noch lab

1. Overview This article describes the following topics. ・Commandline rewriting technique ・Applying new command line to reflective loaded PE file's context My goal was to develop loader that load PE file from URL and launch PE file in memory with new commandline context. This is stealth since it leaves no final payload on filesystem. Since this is a topic that has been described exhaustively, this post does not describe downloading PE file and reflective load. This article does not show the full code to prevent abuse. 2. Commandline rewriting When this loader starts, loader's commandline is "loader.exe [c2url] [newcommand]". This loader needs to load the PE file into memory and patch memory so that [newcommand] is handled as the first argument. The commandline is included in RTL_USER_PROCESS_PARAMETERS structure, which is pointed to by ProcessParameters member of PEB structure. PEB is very important structure in the process. I believe it will work

1. Overview JavaScript is one of the most used programming languages, and Node.js is also used widely as execution environment. However, Node.js applications cannot be run without Node.js runime, so using them as malware requires a little effort. For this reason, pkg project that convert NodeJS applications to EXE file or other executable formats can be the attractive tool for attackers. This article describes tips for analyzing Node.js malware created by pkg project. 2. Sample Node Stealer SHA256: d6aee63ffe429ddb9340090bff2127efad340240954364f1c996a8da6b711374 3. pkg project pkg project packs js files and runtime into a single file. This executable file created is structured as follows. The custom runtime has the capability to execute js files stored in the virtual file system and downloaded from following repositories. Repositories URL : https://github.com/vercel/pkg-fetch The pkg project adds virtual files and index to the back of the runtime. Furthermore, the ru

1. Overview I found a site that distributes curious PDF converter. The executable file distributed at this site appears to be malicious and have several interesting features. ・ .NET Anti-Analysis ・ Execution of external JavaScript payload with WebView2 ・ .NET object manipulation from JavaScript code This post will mention these techniques. The execution flow of this executable is shown below. 2. .NET Anti-Analysis PdfConverters.exe analyzed in this article was created with .NET Core. .NET Core allows developer to embed runtime and libraries into a single executable file. This executable also contains a number of files, which are extracted at execution time into a folder under %TEMP%\PdfConverters. A good way to know the role of these files is to look at [AppName].deps.json. app.deps.json reveals that main functionality of this executable exists in app.dll. [app.deps.json] ... "app/1.0.0": { "dependencies": { "Microsoft.