aljaz/securedorg.github.io
1
0
Fork 0
mirror of https://github.com/aljazceru/securedorg.github.io.git synced 2025-12-18 22:54:19 +01:00
Code Issues Packages Projects Releases Wiki Activity

removing old files

Browse Source
This commit is contained in:
Amanda Rousseau
2017-11-17 14:34:31 -08:00
parent 4b33db23c9
commit 9ffe5aefbe
87 changed files with 0 additions and 67728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
dynamic2.md
View File

@@ -1,96 +0,0 @@
---
layout: default
permalink: /RE101/section6.1/
title: Dynamic Analysis
---
[Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/)
# Section 6: Finale #
Congrats, you made it through the workshop. All of your notes and debugging should have gotten you to come up with a similar control flow like the diagram and report below.
*Click to Enlarge*
[![alt text](https://securedorg.github.io/images/Diagram.png "diagram")](https://securedorg.github.io/images/Diagram.png)
## Simple Report
Filename: Unkown.exe
Sha256: a635f37c16fc05e554a6c7b3f696e47e8eaf3531407cac27e357851cb710e615
### Summary
This file creates a copy of itself in the %APPDATA% location, sets persistence mechanisms, and beacons to definitely-not-evil.com. If beacon is successful, it will open a messagebox, then decrypt the resource which will then spawn a shell window to open the resource.
### General Characteristics
The file is UPX packed
Import Functions:
* GetEnvironmentVariable
* CopyFile
* DeleteFile
* InternetOpen
* InternetConnect
* HttpOpenRequest
* HttpSendRequest
* MessageBox
* FindResource
* CryptStringToBinary
* CreateFile
* ShellExecute
* CreateProcess
### File System IOC
CreateFile C:\Users\victim\AppData\Roaming\dope.exe CreateFile icon.gif
### Network IOC
GET /ayy HTTP/1.1
Content-Type: text/html
MySpecialHeader: whatever
User-Agent: definitely-not-evil.com
Host: definitely-not-evil.com
Cache-Control: no-cache
### Registry IOC
RegQueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dope
### Behavior & Control Flow
Processes Created dope.exe
1) Starts by decoding xor strings
2) Checks to see if dope.exe already exists in %APPDATA%
3) If it doesn't exist create a copy of itself to %APPDATA% as dope.exe
4) Set the startup registry key
5) Start the newly copied dope.exe process
6) Delete the original
7) Dope.exe will check the registry key if set
8) Call out to definitely-not-evil.com
9) If the result is "lmao" it will open a messagebox and extract the resource
10) Base64 decode the resource
11) Save decoded resource as icon.gif
12) Shellexecute to open icon.gif
[Section 6 <- Back](https://securedorg.github.io/RE101/section6)

83
fundamentals.md
View File

@@ -1,83 +0,0 @@
---
layout: default
permalink: /RE101/section1/
title: Fundamentals
---
[Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/)
# Section 1: Fundamentals #
## Environment Setup ##
In this section you will be setting up a safe virtual malware analysis environment. The virtual machine (VM) that you will be running the malware on should not have internet access nor network share access to the host system. This VM will be designated as the **Victim VM**. On the other hand, the **Sniffer VM** will have a passive role in serving and monitoring the internet traffic of the Victim VM. This connection remains on a closed network within virtualbox.
### Installing VirtualBox ###
For windows and osx, follow the instructions in the install binary.
| Windows | Mac OSX | Linux |
| --- | --- | --- |
| [![alt text](https://securedorg.github.io/images/VBwin.png "Windows Virualbox")](http://download.virtualbox.org/virtualbox/5.1.14/VirtualBox-5.1.14-112924-Win.exe) | [![alt text](https://securedorg.github.io/images/VBmac.png "OSX Virtualbox")](http://download.virtualbox.org/virtualbox/5.1.14/VirtualBox-5.1.14-112924-OSX.dmg) | [![alt text](https://securedorg.github.io/images/Vblinux.png "Linux Virtualbox")](https://www.virtualbox.org/wiki/Linux_Downloads) |
### Download Victim and Sniffer VMs ###
Please use the utility [7zip](http://www.7-zip.org/download.html). Unzip the files with 7zip below and in VirtualBox **File->Import** Appliance targeting the .ova file.
[Victim VM](https://drive.google.com/open?id=0B_0DJl2kuzoNZkpveEtiMWJKWDA)
* MD5sum: b84f0cdb7acc00aeb9effcee84b85f65 **Updated 9/11/2017**
* OS: Windows 7 Service Pack 1
* Architecture: Intel 32bit
* Username: victim
* Password: re1012017
* IP Address: 192.168.0.2
* Gateway: 192.168.0.1
* Zip size 3.96G, Final size required 10.1G
**Note:** If the VM is rebooting on you, open a command prompt with admin privileges and run "slmgr /rearm", then reboot. It should reset the VM's trial version.
[Sniffer VM](https://drive.google.com/open?id=0B_0DJl2kuzoNT3IwNElLV3VRdms)
* MD5sum: fc69591b0ce1cdc84fc5c63d02d30d5f **Updated 9/11/2017**
* OS: Ubuntu 16.04.2 LTS Desktop
* Architecture: Intel 64bit
* Username: sniffer
* password re1012017
* IP Address: 192.168.0.1
* Gateway: 192.168.0.1
* Zip size 2.08G, Final size required 6G
---
### Post Install Instructions ###
**Note:** If you are having problems getting the VM to run, revert to the AnalysisReady snapshot, then right-click on the VM and select discard the saved state.
1. Install VirtualBox CD on both VMs: Devices->Insert Guest Additions CD Image
* If it doesn't auto appear, navigate to the CD Drive to install
* Follow install directions from the Guest Additions Dialog
* Note: it will require install privileges so insert passwords for each VM
* Shutdown Both VMs after you have installed the Guest Additions CD.
2. Victim VM: Devices->Drag and Drop->Bidrectional
3. Victim VM: Devices->Shared Clipboard->Bidirectional
4. Both VMs: Devices->Network->Network Settings
* Select Attached to `Internal Network`
* Name should mirror both VMs. Default is `intnet`
5. Run/Play both VMs to verify network connectivity
* **Important** While running, take a snapshot of each VM and name each "Clean". This will save a clean slate for you to revert the VM image back to.
6. Sniffer VM: Ensure `inetsim` is running
* Open terminal and run: `ps -ef | grep inetsim`
* If no output, run: `/etc/init.d/inetsim start`
* Run the ps command again to confirm it's running.
* Expected output: ![alt text](https://securedorg.github.io/images/VerifyInetsim.png "ps output")
7. Victim VM: test connection to Sniffer VM
* In the search bar, type `cmd.exe` to open terminal
* Run command: `ping 192.168.0.1`
* Expected output: ![alt text](https://securedorg.github.io/images/PingGateway.png "Ping Output")
8. Sniffer VM: Devices->Shared Folders->Shared Folders Settings
* On your Host, create a folder called `sniffershare`
* In virtual box select Add New Shared Folder icon and navigate to the folder you just created (sniffershare)
* In Sniffer VM, open the terminal and run command:`mkdir ~/host; sudo mount -t vboxsf -o uid=$UID,gid=$(id -g) sniffershare ~/host`
[Intro <- Back](https://securedorg.github.io/RE101/intro) | [Next -> Anatomy of PE](https://securedorg.github.io/RE101/section1.2)

82
fundamentals2.md
View File

@@ -1,82 +0,0 @@
---
layout: default
permalink: /RE101/section1.2/
title: Fundamentals
---
[Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/)
# Section 1.2: Fundamentals #
## Anatomy of a Windows PE C program ##
Typical windows programs are in the Portable Executable (PE) Format. Its portable because it contains information, resources, and references to dynamic-linked libraries (DLL) that allows windows to load and execute the machine code.
![alt text](https://securedorg.github.io/images/Cprogram.gif "C Program")
---
## Windows Architecture ##
In this workshop we will be focusing on user-mode applications.
### User-mode vs. Kernel Mode [[1]][1] ###
- In user-mode, an application starts a user-mode process which comes with its own private virtual address space and handle table
- In kernel mode, applications share virtual address space.
[1]: https://msdn.microsoft.com/en-us/windows/hardware/drivers/gettingstarted/user-mode-and-kernel-mode?f=255&MSPPError=-2147217396
This diagram shows the relationship of application components for user-mode and kernel-mode.
![alt text](https://securedorg.github.io/images/WindowsArch.png "Windows Architecture")
---
## PE Header ##
The PE header provides information to operating system on how to map the file into memory.
The executable code has designated regions that require a different memory protection (RWX)
- Read
- Write
- Execute
This diagram shows how this header is broken up.
*Click to Enlarge*
[![alt text](https://securedorg.github.io/images/PE32.png "PE 32 Header")](https://securedorg.github.io/images/PE32.png)
Here is a hexcode dump of a PE header we will be working with.
*Click to Enlarge*
[![alt text](https://securedorg.github.io/images/PEHeader.gif "PE 32 Header Animated")](https://securedorg.github.io/images/PEHeader.gif)
---
## Memory Layout ##
- **Stack** - region of memory is added or removed using “last-in-first-out” (LIFO) procedure [[2]][2]
- **Heap** - region for dynamic memory allocation [[3]][3]
- **Program Image** - The PE executable code placed into memory
- **DLLs** - Loaded DLL images that are referenced by the PE
- **TEB** - Thread Environment Block stores information about the current running thread(s) [[4]][4]
- **PEB** - Process Environment Block stores information about loaded modules and processes. [[5]][5]
[2]: https://en.wikipedia.org/wiki/Stack_(abstract_data_type)
[3]: https://en.wikipedia.org/wiki/Heap_(data_structure)
[4]: https://en.wikipedia.org/wiki/Win32_Thread_Information_Block
[5]: https://en.wikipedia.org/wiki/Process_Environment_Block
This diagram illustrates how the PE is placed into memory.
![alt text](https://securedorg.github.io/images/Memory.png "PE Memory Layout")
---
## The Stack ##
- Data is either pushed onto or popped off of the stack data structure
- **EBP** - Base Pointer is the register that used to store the references in the stack frame
This diagram represents a typical stack frame.
![alt text](https://securedorg.github.io/images/TheStackFrame.png "Stack Frame")
[Environment Setup <- Back](https://securedorg.github.io/RE101/section1) | [Next -> x86 Assembly](https://securedorg.github.io/RE101/section1.3)

