JD-GUI for decompiling .jar files

Simply follow:

[Blog links to another blog :D]

Leave a comment

Posted by on September 2, 2017 in Uncategorized


Basic Static Malware Analysis

I am taking Conficker executable as malware sample to do all the following steps:

1. Generate the hash and match with virus-total


C:\>md5deep c:\WINDOWS\system32\sol.exe

2. Search for strings

download the tool from:

cd to the place it is installed

strings <path of malware file to be searched>


3. Check if obfuscated

Packed programs are subset of obfuscated programs. When packed programs are run usually a wrapper runs along with it. Wrapper program unpacks the malicious program. PEiD is used to check which compiler or packer is used.

Download from:

If packer turns out to be UPX-0.89.6-1.02 <etc. etc.>

Download UPX: to unpack the exe

Now, one of the very important concepts to know if as following:

4. Exploring Dynamically Linked Functions with Dependency WalkerPortable Executable File Format

“The Portable Executable (PE) file format is used by Windows execut-
ables, object code, and DLLs. The PE file format is a data structure that
contains the information necessary for the Windows OS loader to manage
the wrapped executable code.

Several Microsoft Windows functions allow programmers to import
linked functions not listed in a program’s file header. Of these, the two most
commonly used are LoadLibrary and GetProcAddress . LdrGetProcAddress and
LdrLoadDll are also used. LoadLibrary and GetProcAddress allow a program to
access any function in any library on the system, which means that when
these functions are used, you can’t tell statically which functions are being
linked to by the suspect program.

The PE file header stores information about every library that will be
loaded and every function that will be used by the program. The libraries
used and functions called are often the most important parts of a program,
and identifying them is particularly important, because it allows us to guess
at what the program does.” (from book Practical _Malware_Anlysis by Michael Sikorski and Andrew Honig)

Sections of a PE File for a Windows Executable

.text  Contains the executable code
.rdata Holds read-only data that is globally accessible within the program
.data Stores global data accessed throughout the program
.idata Sometimes present and stores the import function information; if this section is
not present, the import function information is stored in the .rdata section
.edata Sometimes present and stores the export function information; if this section is not present, the export function information is stored in the .rdata section
.pdata Present only in 64-bit executables and stores exception-handling information
.rsrc Stores resources needed by the executable
.reloc Contains information for relocation of library files

Examining PE Files with PEview

Download from :


1. The first two parts of the PE header—the IMAGE_DOS_HEADER and MS-DOS
Stub Program do not offer much information of particular interest.

2. IMAGE_NT_HEADERS , shows the NT headers. The signature is always the same.

  • IMAGE_FILE_HEADER, Time Date Stamp : tells us when this executable was compiled, which can be very useful in malware analysis and incident response. An old compile time suggests that this is an older attack, and antivirus programs might
    contain signatures for the malware.


  • Note: All Delphi programs use a compile time of June 19, 1992.  So a compile time of June 19, 1992 means you won’t really know when it was compiled. Also, a malware writer can fake the compile time.
  • The IMAGE_OPTIONAL_HEADER section includes
    • The Subsystem description indicates whether this is a console or GUI program.
    • Console programs have the value IMAGE_SUBSYSTEM_WINDOWS_CUI and run inside a command window.
    • GUI programs have the value IMAGE_SUBSYSTEM_WINDOWS_GUI and run within the Windows system. Less common sub-systems such as Native or Xbox also are used.
    • PEView-subsystem-option-header


  • The most interesting information comes from the section headers, which
    are in IMAGE_SECTION_HEADER. They describe each section of a PE file.

    • The compiler generally creates and names the sections of an executable
    • As a result, the sections are usually consistent from executable to executable
      and any deviations may be suspicious.
  • Virtual Size tells us how much space is allocated for a section during the loading process. The Size of Raw Data tells how big the section is on disk. These two values should usually be equal, because data should take up just as much space on the disk as it does in memory. Small differences are normal ( due to alignment in memory and on disk.)
    • The section sizes can be useful in detecting packed executables. For
      example, if the Virtual Size is much larger than the Size of Raw Data, particularly if the .text section is larger in memory than on disk.
  •  Conficker malware findings: (packed malware)
  • In the images instead of .text, .rdata , .data we can just see UPX0, UPX1, UPX2. So for now let us just discuss the possibility of meaning of the differences in virtual space and raw data size
    • eg: The .UPX0 section has a Size of Raw Data value of 0, meaning that it takes up no space on disk, and its Virtual Size value is 7000, which means that space
      will be allocated for the .text segment. This tells us that a packer will unpack
      the executable code to the allocated .text section. PEView-UPX0
    • The .data section may seem suspicious because it has much larger virtual size than raw data size, but this is normal for the .data section in Windows programs. PEView-UPX2
    • if values are almost same it is fine.PEView-UPX1



