A while ago, I released HInvoke, a project showcasing API hashing for managed functions. The initial release was rather basic and lacked desirable features like support for non-static methods. NixI...
Analysing A Sample Of Arechclient2
In this post, I will be going over my process of analyzing a sample of ArechClient2, including initial analysis, deobfuscation and unpacking of the loader, followed by the analysis of the .NET payl...
Unpacking RedLine Stealer
In this post, we are going to take a look at RedLine Stealer, a well-known .NET based credential stealer. I will focus on unpacking the managed payload and extracting its config, for a more detail...
String Obfuscation The Malware Way
Malware authors like to use string obfuscation to make their code harder to analyze and detect. One obfuscation technique is to insert special characters into a string, and then use some code to re...
Encrypting strings in .NET
Implementing custom string encryption for .NET binaries utilizing an XOR-based cipher and AsmResolver. Encrypting strings is a common practice to slow down static analysis or evade automatic analys...
Unpacking OriginLogger Builder
OriginLogger is a keylogger that shares a lot of similarities with the well-known Agent Tesla malware. Today I will take a look at their builder and unpack it. A lit...
HInvoke and avoiding PInvoke
A very minimalistic approach to calling .NET runtime functions or accessing properties using only hashes as identifiers. It does not leave any strings or import references, since we dynamically reso...
Some thoughts on making a crackme
In the last few weeks, I've been taking a closer look at crackmes, especially beginner-focused ones, and noticed a few things that I think many new developers get wrong. Therefore this is a little ...
Taking a look at AntiDumps
After developing a runtime packer in the last post, I tinkered with anti-dumping techniques using PE header manipulation. In this post I will talk about different approaches and take a look at the ...
Writing a Packer
Taking a detailed look at my .NET executable packer Origami, specifically at the runtime and how it works, and also giving some general overview of packing executables. Basic knowledge of C# and ...