133
fundamentals3.md
View File

@@ -1,133 +0,0 @@
---
layout: default
permalink: /RE101/section1.3/
title: Fundamentals
---
[Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/)
# Section 1.3: Fundamentals #
## x86 Assembly Language ##
The C programming is a high level language interpreted by the compiler that converts code into machine instructions called assembly language. By using a disassembler tool we can get the assembly language of a compiled C program.
The Intel 8086 and 8088 were the first CPUs to have an instruction set that is now commonly referred to as **x86**. Intel Architecture 32-bit (IA-32) sometimes also called i386 is the 32-bit version of the x86 instruction set architecture.
The x86 architecture is **little-endian**, meaning that multi-byte values are written least significant byte first.
#### How we see it:
| A0 | A1 | A2 | A3 |
#### Stored as Little Endian
| A3 | A2 | A1 | A0 |
---
## Opcodes and Instructions ###
Each Instruction represents opcodes (hex code) that tell the machine what to do next.
Three categories of instructions:
* Data Movement/Access
* Arithmetic / Logic
* Control-Flow
Common Instructions
* **mov, lea** (data movement, data access)
* **add, sub** (arithmetic)
* **or, and, xor** (Logic)
* **shr, shl** (Logic)
* **ror, rol** (Logic)
* **jmp, jne, jnz, jnb** (Control Flow)
* **push, pop, call, leave, enter, ret** (Control Flow)
Example below is moving value at 0xaaaaaaaa into ecx.
| Instruction | Opcode |
| --- | --- |
| `mov ecx,[0xaaaaaaaa];` | `8B 0D AA AA AA AA` |
Use the search page below or open the [Search Instructions](https://securedorg.github.io/x86.html) page to search for functions discussed above
<iframe src="https://securedorg.github.io/x86.html" width="640" height="480" frameborder="0" style="display:block; margin: 0 auto;"></iframe>
---
## Registers ###
The image below is what registers will look like in a debugger.
![alt text](https://securedorg.github.io/images/Registers.png "Registers")
#### General-Purpose Registers [[1]][1]
| Register | Description |
| --- | --- |
| **EAX** | Accumulator Register |
| **EBX** | Base Register |
| **ECX** | Counter Register |
| **EDX** | Data Register |
| **ESI** | Source Index |
| **EDI** | Destination Index |
| **EBP** | Base Pointer |
| **ESP** | Stack Pointer |
#### Segment Registers
| Register | Description |
| --- | --- |
| SS | Stack Segment, Pointer to the stack |
| CS | Code Segment, Pointer to the code |
| DS | Data Segment, Pointer to the data |
| ES | Extra Segment, Pointer to extra data |
| FS | F Segment, Pointer to more extra data |
| GS | G Segment, Pointer to still more extra data |
#### EFLAGS Register
| ID | Name | Description |
| --- | --- | --- |
| CF | Carry Flag | Set if the last arithmetic operation carried (addition) or borrowed (subtraction) a bit beyond the size of the register. This is then checked when the operation is followed with an add-with-carry or subtract-with-borrow to deal with values too large for just one register to contain |
| PF | Parity Flag | Set if the number of set bits in the least significant byte is a multiple of 2 |
| AF | Adjust Flag | Carry of Binary Code Decimal (BCD) numbers arithmetic operations |
| ZF | Zero Flag | Set if the result of an operation is Zero (0) |
| SF | Sign Flag | Set if the result of an operation is negative |
| TF | Trap Flag | Set if step by step debugging |
| IF | Interruption Flag | Set if interrupts are enabled |
| DF | Direction Flag | Stream direction. If set, string operations will decrement their pointer rather than incrementing it, reading memory backwards |
| OF | Overflow Flag | Set if signed arithmetic operations result in a value too large for the register to contain |
| IOPL | I/O Privilege Level field (2 bits) | I/O Privilege Level of the current process |
| NT | Nested Task flag | Controls chaining of interrupts. Set if the current process is linked to the next process |
| RF | Resume Flag | Response to debug exceptions |
| VM | Virtual-8086 Mode | Set if in 8086 compatibility mode |
| AC | Alignment Check | Set if alignment checking of memory references is done |
| VIF | Virtual Interrupt Flag | Virtual image of IF |
| VIP | Virtual Interrupt Pending flag | Set if an interrupt is pending |
| ID | Identification Flag | Support for CPUID instruction if can be set |
#### Instruction Pointer
The **EIP** register contains the address of the next instruction to be executed.
---
## Hello World ##
*Click Image to Enlarge*
[![alt text](https://securedorg.github.io/images/helloworld.gif "Hello World")](https://securedorg.github.io/images/helloworld.gif)
## Calling a Function ##
### Arguments on the Stack ###
*Click Image to Enlarge*
[![alt text](https://securedorg.github.io/images/FunctionCall.gif "Function Arguments")](https://securedorg.github.io/images/FunctionCall.gif)
### Local Variables on the Stack ###
*Click Image to Enlarge*
[![alt text](https://securedorg.github.io/images/FunctionCall2.gif "Function Locals")](https://securedorg.github.io/images/FunctionCall2.gif)
[1]: https://en.wikibooks.org/wiki/X86_Assembly/X86_Architecture
[Anatomy of PE <- Back](https://securedorg.github.io/RE101/section1.2) | [Next -> Section 2](https://securedorg.github.io/RE101/section2)

