diff --git a/_posts/2024-01-10-re-pdfixers-writeup.md b/_posts/2024-01-10-re-pdfixers-writeup.md index c571996..8ffeea5 100644 --- a/_posts/2024-01-10-re-pdfixers-writeup.md +++ b/_posts/2024-01-10-re-pdfixers-writeup.md 
@@ -1,25 +1,25 @@ --- layout: post -title: "[RE] Reversing PDFixers writeup" +title: "[RE] Reversing PDFixers.exe writeup" categories: hacking writeup re js dotnet --- ## Introduction -I encountered PDFixers.exe because of some alerts from the IPS system tripping off because a user downloaded and ran this file. Checking on VirusTotal, the file appeared safe: non of the antivirus vendors marked it possitive, even the almighty Bkav Pro. Out of curiosity, I decided to take a look at it. And it surely was a fun journey. +I came across this file named PDFixers.exe because of some alerts from the IPS system tripping off since a user downloaded and ran this file. Upon doing a VirusTotal check, the file appeared safe: non of the antivirus vendors marked it possitive, even the almighty Bkav Pro. Out of curiosity, I decided to take a look at it. And it surely was a fun journey. ![virustotal](/assets/images/pdfixers/virustotal.png) ![bkav](/assets/images/pdfixers/bkav.png) ## From .NET binary -After a quick check, the file turned out to be a .NET binary file. Let's use [ILSpy](https://github.com/icsharpcode/ILSpy) to take a look at its source code. Although I like ILSpy as a tool, I prefer using my editor to browse the code. So I exported the disassembled code into a folder. +After a quick check, the file turned out to be a .NET binary file. So I used [ILSpy](https://github.com/icsharpcode/ILSpy) to take a look at its source code. Although I like ILSpy as a tool, I prefer using my editor to browse the code. So I exported the disassembled code into a folder. ![structure](/assets/images/pdfixers/code_structure.png) -Right off the bat, the source code is really small, the big thing that made up the 8.3MB binary is a resource file that contains a zip file of SumatraPDF (my favorite PDF reader btw). After checking the SumatraPDF.exe file, the file was safe and its hash matches the one downloaded from the official website. 
+Right off the bat, the source code was really small, the big thing that made up the 8.3MB binary was a resource file that contained a zip file of SumatraPDF (my favorite PDF reader btw). After checking the SumatraPDF.exe file, the file was safe and its hash matches the one downloaded from the official website. ![code](/assets/images/pdfixers/code.png) -I also see some suspicious functions here. The thing is, these functions have no references in the whole source code. So the binary is safe right? Not quite! +I also saw some suspicious functions here. The thing is, these functions had no references in the whole source code. So the binary must be safe right? Not quite! ```cs [DesignerGenerated] diff --git a/_posts/2024-01-11-re-fbnetflr-writeup.md b/_posts/2024-01-11-re-fbnetflr-writeup.md new file mode 100644 index 0000000..c3ff26d --- /dev/null +++ b/_posts/2024-01-11-re-fbnetflr-writeup.md @@ -0,0 +1,14 @@ +--- +layout: post +title: "[RE] Reversing FBNetFlt.sys writeup" +categories: hacking writeup re windows driver lenovo +--- + +## Introduction +FBNetFlt.sys is a kernel module part of the Lenovo Vanatage software. I don't know exactly what it does, but as the name suggests, it probably is a net filer. Recently it also caused a BSOD so I decided to take a look at it to see what's inside this driver. + +## Initial research +A quick search on Google to make sure that this haven't been done by anybody. + +## WFP basics +TBD diff --git a/_posts/2024-02-28-software-dts-toolbox.md b/_posts/2024-02-28-software-dts-toolbox.md new file mode 100644 index 0000000..ddf7f74 --- /dev/null +++ b/_posts/2024-02-28-software-dts-toolbox.md 
@@ -0,0 +1,42 @@ +--- +layout: post +title: "[Software] I wrote a small utility tool for automating boring SOC work" +categories: python soc software automation +--- + +## Introduction +SOC work is not always boring, but it involves lots of repetitive tasks. Looking at the logs, lookup IPs, hashes, URLs are things that we can do better. For that reason I spent some time to write a [small tool](https://github.com/l4rzy/toolbox) to automate those tasks. + +My idea was to write a tool that automatically looks up for patterns in my clipboard. If the pattern is known, it does the job for me. No more switching tabs or waiting for virustotal to load. + +This post is to share the troubles I had when developing it, as well as to introduce the tool. + +![toolbox](/assets/images/dtstoolbox/s1.png) + +## Connect to the internet +Almost all big corporate network uses some kind of proxy to inspect inbound and outbound network traffics of their employees. This acts as a layer of protection for antivirus/content analysis and url/ip filtering. One problem with it is it isn't always easy to connect to the internet for apps that are not proxy-aware. + +Furthermore, they usually have authentication on the proxy. This authentication is in most case against Active Directory. I don't know exactly how proxy-aware apps authenticate with the proxy but NTLM and Kerberos surely require extra steps. So I decided to choose Basic Authentication. + +Another problem remains, corporate's CA is not always working well with openssl. Since I am using Python, both `http.client` and `requests` use openssl bundled with Python. To overcome this, I decided to use pycurl, which is based on libcurl. Libcurl on Windows use SCHANNEL by default, so it makes everything easier. + +## Non-block UI +Since Tkinter doesn't have native support for asyncio, I achieved a non-block UI by using python theads and shared memory. 
When the program needs to connect to the internet, it spawns a thread with a pointer to the main UI as a parameter. When the network task is done, it calls back to the UI to render the result. + +## DNS problem +Another small problem is with the DNS lookup functionality. System DNS via `socket.gethostbyname` takes too long to resolve a non-existing domain/address. Somehow the timeout did not work at all, so for non-exsiting domain/ip, it took so long to wait for the result from socket. I then tried dnspython, which was a fantasic library but unfortunately had problem with DNS authentication. + +I reluctantly switched back to `socket` and tried to find a way to cancel the thread when timeout. But then I found one trick of Tkinter, which was `after` function. So I solve the probem without using any extra thread. It will return None when timed out, the `socket` thread is still running, but the result of it will be discard. + +## OCR +Another thing I noticed was team collaboration on call. Threat hunting on Teams calls involves copy and paste, or inspect IPs, URLs on the sharing screen. For that reason I added OCR functionality with tesseract library. Now when somebody's sharing something, I can just screenshot and paste to my toolbox. + +![ocr](/assets/images/dtstoolbox/ocr.png) + +And analyze the content too + +![ocr2](/assets/images/dtstoolbox/analyze.png) + + +## Conclusion +It was a fun journey. It's been quite some time since the last time I wrote something not trivial. Although my software is not perfect, I'm working on it in my free time to improve it even more. \ No newline at end of file diff --git a/assets/images/dtstoolbox/analyze.png b/assets/images/dtstoolbox/analyze.png new file mode 100644 index 0000000..21b42f2 Binary files /dev/null and b/assets/images/dtstoolbox/analyze.png differ 
diff --git a/assets/images/dtstoolbox/ocr.png b/assets/images/dtstoolbox/ocr.png new file mode 100644 index 0000000..c33ecf2 Binary files /dev/null and b/assets/images/dtstoolbox/ocr.png differ diff --git a/assets/images/dtstoolbox/s1.png b/assets/images/dtstoolbox/s1.png new file mode 100644 index 0000000..d9bc85e Binary files /dev/null and b/assets/images/dtstoolbox/s1.png differ
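Review bot: the rewritten introduction in `_posts/2024-01-10-re-pdfixers-writeup.md` keeps the spelling errors of the old text; the new line still reads "non of the antivirus vendors marked it possitive" where it should read "none of the antivirus vendors marked it positive", so fix both while this hunk is already reworking that sentence. The same hunk shifts the rest of the intro to past tense but leaves "the file was safe and its hash matches the one downloaded" mixed; "matched" would settle it. The title now says "PDFixers.exe" while the body still calls it PDFixers in places; pick one form.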
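Review bot: the new file `_posts/2024-01-11-re-fbnetflr-writeup.md` lands in `_posts`, so it will be rendered, yet its "## WFP basics" section contains only "TBD" and "## Initial research" is a single unfinished sentence ("A quick search on Google to make sure that this haven't been done by anybody."); either keep it as a draft or fill those sections before merging. The filename says fbnetflr while the title and body say FBNetFlt.sys, so one of them is a typo. Also "Vanatage" should read "Vantage", "net filer" should read "net filter", and "this haven't been done" should read "this hasn't been done".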
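Review bot: in `_posts/2024-02-28-software-dts-toolbox.md` the "Connect to the internet" section settles on Basic Authentication against an Active Directory-backed proxy without stating the trade-off: Basic puts the user's directory password, only base64-encoded, into every proxied request, so it is only as protected as the link to the proxy, and the post should say how the tool stores that credential. In the "DNS problem" section, "the result of it will be discard" should read "discarded", and since the text itself says the `socket` thread is still running after the `after` timeout, it is worth stating that each timed-out lookup leaves a thread alive until the resolver returns. Spelling and grammar in the added lines: "python theads" should read "threads", "non-exsiting" should read "non-existing", "fantasic" should read "fantastic", "I solve the probem" should read "solved the problem", "Non-block UI" should read "Non-blocking UI", "network traffics" should read "network traffic", and "Almost all big corporate network uses" should read "networks use". The file is also missing its trailing newline.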