Writing rootkits is fun and you should do it. The only unfun part is the constant BSODs and the slow kernel debugging to find out why RAX is returning 0 when it shouldn't be. Also here's an obligatory AI generated image of a "rootkit"
KrknSec
- 35 Followers
- 37 Following
- 56 Posts
Malware Analysis | DFIR | Reverse Engineer
Analyzing a piece of #malware that's executing shellcode but not calling something like CreateRemoteThread? It could be using one of the many APIs available that can execute shellcode via a callback such as EnumCalendarInfoA(). Keep an eye out for the ptr being included as an arg
@hackNpatch Same. Emulation always hurt my head but they've been able to explain it very well. Specifically, how to use Unicorn.
To fellow reverse engineers, if you aren't following OALabs in any form, you're missing out on fantastic technical knowledge, guidance, and tools for the world of #reverseengineering and #malwareanalysis.
Wrote my first static #malware unpacker in python today. I've written many config extractors but writing automated unpackers always hurt my head. But today I can check that off my early RE career goals.
Microsoft has stated the embedded Python won't run locally. Instead it will be executed on Azure containers so it won't have access to a potential victim's local files or systems. So maybe we won't see embedded Python solely being used to download and execute payloads. However, I think this will lead to very interesting additional obfuscation layers. At least until someone figures out an exploit to let the Python run local.
So I was trying to figure out for like an hour why my implant was serving a STATUS_ACCESS_DENIED error. It turns out I forgot to include GENERIC_WRITE in my CreateFile()...
@graham does it give you the ability for an easy migration from OneNote? I'd rather not have to copy-paste all my notebooks manually 😂