190
idacheatsheet.html
View File

@@ -1,190 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="chrome=1">
<link rel="stylesheet" href="https://securedorg.github.io//assets/css/style.css?v=5e63b4f7f8d5ec379a428172f4517e17cf6f662e">
</head>
<body>
<table>
<tr><td>
<h1>IDAPro</br>Cheat Sheet</h1>
<table>
<caption style="text-align: left;"><h3>Navigation<h3></caption>
<tr><td>Jump to operand</td><td>Enter</td></tr>
<tr><td>Jump in new window</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+<img src="https://securedorg.github.io/images/Enter-50.png" alt="Enter"></td></tr>
<tr><td>Jump to previous position</td><td>Esc</td></tr>
<tr><td>Jump to Next position</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+<img src="https://securedorg.github.io/images/Enter-50.png" alt="Enter"></td></tr>
<tr><td>Jump to address</td><td>G</td></tr>
<tr><td>Jump by name</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+L</td></tr>
<tr><td>Jump to function</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+P</td></tr>
<tr><td>Jump to segment</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+S</td></tr>
<tr><td>Jump to segment register</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+G</td></tr>
<tr><td>Jump to problem</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+Q</td></tr>
<tr><td>Jump to cross reference</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+X</td></tr>
<tr><td>Jump to xref to operand</td><td> X</td></tr>
<tr><td>Jump to entry point</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+E</td></tr>
<tr><td>Mark Position</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+M</td></tr>
</table>
<table>
<caption style="text-align: left;"><h3>Search</h3></caption>
<tr><td>Next code</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+C</td></tr>
<tr><td>Next data</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+D</td></tr>
<tr><td>Next explored</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+A</td></tr>
<tr><td>Next unexplored</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+U</td></tr>
<tr><td>Immediate value</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+I</td></tr>
<tr><td>Next immediate value</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+I</td></tr>
<tr><td>Text</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+T</td></tr>
<tr><td>Next text</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+T</td></tr>
<tr><td>Sequence of bytes</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+B</td></tr>
<tr><td>Next sequence of bytes</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+B</td></tr>
<tr><td>Not function</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+U</td></tr>
</table>
<table>
<caption style="text-align: left;"><h3>Graphing</h3></caption>
<tr><td>Flow chart</td><td>F12</td></tr>
<tr><td>Function calls</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+F12</td></tr>
</table>
<table>
<caption style="text-align: left;"><h3>Comments</h3></caption>
<tr><td>Enter comment</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+; </td></tr>
<tr><td>Enter repeatable comment</td><td>; </td></tr>
<tr><td>Enter anterior lines</td><td>Ins </td></tr>
<tr><td>Enter posterior lines</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+Ins </td></tr>
<tr><td>Insert predefined comment</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F1</td></tr>
</table>
<table>
<caption style="text-align: left;"><h3>Data Format Options</h3></caption>
<tr><td>ASCII strings style</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+A</td></tr>
<tr><td>Setup data types</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+D</td></tr>
</table>
</td>
<td>
<table>
<caption style="text-align: left;"><h3>Open Subviews</h3></caption>
<tr><td>Names</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F4</td></tr>
<tr><td>Functions</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F3</td></tr>
<tr><td>Strings</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F12</td></tr>
<tr><td>Segments</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F7</td></tr>
<tr><td>Segment registers</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F8</td></tr>
<tr><td>Signatures</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F5</td></tr>
<tr><td>Type libraries</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F11</td></tr>
<tr><td>Structures</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F9</td></tr>
<tr><td>Enumerations</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F10</td></tr>
</table>
<table>
<caption style="text-align: left;"><h3>File Operations</h3></caption>
<tr><td>Parse C header file</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+F9</td></tr>
<tr><td>Create ASM file</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+F10</td></tr>
<tr><td>Save database</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+W</td></tr>
</table>
<table>
<caption style="text-align: left;"><h3>Debugger</h3></caption>
<tr><td>Star process</td><td>F9</td></tr>
<tr><td>Terminate process</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+F2</td></tr>
<tr><td>Step into</td><td>F7</td></tr>
<tr><td>Step over</td><td>F8</td></tr>
<tr><td>Run until return</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+F7</td></tr>
<tr><td>Run to cursor</td><td>F4</td></tr>
<tr><td>Breakpoints</td></tr>
<tr><td>Breakpoint list</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+<img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+B</td></tr>
</table>
<table>
<caption style="text-align: left;"><h3>Watches</caption>
<tr><td>Delete watch</td><td>Del</td></tr>
</table>
<table>
<caption style="text-align: left;"><h3>Tracing</caption>
<tr><td>Stack trace</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+<img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+S</td></tr>
</table>
<table>
<caption style="text-align: left;"><h3>Miscellaneous</h3></caption>
<tr><td>Calculator</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+/ </td></tr>
<tr><td>Cycle through open views</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+Tab </td></tr>
<tr><td>Select tab</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt"> + [1…N] </td></tr>
<tr><td>Close current view</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+F4</td></tr>
<tr><td>Exit</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+X </td></tr>
<tr><td>IDC Command</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+F2</td></tr>
</table>
</td>
<td>
<table>
<caption style="text-align: left;"><h3>Edit (Data Types etc)</h3></caption>
<tr><td>Copy</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+Ins</td></tr>
<tr><td>Begin selection</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+L</td></tr>
<tr><td>Manual instruction</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+F2</td></tr>
<tr><td>Code</td><td>C</td></tr>
<tr><td>Data</td><td>D</td></tr>
<tr><td>Struct variable</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+Q</td></tr>
<tr><td>ASCII string</td><td>A</td></tr>
<tr><td>Array</td><td>Num *</td></tr>
<tr><td>Undefine</td><td>U</td></tr>
<tr><td>Rename</td><td>N</td></tr>
</table>
<table>
<caption style="text-align: left;"><h3>Operand Type</caption>
<tr><td>Offset (data segment)</td><td>O</td></tr>
<tr><td>Offset (current segment)</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+O</td></tr>
<tr><td>Offset by (any segment)</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+R</td></tr>
<tr><td>Offset (user-defined)</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+R</td></tr>
<tr><td>Offset (struct)</td><td>T</td></tr>
<tr><td>Number (default)</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+3</td></tr>
<tr><td>Hexadecimal</td><td>Q</td></tr>
<tr><td>Decimal</td><td>H</td></tr>
<tr><td>Binary</td><td>B</td></tr>
<tr><td>Character</td><td>R </td></tr>
<tr><td>Segment</td><td>S</td></tr>
<tr><td>Enum member</td><td>M </td></tr>
<tr><td>Stack variable</td><td>K</td></tr>
<tr><td>Change sign</td><td><img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+-</td></tr>
<tr><td>Bitwise negate</td><td> <img src="https://securedorg.github.io/images/Shift-50.png" alt="Shift">+`</td></tr>
<tr><td>Manual</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+F1</td></tr>
</table>
<table>
<caption style="text-align: left;"><h3>Segments</caption>
<tr><td>Edit segment</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+S</td>
<tr><td>Change segment register value</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+G</td></tr>
</table>
<table>
<caption style="text-align: left;"><h3>Structs</caption>
<tr><td>Struct var</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+Q</td><tr>
<tr><td>Force zero offset field</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+Z</td></tr>
<tr><td>Select union member</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+Y</td></tr>
</table>
<table>
<caption style="text-align: left;"><h3>Functions</caption>
<tr><td>Create function</td><td>P</td></tr>
<tr><td>Edit function</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+P </td></tr>
<tr><td>Set function end</td><td>E </td></tr>
<tr><td>Stack variables</td><td><img src="https://securedorg.github.io/images/Ctrl-50.png" alt="Ctrl">+K </td></tr>
<tr><td>Change stack pointer</td><td><img src="https://securedorg.github.io/images/Alt-50.png" alt="Alt">+K</td></tr>
<tr><td>Rename register</td><td>V</td></tr>
<tr><td>Set function type</td><td>Y</td></tr>
</table>
</td>
</tr>
</table>
</body>
</html>

BIN
images/Alt-50.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 995 B

BIN
images/CFFexplorer.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 239 KiB

BIN
images/CodeObfuscation.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1.1 MiB

BIN
images/Cprogram.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1.4 MiB

BIN
images/Ctrl-50.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1014 B

BIN
images/DLLload.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 297 KiB

BIN
images/Diagram.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 70 KiB

BIN
images/Enter-50.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1.0 KiB

BIN
images/FunctionCall.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 152 KiB

BIN
images/FunctionCall2.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 180 KiB

BIN
images/IdaFree.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 783 KiB

BIN
images/Memory.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 555 KiB

BIN
images/PE32.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 3.8 MiB

BIN
images/PEHeader.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 134 KiB

BIN
images/Persistence.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 62 KiB

BIN
images/PingGateway.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 11 KiB

BIN
images/Registers.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 134 KiB

BIN
images/Shift-50.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 949 B

BIN
images/TheStackFrame.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 99 KiB

BIN
images/VBmac.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 18 KiB

BIN
images/VBwin.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 17 KiB

BIN
images/Vblinux.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 19 KiB

BIN
images/VerifyInetsim.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 160 KiB

BIN
images/WindowsArch.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 418 KiB

BIN
images/bikeloop.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1.8 MiB

BIN
images/cube.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1.6 MiB

BIN
images/cube2.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 650 KiB

BIN
images/deathunicorn.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 49 KiB

BIN
images/dyn10.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 212 KiB

BIN
images/dyn11.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 867 KiB

BIN
images/dyn12.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 244 KiB

BIN
images/dyn13.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 340 KiB

BIN
images/dyn14.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1.2 MiB

BIN
images/dyn15.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1.1 MiB

BIN
images/dyn16.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1.1 MiB

BIN
images/dyn17.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 248 KiB

BIN
images/dyn2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 229 KiB

BIN
images/dyn3.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 250 KiB

BIN
images/dyn4.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 401 KiB

BIN
images/dyn5.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 426 KiB

BIN
images/dyn6.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 22 KiB

BIN
images/dyn8.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 210 KiB

BIN
images/dyn9.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 893 KiB

BIN
images/hackerman.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 2.0 MiB

BIN
images/helloworld.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 408 KiB

BIN
images/keyboarddbg.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 219 KiB

BIN
images/maping.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 90 KiB

BIN
images/mimikatzElevate.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 7.7 KiB

BIN
images/procmon.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 143 KiB

BIN
images/restart.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 5.5 KiB

BIN
images/rightarrow.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 3.8 KiB

BIN
images/secret.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 8.7 MiB

BIN
images/static1.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 18 KiB

BIN
images/static2.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 152 KiB

BIN
images/static3.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 83 KiB

BIN
images/static4.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 50 KiB

BIN
images/static5.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 57 KiB

BIN
images/static6.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 22 KiB

BIN
images/static7.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 313 KiB

BIN
images/static8.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 625 KiB

BIN
images/static9.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 71 KiB

BIN
images/timetriage.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 219 KiB

BIN
images/triage1.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 59 KiB

BIN
images/triage2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 69 KiB

BIN
images/triage3.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 67 KiB

BIN
images/triage4.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 98 KiB

BIN
images/triage5.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 259 KiB

BIN
images/triageVMs.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 79 KiB

