
Patch Tuesday Diffing: CVE-2024-20696 - Windows Libarchive RCE

TL;DR This post will teach you how to patch diff CVE-2024-20696 (and indirectly CVE-2024-20697) from the January 2024 Patch Tuesday. This security patch was interesting as it wasn’t fixing native Microsoft software per se, rather patching an open-source library libarchive used by Windows to support compression and decompression functionality. Patch diffing is a powerful technique for unde...

Ghidriff: Ghidra Binary Diffing Engine

TL;DR As seen in most security blog posts today, binary diffing tools are essential for reverse engineering, vulnerability research, and malware analysis. Patch diffing is a technique widely used to identify changes across versions of binaries as related to security patches. By diffing two binaries, a security researcher can dig deeper into the latest CVEs and patched vulnerabilities to underst...

Decompilation Debugging

TL;DR - Debugging an application can provide the insight to understanding strange runtime application behaviour or help troubleshoot a subtle bug in your software. Normally, when debugging, you have source code and data type information (aka symbols) to help navigate your application. In the world of Reverse Engineering closed source applications, you won’t have the needed information to debu...

Desuperpacking Meta Superpacked APKs

TL;DR Superpacking is a method of optimal binary compression developed by Meta to help reduce the size of their Android APKs. This compression for APKs makes sense for reducing network traffic required for distribution, but becomes an issue when trying to recover the original native ARM binaries for analysis. This post walks through the process of "desuperpacking" (decompressing) Meta Superpack...

Callgraphs with Ghidra, Pyhidra, and Jpype

TLDR; This post will teach you how to leverage Ghidra’s FlatProgramAPI and Python 3 to generate function call graphs. Ghidra scripting with Python 3, powered by Pyhidra (via Jpype), provides robust access to Ghidra’s SRE toolset for binary analysis. To follow along, clone the repo at ghidra-pyhidra-callgraphs. Ghidra, Pyhidra (via Jpype), and Callgraphs Oh My! Ghidra continues to impress me w...

Ghidra Python Paleontology

TL;DR - This post will walk through the process of creating a Headless Ghidra Python VScode template. This is not recommended as the official language for Ghidra is Java and the supported IDE is Eclipse, but we will give it a go. The process involved "digging up" the Ghidra Python Scripting landscape and understanding what was possible. The lessons learned are captured in the VScode template ghi...

Introducing CVE North Stars

TL;DR - CVE North Stars is a tutorial that introduces a method to kickstart vulnerability research by treating CVEs as North Stars in vulnerability discovery and comprehension. Background This post introduces CVE North Stars, a tutorial I started writing back in 2020 (v1.0.0) when attempting to learn methods of vulnerability research. At the time, I observed several examples of others usi...

From NtObjectManager to PetitPotam

TL;DR - Windows RPC enumeration, discovery, and auditing via NtObjectManager. We will audit the vulnerable RPC interfaces that lead to PetitPotam, discover how they have changed over the past year, and overcome some common RPC auditing pitfalls. I was inspired by From RpcView to PetitPotam from @itm4n, an excellent post that taught me how to use RpcView to discover the RPC interfaces and in pa...

A Survey of Windows RPC Discovery Tools

TL;DR A survey of Windows Remote Procedure Call discovery tools and an attempt to understand how open source tools discover RPC servers, interfaces, and procedures. Windows RPC has been a black box for me for some time. This post is an attempt to leverage analysis of open source RPC tools to pry open that box. I started by reading MSDN, getting bored and then bouncing between several detailed ...

Mining Google Chrome CVE data

TL;DR - The Google Chrome Releases blog provides CVE data one liners containing all the information needed to create a rich CVE data source. Google Chrome CVEs are plentiful and provide information for understanding Google Chrome security trends. Using the information available, I was able to create an enriched CVE data source to enhance the CVE Markdown Charts Github project. CVE Data Sou...

Introducing CVE Markdown Charts - Part 1

TL;DR - CVE Markdown Charts - Your InfoSec reports will now write themselves… After writing several InfoSec reports and researching CVEs, I discovered a means to create dynamic charts that help readers and myself understand various CVE relationships and their implications. Say hello to CVE Markdown Charts, or at least its first iteration (v0.1.0). CVE, as in Common Vulnerabilities and Expo...