cxiao

@cxiao@infosec.exchange

professional strings(1) operator


cxiao, to rust

🦀 Hi, Rust malware reverse engineering fans: I made a diagram about how to find the main function in Rust binaries compiled for Windows. It illustrates functions that are called in both the Windows C runtime and the Rust Runtime, and also shows you some "landmarks" which you can look for in binaries, to orient yourself as you're searching for the main function.

It can be confusing finding the entry point of a Rust binary the first time you encounter one, since Rust has its own language runtime, and it's very easy to end up accidentally reversing the runtime code rather than the Rust developer's actual code.

This diagram is intended for reverse engineers who know little to no Rust, so I have included a small legend for some of the Rust syntax, and some details have been omitted for clarity. This also is only for Windows Rust binaries which use the MSVC runtime; Windows Rust binaries which use the MinGW runtime will still have the same Rust runtime code, though.

I learned most of what's in this diagram from @mgattozzi 's excellent article about the Rust runtime: https://ductile.systems/rusts-runtime/. I would really recommend giving that article a read if you are interested in the details of the Rust runtime, as well as what that runtime looks like for MacOS and Linux rust binaries.

I would also like to shout out @0x1c , who taught me the tip about using the main strings in the thread setup code as landmarks!! It's a super useful way to quickly identify the runtime code (again demonstrating that strings is the best reverse engineering tool).

Finally, please let me know if there are errors in this diagram, as well as any feedback you have that could make it more useful for you. I am working on a blog post that expands on this subject, and I am always looking for better ways to explain this.

#rust #rustlang #ReverseEngineering #reversing #MalwareAnalysis #malware

cxiao, to ReverseEngineering

🦀 Have you been noticing that over the past two years, there seems to be more and more malware written in Rust? Have you ever wished there was one page that collected all these malware families and samples in one place, so that you could practice your Rust reverse engineering?

Here is that place! The Rust Malware Sample Gallery: https://github.com/cxiao/rust-malware-gallery

I have collected information about every Rust malware family that I could find, and scoured public malware repositories to find at least one public sample that is available for each family. Download links are provided for each sample to MalShare or Malware Bazaar, neither of which require an account for you to download the samples.

I hope that this can help reversers get a better understanding of Rust binaries, and improve the state of the art in Rust malware reversing. We have a long way to go 😅

Please send a pull request if you notice something is incorrect or missing! Happy reversing!

#MalwareAnalysis #malware #ReverseEngineering #ThreatIntel #cybersecurity #rust #rustlang #infosec

mammoth, to random

Introducing our new /cybersecurity Smart List curated by Kyle Roddoch! 📝
"Mammoth is spearheading the way to the future of the Fediverse & shaping what social-media is going to look like in the years to come. The idea of Smart Lists, curated lists that app users can easily follow to get relevant content instantly, is a game changer for Mastodon apps. I am honored to be working with the Mammoth team to bring the /cybersecurity List to Mammoth." - @kylewritescode, Blog @ kylereddoch.me.

cxiao,

@mammoth @kylewritescode Is there a way to see the list of accounts that make up the smart list? I'm in the Mammoth app right now, and I couldn't find an obvious way to see this.

cxiao, to threads

I did the requisite responsible reading about Threads federating, and I decided to domain block them after thinking about it.

  1. Anybody who wants to view my public posts can still view them.

  2. This is mostly an infosec account, and there's AFAIK zero infosec community presence on Threads.

  3. I'm not really interested in helping Threads grow an infosec community presence.

  4. I don't think there's any Mastodon admin ready for the network effects of several million users suddenly joining the network. There is shockingly little discussion about problems like coordinated inauthentic activity, which are going to come at that scale. I'm REALLY not interested in seeing or interacting in any way with chinese state disinformation campaigns lol

  5. Mastodon servers and clients are held together by duct tape and prayers by people in their spare time. Threads is held together by people paid full time salaries at a large multinational corporation. Threads can make a better fediverse app and a better fediverse server than anything that currently exists. I think any future where people start downloading the Threads app as their default client to interact with the fediverse, and where people start using threads.net as their default server, is one that is very dangerous for the existence of the fediverse as a set of interoperable clients and servers built on open standards. I'm doing my part to make this as unappealing and as high friction as possible 🫡

  6. fuck libs of tiktok, and fuck threads which is currently platforming them. The impact of accounts like Libs of TikTok on rolling back LGBTQ rights in the real world is a very good example of why network effects, discoverability, and social media amplification are dangerous.

Thanks to @jerry for letting people on this instance make this choice themselves. Having this kind of choice is a welcome change from other social networks.

#threads #fediverse #fedimeta

cxiao,

@jerry @shellsharks
Threads having an infosec community presence is definitely news to me.

I think that the reason I thought they didn't exist is because:

a) I don't see anyone putting their Threads handles in the slides of their conference talks in the real world, while there are plenty of people doing that with their Mastodon handles.

b) I haven't seen anyone share links to interesting infosec posts that were originally published on Threads. Maybe this is a consequence of them not having a web interface until fairly recently, but I haven't even seen people share screenshots of Threads posts. And this isn't just a consequence of Mastodon being Threads haters, I think - I don't see infosec Threads posts being shared on other social media or in news articles either, while I do see that with Mastodon posts.

c) Infosec-adjacent organizations and vendors are here, and active - DEFCON, CCC, lots of B-sides conferences, Sophos X-Ops, Virus Bulletin, The DFIR Report, Bishop Fox, DomainTools, Vector35, etc. Many of them are also still on Twitter, but they are not on Threads.

For my interests - threat intelligence, malware analysis, and reverse engineering - I've found plenty of reasons to be active here. :ablobcatbongo:

#infosec #threads

cxiao,

@jerry @Baconbits Also Baconbits I saw you tooted this from Ivory (which I also use): you'll have to follow Jerry's instructions from the web interface, Ivory doesn't expose this domain block option.

shellsharks, to random

For #followfriday, I want to share a few #infosec -related accounts I’ve discovered recently that are great!

@h4sh
@scalefree
@still
@rcvalle
@jbn
@cxiao
@segiddins
@bouncyhat
@Jrod
@dale_nunns

cxiao,

@shellsharks Thank you very much shellsharks 🙏

simplenomad, to blogging

GitLab is hiring for a position, the position is somewhat unique in that experience, , and even speaking would help land this job. Feel free to boost to get many eyes on it. And if we know each other I could put in a good word for you.

https://boards.greenhouse.io/gitlab/jobs/7056513002

cxiao,

@simplenomad Hey @dismantl maybe this job is up your alley

cxiao, to ReverseEngineering

IDA please label calling conventions with their proper names I am begging you

(meme is organic handcrafted original content made on my phone with low res screenshots of the imgflip meme generator page :ida: 😎 )

#reverseengineering

cxiao, to rust

🦀 🧵 Rust reversing thread: Let's use panic metadata embedded inside Rust binaries to help us reverse engineer!

If you've ever looked inside the strings of a Rust binary, you may have noticed that many of these strings are paths to Rust source files (.rs extension). These are used when printing diagnostic messages when the program panics, such as the following message:

    thread 'main' panicked at 'oh no!', src\main.rs:314:5

The above message includes both a source file path src\main.rs, as well as the exact line and column in the source code where the panic occurred. All of this information is embedded in Rust binaries by default, and is recoverable statically!

Examining these can be useful in separating user from library code, as well as in understanding functionality. This is especially nice because Rust's standard library and the majority of third-party Rust libraries are open-source, so you can use the panic strings to find the relevant location in the source code, and use that to aid in reversing.

#rust #rustlang #ReverseEngineering #MalwareAnalysis
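As an added example (not part of the original post), the script below does the triage step the post describes: it pulls `.rs` source paths out of a byte blob and sorts them into standard library, third-party crate, and user code by the shape of the path. The input is a constructed stand-in for a PE `.rdata` section, and the toolchain commit hash and registry index hash in it are zero-filled placeholders. The classification rules are assumptions drawn from how rustc and cargo lay out paths: toolchain sources appear under `/rustc/<commit>/library/`, and registry crates under `.cargo/registry/src/<index>/<crate>-<version>/`.

```python
import re

# Constructed sample standing in for the .rdata section of a Rust PE file.
# Real Rust string literals are NOT NUL-terminated (they are length-prefixed
# &str slices), so in strings(1) output neighbouring literals run together;
# the NULs here only keep the constructed strings apart.
SAMPLE_RDATA = (
    b"MZ\x90\x00\x03\x00"
    b"/rustc/0000000000000000000000000000000000000000/library/core/src/slice/index.rs\x00"
    b"\xcc\xcc"
    b"C:\\Users\\dev\\.cargo\\registry\\src\\index.crates.io-0000000000000000"
    b"\\serde-1.0.0\\src\\de\\mod.rs\x00"
    b"src\\main.rs\x00"
    b"C:\\Users\\dev\\project\\src\\net\\client.rs\x00"
    b"thread 'main' panicked at '\x00"
    b"C:\\Users\\dev\\project\\src\\net\\client.rs\x00"  # duplicate, on purpose
)

# Greedy run of path-ish bytes that ends in ".rs" at a word boundary.
# Handles both Unix and Windows separators and drive letters.
_RS_PATH = re.compile(rb"[A-Za-z0-9_.:/\\@+~-]{3,}\.rs\b")


def classify_rs_path(path: str) -> str:
    """std: shipped with the toolchain; crate: cargo dependency; user: anything else."""
    p = path.replace("\\", "/")
    if p.startswith("/rustc/") and "/library/" in p:
        return "std"
    if "/.cargo/registry/src/" in p or "/.cargo/git/checkouts/" in p:
        return "crate"
    return "user"


def crate_name(path: str):
    """For registry paths, return the '<crate>-<version>' directory after the index dir."""
    p = path.replace("\\", "/")
    marker = "/.cargo/registry/src/"
    if marker not in p:
        return None
    parts = p.split(marker, 1)[1].split("/")
    return parts[1] if len(parts) > 1 else None


def scan_rs_paths(blob: bytes) -> dict:
    """Return {path: origin} for each distinct .rs path found in the blob."""
    found = {}
    for m in _RS_PATH.finditer(blob):
        path = m.group(0).decode("ascii", errors="replace")
        found.setdefault(path, classify_rs_path(path))
    return found


def summarize(blob: bytes) -> dict:
    """Count distinct paths per origin; a high 'user' count points at the developer's own code."""
    counts = {"std": 0, "crate": 0, "user": 0}
    for origin in scan_rs_paths(blob).values():
        counts[origin] += 1
    return counts


if __name__ == "__main__":
    for path, origin in scan_rs_paths(SAMPLE_RDATA).items():
        extra = crate_name(path) or ""
        print(f"{origin:5} {extra:14} {path}")
    print(summarize(SAMPLE_RDATA))
```

On a real sample, feed it the bytes of the read-only data section rather than the whole file, and expect the "user" bucket to include paths that the developer's build machine leaked (absolute project directories), which is often the quickest way to name the project and its modules.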

cxiao, to rust

🦀 Small Rust reversing tip: The Rust standard library documentation hides a lot of fields and items by default. For example, the documentation for the struct std::vec::Vec does not show you what a Vec's internal fields are. This can be annoying if you're looking for the implementation details of a certain type - I found that I kept having to click the "source" button on every single struct I wanted to get more information about, to look at the source code directly.

The site https://stdrs.dev/ hosts a version of the Rust standard library documentation which shows internal fields. Here's its documentation for std::vec::Vec, with the internal fields.

    pub struct Vec<T, A = Global> where A: Allocator,
    {
        buf: RawVec<T, A>,
        len: usize,
    }

This version of the documentation also documents some items which are hidden from the regular documentation (i.e. items marked as #[doc(hidden)]). One example is core::panic::panic_info::PanicInfo::internal_constructor, which is an implementation detail of core::panic::panic_info::PanicInfo.

Having the hosted https://stdrs.dev/ site is handy for quickly looking up certain standard library structs, but you can also generate the same information locally with rustdoc, via the --document-private-items and --document-hidden-items flags. The script used to generate the stdrs.dev site is here, and you can tweak the version of the standard library docs you want to generate as required (stdrs.dev has the nightly docs). There are some more details about the site from the author's initial Reddit post about it.

#rust #rustlang #ReverseEngineering #MalwareAnalysis

gpshead, to random

Every time I see anyone complain about YouTube or any other media site blocking Adblock users, I see entitled people who refuse to compensate their content creators and hosting providers. I wonder how many of you bother to fund your mastodon fediverse instances.

I often use an adblocker. I get it. I respect anyone who denies to serve me as a result. This is working as intended.

Netflix revenue and subscriber numbers went up after they got real about account sharing anti-freeloader enforcement. Clearly a lot of people admitted that value existed and they had been freeloaders just because they could.

cxiao,

@gpshead @brettcannon I have a hard time sympathizing with this, because adblocking is also a security feature. Online ads remain one of the most prevalent delivery vectors for malware. Often this takes the form of advertisement for software -> download site purportedly serving installer for said software -> installer executes malicious code.

For this reason, a lot of corporate IT environments push out adblock extensions to browser installations on endpoint machines, or do DNS-based blocking. Therefore, using an adblocker often isn't even the choice of the end user; it's something that's mandated by their IT department on their work computer.

CISA and NSA both have public advisories highlighting this issue, and recommending that organizations deploy adblockers. Note that in their advisories, they explicitly mention the ability of malicious actors to target advertisements towards specific groups of users or demographics when purchasing ads; this is of course a feature baked in to how modern online advertisements work.

See also: the #malvertising hashtag here.

https://www.cisa.gov/sites/default/files/publications/Capacity_Enhancement_Guide-Securing_Web_Browsers_and_Defending_Against_Malvertising_for_Federal_Agencies.pdf

https://www.nsa.gov/portals/75/documents/what-we-do/cybersecurity/professional-resources/csi-blocking-unnecessary-advertising-web-content.pdf?v=1

#malware #adblock

raptor, to windows

Bootloader Crimes — Disposable #Windows #VM Builder

https://bootloader-crimes.de/

cxiao,

@raptor The work of @oilheap :D

0xabad1dea, to random

Unclean data in action: oh, you’ve never met a Nushi? Me either. But this database claims it’s the second most common given name in the world — because it’s Chinese for Miss/Madam

It’s understandable if weird artifacts like this slip in at , but #2? When you subtract the number of “Nushis” from China, there’s only a few hundred people named Nushi in the world. This doesn’t pass the most basic data health check imaginable, but they published it, it ranks highly on google, and doubtless it’s getting cited all over the place.

(hat tip to Soron for helping me diagnose the source of the fake name) https://forebears.io/earth/forenames

cxiao,

@0xabad1dea lmao at the "Average 女士salary in the united states" statistic. It would be nice if it really was that high for women...

ZekuZelalem, to random

🧵 Hey all! This is a new account, I'm still Zecharias Zelalem, freelance journalist and aspiring OSINTer providing news and analysis on the Horn of Africa for a variety of international media outlets. For the past year or so, I posted via @zekuzelalem, but I've transitioned away from that instance. I'll be posting from this account from now on. After recent changes on the journa dot host instance, I had no choice but to set up elsewhere. Hope to continue exchanges and friendships here.

cxiao,

@ZekuZelalem Yeah that's really sketchy. The primary author/contributor of that page is currently also indefinitely banned from Wikipedia for being a promotional-only account. They were also the creator of the "W. Jeffrey Brown" article: https://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion/W._Jeffrey_Brown, https://en.wikipedia.org/wiki/Special:Log/ColumbianJourn

This kind of promotional editing on Wikipedia is really distasteful and is something that is IMO not ok for any kind of journalism related organization to do.

tweedge, to random

Alright. Fuckit. What's the real benefit of serving #malware samples in an encrypted zip with a password of "infected" ?

Protecting morons from themselves: they'd unzip and run, and disable AV/un-quarantine files/etc. if blocked anyway

Protecting against misclicks: people are going to unzip/unpack, then same issue

Malware downloads a second stage from a sample website: decrypts it seamlessly

Evading firewalls/etc: people will have to disable their protections anyway ...

What am I missing?

cxiao,

@tweedge preventing my AV on my internet connected machine from nuking the file from orbit as soon as I download it

SwiftOnSecurity, to random

“Taylor, upon your shoulders fate has bestowed the greatest of burdens - to lead the kingdom of Man. Trial and sorrow prepares us for these moments. Your will has been worked to a tempered rapier in the flames. This is your birthright. Endeavor the blade and sit the throne.”

cxiao,

@SwiftOnSecurity MASTODON HAS MADE IT :elmo_fire:

dangoodin, (edited ) to random

This is awesome! Full text search has come to Mastodon, and it's being rolled out in a responsible way.

I know full text search is a hot-button issue. For journalists, researchers and many others, FTS is essential. Plenty of others have good reason to keep their content unsearchable.

If you're in the latter category, you don't need to take any action. Your toots will remain unsearchable just as they were before.

For the rest, please manually change the default so your toots will be searchable. This will address a major shortcoming that has kept a huge number of fedi holdouts from joining.

To do that, go to Preferences > Public Profile and select the Privacy and Reach tab. Then check the Include public posts in search results.

*** Edit: sorry, my initial post told y'all to click the wrong box. Fixed.

cxiao, (edited )

@dangoodin Hey Dan a minor correction: I think the new full text search checkbox is the one that says "Include public posts in search results", not the one that says "Include profile page in search engines" (which is the one you circled)

The option to have your posts be indexed by search engines like Google existed before the very recent native Mastodon full text search feature; I'm pretty sure this is the case because it's something I deliberately opted in to, several months ago. Here's a screenshot of my setting page, with my existing "Include profile page in search engines" opt in, and the new "Include public posts in search results", which I haven't opted into yet.

See also @jerry 's post about the new feature, which lists which box it is: https://infosec.exchange/@jerry/111088302355649743 (infosec.exchange-local post)

cxiao,

@gsuberland @jerry @dangoodin Ah didn't know that was a thing either! You didn't miss much from the post though, it was basically just confirmation of the correct box to check

cxiao, to rust

I recently glued together a very basic IDA plugin for demangling Rust function names: https://github.com/cxiao/ida-rust-untangler/.

When you have a Rust binary with symbols, it's very useful to be able to demangle those symbols :D

It's all Python and only has one dependency (which is the Python library it uses for the actual demangling logic, https://github.com/teambi0s/rust_demangler)

Happy reversing! :ida:​ 🦀

#ida #idapro #rust #rustlang #reversing #ReverseEngineering
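As an added example, and not the plugin's own code or the rust_demangler library it depends on, here is a small demangler for the legacy (`_ZN...E`) Rust symbol scheme, the one that still shows up in most Rust binaries that ship symbols. It undoes the `$LT$`, `$GT$`, `$u20$` and `..` escapes, strips the trailing `h<16 hex>` hash, and reports the top-level crate of each symbol so you can separate `std`/`core`/`alloc` from the developer's crate. That also ties back to the earlier post on finding `main`: `std::rt::lang_start_internal` is one of the runtime landmarks you would expect to see once names are readable. The sample symbols and the crate name `mycrate` are constructed; the v0 scheme (`_R...`) is not handled here.

```python
import re

# Multi-character escapes used by the legacy (pre-v0) Rust mangling scheme.
_ESCAPES = {
    "$SP$": "@", "$BP$": "*", "$RF$": "&", "$LT$": "<", "$GT$": ">",
    "$LP$": "(", "$RP$": ")", "$C$": ",",
}
_UNICODE_ESCAPE = re.compile(r"\$u([0-9a-fA-F]+)\$")   # e.g. $u20$ -> ' '
_HASH = re.compile(r"h[0-9a-f]{16}")                   # trailing disambiguator


def _unescape(segment: str) -> str:
    """Turn one mangled path element back into Rust source spelling."""
    if segment.startswith("_$"):
        segment = segment[1:]          # "_$LT$..." is written with a leading '_'
    out, i = [], 0
    while i < len(segment):
        if segment.startswith("..", i):
            out.append("::")
            i += 2
        elif segment[i] == "$":
            m = _UNICODE_ESCAPE.match(segment, i)
            if m:
                out.append(chr(int(m.group(1), 16)))
                i = m.end()
                continue
            for esc, char in _ESCAPES.items():
                if segment.startswith(esc, i):
                    out.append(char)
                    i += len(esc)
                    break
            else:
                out.append("$")        # unknown escape: keep it literally
                i += 1
        else:
            out.append(segment[i])
            i += 1
    return "".join(out)


def demangle_legacy(symbol: str, keep_hash: bool = False):
    """Demangle '_ZN<len><elem>...<len><elem>E'; return None for non-Rust symbols."""
    s = symbol[1:] if symbol.startswith("__ZN") else symbol   # macOS adds an extra '_'
    if not s.startswith("_ZN"):
        return None
    i, elements = 3, []
    while i < len(s) and s[i] != "E":
        j = i
        while j < len(s) and s[j].isdigit():
            j += 1
        if j == i:
            return None                # expected a length prefix
        n = int(s[i:j])
        element = s[j:j + n]
        if len(element) != n:
            return None                # truncated element
        elements.append(element)
        i = j + n
    if i >= len(s):
        return None                    # no terminating 'E'
    trailer = s[i + 1:]
    if trailer and not trailer.startswith("."):
        return None                    # only compiler suffixes like '.llvm.123' may follow
    hash_elem = elements.pop() if elements and _HASH.fullmatch(elements[-1]) else None
    if not elements:
        return None
    path = "::".join(_unescape(e) for e in elements)
    if keep_hash and hash_elem:
        path += "::" + hash_elem
    return path


def top_level_crate(demangled: str) -> str:
    """First path element; for '<T as Trait>::m' this is the crate of T."""
    return demangled.lstrip("<").split("::", 1)[0]


if __name__ == "__main__":
    # Constructed symbol names, with zero-ish placeholder hashes.
    samples = [
        "_ZN3std2rt19lang_start_internal17h0123456789abcdefE",
        "_ZN60_$LT$alloc..string..String$u20$as$u20$core..fmt..Display$GT$3fmt17h1234567890abcdefE",
        "_ZN7mycrate4main17h0000000000000000E",
        "main",
    ]
    for sym in samples:
        d = demangle_legacy(sym)
        print(f"{sym}\n  -> {d}  [crate: {top_level_crate(d) if d else '-'}]")
```

Inside IDA the same function would be applied to each name returned by the name enumeration API and written back as a comment or a renamed symbol, which is all the plugin in the post does at heart; the demangling logic is the part worth understanding.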

JosephMenn, to random

Gift link: Russian military satellite communications provider knocked offline. https://wapo.st/3JE5tJx

cxiao,

@JosephMenn There's a verified @netblocks account here too, which isn't just the bird.makeup twitter mirror! https://mastodon.social/@netblocks/110635492603707306

0xabad1dea, to random

I found out about Tangut script recently and I can’t get over how it looks like an April Fool’s joke about the complexity of Chinese writing that got way, way out of hand

cxiao,

@0xabad1dea Also there's fun stuff like this:

maldr0id, to random

Two myths that I often see repeated:

  1. If a malware sample has 0 detections on VirusTotal it means it's undetectable by AVs.
  2. If a sample has X+ detections on VirusTotal it means it's a malware.

cxiao,

@maldr0id Every time a VirusTotal 0/58 screenshot is posted as evidence that a sample is "fully undetectable!!!!!!!!" i die a little inside

cxiao, to rust

In the new Rust Windows kernel GDI code, there is a new global allocator registered named gdi_alloc::Win32Allocator . It calls Win32AllocPool with a fun new pool tag name, "Rust"!

#rust #rustlang #windows #microsoft #reversing #reverseengineering

cxiao,

The Rust code in the new win32kbase_rs.sys in the Windows Kernel can also panic. What happens when it does?

There are several places where a panic is invoked in the code - they include bounds check failures (core::panicking::panic_bounds_check), indexing into a slice outside of the length of that slice (core::slice::index::slice_start_index_len_fail_rt), and assertion failures (core::panicking::assert_failed). These all eventually take a common code path through the following series of function calls:

    core::panicking::panic_fmt::hd60a775b92204b91
    -> rust_begin_unwind
    --> seh_unwind::implementation::raise_exception::hc52a1220c03bdc19

This calls into a custom panic handler, seh_unwind::implementation::raise_exception, which calls RtlRaiseException, imported from the main ntoskrnl binary!

#rust #rustlang #windows #microsoft #reversing #reverseengineering