BIN
images/triageVMs2.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 554 KiB

BIN
images/triageVMs3.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 195 KiB

BIN
images/x64dbg.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 276 KiB

60
intro.md
View File

@@ -1,60 +0,0 @@
---
layout: default
permalink: /RE101/intro/
title: Intro
---
[Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/)
# Introduction #
![alt text](https://securedorg.github.io/images/cube.gif "Cube")
# Reverse Engineering #
"is the processes of extracting knowledge or design information from anything man-made and re-producing it or re-producing anything based on the extracted information" [[1]][1]
## What does it mean to be a reverse engineer? ##
## You can ##
* Take things apart to figure out how it works
* Love puzzle solving
* Develop experiments and tools
* Think outside the box
* Constantly learn new things
![alt text](https://securedorg.github.io/images/bikeloop.gif "Bike")
## Game Plan ##
* Determine what are the goals
* Get to just what you need, or
* Know enough to recreate it
* Use reconnaissance and triage skills to determine a target starting point
* Work step by step to get to your goals
* Record your findings through the analysis
## Analysis Flow for Malware Analysis ##
* Setup a baseline analysis environment
* Triage to determine a starting point
* Static Analysis - Get a sense of where everything is before debugging
* Dynamic Analysis - Determine behaviors that cant be understood by static analysis
* Manual Debugging - Stepping through the program to navigate to your goals
[1]: https://en.wikipedia.org/wiki/Reverse_engineering
[Next -> Section 1](https://securedorg.github.io/RE101/section1)

37
malware.md
View File

@@ -1,37 +0,0 @@
---
layout: default
permalink: /RE101/section2/
title: Malware Techniques
---
[Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/)
# Section 2: Malware Overview #
## Typical Attack Flow ##
| Perimeter Recon | Infiltrate | Internal Recon | Entrench | Exfiltrate | Purge |
| ------------ |:------------:|:------------:|:------------:|:------------:|:------------:|
| ![alt text](https://securedorg.github.io/images/rightarrow.png) | ![alt text](https://securedorg.github.io/images/rightarrow.png) | ![alt text](https://securedorg.github.io/images/rightarrow.png) | ![alt text](https://securedorg.github.io/images/rightarrow.png) | ![alt text](https://securedorg.github.io/images/rightarrow.png) | ![alt text](https://securedorg.github.io/images/rightarrow.png) |
## Malware Classes
| Class | Description |
| --- | --- |
| **Virus** | Code that propagates (replicates) across systems with user intervention |
| **Worm** | Code that self-propagates/replicates across systems without requiring user intervention |
| **Bot** | Automated process that interacts with other network services |
| **Trojan** | Malware that is often disguised as legitimate software |
| **Ransomware** | Malware that holds the victim's data hostage by cryptography or other means |
| **Rootkit** | Masks its existence or the existence of other software |
| **Backdoor** | Enables a remote attacker to have access to or send commands to a compromised computer |
| **RAT** | Remote Access Trojan, similar to a backdoor |
| **Info Stealer** | Steals victims information, passwords, or other personal data |
| **HackTool** | Admin tools or programs that may be used by hackers to attack computer systems and networks. These programs are not generally malicious |
| **Hoax** | Program may deliver a false warning about a computer virus or install a fake AV |
| **Dropper/Downloader** | Designed to "install" or download some sort of malware |
| **Adware** | Automatically renders advertisements in order to generate revenue for its author.|
| **PUP/PUA** | Potentially Unwanted Program, sometimes added to a system without the user's knowledge or approval |
[x86 Assembly <- Back](https://securedorg.github.io/RE101/section1.3) | [Next -> Malware Techniques](https://securedorg.github.io/RE101/section2.1)

242
malware2.md
View File

@@ -1,242 +0,0 @@
---
layout: default
permalink: /RE101/section2.1/
title: Malware Techniques
---
[Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/)
# Section 2.1: Malware Techniques #
The malware classes may exhibit one or more of the following techniques. [Mitre Att&ck](https://attack.mitre.org/wiki/Main_Page) framework provides a great reference for many of these techniques.
## Techniques Overview
* [Compression](#compression)
* [Obfuscation](#obfuscation)
* [Persistence](#persistence)
* [Privilege Escalation](#privilege-escalation)
* [Defense Evasion](#defense-evasion)
* [Credential Theft](#credential-theft)
* [Reconnaissance](#recon)
* [Lateral Movement](#lateral-movement)
* [Execution](#execution)
* [Collection](#collection)
* [Exfiltration](#exfiltration)
* [Command and Control](#command-and-control)
---
## Compression
* Combining the compressed data with decompression code into a single executable
* Runtime packers
* Self extractive archives
* List of packers
* [Themida](http://www.oreans.com/themida.php)
* [Armadillo](http://www.siliconrealms.com/armadillo.php)
* [ASPack](http://www.aspack.com/aspack.html)
* [ASPR (ASProtect)](http://www.aspack.com/asprotect32.html)
* [BoxedApp Packer](http://www.boxedapp.com/boxedapppacker)
* [CExe](http://www.scottlu.com/Content/CExe.html)
* [dotBundle](http://www.dotbundle.com)
* [Enigma Protector](http://www.enigmaprotector.com)
* [EXE Bundle](http://www.webtoolmaster.com/exebundle.htm)
* [EXE Stealth](http://www.webtoolmaster.com/exestealth.htm)
* [eXPressor](http://www.cgsoftlabs.ro/express.html)
* [FSG](http://xtreeme.prv.pl/)
* [kkrunchy](http://www.farbrausch.de/~fg/kkrunchy/)
* [MEW](https://web.archive.org/web/20070831063728/http://northfox.uw.hu/index.php?lang=eng&amp;id=dev)
* [MPRESS](http://www.matcode.com/mpress.htm)
* [Obsidium](http://www.obsidium.de)
* [PESpin](http://pespin.w.interia.pl)
* [Petite](http://www.un4seen.com/petite)
* [RLPack Basic](http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/RLPack-Basic-Edition.shtml)
* [Smart Packer Pro](http://www.smartpacker.nl)
* [Themida](http://www.oreans.com/themida.php)
* [UPX](https://upx.github.io/)
* [VMProtect](http://vmpsoft.com/products/vmprotect)
* [XComp/XPack](http://soft-lab.de/JoKo)
[Goto Top^](#techniques-overview)
---
## Obfuscation
* Deliberate act of creating obfuscated code that is difficult for humans to understand
* Plain text strings will appear as base64 or Xor
* Malicious behavior will include junk functions or routines that do nothing to throw off the reverser.
* Control-Flow Flattening
* String Encryption
![alt text](https://securedorg.github.io/images/CodeObfuscation.gif "CodeObfuscation")
### Example Malware
| Name | Hash | Link |
| --- | --- | --- |
| EXTRAC32.EXE | f4d9660502220c22e367e084c7f5647c21ad4821d8c41ce68e1ac89975175051 | [virustotal](https://www.virustotal.com/en/file/f4d9660502220c22e367e084c7f5647c21ad4821d8c41ce68e1ac89975175051/analysis/) |
[Goto Top^](#techniques-overview)
---
## Persistence
* Once malware gains access to a system, it often looks to be there for a long time.
* If the persistence mechanism is unique enough, it can even serve as a great way to identify a given piece of malware.
![alt text](https://securedorg.github.io/images/Persistence.png "Persistence")
Example: Dll Search Order Hijacking
![alt text](https://securedorg.github.io/images/DLLload.gif "Dll loading")
### Example Malware
| Name | Hash | Link |
| --- | --- | --- |
| Banker Trojan| cb07ec66c37f43512f140cd470912281f12d1bc9297e59c96134063f963d07ff | [virustotal](https://www.virustotal.com/en/file/cb07ec66c37f43512f140cd470912281f12d1bc9297e59c96134063f963d07ff/analysis/) |
[Goto Top^](#techniques-overview)
---
## Privilege Escalation
* Exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
* Common Techniques:
* Dll Search Order Hijacking
* Dll injection
* Exploiting a vulnerability
* BufferOverflow
* StackOverflow
* Heapspray
* Return Orientated Programming (ROP)
* Credential Theft
* UAC Bypasses
[Goto Top^](#techniques-overview)
---
## Defense Evasion
* Evading detection or avoiding defenses.
* Common Techniques:
* Killing AV
* Deleting itself after a run
* Timebombs/Timestomping
* Stolen Certificates
* Dll Side Loading
* Masquerading
* Process Hollowing
* Code Injection
### Example Malware
| Name | Hash | Link |
| --- | --- | --- |
| darkcomet backdoor | 1be0ca062facda59239cc5621d0a3807a84ed7d39377041489b09d3870958fee | [virustotal](https://www.virustotal.com/en/file/1be0ca062facda59239cc5621d0a3807a84ed7d39377041489b09d3870958fee/analysis/) |
[Goto Top^](#techniques-overview)
---
## Credential Theft
* Going after password storage
* Keylogging passwords
* Screenshots
Example: Mimikatz
Credential theft
![alt text](https://securedorg.github.io/images/mimikatzElevate.png "Mimkatz Elevating")
### Example Malware
| Name | Hash | Link |
| --- | --- | --- |
| mimikatz | b4d7bfcfb8f85c4d2fb8cb33c1d6380e5b7501e492edf3787adee42e29e0bb25 | [virustotal](https://www.virustotal.com/en/file/b4d7bfcfb8f85c4d2fb8cb33c1d6380e5b7501e492edf3787adee42e29e0bb25/analysis/) |
[Goto Top^](#techniques-overview)
---
## Reconnaissance
* Gain knowledge about the system and internal network.
[Goto Top^](#techniques-overview)
---
## Lateral Movement
* Enable an adversary to access and control remote systems on a network
### Example Malware
| Name | Hash | Link |
| --- | --- | --- |
| winmail.dat^QGIS-KOMIT .zip^QGIS-KOMIT .exe | c0f38384dd6c1536a0e19100b8d82759e240d58ed6ba50b433e892e02e819ebb | [virustotal](https://www.virustotal.com/en/file/c0f38384dd6c1536a0e19100b8d82759e240d58ed6ba50b433e892e02e819ebb/analysis/) |
[Goto Top^](#techniques-overview)
---
## Execution
* Techniques that result in execution of adversary-controlled code on a local or remote system
* scripts
* post-exploitation
[Goto Top^](#techniques-overview)
---
## Collection
* Identify and gather information, such as sensitive files, from a target network prior to exfiltration
### Example Malware
| Name | Hash | Link |
| --- | --- | --- |
| keylogger | 5d5c01d72216410767d089a3aabddf7fdbe3b88aff3b51b6d32280c3439038fa | [virustotal](https://www.virustotal.com/en/file/5d5c01d72216410767d089a3aabddf7fdbe3b88aff3b51b6d32280c3439038fa/analysis/) |
[Goto Top^](#techniques-overview)
---
## Exfiltration
* Removing files and information
[Goto Top^](#techniques-overview)
---
## Command and Control
* Communicate with systems under their control
### Example Malware
| Name | Hash | Link |
| --- | --- | --- |
| backdoor | 02fc2d262cb0d5e9d3e8202ea69013c5c8cc197685c73c0689cbeb243d508e76 | [virustotal](https://www.virustotal.com/en/file/02fc2d262cb0d5e9d3e8202ea69013c5c8cc197685c73c0689cbeb243d508e76/analysis/) |
[Goto Top^](#techniques-overview)
[Malware Classes <- Back](https://securedorg.github.io/RE101/section2) | [Next -> Section 3](https://securedorg.github.io/RE101/section3)

