SANS, Cyber Security Challenge, ex-Microsoft, ex-Law Enforcement.
Actively working in cyber security, I'm completely obsessed with all things InfoSec and malware!
This site contains some of my personal projects and I very much welcome feedback on anything you find here. In addition, I deliver malware analysis courses for the SANS institute, please reach out with any questions!
Malware can do some nasty things to your system, but it needs to get on there first. Thankfully, users have become more suspicious of files named FunnyJokes.doc.exe and so malware authors have had to become more innovative, using a mix of social engineering and the constant stream of 0-day browser exploits to land evil code … [continue reading]
A challenge both reverse engineers and automated sandboxes have in common is identifying whether a particular file is malicious or not. This is especially true if the malicious aspects are obfuscated and only triggered under very specific circumstances. There are a number of techniques available to try and identify embedded shellcode, for example searching for … [continue reading]
In recent years, malware has become very personal. Crypto-ransomware threats, including CryptoLocker, CryptoWall and TorrentLocker (pdf), have infected home users, businesses and even police departments, all of whom have had their personal data and hard work held hostage. When we think of precious family photos or an academic thesis being wiped by pure greed, it … [continue reading]
Initially identified fifteen years ago, and clearly articulated by a Microsoft Security Advisory, DLL hijacking is the practice of having a vulnerable application load a malicious library (allowing for the execution of arbitrary code), rather than the legitimate library by placing it at a preferential location as dictated by the Dynamic-Link Library Search Order which … [continue reading]
Hardly a day goes by without me hearing the phrase 'Threat Intelligence' being used in the context of big budget enterprise protection, but recently I have been giving some thought to what this means to the home user and small business. Most computers have (or at least, should have!) up-to-date antivirus software installed which provides … [continue reading]
During the analysis of malicious documents designed to exploit vulnerabilities in the programs which load them (thereby allowing the running of arbitrary code), it is often desirable to review any identified shellcode in a debugger. This allows an increased level of control and flexibility during the discovery of it's capabilities and how it implements the … [continue reading]
Monitor common attack surface processes (Microsoft Word for macros, web browsers etc) for suspicious child processes which indicate potential exploitation
Source Code
Just-in-time VirusTotal checker. Before opening/running any file, it can be pushed through this program to see whether any of the AV engines on VT show it as a threat (either by HASH or by uploading the file for a scan)
Documentation | Source Code | Binary
This program will create one or more mutex as specified by the passed arguments and keep them active as long as the program keeps running.
Documentation | Source Code | Binary
Detects DLL hijacking in running processes on Windows systems
Documentation | Source Code | Binary
Identifying and Disrupting Crypto-Ransomware (and Destructive Malware) using handle heurustics
Documentation | Source Code | Binary
This process is designed to launch a process which inherits (and therefore includes) a handle to a specified file
Documentation | Source Code | Binary
Transfer EIP control to shellcode during malware analysis investigation
Documentation | Source Code | Binary
Rapid deployment of Windows environment (files, registry keys, mutex etc) to facilitate malware analysis
Documentation | Source Code | Binary
Designed and coded two challenges for the finale, crypto-ransomware malware analysis and industrial control system vulnerability research.
[News Article]
Designed and coded malware analysis challenge. Candidates were required to analyse and report on unknown binary.
[News Article] | [Solution Video]
Designed and coded vulnerability research challenge, involving simulated gunnary control system onboard royal navy warship.
[News Article]
Designed and coded Raspberry Pi challenge - candidates were presented with an unknown hardware device, and were required to conduct vulnerability research to extract flags.
Anything you're keen to discuss?
