Discover and read the best of Twitter Threads about #Ghidra

Most recents (8)

🚨Malware Tips 🚨 - Resolving API Hashes Using Conditional Breakpoints.

By adding breakpoints and log conditions to a function that resolves api hashes, it's possible to quickly resolve api hashes in bulk.

Thread
[1/11] 👇

#Malware #AgentTesla #Ghidra #Debugging ImageImageImage
[1.1/11]
Link to original sample: bazaar.abuse.ch/sample/7512be2…

Link to Full Blog: embee-research.ghost.io/agenttesla-ful…
[2/11] You first need to locate a function that resolves api hashes.

An example can be seen here - A giveaway is the same function is repeatedly called with hash-like values. An extra telltale sign is that each return value is cast as code (code *). Image
Read 12 tweets
Have you been interested in #reverseengineering but don't know where to begin or what tools to use? Are you still stuck in OllyDBG? Our researcher @pastaCLS recommends the coolest tools you'll see out there. Plus, our team uses them to defeat protection💙 Image
#Ghidra is useful for static analysis of binaries; it disassembles and decompiles to "C pseudo code." It supports a lot of architecture, has hundreds of plugins from the community and, last but not least, an active community.💪
ghidra-sre.org
@x64dbg is a debugger for Windows x86 and x64, perfect for analyzing the behavior of the program while running and freezing it in specific points to examine a feature.
x64dbg.com
Read 5 tweets
🧵 Everyone’s chatting about 🤖#ChatGPT. Here are 11 things it can do for #malware analysts, #security researchers, and #reverse engineers. A thread >>👇 🧵
1/13
🙋🏻‍♀️ Learn how to use reverse engineering tools more effectively. Use #openAI chat bot to get rapid interactive help on your reversing tools.
2/13
👾 Teach yourself #assembly language. Ask #ChatGPT to convert high-level code into assembly. #arm #intel little endian big endian #nasm #masm. It knows them all.

3/13
Read 13 tweets
🐲 Ghidra Tips 🐲- Malware Encryption and Hashing functions often produce byte sequences that are great for #Yara rules.

Using #Ghidra and a Text Editor - You can quickly develop Yara rules to detect common malware families.
(Demonstrated with #Qakbot)

[1/20]
#Malware #RE
[2/20]
Hashing and encryption functions make good targets for #detection as they are reasonably unique to each malware family and often contain lengthy and specific byte sequences due to the mathematical operations involved.

These characteristics make for good Yara rules 😁
[3/20] The biggest challenge is locating the functions responsible for hashing and encryption. I'll leave that for another thread, but for now...

You can typically recognize hashing/encryption through the use of bitwise operators inside a loop. (xor ^ and shift >> etc).
Read 22 tweets
🐲 Ghidra Tips🐲For Beginner/Intermediate analysts interested in RE.

These tips are aimed at making Ghidra more approachable and usable for beginners and intermediate analysts 😄

[1/9] 🧵

#Malware #RE #Ghidra
2/ The sample I'm using can be found here if you'd like to follow along. It is a cobalt strike DLL often found in Gootloader campaigns.

bazaar.abuse.ch/sample/a2513cc…
3/ Enable "Cursor Text Highlighting". 🖱️

This will automatically highlight areas of interest when using the Ghidra decompiler.

This is useful for quickly identifying where a value has or will be used.
Read 9 tweets
A quick demo of how to identify "real" exported functions from a #obfuscated #IcedID dll file.

I'll also briefly touch on some #Ghidra tips, and how to extract #shellcode using a debugger.

A moderate sized thread😃
[1/13]
[2/13] You can find the relevant files here. Special thanks to @malware_traffic.

First, download the .zip in the screenshot.👇

Then unzip and locate the "rarest.db" file in the "scabs" folder.

(Make sure to do this inside an isolated Virtual Machine)
malware-traffic-analysis.net/2022/09/23/ind…
[3/14] Drag the "rarest.db" file into Pe-Studio and navigate to the exports tab.

There are 11 exported functions here. 🧐

Most of them have junk names to throw off analysis.

One of them is "real", the rest are "decoys" which don't do anything if executed.
Read 14 tweets
Happy Friday! Looking to learn a little more about #ghidra or software RE? Here is a quick thread with some resources that I've put together over the years (1/6) 🐉
First, here is a free four-session that I put together with @hackaday, there are lectures on YouTube, and all of the materials are available on GitHub.

Blog Post: wrongbaud.github.io/posts/ghidra-t…

(2/6)
Setting up a Development Environment:

In this post, we review how to set up Ghidra for development, including eclipse integration and building Ghidra from scratch:

voidstarsec.com/blog//2021/12/…

(3/6)
Read 6 tweets
When I was working in the MSRC and SDL teams, I ran a series of contests. The goals were to encourage learning, foster a team culture around technical excellence, and have some fun. I wanted them to be accessible across program managers, vuln researchers, and engineers.
The first one was to calculate a Fibonacci number in assembly. I chose this because it’s a simple problem to learn more about assembly, which was relevant to vulnerability and exploit analysis. The contest part was to do it in the fewest number of clock cycles.
I wish I had known @BruceDawson0xB then because the most challenging aspect was measuring the winner! It seemed so simple at first. Call RDTSC (Read Timestamp Counter) before and after. Do it a few times in a loop to ensure consistency and done. Hardly.
Read 13 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!