127
retools.md
View File

@@ -1,127 +0,0 @@
---
layout: default
permalink: /RE101/section3/
title: RE Tools
---
[Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/)
# Section 3: Reverse Engineering (RE) Tools #
## Disassemblers
* [Ida](https://www.hex-rays.com/products/ida/)
* Free (Used in this workshop)
* Pro (Most Popular)
* [Radare](https://www.radare.org)
* [Capstone](http://www.capstone-engine.org/)
---
## Debuggers
* [x64dbg](http://x64dbg.com/) (Used in this workshop)
* [Immunity](https://www.immunityinc.com/products/debugger/)
* [OllyDbg](http://www.ollydbg.de/) (Most Popular)
* [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit)
---
## Decompilers
* [Snowman](https://derevenets.com/) (Integrated with x64dbg)
* [dotPeek](https://www.jetbrains.com/decompiler/) .NET decompiler
---
## Information Gathering
* [CFF Explorer](http://www.ntcore.com/exsuite.php) - PE header parser (Used in this workshop)
* [PE Explorer](http://www.heaventools.com/overview.htm) - PE inspection tool (Used in this workshop)
* [BinText](https://www.mcafee.com/hk/downloads/free-tools/bintext.aspx) - Extract string from a binary
* [Sysinternals Suite](https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx) (Used in this workshop)
* procmon
* procexplorer
* [InetSim: Internet Services Simulation Suite](http://www.inetsim.org/downloads.html) (Used in this workshop)
* [Yara: pattern matching rule engine](https://virustotal.github.io/yara/)
* [Wireshark](https://www.wireshark.org/download.html) - network sniffing (Used in this workshop)
* [API Monitor](http://www.rohitab.com/downloads)
### Helpful Websites
* [virustotal.com](https://www.virustotal.com/) - free service that analyzes suspicious files and URLs
* [malwr.com](https://malwr.com/) - Malwr is a free malware analysis service
* [hyrbid-analysis](https://www.hybrid-analysis.com/) - free malware analysis service
* [whois.domaintools.com](http://whois.domaintools.com/) - look up domains
* [robtex.com](https://www.robtex.com/) - free DNS lookup tool
* [www.debuggex.com](https://www.debuggex.com/) - Online Visual Regex Tester
---
## Support
* [HxD Hex Editor](https://mh-nexus.de/en/hxd/) (Used in this workshop)
* [Python](https://www.python.org/downloads/) - used for automating tasks
---
## Tools Used in the Workshop
### Disassembler: IdaFree
![alt text](https://securedorg.github.io/images/IdaFree.gif "IdaFree Layout")
* **Visual Modes**
* **Graph Mode** - control flow diagram
* **Text Mode** - default view of disassembled code
* **Command Cheatsheet**
* Please refer to this [Ida cheatsheet](https://securedorg.github.io/idacheatsheet.html)
* **Common Commands**
| Action | Command |
| --- | --- |
| Jump to xref to operand | X |
| Jump to address | G |
| Enter comment | Shift+; |
---
### Debugger: x64dbg
![alt text](https://securedorg.github.io/images/x64dbg.gif "x64dbg Layout")
**Common Commands**
| Action | Command |
| --- | --- |
| Enter comment | ; |
| BreakPoint | F2 |
| Step into | F7 |
| Step over | F8 |
| Run | F9 |
| Edit Instruction | Space |
### Keyboard Layout for IdaFree and x64dbg
![alt text](https://securedorg.github.io/images/keyboarddbg.gif "Keyboard Layout")
---
## Information Gathering: CFF Explorer
* Parses the PE headers
* Explores Resources
* Unpacks UPX
![alt text](https://securedorg.github.io/images/CFFexplorer.gif "CFF Explorer")
## Information Gathering: Sysinternals Suite
* advanced system utilities
* **ProcMon** - Monitor processes/thread, files system, network, and registry activity on the system
* **ProcExp** - Monitor processes running on the system
![alt text](https://securedorg.github.io/images/procmon.png "ProcExp")
[Section 2.1 <- Back](https://securedorg.github.io/RE101/section2.1) | [Next -> Section 4](https://securedorg.github.io/RE101/section4)

