DOWNLOAD – NTCORE
Utilities. Cerbero Suite. Date: present. Author: Erik Pistelli. State-of-the-art suite of tools for malware triage and file analysis. Analysis for many file formats including PE, Mach-O, ELF, Java, SWF, DEX, PDF, DOC, XLS, RTF, Zip and many more.
EXPLORER SUITE
Download the Explorer Suite. Current Version: III (18/11/2012). Small announcement: If you or your organization needs professional PE inspection, then take a look at Cerbero Suite (the commercial product of my company), which properly supports many file formats beyond the complete Portable Executable specification. It’s multi-platform (Windows, OS X & Linux) and it comes as a free trial.
.NET GENERIC UNPACKER
Download the .NET Generic Unpacker. Current Version: 1.0.0.1. This is a program to dump .NET packed applications. Of course no serious .NET protection relies on packing.
4GB PATCH – NTCORE
Download the 4GB Patch. Current Version: 1.0.0.1. I originally wrote this tool for a friend of mine who needed it. This very little tool patches x86 executables in order to let them have 4GB (instead of only 2) of virtual memory on x64 platforms.
PHOENIX PROTECTOR
Download Phoenix Protector. Current Version: 1.8.0.1. This application is now freeware for various reasons. I first wrote the core of the Phoenix Protector for a company when I was 19.
PE DETECTIVE
Download the PE Detective. Current Version: 1.2.1.1. Created by Erik Pistelli, a freeware PE identifier. This tool was originally designed to be part of the Explorer Suite
JULY 2020 – NTCORE
Month: July 2020. Video: Inspecting Windows Kernel Crash Dumps with Cerbero Suite.
THE CODE PROJECT
Powerful x86/x64 Mini Hook-Engine. Download demo projects and sources; Introduction. I wrote this little hook-engine for a much bigger article. Sometimes it seems such a waste to write valuable code for large articles whose topic isn't directly related to the code.
MICROSOFT’S RICH SIGNATURE (UNDOCUMENTED)
Wow, blast from the past. I worked in the VC team back then (not on the linker, though). ‘Rich’ is almost certainly short for ‘Richard Shupack’ from MS research who worked on linker/loader stuff in NT (among a whole bunch of other stuff), and ‘DanS’ is probably ‘Dan Spalding’ who, I think, ran the linker team back then.
ARTICLES – NTCORE
Rust for closed-source projects. Date: 23/06/2019. Author: Erik Pistelli. Rust in relation to closed-source projects. In this article I’m showing how to modify and build the Rust compiler on Windows in order to avoid revealing metadata inside of Rust executables.
SCREENWRITER
Download the ScreenWriter. Current Version: 1.1.0.1. Created by Erik Pistelli. This is a little freeware software which makes the writing of screenplays for TV and cinema extremely easy.
VIRTUALREG MANAGER
Download VirtualReg Manager. Current Version: 1.0.0.1. VirtualReg Manager is a utility which creates virtual registry files and is also able to edit them through a regedit-like interface.
VISTA4EXPERTS
Download Vista4Experts. Current Version: 1.2.0.1. Warning: the name of the program means that this utility configures Vista for people who know what they’re doing (e.g. lowering Vista’s defenses).
DRIVER LIST
Download Driver List. Current Version: 1.0.2. Very small utility which lists the loaded drivers. The utility is 64-bit compatible and can generate a report file from the list.
QT’S GUI THREAD
If you’re a Qt developer, you surely are aware of the fact that you can only display GUI elements and access them from the main thread. This limitation, as far as I know, is mostly bound to the limitations of X, and it isn’t to be excluded that multithreading support for GUIs will be added soon.
BATCH IMAGE MANIPULATION USING PYTHON AND GIMP
Not a very common topic for me, but I thought it could be neat to mention some tips & tricks. I won’t go into the details of the Python GIMP SDK; most of it can be figured out from the GIMP documentation. I spent a total of one hour researching this topic, so I’m not an expert and I could have made mistakes, but perhaps I can save some effort to others who want to achieve the same results.
RUST FOR CLOSED-SOURCE PROJECTS
It’s true that there’s a linker option to stop the generation of debug information. I don’t use that option simply because if for some reason there’s a crash, the user can send me the crash dump and I have a PDB (debug symbols) to work with for the release executable.
NTCORE REVAMPED
After over a decade, I finally took two afternoons to revamp this personal web-page and to merge the content of the old NTCore page with the content of its blog (rcecafe.net).
DOWNLOAD – NTCORE
A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc.
4GB PATCH – NTCORE
4GB Patch. Download the 4GB Patch. Current Version: 1.0.0.1. I originally wrote this tool for a friend of mine who needed it. This very little tool patches x86 executables in order to let them have 4GB (instead of only 2) of virtual memory on x64 platforms. This tool comes very handy for applications which need a great amount of virtual memory
.NET GENERIC UNPACKER
Download the .NET Generic Unpacker. Current Version: 1.0.0.1. This is a program to dump .NET packed applications. Of course no serious .NET protection relies on packing. In fact, this software shows how easily you can unpack a protected assembly. This .NET Generic Unpacker was written in a couple of hours and despite the fact that it’s very
PHOENIX PROTECTOR
The Phoenix Protector was created to protect .NET assemblies and it’s the ideal solution for every .NET developer, due to its support of every kind of project and compatibility with every version of the .NET framework. It has all common obfuscation features to secure your code. It provides obfuscation features like Name, String and Control
PE DETECTIVE
PE Detective. Download the PE Detective. Current Version: 1.2.1.1. Created by Erik Pistelli, a freeware PE identifier. This tool was originally designed to be part of the Explorer Suite II, but it can be downloaded separately as well. The PE Detective can scan single PE files or entire directories (also recursively) and generate complete reports.
JULY 2020 – NTCORE
Video: Inspecting Windows Kernel Crash Dumps with Cerbero Suite. A brief introduction.
CFF EXPLORER
CFF Explorer update: scripting arguments. Arguments can now be passed through the command line just by making them follow the name of the script. E.g.: “CFF Explorer.exe” “C:\mydir\script.cff” arg1 arg2 “arg 3”. To access the arguments from the scripting part you can use the global variables argv and argc, which are the same thing as in C.
ARTICLES – NTCORE
The second of a two-part series of articles about the .NET framework internals and the protections available for .NET assemblies. In these articles the .NET internals are presented from the perspective of a reverser. In this article native compiling protections and all the methods to overcome them are analyzed in depth.
SCREENWRITER
Download the ScreenWriter. Current Version: 1.1.0.1. Created by Erik Pistelli. This is a little freeware software which makes the writing of screenplays for TV and cinema extremely easy. It follows the standard American indentation rules and provides auto-completion for characters, places and day times. You can also export your scripts in
ABOUT NTCORE
About NTCore. For direct contact write to ntcore@protonmail.com. You can also find me on Twitter as erikpistelli and on YouTube.
RUST FOR CLOSED-SOURCE PROJECTS
One of the aspects about Rust in connection to closed-source projects which needs to be mentioned is that there’s a lot of debug information inside of a Rust executable, even in release mode. Every panic! in Rust prints out a lot of metadata. Let’s take for
PORTING A CHIP-8 EMULATOR TO RUST
You’re learning and sharing, always kind behavior, Ntos 🙂. What I often find astonishing is how low-skilled people like me start with “hello world !” scripts, while skilled people like you start with complete/complex applications and call them simple projects.
A MALWARE WITH MY NAME
October 6, 2010 at 11:41 am. Well, look in the registry in the Run key, and the location can be easily spotted in the task manager (or task explorer). Just look for a 3-letter named process like “klb.exe”. It uses random letters. Kill it, remove the file, remove the entry in the registry (Run) and that should be it.
NTCORE
VIDEO: INSPECTING WINDOWS KERNEL CRASH DUMPS WITH CERBERO SUITE
A brief introduction. Author: Erik Pistelli. Posted on July 21, 2020. Categories: Video. Tags: crash dump, Kernel.
VIDEO: INSPECTING WINDOWS CRASH DUMPS WITH CERBERO SUITE
A brief introduction. Author: Erik Pistelli. Posted on July 20, 2020. Categories: Video. Tags: crash dump.
VIDEO: ANALYSIS OF A MULTI-STAGE MALWARE (DOC -> VBA -> JSCRIPT -> EXE -> SHELLCODE -> MAPPED EXE -> IAT REBUILD)
This is the full analysis of a multi-stage malware. Sample hashes:
MD5: A3BF316D225604AF6C74CCF6E2E34F41
SHA1: D20981637B1D9E99115BF6537226265502D3E716
SHA256: 00476789D901461F61BDF74020382F851765AFCD7622B54687CDA70425A91F86
This is the code I wrote for JavaScript deobfuscation. Make sure to insert the base64 encoded JavaScript payload before running it.
// first stage
var a = ;
(function(c, d)
{
var e = function(f)
{
while (--f)
{
c(c());
}
};
e(++d);
}(a, 0x9d));
var b = function(c, d){
c = c - 0x0;
var e = a;
if (b === undefined){
(function()
{
var f = function()
{
var g;
try
{
g = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');')();}
catch (h)
{
g = window;
}
return g;
};
var i = f();
var j =
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
i || (i = function(k){
var l = String(k)(/=+$/, '');
for (var m = 0x0, n, o, p = 0x0, q = ''; o = l(p++);~o && (n = m % 0x4 ? n * 0x40 + o : o, m++ % 0x4) ? q += String(0xff & n >> (-0x2 * m & 0x6)) : 0x0){
o = j(o);
}
return q;
});
}());
b = function(r)
{
var s = atob(r);
var t = ;
for (var u = 0x0, v = s; u < v; u++){
t += '%' + ('00' +
s(u)(0x10))(-0x2);
}
return decodeURIComponent(t);
};
b = {};
b = !! ;
}
var w = b;
if (w === undefined){
e = b(e);
b = e;
}
else
{
e = w;
}
return e;
};
var script = "BASE64_JAVASCRIPT_PAYLOAD";
script = atob(script);
var clean = "";
var i = 0, last = 0;
while ((i = script.indexOf("b('", i)) != -1){
clean += script.substring(last, i);
e = script.indexOf("')", i)
deobf = b(script.substring(i + 3, e));
clean += "'" + deobf.replace("'", "\\'") + "'";
// next
i = e + 2;
last = i
}
clean += script.substring(last, script.length);
// remove b function
i = clean.indexOf("var dy = function()")
clean = clean.substring(i, clean.length);
script = clean;
// second stage: remove initial dictionaries
do
{
found = false;
clean = "";
i = 0;
last = 0;
while ((i = script.indexOf("var", i)) != -1){
if (script != '{' || script == '}'){
i++;
continue;
}
found = true;
clean += script.substring(last, i);
varname = script.substring(i + 4, i + 6);
e = script.indexOf("};", i + 9);
arstr = script.substring(i + 9, e + 2);
print(arstr);
eval("ar = " + arstr);
j = e + 2;
last = j;
while ((j = script.indexOf(varname + "", j)
idx = script.substring(j + 4, je)
print(idx);
deobf = ar;
if (typeof(deobf) == "string")
clean += "'" + deobf.replace("'", "\\'") + "'";
else // it's a method
clean += "(" + deobf.toString() + ")";
j = je + 2;
last = j;
}
clean += script.substring(last, script.length);
// next
script = clean;
break;
}
} while (found);
// third stage: remove fake functions
script = script.replace(/\s*/g, "true")
script = script.replace(/\s*/g, "false")
var prol = "function ";
var arg = "{2}";
var sep = " "
var ret = " \\n\\s*return ";
var epil = "\\n\\s+";
var cap = "(+)";
var fin = "";
for (var i = 0; i < 5; i++){
script = script.replace(new RegExp(prol + arg + sep + arg + ret + arg + " " + arg + epil + cap + sep + cap + fin, "g"), "$1 + $2");
script = script.replace(new RegExp(prol + arg + sep + arg + ret + arg + " === " + arg + epil + cap + sep + cap + fin, "g"), "$1 === $2");
script = script.replace(new RegExp(prol + arg + sep + arg + ret + arg + " !== " + arg + epil + cap + sep + cap + fin, "g"), "$1 !== $2");
script = script.replace(new RegExp(prol + arg + sep + arg + sep + arg + ret + arg + "" + arg + sep + arg + "" + epil + cap + sep + cap + sep + cap + fin, "g"), "$1($2, $3)");
script = script.replace(new RegExp(prol + arg + sep + arg + ret + arg + "" + arg + "" + epil + cap + sep + cap + fin, "g"), "$1($2)");
script = script.replace(new RegExp(prol + arg + ret + arg + "" + "" + epil + cap + fin, "g"), "$1()");
}
// fourth stage: remove switch statements
// do twice to get rid of nested switches
for (xx = 0; xx < 2; xx++){
clean = "";
i = 0;
last = 0;
while ((i = script.indexOf("('|')", i)) != -1){
e = script.lastIndexOf("var ", i);
var ls = e - 1;
while (ls > 0)
{
if (script != " ")
break;
--ls;
}
indent = script.substring(ls + 1, e);
swe = script.indexOf("\n" + indent + " }", e)
clean += script.substring(last, e);
arstr = script.substring(e + 9, i);
eval("ar = " + arstr + ";");
ar = ar.split("|");
for (var j = 0; j < ar.length; j++){
idx = "\n" + indent + " case '" + ar + "':";
k = script.indexOf(idx, i);
ke = script.indexOf("\n" + indent + " case '", k + idx.length)
if (ke == -1 || ke > swe)
ke = swe;
v = script.substring(k + idx.length, ke + 1).trim();
if (v.substring(v.length - 9, v.length) === "continue;")
v = v.substring(0, v.length - 9).trim();
//print(v);
if (j != 0)
clean += indent;
clean += v + "\n";
}
// next
i = script.indexOf("\n" + indent + " break;", ke); i = script.indexOf("}", i);last = i + 1
}
clean += script.substring(last, script.length);script = clean;
}
// fifth stage: remove some string variablesclean = "";
// first collect the variables and removed them from the scripti = 0;
last = 0;
vars = ;
while ((i = script.indexOf("\nvar ", i)) != -1){
if (script != "'")
{
i += 1;
continue;
}
clean += script.substring(last, i); varname = script.substring(i + 5, i + 7); e = script.indexOf("';", i + 11); v = script.substring(i + 10, e + 1);vars.push();
// next
i = e + 2;
last = i;
}
clean += script.substring(last, script.length);script = clean;
// replace them
for (var k = 0; k < vars.length; k++){
varname = vars;
value = vars;
script = script.replace(new RegExp('\\b' + varname + '\\b', "g"),value);
}
script
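The fourth stage above undoes control-flow flattening: the obfuscator hides the real statement order in a `'2|0|1'['split']('|')` order string and dispatches through a `switch`. The following is an added example, not code from the original post, that does the same un-flattening on a constructed sample with brace matching instead of indentation scanning; the `while`/`switch` shape and the `SAMPLE` text are assumptions, not taken from the analysed malware.

```javascript
// Index of the brace closing the block opened at src[open] (src[open] is '{').
// Braces inside single- or double-quoted string literals are ignored.
function matchBrace(src, open) {
  let depth = 0, quote = null;
  for (let i = open; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === "\\") i++;              // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === "'" || c === '"') {
      quote = c;
    } else if (c === "{") {
      depth++;
    } else if (c === "}" && --depth === 0) {
      return i;
    }
  }
  throw new Error("unbalanced braces");
}

// Split a switch body into {label: statements}, dropping the trailing
// "continue;" that sends control back to the dispatcher loop.
function parseCases(body) {
  const re = /case '([^']+)':/g;
  const labels = [];
  let m;
  while ((m = re.exec(body)) !== null) {
    labels.push({ label: m[1], start: m.index, end: m.index + m[0].length });
  }
  const cases = {};
  labels.forEach((l, k) => {
    const stop = k + 1 < labels.length ? labels[k + 1].start : body.length;
    let v = body.slice(l.end, stop).trim();
    if (v.endsWith("continue;")) v = v.slice(0, -"continue;".length).trim();
    cases[l.label] = v;
  });
  return cases;
}

// Replace each flattened dispatcher with its statements in real order.
// Nested dispatchers are handled by rescanning after every rewrite.
function unflattenSwitch(src) {
  const decl = /var (\w+) = '([^']+)'(?:\.split|\['split'\])\('\|'\)/g;
  let m;
  while ((m = decl.exec(src)) !== null) {
    const [, name, order] = m;
    const whileIdx = src.indexOf("while", m.index);
    if (whileIdx === -1) throw new Error("no dispatcher loop after " + name);
    const loopOpen = src.indexOf("{", whileIdx);
    const loopClose = matchBrace(src, loopOpen);
    const loop = src.slice(loopOpen, loopClose + 1);
    const swIdx = loop.indexOf("switch (" + name + "[");
    if (swIdx === -1) throw new Error("no switch on " + name);
    const swOpen = loop.indexOf("{", swIdx);
    const cases = parseCases(loop.slice(swOpen + 1, matchBrace(loop, swOpen)));
    const ordered = order.split("|").map(k => {
      if (!(k in cases)) throw new Error("order names missing case " + k);
      return cases[k];
    });
    src = src.slice(0, m.index) + ordered.join("\n") + src.slice(loopClose + 1);
    decl.lastIndex = 0;                 // text changed: rescan from the start
  }
  return src;
}

// Constructed sample in the shape the obfuscator emits (not from the post).
const SAMPLE =
  "var ab = '2|0|1'['split']('|'), i = 0;\n" +
  "while (!![]) {\n" +
  "  switch (ab[i++]) {\n" +
  "    case '0': x = x + 1; continue;\n" +
  "    case '1': console.log('{' + x); continue;\n" +
  "    case '2': var x = 1; continue;\n" +
  "  }\n" +
  "  break;\n" +
  "}\n";

console.log(unflattenSwitch(SAMPLE));
```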
Author Erik Pistelli. Posted on October 6, 2019, updated October 17, 2020. Categories: Video.

VIDEO: SOLVING VM-BASED CHALLENGES USING CERBERO

How to solve VM-based challenges with the help of Cerbero. This is the template code:

from Pro.Core import *
from Pro.UI import *
from Pro.ccast import sbyte
import os, struct

REG_COUNT = 16

def regName(id):
    return "R" + str(id)

def disassemble(code, regs):
    return "instr"

STEP_VIEW_ID = 1
DISASM_VIEW_ID = 2
MEMORY_VIEW_ID = 3
REGISTERS_VIEW_ID = 4
STACK_VIEW_ID = 5

# the dump directory should have files with increasing number as name
# e.g.: 0, 1, 2, etc.
DBGDIR = r"path/to/state/dumps"
BPX = -1

# NOTE: bracketed text (list literals, indexing, dictionary keys) was lost when
# the page was extracted; it is restored here from context, and the user-data
# key names other than "bpxpos" are assumed

# logic to extract the instruction pointer from the dumps
# we use that as text in the Trace table and to go to a break point
def loadStepDescr(ud, steps):
    stepsdescr = []
    bpx_pos = -1
    for step in steps:
        with open(os.path.join(DBGDIR, str(step)), "rb") as f:
            f.seek((REG_COUNT - 1) * 2)
            ip = struct.unpack_from(">H", f.read(2), 0)[0]
            if bpx_pos == -1 and ip == BPX:
                bpx_pos = len(stepsdescr)
            stepsdescr.append("%04X" % (ip,))
    ud["stepsdescr"] = stepsdescr
    if bpx_pos != -1:
        ud["bpxpos"] = bpx_pos

def loadStep(cv, step, ud):
    #with open(os.path.join(DBGDIR, str(step)), "rb") as f:
    #    dump = f.read()
    dump = b"\x00\x01" * REG_COUNT
    regs = struct.unpack_from("<" + ("H" * REG_COUNT), dump, 0)
    ud["regs"] = regs
    # set up regs table
    t = cv.getView(REGISTERS_VIEW_ID)
    labels = NTStringList()
    labels.append("Register")
    labels.append("Value")
    t.setColumnCount(2)
    t.setRowCount(REG_COUNT)
    t.setColumnLabels(labels)
    t.setColumnCWidth(0, 10)
    t.setColumnCWidth(1, 20)
    # set up memory
    h = cv.getView(MEMORY_VIEW_ID)
    curoffs = h.getCurrentOffset()
    cursoroffs = h.getCursorOffset()
    #mem = dump
    mem = b"dummy memory"
    ud["mem"] = mem
    h.setBytes(mem)
    h.setCursorOffset(cursoroffs)
    h.setCurrentOffset(curoffs)
    # set up stack table
    stack = (0x1000, 0x2000, 0x3000)
    ud["sp"] = 0x6000
    ud["stack"] = stack
    t = cv.getView(STACK_VIEW_ID)
    labels = NTStringList()
    labels.append("Stack address")
    labels.append("Value")
    t.setColumnCount(2)
    t.setRowCount(len(stack))
    t.setColumnLabels(labels)
    t.setColumnCWidth(0, 10)
    t.setColumnCWidth(1, 20)
    # set up disasm
    t = cv.getView(DISASM_VIEW_ID)
    disasm = disassemble(mem, regs)
    t.setText(disasm)

def tracerCallback(cv, ud, code, view, data):
    if code == pvnInit:
        # get steps (the dump files are named by step number)
        steps = os.listdir(DBGDIR)
        steps = [int(s) for s in steps]
        steps = sorted(steps)
        ud["steps"] = steps
        loadStepDescr(ud, steps)
        # set up steps
        t = cv.getView(STEP_VIEW_ID)
        labels = NTStringList()
        labels.append("Trace")
        t.setColumnCount(1)
        t.setRowCount(len(steps))
        t.setColumnLabels(labels)
        t.setColumnCWidth(0, 10)
        # go to bpx if any
        if "bpxpos" in ud:
            bpxpos = ud["bpxpos"]
            t.setSelectedRow(bpxpos)
        return 1
    elif code == pvnGetTableRow:
        vid = view.id()
        if vid == STEP_VIEW_ID:
            data.setText(0, str(ud["stepsdescr"][data.row]))
        elif vid == REGISTERS_VIEW_ID:
            data.setText(0, regName(data.row))
            v = ud["regs"][data.row]
            data.setText(1, "%d (0x%X)" % (v, v))
            if data.row >= 13:
                data.setBgColor(0, ProColor_Special)
                data.setBgColor(1, ProColor_Special)
        elif vid == STACK_VIEW_ID:
            spaddr = ud["sp"] + (data.row * 2)
            data.setText(0, "0x%04X" % (spaddr,))
            v = ud["stack"][data.row]
            data.setText(1, "%d (0x%X)" % (v, v))
    elif code == pvnRowSelected:
        vid = view.id()
        if vid == STEP_VIEW_ID:
            loadStep(cv, ud["steps"][data.row], ud)
    return 0

def tracerDlg():
    ctx = proContext()
    v = ctx.createView(ProView.Type_Custom, "Tracer Demo")
    user_data = {}
    # the UI layout string passed to setup() and the dialog creation that
    # followed it were cut off on the page; the line is kept as extracted
    v.setup("dlg.show()

tracerDlg()
Author Erik Pistelli. Posted on October 1, 2019, updated October 17, 2020. Categories: Video.

VIDEO: INTRODUCTION TO HEADERS IN CERBERO

Hopefully a comprehensible introduction to how to use headers in Cerbero Suite.
Author Erik Pistelli. Posted on September 29, 2019. Categories: Video. Tags: Cerbero, Headers.