Posts

Showing posts from January, 2022

Building my own write blocker

  Spoiler — It’s cheaper than buying one. I was looking to buy a write blocker to do data recovery/forensics tasks, but I quickly noticed that I was window shopping write blockers due to their cost. Some start at £300; others that cost less were no longer being built or sold, though maybe you could find a 2nd-hand one with or without the wires. Most of these write blockers were industry standard, used by law enforcement, but was it necessary for me to buy such an expensive write blocker… or is it possible to build my own? So the research began, reading through articles, publications, and so on, and with the information gained, I felt that I could build my own write blocker. So what do I need: a Raspberry Pi; a Linux distro; an HDD/SSD to test the write blocker; and to put the information I gained into practice. Building the write blocker: So, I bought a Raspberry Pi 4 Model B that came with a power supply, HDMI cables, 32GB SD card, a case, and some extras. ( https://www.okdo.com/c/pi-...

Malware Analysis of a Cryptocurrency Miner — Part 5

  Debugging. In this write-up, I want to bypass some checks our binary does. I’ll be using x32dbg… Well… let’s just dive straight in. Debugging a bitcoin miner: From the previous analysis, we know we need to concentrate on bypassing the following 2 conditions. So let’s load the binary into x32dbg and set 2 breakpoints, one at each condition, but I will skip the first condition by filling the condition with NOPs. This way, we can bypass the size check. Just before the call to “strstr”, we can see “haystack” and “needle” being passed in, which is something I covered in the last write-up. As I tried to continue to see what would happen (before changing the passed arguments), I received an “exception_access_violation” — After a bit of researching and going through each instruction step by step, I found the instruction causing the issue: test ecx,3 — and the problem was that ecx held no value, which looks to have caused the violation. This will be due to the Malware gettin...

Malware Analysis of a Cryptocurrency Miner — Part 4

  More static code analysis. In this write-up I wanted to concentrate on some of the activities we saw the Malware perform in our dynamic analysis, the first being the HTTP calls to certain websites and why it was in a loop. .RU: So, it was not too hard to find the location of the call being made. By checking the strings tab in IDA and finding it in the .data section, we can do an XREF (cross-reference) to find where it’s used, and it takes us to: The “sub_40DAE0” function takes 3 parameters; just before it we see 3 push instructions. ESI holds the stafftest.ru string, and then we see previously declared pointer variables being set. Note: I won’t be delving into the subroutines you see because that will be time-consuming. Further down, we can see InternetOpenA being called and, on success: Thanks to IDA, we can see the following string “http://%s/test.html?%d”, and from our dynamic analysis, we know that it will replace %s with a new host and %d will keep incrementing IF a certain con...

Malware Analysis of a Cryptocurrency Miner — Part 3

  Static code analysis. In this write-up, we’ll load the binary file into IDA (free version) to disassemble it and do a static code analysis. And where to begin then… Start: Ok, I’ve loaded the binary file into IDA. So we can see it calls a subroutine (aka function) sub_401000: ; Input SHA256 : 807126CBAE47C03C99590D081B82D5761E0B9C57A92736FC8516CF41BC564A7D ; Input MD5 : ABA2D86ED17F587EB6D57E6C75F64F05 ; Input CRC32 : 7944603F ; Format : Portable executable for 80386 (PE) ; Imagebase : 400000 ; Timestamp : 56B664A6 (Sat Feb 06 21:24:54 2016) ; Section 1. (virtual address 00001000) ; Virtual size : 000137D0 ( 79824.) ; Section size in file : 00013800 ( 79872.) ; Offset to raw data for section: 00000400 ; Flags 60500060: Text Data Executable Readable ; Alignment : 16 bytes .text:00401000 sub_401000 proc near .text:00401000 .text:00401000 lpTopLevelExceptionFilter= dword ptr -3Ch .text:00401000 var_38= dword ptr -38h .text:00401000 var_34= dword ptr -34h .text:00401000 var_30= dword ptr...

Malware Analysis of a Cryptocurrency Miner — Part 2

  Dynamic analysis. So in the last write-up, I did a static analysis of a “Bitcoin miner”, so the next step in our analysis process is to do dynamic analysis. In the dynamic analysis, we’ll execute the malware within a safe environment and monitor its process, file system, registry, and network activity. Environment setup: It goes without saying, but we’ll need to ensure we have a safe environment set up before we execute the malware and have all the monitoring tools ready before execution. I’m using Oracle VirtualBox and I’ve set up 2 VMs in host-only mode. A Linux VM running Ubuntu 20.10 with a static IP of 192.168.1.100 assigned. The Linux VM will have Wireshark listening on the “enp03s” interface and INetSim running to simulate internet services. A Windows 10 VM with a static IP of 192.168.1.50 assigned. The Windows VM will have Process Hacker and Noriben with Procmon running before I execute the malware. We could also run more tools (like Regshot), but for now, I just w...