176
static.md
View File

@@ -1,176 +0,0 @@
---
layout: default
permalink: /RE101/section5/
title: Static Analysis
---
[Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/)
# Section 5: Static Analysis #
![alt text](https://securedorg.github.io/images/cube2.gif "static cube")
Static analysis is like reading a map for directions on where to go. As you follow through this map you capture notes on what things might look interesting when you actually begin your journey.
This section will teach you how to jump into code in static disassembly then rename and comment on interesting assembly routines that we will debug in **Section 6**.
---
## LAB 2
### Possible Packer?
Notice in CFF explorer that there is UPX in the header.
![alt text](https://securedorg.github.io/images/triage2.png "UPX")
When you open the executable in IDA, you will notice large section of non-disassembled code.
*Click Image to Enlarge*
[![alt text](https://securedorg.github.io/images/triage4.png "IDA UPX")](https://securedorg.github.io/images/triage4.png)
Because UPX is a common packer, there are many tools that offer unpacking for UPX. Open the executable in PE Explorer which will unpack the binary automatically. Save the file with a name to identify it as unpacked.
*Click Image to Enlarge*
[![alt text](https://securedorg.github.io/images/triage5.png "Unpacking UPX")](https://securedorg.github.io/images/triage5.png)
---
### Reopen the executable in IDA.
The next step is getting a sense as to what the program is doing.
So far we can assume:
* This exe is connecting to the internet somehow
* This exe is using a string encryption function
* This exe might be spawning a shell
Most windows programs start at address **004010000**.
---
### Jumping in!
Navigate to the **Strings** window.
Here is an interesting string that we should start with:
![alt text](https://securedorg.github.io/images/static1.png "Strings window")
This string is a typical registry key path to allow programs to autorun/startup on reboot. This is considered a [persistence](https://securedorg.github.io/RE101/section2.1/#persistence) mechanism. Double Click the string.
Using the **X** key we can jump to the reference of that string in the assembly code.
*Click Image to Enlarge*
[![alt text](https://securedorg.github.io/images/static2.gif "Strings window")](https://securedorg.github.io/images/static2.gif)
This function is offset **00401340**. Notice in that function is setting a registry key using Window API [RegOpenKeyEx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms724897%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396).
We should rename this function **SetRegkey**.
---
Jump up to the calling function using **X** on **SetRegkey**. Scroll up until you see some interesting API.
Notice it's calling [InternetOpen](https://msdn.microsoft.com/en-us/library/windows/desktop/aa385096.aspx) which opens a HTTP session.
This function call has the following arguments:
**C++**
```c++
HINTERNET InternetOpen(
_In_ LPCTSTR lpszAgent, // Arg 1 = URL
_In_ DWORD dwAccessType, // Arg 2
_In_ LPCTSTR lpszProxyName, // Arg 3
_In_ LPCTSTR lpszProxyBypass,// Arg 4
_In_ DWORD dwFlags // Arg 5
);
```
We need to figure out what register **esi** is because it contains the URL we are looking for.
**Assembly x86**
```assembly
push 0 ; Arg 5
push 0 ; Arg 4
push 0 ; Arg 3
push 1 ; Arg 2
push esi ; Arg 1 URL
call ds: InternetOpenA
```
Right before the first **push 0** there is a **mov esi,eax** which means esi = eax.
When a function returns, the return value is stored in **eax**. So let's look into the function that is being called. It takes a string as the first argument (that is a wicked string), while the second argument might be the string length. Press Enter to jump to the function.
*Click Image to Enlarge*
[![alt text](https://securedorg.github.io/images/static3.png "Unknown Function")](https://securedorg.github.io/images/static3.png)
Scroll down until you find **xor al, 5Ah**. Eventually you will be able to recognize when a string loop is being processed in assembly. In this case, it is **xor** a byte with **5Ah** which is **Z** in [ascii](http://www.asciitable.com/).
*Click Image to Enlarge*
[![alt text](https://securedorg.github.io/images/static4.png "Xor routine")](https://securedorg.github.io/images/static4.png)
We can assume that this function is doing some kind of Xor encoding. So let's rename this function as XorDecode. We will need this information later when we debug in Section 6.
*Click Image to Enlarge*
[![alt text](https://securedorg.github.io/images/static5.png "Rename function")](https://securedorg.github.io/images/static5.png)
Let's use the tool **XORSearch** to see if we can find some interesting xor decoded strings. Open the terminal **cmd.exe** from the start bar, and navigate to the XORSearch.exe
```XORSearch.exe <Path to UnknownUnpacked.exe> "A string to test"```
*Click Image to Enlarge*
[![alt text](https://securedorg.github.io/images/static6.png "xor search")](https://securedorg.github.io/images/static6.png)
**"Yo this is dope!"** How weird.
---
## Getting the bigger picture
Let's navigate to the start of the program using the **X** key. Use the spacebar to toggle between graph view and text view.
*Click Image to Enlarge*
[![alt text](https://securedorg.github.io/images/static7.gif "start function")](https://securedorg.github.io/images/static7.gif)
It's easy to trace back through the program disassembly, but let's look at some control flow assembly instructions. Remember **jmp, jne, jnz, jnb** are control flow functions.
**Jump Examples**
*Click Image to Enlarge*
[![alt text](https://securedorg.github.io/images/static9.gif "jz jump")](https://securedorg.github.io/images/static9.gif)
```assembly
jz loc_401962 ; jump to offset loc_401962 if the previous condition is zero
```
```assembly
jle short loc_401634 ; jump to relative offset 401634 if the previous condition is less than or equal to
```
Next scroll down through and find the order of API function calls in the program. You should make note of all the function offsets.
*Click Image to Enlarge*
[![alt text](https://securedorg.github.io/images/static8.gif "program scrolling")](https://securedorg.github.io/images/static8.gif)
Some of the more interesting API Calls from the image above. Look up what each function does, many are self explanatory.
* GetEnvironmentVariable
* CopyFile
* DeleteFile
* InternetOpen
* InternetConnect
* HttpOpenRequest
* HttpSendRequest
* MessageBox
* FindResource
* CryptStringToBinary
* CreateFile
* ShellExecute
* CreateProcess
Now you know how to navigate the disassembly forward and backwards to get to interesting routines. The next step is making a rough path to follow for deeper analysis in Section 6.
![alt text](https://securedorg.github.io/images/maping.jpg "handwritten")
[Section 4 <- Back](https://securedorg.github.io/RE101/section4) | [Next -> Section 6](https://securedorg.github.io/RE101/section6)

33
tool.md
View File

@@ -1,33 +0,0 @@
---
layout: default
permalink: /RE101/Tools/
title: RE Tools
---
# Required Tools #
Please download the tools based on the operating system you are running
## Virtual Box ##
### Windows ###
[VirtualBox](#)
### Mac OSX ###
[VirtualBox](#)
### Linux ###
[VirtualBox](#)
## Windows 7 Virtual Box VM ##
[windows 7 VM](#)
# Tools Already Installed in VM #
## Hex Editor ##
## x64bdg ##
## IdaFree ##

121
triage.md
View File

@@ -1,121 +0,0 @@
---
layout: default
permalink: /RE101/section4/
title: Triage Analysis
---
[Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/)
# Section 4: Triage Analysis #
![alt text](https://securedorg.github.io/images/timetriage.gif "hourglass")
Depending on your workload, you want to spend the least amount of time trying to determine what the malware is doing and how to get rid of it. Many malware analysts use their own triage analysis, similar to that in the Emergency Room at the hospital.
You will want to quickly narrow down specific information and indicators before moving on to deeper static and dynamic analysis.
This checklist should get you started:
- File Context and Delivery
- File Information & Header Analysis
- Get Basic PE information
- Simple Search
- Collect Strings
- Check AV vendors
- Quick VM Detonation
- Capture network information
---
## Download the Unknown Malware
[**HERE**](https://drive.google.com/open?id=0B_0DJl2kuzoNRTEtQmx0SjJYZXc)
Password is "infected"
---
### File Context and Delivery
When you receive the malware binary, it's important to ask how the malware got there in the first place.
Questions to ask:
* Did it come from an email?
* Did it come from a browser download?
* Was it quarantined in an Anti-Virus?
* Is it an anomalous process running?
### File Information & Header Analysis
* Use a **file** command (sniffer VM) to determine the file type
