~/posts
Analyzing a Payload: Sandbox Evasion, EDR Hook Bypassing, and API Recovery
This analysis covers the unpacking and analysis of a malware payload that uses file padding to evade sandboxes, self-modifying code, and trampoline-based EDR hook bypassing. We also detail the process of dumping the final shellcode and automating the recovery of its API references in IDA Pro.
How to Convert EXEs to DLLs: PE Internals and Practical Steps
EXEs and DLLs share the PE format. By setting the DLL flag, redirecting the entry point to a DllMain stub, and adding an export directory inside a code cave, an EXE can be converted into a working DLL.
Low-Level Interception: A Guide to Windows NT API Hooking
Hooking the NT API allows for low-level monitoring of system calls. By injecting a custom DLL and using 14-byte absolute jumps with trampolines, we can intercept calls like NtCreateFile without breaking the original functionality.
calc (pwnable.tw)
The calc binary validates input length but mishandles expressions that start with an operator. By corrupting pool->cnt, we gain out-of-bounds writes on the stack and overwrite the saved return address with a ROP chain.
ACS 2024: A Silver Journey in Ha Long with KMA.Qrange
KMA.Qrange placed 2nd at ACS 2024 in Ha Long, winning $10,000. This post details our RE challenge solutions from the Qualifier and the Finals.