Malware Analysis | DFIR | Reverse Engineer
Writing rootkits is fun and you should do it. The only unfun part is the constant BSODs and the slow kernel debugging to find out why RAX is returning 0 when it shouldn't be. Also here's an obligatory AI-generated image of a "rootkit".
#malware is using #AES encryption but the key that you found just won't work? The key itself might be encrypted and brute-force decrypted during runtime. Look for the key being passed into an additional function with an XOR loop and having a comparison with a hint byte.
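An analyst-side reproduction of the key-decryption stub described in that post, as an added example that is not code from the original post. It assumes a constructed scheme: the AES key is stored XOR-encrypted with one unknown byte, a hint byte describes the decrypted key (either its first byte or a one-byte checksum), and the stub loops over all 256 XOR bytes until the hint matches; all sample data is constructed.

```python
"""Recover a runtime-decrypted AES key offline by repeating the sample's own
XOR brute-force loop.  Assumed, constructed scheme: the stored key is XORed
with one unknown byte and a hint byte is kept to recognise the right guess."""


def xor_with_byte(blob: bytes, key_byte: int) -> bytes:
    """The XOR loop body: every byte of the blob XORed with one key byte."""
    return bytes(b ^ key_byte for b in blob)


def hint_matches(candidate: bytes, hint: int, hint_kind: str) -> bool:
    """Two hint comparisons seen in such stubs: the first decrypted byte, or a
    one-byte checksum (sum of all decrypted bytes, truncated to 8 bits)."""
    if hint_kind == "first_byte":
        return candidate[0] == hint
    if hint_kind == "checksum":
        return (sum(candidate) & 0xFF) == hint
    raise ValueError(f"unknown hint kind: {hint_kind}")


def recover_key(enc_key: bytes, hint: int, hint_kind: str = "first_byte"):
    """Brute-force the XOR byte exactly as the stub does.  Returns every
    (xor_byte, candidate_key) pair that satisfies the hint: a first-byte hint
    yields exactly one candidate, a checksum hint can yield several, so the
    analyst validates each against known ciphertext instead of trusting the
    first hit."""
    return [(k, xor_with_byte(enc_key, k))
            for k in range(256)
            if hint_matches(xor_with_byte(enc_key, k), hint, hint_kind)]


# Constructed sample data: a 16-byte AES-128 key hidden behind XOR byte 0x5A.
REAL_KEY = b"0123456789abcdef"
ENCRYPTED_KEY = xor_with_byte(REAL_KEY, 0x5A)
FIRST_BYTE_HINT = REAL_KEY[0]          # 0x30, as the sample would store it
CHECKSUM_HINT = sum(REAL_KEY) & 0xFF   # 0x62, checksum-style hint

if __name__ == "__main__":
    for kind, hint in (("first_byte", FIRST_BYTE_HINT),
                       ("checksum", CHECKSUM_HINT)):
        for xor_byte, cand in recover_key(ENCRYPTED_KEY, hint, kind):
            print(f"{kind:10s} xor=0x{xor_byte:02x} key={cand!r}")
```

With a first-byte hint the loop can only stop on one XOR byte, which is why the "wrong" key pulled straight from the binary never decrypts anything until this stub has run.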
Analyzing a piece of #malware that's executing shellcode but not calling something like CreateRemoteThread? It could be using one of the many APIs available that can execute shellcode via a callback such as EnumCalendarInfoA(). Keep an eye out for the ptr being included as an arg.
To fellow reverse engineers, if you aren't following OALabs in any form, you're missing out on fantastic technical knowledge, guidance, and tools for the world of #reverseengineering and #malwareanalysis.
Wrote my first static #malware unpacker in python today. I've written many config extractors but writing automated unpackers always hurt my head. But today I can check that off my early RE career goals.

Microsoft has stated the embedded Python won't run locally. Instead it will be executed on Azure containers, so it won't have access to a potential victim's local files or systems. So maybe we won't see embedded Python solely being used to download and execute payloads. However, I think this will lead to very interesting additional obfuscation layers. At least until someone figures out an exploit to let the Python run locally.

https://www.bleepingcomputer.com/news/microsoft/microsoft-excel-to-let-you-run-python-scripts-as-formulas/

Microsoft Excel to let you run Python scripts as formulas

Microsoft is adding the Python programming language to Microsoft Excel, allowing users to create powerful functions for analyzing and manipulating data.
So I was trying to figure out for like an hour why my implant was serving a STATUS_ACCESS_DENIED error. It turns out I forgot to include GENERIC_WRITE in my CreateFile()...
AI editing is pretty wild. I don't even own sunglasses.

Here's my final project for the Sektor7's Maldev Intermediate Course. It's a 3-stage attack that uses sRDI to inject into VeraCrypt and hooks WideCharToMultiByte() to sniff passwords for encrypted containers.

#malware #infosec #redteam #proofofconcept #hooking #hacking #srdi #injection

https://github.com/Krkn-Sec/VeraCrypt-Sniff

GitHub - Krkn-Sec/VeraCrypt-Sniff: PoC project for hooking practice to sniff VeraCrypt passwords.

Shoutout to @hackNpatch who hooked me up with an old #quasar decryptor. I was able to modify it to also work for the newest version.

https://github.com/Krkn-Sec/QuasarRAT-Decryptor

GitHub - Krkn-Sec/QuasarRAT-Decryptor: Decrypts the version and C2 servers from QuasarRAT versions 1.3.0 and 1.4.0