A random hacker. Likes minimalism.
Ghidralib development continues: py3 support, binary/asm patching, and symbolic propagation: https://github.com/msm-code/ghidralib. I also write docs for people who want to try it. Newest chapter: emulation https://msm-code.github.io/ghidralib/emulator/
#ghidra #reverseengineering
GitHub - msm-code/ghidralib: A Pythonic Ghidra standard library

A Pythonic Ghidra standard library. Contribute to msm-code/ghidralib development by creating an account on GitHub.

GitHub

Actually, since the release a week ago, we already got a few new useful features, including:

* Even easier function emulation (`Function("Foo").emulate(1, 2, 3)` will correctly pass the parameters, emulate the call and return the result)
* Built-in patching, assembly, disassembly and searching for byte patterns
* And a parlor trick: instruction/function/things highlighting. `for i in Instruction.all(): if i.mnemonic == "CALL": i.highlight()`

Sorry for the delay, but I'd like to share one of my recent updates:

Recently I open-sourced ghidralib - a library that makes #Ghidra scripts drastically shorter and easier to write. I've been using it daily for #reverseengineering and decided it's time to share. The source code is here: https://github.com/msm-code/ghidralib, and the docs are https://msm-code.github.io/ghidralib/

Another blag post about .NET malware (XWorm this time) if that's something you like: https://cert.pl/en/posts/2023/10/deworming-the-xworm/.

It's not a terribly interesting malware family (yet another .NET stealer), but I think reversing it is a good example of unpacking .NET malware automatically and then automating the process. Pretty useful if you want to batch analyse thousands+ samples/day 🙃.

Malware stories: Deworming the XWorm

XWorm is a multi-purpose malware family, commonly used as a RAT. This post contains a detailed analysis and a walk-through of the reverse-engineering process.

Remember that the default account is *shared* and other users see your jobs. Consider registering a throwaway account (fake email ok).

Oh, and I'm posting this on mastodon before birdsite to ~~manage the load~~ help the fediverse.

It can YARA-scan 22MM files in a minute (and sometimes more and sometimes it doesn't work at all). At least when used by 1 person. Running `yara -r` on the same data is like 10 hours. You can use https://github.com/Neo23x0/signature-base/tree/master/yara for tests.

Ok, I keep finding things to improve and shaving that yak. I should probably just go ahead and publish this, or this will take forever.

So officially, I've indexed the whole vxunderground VirusShare collection and created a public service to search all that data: https://mquery.net. If malware is your thing, check it out.

...hello? Is this thing on? Let's try it.

I'm indexing the whole vxunderground malware collection, and I'm planning to set up a public and free mquery instance with all the data for everyone to query. Current status: all small (<=1MB) files indexed, compacting the database, and then I'll index medium (1<x<4MB) files. ETA for public release is early January.