be malformed (NULL value, incomplete value etc.) (as seen in the picture above).
3. May not contain endobj or endstream (at least one such string should be present within an object).
4. May not contain an xref table.
5. Names may be encoded (/JavaScript as /J#61vaScript).
6. No %%EOF marker.
7. There might be multiple %%EOF markers or trailers, indicating incremental updates.
8. A PDF embedded within another PDF (same object numbers in a single file).
9. Different types of evasions/encodings can be found at

Different encoding/compression filter types are:
/FlateDecode
/ASCIIHexDecode
/ASCII85Decode
/JBIG2Decode
/LZWDecode
/RunLengthDecode
/CCITTFaxDecode
/DCTDecode
/JPXDecode
This may not be the complete list of filters.
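As an added example (not from the original post), the C program below undoes the #xx name encoding from item 5 above, so that an obfuscated name such as /J#61vaScript is matched as /JavaScript when looking for script-bearing objects or the filters listed above; a signature that compares raw bytes would miss it. The PDF fragment is constructed for this example and is not a real sample, and the function names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Decode one PDF name token (in points at '/') into out; returns bytes consumed. */
size_t decode_pdf_name(const char *in, char *out, size_t outlen)
{
    size_t i, o = 0;
    out[o++] = '/';
    for (i = 1; in[i] && o + 1 < outlen; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '#' && isxdigit((unsigned char)in[i + 1]) && isxdigit((unsigned char)in[i + 2])) {
            unsigned int v;
            sscanf(&in[i + 1], "%2x", &v);   /* #61 -> 'a' */
            out[o++] = (char)v; i += 2;
        } else if (isspace(c) || strchr("()<>[]{}/%", c)) {
            break;                            /* whitespace or delimiter ends the name */
        } else out[o++] = (char)c;
    }
    out[o] = '\0';
    return i;
}

/* Count how often a decoded name (e.g. "/JavaScript") occurs in a PDF buffer. */
int count_pdf_name(const char *pdf, const char *name)
{
    char decoded[128];
    int hits = 0;
    const char *p = pdf;
    while ((p = strchr(p, '/')) != NULL) {
        size_t used = decode_pdf_name(p, decoded, sizeof decoded);
        if (strcmp(decoded, name) == 0) hits++;
        p += used;
    }
    return hits;
}

/* Constructed fragment for this added example (not a real malicious sample):
 * an /OpenAction running JavaScript from a FlateDecode stream, names obfuscated. */
static const char SAMPLE[] =
    "<< /Type /Catalog /Open#41ction 2 0 R >>\n"
    "2 0 obj << /S /J#61vaScript /JS 3 0 R >> endobj\n"
    "3 0 obj << /Filter /Fl#61teDecode /Length 10 >> stream\n";

int main(void)
{
    printf("JavaScript=%d OpenAction=%d FlateDecode=%d\n", count_pdf_name(SAMPLE, "/JavaScript"),
           count_pdf_name(SAMPLE, "/OpenAction"), count_pdf_name(SAMPLE, "/FlateDecode"));
    return 0;
}
```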

The snapshot below shows a highly obfuscated PDF file.



Good articles related to PDFs can be found at

For quick analysis of a PDF file you can upload to
http://wepawet.cs.ucsb.edu/

Live malicious PDF files can be found at
http://filex.jeek.org/archive_PDF.zip
Please do not open the files in the archive with any PDF reader.

The following articles might be of interest:
http://darshanams.blogspot.in/2012/05/cain-and-abel-password-cracking.html
http://darshanams.blogspot.in/2010/09/forensics-1-extracting-image.html
http://darshanams.blogspot.in/2011/05/snort-logging-alerts-to-syslog-server.html

Comments are most welcome :) !!!