  • Conficker malware findings: (unpacked malware)
    • Download UPX to unpack the exe

5. Exploring Dynamically Linked Functions with Dependency Walker

If a function is not listed in Appendix A,search for it on MSDN online.


About some common DLLs


The imports from Kernel32.dll tell us that this software can
open and manipulate processes (such as OpenProcess , GetCurrentProcess , and
GetProcessHeap ) and files (such as ReadFile , CreateFile , and WriteFile ).

FindNextFile are particularly interesting ones that
we can use to search through directories.


The function SetWindowsHookEx is commonly used in spyware and is the
most popular way that keyloggers receive keyboard inputs. This function has
some legitimate uses, but if you suspect malware and you see this function,
you are probably looking at keylogging functionality.

The function RegisterHotKey is also interesting. It registers a hotkey (such
as CTRL – SHIFT -P) so that whenever the user presses that hotkey combination,
the application is notified. No matter which application is currently active, a
hotkey will bring the user to this application.


The imports from Advapi32.dll tell us that this program uses the registry,
which in turn tells us that we should search for strings that look like registry
keys. Registry strings look a lot like directories. In this case, we found the
string Software\Microsoft\Windows\CurrentVersion\Run , which is a registry key
(commonly used by malware) that controls which programs are automati-
cally run when Windows starts up.

(dint find string Software\Microsoft\Windows\CurrentVersion\Run in my malware sample)

6. Viewing the Resource Section with Resource Hacker

Resource Hacker tool at to browse the .rsrc


 The .rsrc section includes the resources used by the executable that are not considered part of the executable, such as icons, images, menus, and strings. I could only see a dump of raw byte data as shown in the attachment as shown above may be because a packed version of malware is used here.
(will be continued in next post)
Leave a comment

Posted by on July 9, 2017 in Uncategorized


Install Gnuplot

Basics of  how to install gnuplot and draw a basic graph with


-x and y axis labelled


-giving color to the line

– drawing multi-lined graph


On ubuntu 14.04

1. $ sudo apt-get update

2. $sudo apt-get install gnuplot

3. $sudo apt-get install gnuplot-x11

Run gnuplot


Draw a simple graph. Eg. A .txt file with two columns. First column having x-axis values. Second column having y-axis values.

$ plot ‘<filename.txt>’ with line

Few settings

Few of the following setting can be done to provide title, x-axis and y-axis labelling and to provide legends. once you have typed $gnuplot on your terminal and got a gnu prompt do the following according to your need.

set title “Title goes here” font “,14” textcolor rgbcolor “someColor”
set timefmt “%y/%m/%d”
set xlabel “time”
set ylabel “sales”
set pointsize 1
Now plot the graph. Say the file name is plot.dat. Type the following command.
>plot “plot.dat” using 1:2 with lines
to draw more then one graph in one plot do the following
>plot ‘<path to file1>’ with lines, ‘<path to second file2>’ with lines
That’s about it for now!
Leave a comment

Posted by on April 8, 2017 in Uncategorized


Spoofing DNS packets using raw sockets:

The environment needed to let the code do its job is something which I am going to discuss in the following section. The following steps are just for testing purpose. C code for packet sniffing and spoofing can be found at my github repository or any online site or yeah code it out 🙂 (You have ample online help)

For sniffing and spoofing packets of another system:

Install a virtual box or VMware. Set up two VM on this. I have installed Ubuntu 14.04 on both the VMs.

Run the VMware from host in root mode to allow certain permissions as following:

$ sudo vmware

Let us call our two VMs as Alice and Bob. Here Alice will play the role of server which will sniff all the packets in its network in promiscuous mode and then spoof them. Bob will act as the victim machine.

