mquire: from injected code to hidden kernel hooks

Recent mquire releases add views for the questions that come up first when triaging a Linux memory dump: injected code, dynamic-linker hijacks, unexpected capabilities, processes under a tracer, and kernel hooks that belong to no module. This post shows each one with real output. [Read More]
Categories: Development  Tags: forensics 

mquire: keeping up with kallsyms on Linux 7.x

Linux 7.0 changed the way kallsyms is stored in the kernel image, and mquire reads that data to rebuild the symbol table from a memory dump. This post describes the three changes I had to make to support it: the new PC-relative symbol offsets, and two smaller problems caused by the section alignment going from eight bytes to four. [Read More]
Categories: Development  Tags: forensics 

Solving SmokeStack, from the third Flare-On Challenge

A tour in the depths of the SmokeStack level of the third Flare On Challenge from FireEye. The article also covers the internals of the virtual machine used by the binary, presenting a simple command line disassembler written in C++. [Read More]
Categories: CTF 

Writeup for the Transformer challenge from VolgaCTF 2016 Quals

This is the writeup for another challenge from the VolgaCTF 2016 Quals; the task consists in analyzing a binary executable that encrypts files and find a way to recover the clear text from an encoded file. The article also includes a working implementation for a compatible encoder and decoder written in C++. [Read More]
Categories: CTF 

Writeup for the Broken challenge from VolgaCTF 2016 Quals

This is a writeup for the Broken challenge from VolgaCTF 2016 Quals. The first part of the article will explain how to remove the anti-debugging protection and restore the opcodes that have been removed. The second part will make use of radare2 to patch the program and repair the logic of the locks used to synchronize the threads. [Read More]
Categories: CTF