Parsia's Den

Because no one wants to be the other guy from Wham!

Nov 15, 2017 - 9 minute read - Comments - winappdbg reverse engineering CTF

WinAppDbg - Part 4 - Bruteforcing FlareOn 2017 - Challenge 3

Previous parts:

We have learned some good stuff. In this part I am going to talk about the original problem that led me to learning WinAppDbg. This is my writeup for challenge 3 “Greek to me” of FlareOn 2017. This is a bruteforce challenge and is rather easy, but instead of bruteforcing it the conventional (and straightforward) way, I will show how I traversed arbitrary assembly blobs using WinAppDbg.

I will (hopefully) mostly talk about solving the challenge and not a lot of recon or other places I was stuck at.

Code is in my clone:

Nov 15, 2017 - 17 minute read - Comments - winappdbg reverse engineering

WinAppDbg - Part 3 - Manipulating Function Calls

Previously on WinAppDbg-TV:

As usual, code is in my clone on Github. Download that directory to your VM and follow along:

In part two we learned how to hook functions by hooking IE and Firefox to see pre-TLS traffic. Just looking at function calls is fun but often not enough. We need to be able to modify function parameters and return values.

In this part we will learn how to do that (and a few other things). We will start with something simple and then move on to more complex examples.

Nov 11, 2017 - 23 minute read - Comments - winappdbg reverse engineering

WinAppDbg - Part 2 - Function Hooking and Others

In part one we talked about the basics of WinAppDbg. In this part we are going to learn a few new things:

  • I wrote a simple Python module to simplify my use of WinAppDbg. It will most likely be modified later, but I have included a version that works with the tutorials at:
  • DLL enumeration: We’re going to implement one of procmon’s features.
  • Process/Thread tracing: Another procmon feature.
  • Function Hooking: It’s very easy in WinAppDbg and we will learn how to do it a couple of different ways.
    • We will hook pre-TLS encryption data for Internet Explorer and Firefox to hack the Gibson.

Copy this directory https://github.com/parsiya/Parsia-Clone/tree/master/code/winappdbg to your VM and let’s go.

Nov 9, 2017 - 12 minute read - Comments - winappdbg reverse engineering

WinAppDbg - Part 1 - Basics

WinAppDbg by Mario Vilas is perhaps one of the most underrated instrumentation frameworks for Windows. In this day and age where everyone writes JavaScript code to hook functions (I am looking at you Frida), writing Python code feels great. Just kidding, Frida is pretty cool too.

Going around the web searching for tutorials did not give me many results. The docs are great; they are some of the most practical docs I have seen. But apart from that, I could not find much. There is some random code here and there where people have documented using it, but there were no guides to get me started apart from the docs.

Here’s the result of my learning. I am sharing it to fill the gap that I encountered while getting started with the tool. We’re going to learn as we go using real-world applications and will write code. We will start from the basics, expanding our code-base as we learn more.

Code is in my clone at:

Oct 26, 2017 - 2 minute read - Comments - Windows

Silly Attack Using Run Line

Previously we saw how Windows Run Line searches the App Paths registry keys before PATH. We can perform a silly attack and create a registry key for an application that is in PATH and point it to another command.

This is a silly attack because we need to be admin to create/edit those keys. But if you ever find yourself in the unlikely situation, you can use this to become delayed admin (i.e. wait for admin to run the app via Run Line).

Oct 23, 2017 - 5 minute read - Comments - Windows

Run Line vs. cmd vs. PowerShell

A note about the differences between search paths when running stuff via the Windows Run Line (Win+R), the command line and PowerShell.

We can type iexplore in Run Line to open up Internet Explorer but doing the same in a cmd or PowerShell is not successful.

tl;dr
Run Line looks in the following registry location then PATH. Credit Vic Laurie at commandwindows.com.

  • HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths

Search order

  • cmd searches first in local directory and then in PATH.
  • PowerShell searches first in PATH and then in local directory.
  • Run Line searches in App Paths first.

Usual blabbering and needless digging follows.