mquire: keeping up with kallsyms on Linux 7.x

Linux 7.0 changed the way kallsyms is stored in the kernel image, and mquire reads that data to rebuild the symbol table from a memory dump. This post describes the three changes I had to make to support it: the new PC-relative symbol offsets, and two smaller problems caused by the alignment of the kallsyms sections dropping from eight bytes to four.
Categories: Development  Tags: forensics 
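As an added illustration of the two points in that teaser (this is not mquire's code and not the kernel's), the snippet below contrasts the older base-relative decoding of kallsyms_offsets, as done by kallsyms_sym_address() in kernel/kallsyms.c, with an assumed PC-relative scheme in which each 32-bit entry is relative to its own location in the image, and shows how the start of the array that follows the offsets table moves when the section alignment is 4 instead of 8. The table bytes, the virtual address and the PC-relative layout are constructed for the example; they are not taken from a real kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a little-endian 32-bit value straight from dump bytes. A memory dump is
 * just bytes, so never cast to int32_t* and rely on host endianness/alignment. */
static int32_t read_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Pre-7.0 scheme (kallsyms_sym_address() in kernel/kallsyms.c): every entry is
 * relative to the single kallsyms_relative_base. When the kernel was built with
 * CONFIG_KALLSYMS_ABSOLUTE_PERCPU, a non-negative entry is an absolute address
 * and a negative one is relative to base - 1. */
static uint64_t base_relative_addr(uint64_t relative_base, int32_t off, int absolute_percpu)
{
    if (!absolute_percpu)
        return relative_base + (uint32_t)off;
    if (off >= 0)
        return (uint64_t)off;
    return relative_base - 1 - (uint64_t)(int64_t)off; /* modular, off < 0 */
}

/* Assumed PC-relative scheme (hypothetical layout for this example): entry i
 * sits at table_vaddr + 4*i in the image and its value is relative to that
 * spot, so no separate base symbol is needed to resolve it. */
static uint64_t pc_relative_addr(uint64_t table_vaddr, const uint8_t *table, size_t i)
{
    uint64_t entry_vaddr = table_vaddr + 4 * (uint64_t)i;
    return entry_vaddr + (uint64_t)(int64_t)read_le32(table + 4 * i);
}

/* Where the next kallsyms array begins after an n-entry 32-bit table, given the
 * section alignment. Going from 8 to 4 moves this start by 4 bytes whenever n is
 * odd, which is enough to desynchronise a parser that hard-codes 8. */
static uint64_t next_table_start(uint64_t table_vaddr, size_t n, uint64_t align)
{
    uint64_t end = table_vaddr + 4 * (uint64_t)n;
    return (end + align - 1) & ~(align - 1);
}

/* Constructed three-entry table: +0x100, -4, +0x10 (little-endian int32). */
static const uint8_t SAMPLE_TABLE[12] = {
    0x00, 0x01, 0x00, 0x00,
    0xfc, 0xff, 0xff, 0xff,
    0x10, 0x00, 0x00, 0x00,
};
#define SAMPLE_TABLE_VADDR 0xffffffff82000000ULL /* assumed load address */
#define SAMPLE_ENTRIES 3

int main(void)
{
    for (size_t i = 0; i < SAMPLE_ENTRIES; i++)
        printf("sym[%zu] = 0x%llx\n", i,
               (unsigned long long)pc_relative_addr(SAMPLE_TABLE_VADDR, SAMPLE_TABLE, i));
    printf("next array, 8-byte alignment: 0x%llx\n",
           (unsigned long long)next_table_start(SAMPLE_TABLE_VADDR, SAMPLE_ENTRIES, 8));
    printf("next array, 4-byte alignment: 0x%llx\n",
           (unsigned long long)next_table_start(SAMPLE_TABLE_VADDR, SAMPLE_ENTRIES, 4));
    return 0;
}
```

The practical check when a dump parses badly after a kernel upgrade is the last two lines: if the number of offsets is odd, an 8-byte assumption lands four bytes past the real start of the following array, and every field read from there on is shifted.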

Solving SmokeStack, from the third Flare-On Challenge

A tour through the depths of the SmokeStack level of the third Flare-On Challenge from FireEye. The article also covers the internals of the virtual machine used by the binary and presents a simple command-line disassembler for it, written in C++.
Categories: CTF 

Writeup for the Transformer challenge from VolgaCTF 2016 Quals

This is the writeup for another challenge from the VolgaCTF 2016 Quals; the task consists of analyzing a binary executable that encrypts files and finding a way to recover the plaintext from an encrypted file. The article also includes a working implementation of a compatible encoder and decoder written in C++.
Categories: CTF 

Writeup for the Broken challenge from VolgaCTF 2016 Quals

This is a writeup for the Broken challenge from VolgaCTF 2016 Quals. The first part of the article explains how to remove the anti-debugging protection and restore the opcodes that were stripped from the binary. The second part uses radare2 to patch the program and repair the logic of the locks used to synchronize its threads.
Categories: CTF