Monday 15 December 2008
+ Bypassing Windows hook engines that do not execute the hook handler while the LoaderLock is held: bypass_easyhook.rar
More information:
- http://www.openrce.org/blog/view/1328/Bypassing_windows_hook_engines_which_if_the_LoaderLock_is_held_not_executes_the
- https://www.rootkit.com/blog.php?user=Dreg
+ Bypassing DLL injection methods based on thread injection, or on code injection into any thread other than the main thread (in this case): bypass_dllinj_wbti.rar
More information:
- http://www.openrce.org/blog/view/1329/Bypassing_DLL_injection_method_based_in_thread_injection_or_based_in_code_injection_in_any_thread_diferent_to_main_(in_this_case)
- https://www.rootkit.com/blog.php?user=Dreg
Friday 12 December 2008
+ My reverse engineering of the Auxiliary Windows API Library (x86 and x86_64), Release 1.0 (MIT License). This library is useful for avoiding deadlocks, among other things: AuxLib.zip
More information:
- http://www.openrce.org/blog/view/1326/AuxLib_-_Reverse_engineering_of_Auxiliary_Windows_API_Library_(x86_and_x86_64)
- https://www.rootkit.com/blog.php?user=Dreg
Friday 14 November 2008
+ Recommended reading: APPLYING USER-MODE MEMORY SCANNING ON WINDOWS NT,
Eric Uday Kumar (Anti-Malware Research). http://ericuday.googlepages.com/EricUdayKumar-VB2008.pdf (VIRUS BULLETIN CONFERENCE, OCTOBER 2008).
PS: Eric Uday Kumar references the phook project in the paper :-)
Friday 18 July 2008
+ NetSearch 9 Call For Papers published; the ezine has been reborn with a new staff and a new website: http://www.netsearch-ezine.org/
Monday 9 June 2008
+ phook 1.0.1 released, with SP3 support for ph_ker32.dll and other things.
Monday 19 May 2008
+ French translation (UTF-8) of the phook article, The PEB Hooker, translated by _cb^ of arsouyes (http://arsouyes.org/); available in the papers section.
Wednesday 7 May 2008
+ Published the presentation on phook & BuggyBoss (the engine from Phrack Issue 65, http://www.phrack.org/, and an automatic malware analyser). The presentation was given at ENISE I (I Spanish Security Industry National Encounter); demos and a video have also been published.
Tuesday 29 April 2008
+ Russian translation (UTF-8) of the phook article, The PEB Hooker, published at the CULT OF RUSSIAN UNDERGROUND forum by Izg0y (http://coru.in/); available in the papers section.
Monday 14 April 2008
+ Phrack 65 is out; inside you will find a paper written by Juan Carlos Montes Senra (aka [Shearer]) and me (David Reguera Garcia aka Dreg). I've dropped a copy of the article in the papers section, and I've also uploaded the Spanish translation. The paper describes a method for hooking Windows DLLs using the PEB, among other tools.
Wednesday 27 February 2008
+ English version of the reversing report on the web-mediaplayer spyware published.
Thursday 21 February 2008
+ New advisory and POC "exploit" in advisories / exploits
Advisory: GNU objdump 2.15 [FreeBSD] 2004-05-23 shows:
BFD: BFD 2.15 [FreeBSD] 2004-05-23 internal error, aborting at /usr/src/gnu/usr.bin/binutils/libbfd/../../../../contrib/binutils/bfd/elfcode.h line 188 in bfd_elf32_swap_symbol_in
BFD: Please report this bug.
while analyzing a crafted ELF.
Note: this bug (in my opinion) is irrelevant; the exception is caught by the library's exception handler. I am reporting it because of the message:
BFD: Please report this bug.
Affected Version:
- GNU objdump 2.15 [FreeBSD] 2004-05-23 [TESTED & FOUND]
- Maybe others.
Affected OS:
- FreeBSD 6.3 [TESTED & FOUND]
- FreeBSD 6.2 [TESTED & FOUND]
- Maybe others.
Discovered By : INTECO-CERT, David Reguera Garcia, david.reguera@inteco.es
POC exploit by : INTECO-CERT, David Reguera Garcia, david.reguera@inteco.es
Remote : NO
Execution of code : NO
Privilege escalation : NO
Report: http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/120946
Tuesday 13 February 2008
+ A new section called advisories / exploits has been created, where advisories and/or exploits have been added, e.g. the advisory and exploit for elfdump:
Software : elfdump
Version : 1.12.8.2 2006/01/28 18:40:55
Author : Jake Burkholder <jake@FreeBSD.org>
Remote : NO
Execution of code : NO
Privilege escalation : NO
Discovered by : INTECO-CERT - David Reguera Garcia <david.reguera@inteco.es>
Exploit by : INTECO-CERT - David Reguera Garcia <david.reguera@inteco.es>
Description : When elfdump analyzes an "evil" ELF, the application crashes with
Segmentation fault: 11
Affected OS:
- FreeBSD:
- 5.5 - TESTED AND FOUND
- 6.2 - TESTED AND FOUND
- 6.3 - TESTED AND FOUND
- Maybe others; the elfdump utility first appeared in FreeBSD 5.0
Report: http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/120562
Friday 8 February 2008
+ A dynamic analysis, plus a small amount of reversing of very specific areas, has been done on
a spyware sample that installed itself as web-mediaplayer. The spyware in question hid the files
it created, hid its process, etc. The report can be found in the reversing section, together
with the tools. The malware study, the report and the tools were made at INTECO-CERT
(http://cert.inteco.es). The English version of the report is in progress.
Wednesday 23 January 2008
+ The whole enyelkm blog has been translated by delcoyote.
+ Links fixed at the projects section in the english version of the web.
Sunday 20 January 2008
+ The whole website has been translated into English by delcoyote, many thanks. And many
thanks again for translating the BZub.CX trojan analysis into English.
Wednesday 5 December 2007
+ The site has been restructured, merging the ppt and demo sections into one: .ppt
Tuesday 4 December 2007
+ A new section called reversing has been created, where reverse engineering reports
have been added, e.g. the analysis of the BZub.CX trojan. Some add-ons have been attached to
the file: tools to decipher the web pages where phishing is performed (stored in the registry),
etc. The trojan has been analyzed: it installs a BHO (an Internet Explorer browser extension)
that captures everything sent with the GET or POST methods. It also sends information
about the infected computer, injects fields into the HTML that ask for the information
needed to steal bank account details, and performs phishing among other
things (screenshots ...).
Tuesday 23 October 2007
+ This year the I National Encounter of the Security Industry in Spain (ENISE) will be
held in Leon. It has been designed to be an annual event; the website of the event
is https://1enise.inteco.es/. Just to mention that I will attend the event as a
presenter, presenting an engine that I created with Juan Carlos Montes (aka [Shearer])
and its application to automated analysis of malware, including comparisons
with some of the freeware alternatives and technological trends in
malware detection. https://1enise.inteco.es/david-reguera-garcia
+ I will also send an article for Netsearch 9 (NS9). We are preparing NS9: kenshin, oyzzo, sha0, Raise ... and myself. Best of luck to everyone who participates (obviously not all the contributions will be published). http://www.netsearch-ezine.org/
+ Added the published papers and the upcoming ones to the Curriculum Vitae.
Monday 24 September 2007
+ The Curriculum Vitae section under About has been modified and a PDF version has been added.
Sunday 12 August 2007
+ Jointrooter added in the projects section. This tool is for pen-testing routers through
the TELNET protocol (and SSH soon), e.g. Linksys; to do this it uses dictionaries and
a f |