As mentioned in my last blogpost, I had the pleasure to participate in this years DFRWS USA and present our paper. The paper and presentation can be freely viewed and downloaded here or here. Note that there is also an extended version of the paper, which can be downloaded here.

The keepassx, zsh and heap analysis plugins are now also part of the Rekall release candidate 1.7.0RC1, so it’s easier to get started.

The conference had some great talks and workshops, which I’m going to briefly sum up.
Continue reading “DFRWS USA 2017”

Continue reading

Release of Glibc Heap Analysis Plugins for Rekall

I’m happy to announce the release of several Glibc heap analysis plugins (for Linux), resp. plugins to gather information from keepassx and zsh, which are now included in the Rekall Memory Forensic Framework. This blogpost will demonstrate these plugins and explain how they can be used. More detailed information, including real world scenarios, will be released after the talk at this years DFRWS USA.

Continue reading “Release of Glibc Heap Analysis Plugins for Rekall”

Continue reading

A short Addendum on the Mirai Botnet Blog Post

While doing heap research on Linux processes (results are going to be published soon), I came across the bot from the Mirai Botnet. As already mentioned in the blog post by Brian, the Mirai bot uses obfuscated configuration data which contains e.g. the CnC server. When now confronted only with a bot (e.g. in the context of a running task or the ELF binary), but without the according source code, the decryption of this configuration data for e.g. incident analysis purposes might not be easily possible (with the python script from the blog post), if the key has been changed.
But in this case that is not a problem at all, because Continue reading “A short Addendum on the Mirai Botnet Blog Post”

Continue reading

Investigating Memory Analysis Tools – SSDT Hooking via Pointer Replacement

In this blogpost we will briefly explain a well known Syscall hooking technique (a more detailed explanation can be gathered from e.g. used by multiple malware samples (like the laqma trojan) and right after discuss how some memory analysis tools have trouble in the analysis and/or reporting of these.
Continue reading “Investigating Memory Analysis Tools – SSDT Hooking via Pointer Replacement”

Continue reading

tsakwaf 0.9.1 released

A few weeks ago, I released version 0.9 of a web application testing tool called tsakwaf (The Swiss Army Knife for Web Application Firewalls) together with an ERNW Newsletter about web application firewalls. tsakwaf is based on perl and supports fingerprinting of some supported WAFs and code generation methods to circumvent filter rules. Today, version 0.9.1 will be released, which adds SSL support for the WAF fingerprinting function (Big thanks to Simon Rich!) and a bug fix regarding the detection of WAF reactions which may lead to false positives. Additionally, I’m happy to announce that at least one talk at next year’s Troopers will cover attacks against WAFs (like this one from the 2009 edition) . So mark your calendar – Troopers12 will happen on 21st and 22nd March 2012, with the usual workshops before the conference and the round table sessions the day after – and enjoy playing with tsakwaf!

Download here.



Continue reading