Go to Alice machine. Change Alice in promiscuous mode by running the following command on terminal

$ sudo ip link set eth0 promisc on

Check if it is in promiscuous mode by typing following command:

1. $netstat -i

Kernel Interface table
eth0 1500 0 3687 0 0 0 2924 0 0 0 BMPRU
lo 65536 0 849 0 0 0 849 0 0 0 LRU

I have italicised and made letter ‘P’ bold in “BMPRU” to show that promiscuous mode is on. So now Alice can see all the traffic travelling through the virtual switch.

Now, just run the packet sniffing and spoofing code on Alice.

$gcc <filename> <actual-IP-searched> <spoofed-IP> or

$gcc <filename> <all[all-the-website-searched]> <spoofed-IP [all-website-search-will-result-in-this-IP]>


Switch to victim machine named Bob. Open a browser and google for some site. Hopefully if the code running at Alice is correct, the search done at Bob wont get you the correct webpage. Instead it will redirect it to a website Alice wants (if the code at Alice works that way.).

In case it takes way to long to load the redirected webpage which Alice’s code is intending to redirect to on Bob machine do following steps to check if the packet spoofing was successful:

1. Open terminal on Bob machine.

2. Type command $dig <the-website-searched>

3. If the I.P address Alice’s code is trying to redirect to is found towards the end of the result of the above command then that means packet spoofing has happened just that the browser is unable to load that particular site.


Leave a comment

Posted by on April 7, 2017 in Uncategorized


After Ubuntu 14.04 Installation

I have been playing around with my system quit a lot and have crashed it several times. Few basic software installations needed after installing ubuntu 14.04. Just a reference list to set your work environment quickly. (I know it is only for very few ‘amigos’. Just a reference list for me in short..)

1) Install VLC (keep the music in background and continue with the rest \m/)

2) Install chrome

Go to official site of chrome -> Downloads -> For Personal Computers -> [Download] For Linux (Debian/Ubuntu/Fedora/openSUSE) -> [check it if you have ubuntu  distribution] 64 bit .deb (For Debian/Ubuntu) -> Accept and Install

3) Install Peda

git clone ~/peda
echo "source ~/peda/" >> ~/.gdbinit

4) Install libc6-dev-i38

sudo apt-get update
sudo apt-get install libc6-dev-i386

5) Install ns2, version 2.34

Follow the steps in the following link and you will be done.

5) Install WireShark

You can simply use the software center to install it.

6) Install ghex

sudo apt-get update
sudo apt-get install ghex

7) Install ubuntu restricted packages for many others functionality for instance, flash-plugin. Please note it might not be legal in many countries (kindly keep a check).

sudo apt-get install ubuntu-restricted-extras

8) Latex

You can again use software center to install it.

Search for “latex” in the search bar. Click on “Texmaker”. Click on “Install”.

Later you might need to install other packages according to the type of document you will be creating in Latex. Anyways google is just a click away in that case.

9) Install your favourite text editor. Let’s install sublime:


sudo add-apt-repository -y ppa:webupd8team/sublime-text-3
sudo apt-get update; sudo apt-get install -y sublime-text-installer

10) Install  gufw firewall. Though ubuntu does not need antivirus. It is nice to keep some firewall and protect your system from attacks.

sudo apt-get install gufw

I will add more to the list as and how needed. For now these will do.

Leave a comment

Posted by on March 21, 2017 in Uncategorized


Buffer overflow: Get a shell!

Initial setup

ASLR : Address Space Layout Randomization

Ubuntu and several other Linux distributions use address space randomization to randomize the starting address of heap and stack. This makes guessing the exact return address difficult; guessing addresses is one of the critical steps of a buffer overflow attack. But as our purpose is to do buffer overflow for learning we will disable this protection layer and work. We can disable address randomization using the following commands:

#sysctl -w kernel.randomize_va_space=0

To check if randomized or not, run the following command as root

# cat /proc/sys/kernel/randomize_va_space

If it says 0, that means ASLR disabled else it is not disabled.