* Verify the file header using a hex editor (HxD)
### Get Basic PE information
* Parse the PE header using the tool CFF Explorer
* Determine what resources, DLL imports, and libraries used
* Example: If you see **Ws2_32.dll** it might be setting up a network connection because it's used for setting up sockets
### Simple Search
* Calculate the hash of the file an check the web to see if it's been seen already
### Collect Strings
* Using the string command in linux or BinText tool, extract the strings to find any clues
### Check AV vendors
* Run the file against an Anti-Virus or VirusTotal to see if there are any detections
### Quick VM Detonation
* Use open source VM detonation services like hybrid-analysis.com or malwr.com to get the behavior quickly
### Capture network information
* Use the VM detonation service to capture any network connections or packet data.
* If you can't do this then we will need to dynamically debug the malware.
---
## Malware Analysis Report
You will want to capture this information throughout your investigation either through notes or report documents.
You can use the **Malware Analysis Report** template [HERE](https://securedorg.github.io/ReportForm.html)
---
## LAB 1
1. Run the Victim VM
2. Copy over the unknown file
3. Check the file header by opening the file in the hex editor **HxD**
* Notice the first 2 bytes are **MZ** meaning it's a PE Binary
![alt text](https://securedorg.github.io/images/triage1.png "MZ Header")
4. Add the file extension **.exe** to the **Unknown** file so that it reads as **Unknown.exe**. Now right click the file and select **CFF explorer** to check the PE header
* Note the imports it's using
![alt text](https://securedorg.github.io/images/triage3.png "Imports")
5. Calculate the hash using **quickhash**, go to virustotal.com and search the hash
6. Open the file in **BinText** and record any interesting strings
7. Quick Detonation
The point of the quick detonation is to capture the filesystem, registry, and connection activity. The VMs are set up in such a way that the Victim VM's internet traffic is captured by the Sniffer VM.
![alt text](https://securedorg.github.io/images/triageVMs.gif "Victim and Sniffer")
On the **Sniffer VM** open the terminal and run `sudo wireshark` to get Wireshark sniffing the traffic from the Victim VM. Be sure InetSim is still running, see the fundamentals Section 1 on how to start up InetSim.
On the **Victim VM** open the SysInternals **procmon.exe** and **procexp.exe** so that we can monitor filesystem and process events.
*Click Image to Enlarge*
[![alt text](https://securedorg.github.io/images/triageVMs2.gif "Victim and Sniffer")](https://securedorg.github.io/images/triageVMs2.gif)
Go ahead and detonate the the malware.
On the **Sniffer VM** look for an **HTTP** request. Right click and **Follow->TCP Stream**. I will display the HTTP get request that was sent by the malware.
*Click Image to Enlarge*
[![alt text](https://securedorg.github.io/images/triageVMs3.gif "Victim and Sniffer")](https://securedorg.github.io/images/triageVMs3.gif)
[Section 3 <- Back](https://securedorg.github.io/RE101/section3) | [Next -> Section 5](https://securedorg.github.io/RE101/section5)

829
view.css
View File

@@ -1,829 +0,0 @@
body
{
background:#fffff;
font-size:small;
margin:8px 0 16px;
text-align:left;
}
#form_container
{
background:#fff;
border:1px solid #ccc;
margin:0 auto;
text-align:left;
width:640px;
}
#top
{
display:block;
height:10px;
margin:10px auto 0;
width:650px;
}
.malwarereport
{
font-family:Consolas, monaco, monospace;
font-size:small;
width:650px;
}
.malwarereport br {
border-bottom:1px dashed black;
display:block;
margin:10px auto 0;
}
.malwarereport br:before { /* and :after */
border-bottom:1px dashed black;
/* content and display added as per porneL's comment */
content: "";
display: block;
}
.malwarereport br { /* and :before and :after */
content: url(a_dashed_line_image);
}
/**** Form Section ****/
.appnitro
{
font-family:Lucida Grande, Tahoma, Arial, Verdana, sans-serif;
font-size:small;
}
.appnitro li
{
width:61%;
}
form ul
{
font-size:100%;
list-style-type:none;
margin:0;
padding:0;
width:100%;
}
form li
{
display:block;
margin:0;
padding:4px 5px 2px 9px;
position:relative;
}
form li:after
{
clear:both;
content:".";
display:block;
height:0;
visibility:hidden;
}
.buttons:after
{
clear:both;
content:".";
display:block;
height:0;
visibility:hidden;
}
.buttons
{
clear:both;
display:block;
margin-top:10px;
}
* html form li
{
height:1%;
}
* html .buttons
{
height:1%;
}
* html form li div
{
display:inline-block;
}
form li div
{
color:#444;
margin:0 4px 0 0;
padding:0 0 8px;
}
form li span
{
color:#444;
float:left;
margin:0 4px 0 0;
padding:0 0 8px;
}
form li div.left
{
display:inline;
float:left;
width:48%;
}
form li div.right
{
display:inline;
float:right;
width:48%;
}
form li div.left .medium
{
width:100%;
}
form li div.right .medium
{
width:100%;
}
.clear
{
clear:both;
}
form li div label
{
clear:both;
color:#444;
display:block;
font-size:9px;
line-height:9px;
margin:0;
padding-top:3px;
}
form li span label
{
clear:both;
color:#444;
display:block;
font-size:9px;
line-height:9px;
margin:0;
padding-top:3px;
}
form li .datepicker
{
cursor:pointer !important;
float:left;
height:16px;
margin:.1em 5px 0 0;
padding:0;
width:16px;
}
.form_description
{
border-bottom:1px dotted #ccc;
clear:both;
display:inline-block;
margin:0 0 1em;
}
.form_description[class]
{
display:block;
}
.form_description h2
{
clear:left;
font-size:160%;
font-weight:400;
margin:0 0 3px;
}
.form_description p
{
font-size:95%;
line-height:130%;
margin:0 0 12px;
}
form hr
{
display:none;
}
form li.section_break
{
border-top:1px dotted #ccc;
margin-top:9px;
padding-bottom:0;
padding-left:9px;
padding-top:13px;
width:97% !important;
}
form ul li.first
{
border-top:none !important;
margin-top:0 !important;
padding-top:0 !important;
}
form .section_break h3
{
font-size:110%;
font-weight:400;
line-height:130%;
margin:0 0 2px;
}
form .section_break p
{
font-size:85%;
margin:0 0 10px;
}
/**** Buttons ****/
input.button_text
{
overflow:visible;
padding:0 7px;
width:auto;
}
.buttons input
{
font-size:120%;
margin-right:5px;
}
/**** Inputs and Labels ****/
label.description
{
border:none;
color:#222;
display:block;
font-size:95%;
font-weight:700;
line-height:150%;
padding:0 0 1px;
}
span.symbol
{
font-size:115%;
line-height:130%;
}
input.text
{
background:#fff url(../../../images/shadow.gif) repeat-x top;
border-bottom:1px solid #ddd;
border-left:1px solid #c3c3c3;
border-right:1px solid #c3c3c3;
border-top:1px solid #7c7c7c;
color:#333;
font-size:100%;
margin:0;
padding:2px 0;
}
input.file
{
color:#333;
font-size:100%;
margin:0;
padding:2px 0;
}
textarea.textarea
{
background:#fff url(../../../images/shadow.gif) repeat-x top;
border-bottom:1px solid #ddd;
border-left:1px solid #c3c3c3;
border-right:1px solid #c3c3c3;
border-top:1px solid #7c7c7c;
color:#333;
font-family:"Lucida Grande", Tahoma, Arial, Verdana, sans-serif;
font-size:100%;
margin:0;
width:99%;
}
select.select
{
color:#333;
font-size:100%;
margin:1px 0;
padding:1px 0 0;
background:#fff url(../../../images/shadow.gif) repeat-x top;
border-bottom:1px solid #ddd;
border-left:1px solid #c3c3c3;
border-right:1px solid #c3c3c3;
border-top:1px solid #7c7c7c;
}
input.currency
{
text-align:right;
}
input.checkbox
{
display:block;
height:13px;
line-height:1.4em;
margin:6px 0 0 3px;
width:13px;
}
input.radio
{
display:block;
height:13px;
line-height:1.4em;
margin:6px 0 0 3px;
width:13px;
}
label.choice
{
color:#444;
display:block;
font-size:100%;
line-height:1.4em;
margin:-1.55em 0 0 25px;
padding:4px 0 5px;
width:90%;
}
select.select[class]
{
margin:0;
padding:1px 0;
}
*:first-child+html select.select[class]
{
margin:1px 0;
}
.safari select.select
{
font-size:120% !important;
margin-bottom:1px;
}
input.small
{
width:25%;
}
select.small
{
width:25%;
}
input.medium
{
width:50%;
}
select.medium
{
width:50%;
}
input.large
{
width:99%;
}
select.large
{
width:100%;
}
textarea.small
{
height:5.5em;
}
textarea.medium
{
height:10em;
}
textarea.large
{
height:20em;
}
/**** Errors ****/
#error_message
{
background:#fff;
border:1px dotted red;
margin-bottom:1em;
padding-left:0;
padding-right:0;
padding-top:4px;
text-align:center;
width:99%;
}
#error_message_title
{
color:#DF0000;
font-size:125%;
margin:7px 0 5px;
padding:0;
}
#error_message_desc
{
color:#000;
font-size:100%;
margin:0 0 .8em;
}
#error_message_desc strong
{
background-color:#FFDFDF;
color:red;
padding:2px 3px;
}
form li.error
{
background-color:#FFDFDF !important;
border-bottom:1px solid #EACBCC;
border-right:1px solid #EACBCC;
margin:3px 0;
}
form li.error label
{
color:#DF0000 !important;
}
form p.error
{
clear:both;
color:red;
font-size:10px;
