Category: Tutorial


Mau nulis dikit ah tentang volatility,

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

lengkap tentang volatility anda bisa lansung buka di websitenya :
https://www.volatilesystems.com/default/volatility
atau project googlenya di :
http://code.google.com/p/volatility/
Atau Blognya di :
http://volatility.tumblr.com


Emulator adalah ruang virtual pada antivirus yang digunakan untuk mengeksekusi malware. Gunanya adalah agar antivirus dapat mengetahui behavior dari virus tanpa harus menginfeksi real system. Selain itu emulator juga digunakan sebagai generic unpacking bagi malware – malware yang diproteksi program pelindung seperti crypter/packer. Sangat critical fungsi dari emulator ini, bahkan sudah menjadi keharusan suatu antivirus mempunyai engine emulator didalamnya. Kalau saja antivirus buatan anda tidak ada emulatornya saya sih cuman bilang bershowerlah* (ikutan kata pocoong).  Meski demikian membuat emulator tidaklah mudah, tantangan terberat adalah bagaimana membuat ruang virtual ini tampak bagai real system bagi virus. Nah pada tulisan ini saya menshare metode dan snippet code yang bisa digunakan untuk mendeteksi emulator dari AV.


Just two little snippets:

AnsiToFile: function for writing an AnsiString value to a file using the native API
FileToAnsi: function for reading a file into an AnsiString using the native API


Lagi test2 xe2 delphi yang mana sudah mendukung compile 64bit.. btw sekalian share nih alternative getprocaddress, support 32 and 64bit pe.

(method: walk the export directory table to find the function address)

type
  // Fixed-width unsigned integer aliases used by the PE-walking code.
  UInt32 = LongWord;
  UInt64 = System.UInt64;
  PUInt32 = ^UInt32;
  PUInt64 = ^UInt64;

  // Pointer-sized unsigned integer: wide enough to carry a module base
  // address on both 32-bit and 64-bit targets.
  TSizeT = {$IFDEF CPUX64} UInt64 {$ELSE} UInt32 {$ENDIF};
  PSizeT = ^TSizeT;

const
  // Values of IMAGE_OPTIONAL_HEADER.Magic, used to tell PE32 from PE32+
  // and thus where the data directories live in the optional header.
  IMAGE_NT_OPTIONAL_HDR32_MAGIC = $010B;  // PE32  (32-bit image)
  IMAGE_NT_OPTIONAL_HDR64_MAGIC = $020B;  // PE32+ (64-bit image)

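Function xGetProcAddress(Module: TSizeT; ProcName: String):Pointer;
// Resolve an exported function by name by walking the module's export
// directory table directly, without calling the Win32 GetProcAddress.
//
// Module   - base address of a loaded PE image (32-bit or 64-bit), e.g. the
//            value returned by GetModuleHandle/LoadLibrary.
// ProcName - export name to look up; compared as an AnsiString, case-sensitive.
// Returns  - address of the export, or nil when Module is 0, the DOS/NT
//            signatures do not match, the image has no export directory, the
//            name is not exported, or the matching export is a forwarder
//            (its RVA points back into the export directory, i.e. it is a
//            "DLL.Name" string rather than code in this image).
var
  pIDH: PImageDosHeader absolute Module;
  pINH: PImageNtHeaders32;
  pIDD: PImageDataDirectory;
  pIED: PImageExportDirectory;
  pdwFuncs, pdwNames, pFunc: PULONG;
  pdwOrdinals: PWORD;
  funcRva: ULONG;
  i: Integer;
  apiname: PAnsiChar;
  target: AnsiString;
begin
  Result := nil;
  if Module = 0 then Exit;

  // Validate the DOS header and the NT header it points to.
  if pIDH^.e_magic <> IMAGE_DOS_SIGNATURE then Exit;
  pINH := Pointer(PByte(pIDH) + pIDH^._lfanew);
  if pINH^.Signature <> IMAGE_NT_SIGNATURE then Exit;

  // The data directories sit at a different offset in the PE32+ optional
  // header, so pick the layout by the header's Magic field, not by the
  // bitness of the calling process.
  if pINH^.OptionalHeader.Magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC then
    pIDD := @PImageOptionalHeader64(@pINH^.OptionalHeader).DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]
  else
    pIDD := @pINH^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];

  // An image without exports has an empty export data directory. Testing the
  // computed pointer against nil (base + RVA) can never fire, so test the
  // directory entry itself.
  if (pIDD^.VirtualAddress = 0) or (pIDD^.Size = 0) then Exit;
  pIED := Pointer(PByte(pIDH) + pIDD^.VirtualAddress);
  if pIED^.NumberOfNames = 0 then Exit;

  pdwFuncs := PULONG(PByte(pIDH) + Cardinal(pIED^.AddressOfFunctions));
  pdwNames := PULONG(PByte(pIDH) + Cardinal(pIED^.AddressOfNames));
  pdwOrdinals := PWORD(PByte(pIDH) + Cardinal(pIED^.AddressOfNameOrdinals));
  target := AnsiString(ProcName);

  // AddressOfNames and AddressOfNameOrdinals are parallel arrays with
  // NumberOfNames entries (not NumberOfFunctions: ordinal-only exports have
  // no name entry, and the original upper bound also ran one entry past the
  // end). Each ordinal is an index into AddressOfFunctions.
  for i := 0 to Integer(pIED^.NumberOfNames) - 1 do begin
    apiname := PAnsiChar(PByte(pIDH) + pdwNames^);
    if AnsiStrComp(apiname, PAnsiChar(target)) = 0 then begin
      pFunc := pdwFuncs;
      Inc(pFunc, pdwOrdinals^);
      funcRva := pFunc^;
      // A function RVA inside the export directory is a forwarder string,
      // not code; such entries are skipped just as the original did.
      if (funcRva < pIDD^.VirtualAddress) or (funcRva >= pIDD^.VirtualAddress + pIDD^.Size) then begin
        Result := Pointer(PByte(pIDH) + funcRva);
        Exit;
      end;
    end;
    Inc(pdwOrdinals);
    Inc(pdwNames);
  end;
end;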