The GCC compiler implements a security mechanism called Stack Guard to prevent buffer
overflows. In the presence of this protection, buffer overflow attacks will fail to work. You can disable this protection when you are compiling a program using the gcc option -fno-stack-

For example, to compile a program example.c with Stack Guard disabled, you can use the
following command:

# gcc -fno-stack-protector -o example example.c

Finally, Ubuntu uses NX protection to mark memory pages on the stack as non-executable.
Binaries must declare whether they require executable stacks or not as part of the ELF header. By default, gcc will mark all binaries as using non-executable stacks. To change this, add the following option to the command line in addition to the StackGuard disabling option above:

# gcc -z execstack -fno-stack-protector -o example example.c

To compile in base 32  flag “-m32 “. Flag “-g” is used for symbol tables while compiling.

# gcc -z execstack -g -m32 -fno-stack-protector -o call_shellcode call_shellcode.c

To change peda flavor to att (usually it is intel)

$nano ~/.gdbinit

after the file gets opened type:

# set att flavor in peda
set disassembly-flavor att



Before you start the attack, you need a shellcode. Shellcode is the code to launch a shell. It has to be loaded into the memory so that we can force the vulnerable program to jump to it. You may use your own shell code. Consider the following program:

#include &lt;stdio.h&gt;
int main( ) {
char *name[2];
name[0] = "/bin/sh";
name[1] = NULL;
execve(name[0], name, NULL);

The shellcode that we use is just the assembly version of the above program. The following
program shows you how to launch a shell by executing a shellcode stored in a buffer.
Please compile and run the following code, and see whether a shell is obtained or not.

/* call_shellcode.c
/*A program that creates a file containing code for launching shell*/
#include &lt;stdlib.h&gt;
#include &lt;stdio.h&gt;
const char code[] =
int main(int argc, char **argv)
char buf[sizeof(code)];
strcpy(buf, code);
((void(*)( ))buf)( );

Compile above program

$gcc -z execstack -g -m32 -fno-stack-protector -o call_shellcode call_shellcode.c

run the above executable and you will get a shell:



Below is a modified version of the shell code. Compile the following program without the
additional flags as:

The program as you will see will infact give you a shell. Explain why this is so? What could be the reason why the following program didn’t require the execstack flag whereas the above one needed it?
/*A program that creates a file containing code for launching shell*/

#include &lt;stdlib.h&gt;
#include &lt;stdio.h&gt;
const char code[] =
int main(int argc, char **argv)
printf("Shellcode Length: %d\n", (int)sizeof(code)-1);
int (*ret)() = (int(*)())code;
return 0;

To compile above code:

# gcc call_shellcode-1.c -o shell -ggdb -m32


In first problem. The code is being copied to buffer. The code section is on stack. Thus to run the code we need to make it executable, execstack is required. Whereas in second problem, the code is in data segment.

  • data segment is usually write only and thus by default it is not executable. To make write only executable one need to use flags like “mprotect”
  • whereas if the data segment is read only it becomes executable and thus flag execstack is not required.

Once you run the code you will get shell code again. Please note if you do not use -m32 it will throw an error (segmentation fault)


Leave a comment

Posted by on March 15, 2017 in Uncategorized


Hello- world assembly

Hello world program in assembly language on a 64 bit x86 machine.

  1. Open a file named hello.asm
  2. Paste the following code
  3. SECTION .data
    msg: db “Hi World”,10
    len: equ $-msgSECTION .text
    global _start
    mov edx,len
    mov ecx,msg
    mov ebx,1
    mov eax,4
    int 0x80
    mov ebx,0
    mov eax,1
    int 0x80
  4. nasm -f elf64 hello.asm
  5. gcc -o hello hello.o -nostartfiles -nostdlib -nodefaultlibs
  6. ./hello


Wish to inject something in this binary?

Lets keep it simple!

I am going to use ghex to read or write on this binary file. System: 64 bit x86 and  OS: Ubuntu 14.04.

$sudo apt-get install ghex

Follow these steps:

1) ghex hello

2) Go to the place where you can find string “hello world”, replace it with “BUSTED”

3) You can add some signature to this file as well lets say string “ABCDEFGDIJK”. Place it in the file as well (may be three places away from “BUSTED”).

4) Remove everything following this signature string from the binary file.

5) $./hello

6) “BUSTED” You should be able to see this as output



Leave a comment

Posted by on January 23, 2017 in Uncategorized