font-weight:700;
margin:0 0 5px;
}
form .required
{
color:red;
float:none;
font-weight:700;
}
/**** Guidelines and Error Highlight ****/
form li.highlighted
{
background-color:#fff7c0;
}
form .guidelines
{
background:#f5f5f5;
border:1px solid #e6e6e6;
color:#444;
font-size:80%;
left:100%;
line-height:130%;
margin:0 0 0 8px;
padding:8px 10px 9px;
position:absolute;
top:0;
visibility:hidden;
width:42%;
z-index:1000;
}
form .guidelines small
{
font-size:105%;
}
form li.highlighted .guidelines
{
visibility:visible;
}
form li:hover .guidelines
{
visibility:visible;
}
.no_guidelines .guidelines
{
display:none !important;
}
.no_guidelines form li
{
width:97%;
}
.no_guidelines li.section
{
padding-left:9px;
}
/*** Success Message ****/
.form_success
{
clear: both;
margin: 0;
padding: 90px 0pt 100px;
text-align: center
}
.form_success h2 {
clear:left;
font-size:160%;
font-weight:normal;
margin:0pt 0pt 3px;
}
/*** Password ****/
ul.password{
margin-top:60px;
margin-bottom: 60px;
text-align: center;
}
.password h2{
color:#DF0000;
font-weight:bold;
margin:0pt auto 10px;
}
.password input.text {
font-size:170% !important;
width:380px;
text-align: center;
}
.password label{
display:block;
font-size:120% !important;
padding-top:10px;
font-weight:bold;
}
#li_captcha{
padding-left: 5px;
}
#li_captcha span{
float:none;
}
/** Embedded Form **/
.embed #form_container{
border: none;
}
.embed #top, .embed #bottom, .embed h1{
display: none;
}
.embed #form_container{
width: 100%;
}
.embed #footer{
text-align: left;
padding-left: 10px;
width: 99%;
}
.embed #footer.success{
text-align: center;
}
.embed form.appnitro
{
margin:0px 0px 0;
}
/*** Calendar **********************/
div.calendar { position: relative; }
.calendar table {
cursor:pointer;
border:1px solid #ccc;
font-size: 11px;
color: #000;
background: #fff;
font-family:"Lucida Grande", Tahoma, Arial, Verdana, sans-serif;
}
.calendar .button {
text-align: center;
padding: 2px;
}
.calendar .nav {
background:#f5f5f5;
}
.calendar thead .title {
font-weight: bold;
text-align: center;
background: #dedede;
color: #000;
padding: 2px 0 3px 0;
}
.calendar thead .headrow {
background: #f5f5f5;
color: #444;
font-weight:bold;
}
.calendar thead .daynames {
background: #fff;
color:#333;
font-weight:bold;
}
.calendar thead .name {
border-bottom: 1px dotted #ccc;
padding: 2px;
text-align: center;
color: #000;
}
.calendar thead .weekend {
color: #666;
}
.calendar thead .hilite {
background-color: #444;
color: #fff;
padding: 1px;
}
.calendar thead .active {
background-color: #d12f19;
color:#fff;
padding: 2px 0px 0px 2px;
}
.calendar tbody .day {
width:1.8em;
color: #222;
text-align: right;
padding: 2px 2px 2px 2px;
}
.calendar tbody .day.othermonth {
font-size: 80%;
color: #bbb;
}
.calendar tbody .day.othermonth.oweekend {
color: #fbb;
}
.calendar table .wn {
padding: 2px 2px 2px 2px;
border-right: 1px solid #000;
background: #666;
}
.calendar tbody .rowhilite td {
background: #FFF1AF;
}
.calendar tbody .rowhilite td.wn {
background: #FFF1AF;
}
.calendar tbody td.hilite {
padding: 1px 1px 1px 1px;
background:#444 !important;
color:#fff !important;
}
.calendar tbody td.active {
color:#fff;
background: #529214 !important;
padding: 2px 2px 0px 2px;
}
.calendar tbody td.selected {
font-weight: bold;
border: 1px solid #888;
padding: 1px 1px 1px 1px;
background: #f5f5f5 !important;
color: #222 !important;
}
.calendar tbody td.weekend {
color: #666;
}
.calendar tbody td.today {
font-weight: bold;
color: #529214;
background:#D9EFC2;
}
.calendar tbody .disabled { color: #999; }
.calendar tbody .emptycell {
visibility: hidden;
}
.calendar tbody .emptyrow {
display: none;
}
.calendar tfoot .footrow {
text-align: center;
background: #556;
color: #fff;
}
.calendar tfoot .ttip {
background: #222;
color: #fff;
font-size:10px;
border-top: 1px solid #dedede;
padding: 3px;
}
.calendar tfoot .hilite {
background: #aaf;
border: 1px solid #04f;
color: #000;
padding: 1px;
}
.calendar tfoot .active {
background: #77c;
padding: 2px 0px 0px 2px;
}
.calendar .combo {
position: absolute;
display: none;
top: 0px;
left: 0px;
width: 4em;
border: 1px solid #ccc;
background: #f5f5f5;
color: #222;
font-size: 90%;
z-index: 100;
}
.calendar .combo .label,
.calendar .combo .label-IEfix {
text-align: left;
padding: 1px;
}
.calendar .combo .label-IEfix {
width: 4em;
}
.calendar .combo .hilite {
background: #444;
color:#fff;
}
.calendar .combo .active {
border-top: 1px solid #999;
border-bottom: 1px solid #999;
background: #dedede;
font-weight: bold;
}

1
view.js
View File

@@ -1 +0,0 @@
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3(7.X){7["R"+a]=a;7["z"+a]=6(){7["R"+a](7.1k)};7.X("1e",7["z"+a])}E{7.19("z",a,15)}2 j=H V();6 a(){2 e=q.1d("1a");3(e){o(e,"P");2 N=B(q,"*","14");3((e.12<=10)||(N=="")){c(e,"P",d)}}4=B(q,"*","1n");k(i=0;i<4.b;i++){3(4[i].F=="1g"||4[i].F=="1f"||4[i].F=="1c"){4[i].1b=6(){r();c(v.5.5,"f",d)};4[i].O=6(){r();c(v.5.5,"f",d)};j.D(j.b,0,4[i])}E{4[i].O=6(){r();c(v.5.5,"f",d)};4[i].18=6(){o(v.5.5,"f")}}}2 C=17.16.13();2 A=q.M("11");3(C.K("J")+1){c(A[0],"J",d)}3(C.K("I")+1){c(A[0],"I",d)}}6 r(){k(2 i=0;i<j.b;i++){o(j[i].5.5,"f")}}6 B(m,y,w){2 x=(y=="*"&&m.Y)?m.Y:m.M(y);2 G=H V();w=w.1m(/\\-/g,"\\\\-");2 L=H 1l("(^|\\\\s)"+w+"(\\\\s|$)");2 n;k(2 i=0;i<x.b;i++){n=x[i];3(L.1j(n.8)){G.1i(n)}}1h(G)}6 o(p,T){3(p.8){2 h=p.8.Z(" ");2 U=T.t();k(2 i=0;i<h.b;i++){3(h[i].t()==U){h.D(i,1);i--}}p.8=h.S(" ")}}6 c(l,u,Q){3(l.8){2 9=l.8.Z(" ");3(Q){2 W=u.t();k(2 i=0;i<9.b;i++){3(9[i].t()==W){9.D(i,1);i--}}}9[9.b]=u;l.8=9.S(" ")}E{l.8=u}}',62,86,'||var|if|elements|parentNode|function|window|className|_16|initialize|length|addClassName|true|_1|highlighted||_10||el_array|for|_13|_6|_c|removeClassName|_e|document|safari_reset||toUpperCase|_14|this|_8|_9|_7|load|_4|getElementsByClassName|_3|splice|else|type|_a|new|firefox|safari|indexOf|_b|getElementsByTagName|_2|onfocus|no_guidelines|_15|event_load|join|_f|_11|Array|_17|attachEvent|all|split|450|body|offsetWidth|toLowerCase|guidelines|false|userAgent|navigator|onblur|addEventListener|main_body|onclick|file|getElementById|onload|radio|checkbox|return|push|test|event|RegExp|replace|element'.split('|'),0,{}))

90
x86.html
View File

@@ -1,90 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="chrome=1">
<link rel="stylesheet" href="/assets/css/style.css?v=5e63b4f7f8d5ec379a428172f4517e17cf6f662e">
</head>
<body>
<script language="JavaScript" type="text/javascript">
function loadXMLDoc(dname)
{
if (window.XMLHttpRequest)
{
xhttp=new XMLHttpRequest();
}
else
{
xhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
xhttp.open("GET",dname,false);
xhttp.send();
return xhttp.responseXML;
}
function searchXML()
{
xmlDoc=loadXMLDoc("https://securedorg.github.io/x86.xml");
x=xmlDoc.getElementsByTagName("Instruction");
input = document.getElementById("input").value;
size = input.length;
if (input == null || input == "")
{
document.getElementById("results").innerHTML= "Please enter a character or name!";
return false;
}
for (i=0;i<x.length;i++)
{
Instruction = xmlDoc.getElementsByTagName("Instruction")[i].getAttribute("name");
startString = Instruction.substring(0,size);
if (startString.toLowerCase() == input.toLowerCase())
{
iname=x[i].getAttribute("name");
isummary=x[i].getAttribute("summary");
operandText = "<table><th>name</th><th>operands</th><th>opcode</th>";
ioperand=x[i].getElementsByTagName("InstructionForm");
for (y=0;y<ioperand.length;y++)
{
operandText += "<tr><td>" + ioperand[y].getAttribute("gas-name") + "</td>";
operand = ioperand[y].getElementsByTagName("Operand");
operandText += "<td>";
for (k=0;k<operand.length;k++)
{
operandText += operand[k].getAttribute("type") + " ";
}
operandText += "</td><td>";
if (ioperand[y].getElementsByTagName("Encoding")[0].getElementsByTagName("Prefix").length != 0)
{
operandText += ioperand[y].getElementsByTagName("Encoding")[0].getElementsByTagName("Prefix")[0].getAttribute("byte") + " ";
}
opcode = ioperand[y].getElementsByTagName("Encoding")[0].getElementsByTagName("Opcode");
for (m=0;m<opcode.length;m++)
{
operandText += opcode[m].getAttribute("byte") + " ";
}
operandText += "</td></tr>";
}
operandText += "</table>"
divText = "<h1>The instruction details are:</h1><br /><table border=1><tr><th>Instruction</th><th>Summary</th><th>Variations</th></tr>" + "<tr><td>" + iname + "</td><td>" + isummary + "</td><td>" + operandText + "</td></tr>" + "</table>";
break;
}
else
{
divText = "<h2>The contact does not exist.</h2>";
}
}
document.getElementById("results").innerHTML= divText;
}
</script>
Search Instruction: <input type="text" name="Instruction" id="input">
<br />
<input type="submit" value="Submit" onClick="searchXML()">
<br />
<br />
<div id="results">
</div>
</body>
</html>

65428
x86.xml
View File

File diff suppressed because it is too large Load Diff