Explaining Malware Analysis – smart assembly trick (version 1.1)


Hello readers, how are you? Today I received a simple question from a student about the correct interpretation of the following assembly code:

  1. 00405035:    EB 03          JMP SHORT 0040503A
  2. 00405037:    5E             POP ESI
  3. 00405038:    EB 05          JMP SHORT 0040503F
  4. 0040503A:    E8 F8FFFFFF    CALL 00405037
  5. 0040503F:    83C6 07        ADD ESI, 7

A few comments follow:

  • Line 1: the code executes a short jump to address 0x0040503A (Line 4). Note that EB is the opcode for “JMP SHORT” and 03 (its argument) is the number of opcode bytes to skip until address 0x0040503A (Line 4). Indeed, exactly three opcode bytes (5E, EB and 05) lie in between.
  • Still at Line 1, remember that EIP holds the address of the next instruction to be executed (0x00405037), so the sum confirms the explanation: 0x00405037 + 0x03 = 0x0040503A.
  • Because of the JMP at Line 1, we are now at Line 4. The CALL instruction transfers execution to address 0x00405037 (Line 2). Before jumping, CALL pushes the return address, i.e. the EIP value 0x0040503F (the next instruction that would otherwise be executed), onto the top of the stack (pointed to by ESP).
  • Still at Line 4, the opcode E8 F8FFFFFF is interesting: E8 means “CALL” and F8FFFFFF, read as a little-endian signed 32-bit value (0xFFFFFFF8), means “minus 8”. It makes sense: at Line 4, EIP is equal to 0x0040503F (Line 5), and if we count the opcode bytes from address 0x0040503F back to 0x00405037 (in reverse: E8 F8FFFFFF, EB 05, 5E), we get 8 opcode bytes. In the end, it works as a backward jump of 8 opcode bytes.
  • At Line 2, the POP ESI instruction stores the value on top of the stack (0x0040503F) into ESI.
  • At Line 3, the instruction JMP SHORT 0040503F takes execution to Line 5.
  • At Line 5, 7 is added to the content of the ESI register (0x0040503F), giving 0x00405046.

Honestly, I do not know where the code above comes from (probably from malware), but it seems to be a nasty trick to get the EIP (0x00405046) in order to execute something such as a shellcode or similar code.
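To check the walk-through above mechanically, here is a small Python tracer added to this post (it is not the author's code) that decodes exactly these five instructions from their raw bytes, applies the “EIP = address of the next instruction” rule to each relative displacement, and follows the stack through the CALL/POP pair. The load address 0x00405035 and the byte sequence are taken from the listing; everything else is constructed for the example.

```python
"""Trace the JMP / CALL / POP 'get EIP' sequence from the post, byte by byte."""
import struct

# Constructed from the listing in the post: the five instructions as raw
# bytes, assumed loaded at 0x00405035 (the first address in the listing).
BASE = 0x00405035
CODE = bytes.fromhex("EB03" "5E" "EB05" "E8F8FFFFFF" "83C607")


def decode(addr, code=CODE, base=BASE):
    """Decode one instruction at addr; returns (length, kind, operand)."""
    off = addr - base
    op = code[off]
    # Relative targets are computed the way the CPU does: address of the
    # *next* instruction plus the signed little-endian displacement.
    if op == 0xEB:                                   # JMP SHORT rel8
        rel = struct.unpack_from("<b", code, off + 1)[0]
        return 2, "jmp", addr + 2 + rel
    if op == 0xE8:                                   # CALL rel32 (F8 FF FF FF -> -8)
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return 5, "call", addr + 5 + rel
    if op == 0x5E:                                   # POP ESI
        return 1, "pop_esi", None
    if op == 0x83 and code[off + 1] == 0xC6:         # ADD ESI, imm8 (sign-extended)
        return 3, "add_esi", struct.unpack_from("<b", code, off + 2)[0]
    raise ValueError(f"unsupported opcode {op:02X} at {addr:08X}")


def trace(code=CODE, base=BASE):
    """Run the snippet on a tiny model of EIP, ESI and the stack.

    Returns (esi, executed): the final ESI value and the addresses in the
    order they ran. Stops as soon as EIP leaves the buffer.
    """
    eip, esi, stack, executed = base, None, [], []
    while base <= eip < base + len(code):
        length, kind, operand = decode(eip, code, base)
        executed.append(eip)
        next_eip = eip + length          # what EIP holds while this instruction runs
        if kind == "jmp":
            eip = operand
        elif kind == "call":
            stack.append(next_eip)       # return address pushed before control transfers
            eip = operand
        elif kind == "pop_esi":
            esi = stack.pop()            # the return address lands in ESI
            eip = next_eip
        else:                            # add_esi
            esi = (esi + operand) & 0xFFFFFFFF
            eip = next_eip
    return esi, executed                 # for the post's bytes: (0x00405046, [...])
```

For the bytes in the listing, trace() returns ESI = 0x00405046 and the execution order 00405035, 0040503A, 00405037, 00405038, 0040503F, which matches the comments above.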

Have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges and twitter: @ale_sp_brazil)

Training Information for 2016


Dear readers, how are you? Finally, I can publish some information about my courses, which will be available at some point in 2016:

https://alexandreborges.org/my-courses/

A few details about these courses:

  • They are intensive courses.
  • Almost all of them are very practical.
  • All these courses are for people who REALLY want to learn security.
  • My courses are far away from usual security courses (no names here) 🙂
  • I am an extremely technical instructor. Therefore, don’t expect an easy life. Fear, despair, suffering and darkness are expected during some courses.
  • If you were my student or have seen me speaking at conferences/universities, you know what is waiting for you.

Honestly, I have a few goals with my trainings:

  • Bring additional security information to professionals who are looking for it.
  • Break the “course in a box” or “courses about products” culture.
  • Teach information security without worrying about certifications.

At first, all courses are ILT (Instructor-Led Training). For now, there is no plan to offer them online.

I hope you like them. Stay tuned for further updates.

Have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges and Twitter: @ale_sp_brazil)

MindTheSec 2015 Forum Brazil – GPU Malware presentation


Dear readers, how are you? Here are the slides of my simple presentation at MindTheSec 2015 Forum Brazil (http://mindthesec.com.br/alexandre-borges) about GPU malware:

https://alexandreborgesbrazil.files.wordpress.com/2015/09/2015-mindthesec-alexandre_borges1.pdf

Enjoy it!

I hope you have a nice day and feel free to comment about the slides.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges)

Memory Acquisition for Forensic Memory Analysis on Windows and Linux systems


People, how are you? I wrote a document about Memory Acquisition on Windows and Linux systems, which will be a reference for the next articles about the most impressive forensic memory analysis tool in the world: Volatility. Anyway, here is the article:

https://alexandreborgesbrazil.files.wordpress.com/2014/06/memory-acquisition_win_linux1.pdf

Please, if you like this document let me know. It’s very important to know that I’ve helped someone.

Have a nice day and enjoy it!

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges)

Recover your files using Foremost


Hello people, how are you? What have you been up to? I’m sorry for the long time away, but I’m working so hard to finish my book about Oracle Solaris Advanced Administration. However, I got some time to write a short document about data carving:

http://tinyurl.com/pdz3ux9

Have a nice day and enjoy it!

Alexandre Borges.

(LinkedIn: http://www.linkedin.com/in/aleborges)