Adam Kramer

Cyber security specialist

SANS, Cyber Security Challenge, ex-Microsoft, ex-Law Enforcement.

Actively working in cyber security, I'm completely obsessed with all things InfoSec and malware!

This site contains some of my personal projects, and I very much welcome feedback on anything you find here. In addition, I deliver malware analysis courses for the SANS Institute; please reach out with any questions!

Contact Details

  • Adam Kramer
  • hello@adamkramer.uk
  • @CyberKramer
  • adamkramer.uk

Hindering Exploitation by Analysing Process Launches

Malware can do some nasty things to your system, but it needs to get on there first. Thankfully, users have become more suspicious of files named FunnyJokes.doc.exe and so malware authors have had to become more innovative, using a mix of social engineering and the constant stream of 0-day browser exploits to land evil code … [continue reading]

Detecting Shellcode Hidden in Malicious Files

A challenge both reverse engineers and automated sandboxes have in common is identifying whether a particular file is malicious or not. This is especially true if the malicious aspects are obfuscated and only triggered under very specific circumstances. There are a number of techniques available to try and identify embedded shellcode, for example searching for … [continue reading]

Identifying and Disrupting Crypto-Ransomware (and Destructive Malware)

In recent years, malware has become very personal. Crypto-ransomware threats, including CryptoLocker, CryptoWall and TorrentLocker (pdf), have infected home users, businesses and even police departments, all of whom have had their personal data and hard work held hostage. When we think of precious family photos or an academic thesis being wiped by pure greed, it … [continue reading]

Detecting DLL Hijacking on Windows

Initially identified fifteen years ago, and clearly articulated by a Microsoft Security Advisory, DLL hijacking is the practice of having a vulnerable application load a malicious library (allowing for the execution of arbitrary code) rather than the legitimate library, by placing it at a preferential location as dictated by the Dynamic-Link Library Search Order, which … [continue reading]

Just-In-Time VirusTotal Hash Checking

Hardly a day goes by without me hearing the phrase 'Threat Intelligence' being used in the context of big budget enterprise protection, but recently I have been giving some thought to what this means to the home user and small business. Most computers have (or at least, should have!) up-to-date antivirus software installed which provides … [continue reading]

Examining Shellcode in a Debugger through Control of the Instruction Pointer

During the analysis of malicious documents designed to exploit vulnerabilities in the programs which load them (thereby allowing the running of arbitrary code), it is often desirable to review any identified shellcode in a debugger. This allows an increased level of control and flexibility during the discovery of its capabilities and how it implements the … [continue reading]

attack_surface_monitor

Monitor common attack-surface processes (Microsoft Word for macros, web browsers, etc.) for suspicious child processes that indicate potential exploitation
Source Code

check_first

Just-in-time VirusTotal checker. Before opening or running any file, it can be pushed through this program to see whether any of the AV engines on VT flag it as a threat (either by hash lookup or by uploading the file for a scan)
Documentation | Source Code | Binary

create_mutex

This program creates one or more mutexes, as specified by the passed arguments, and keeps them active for as long as the program keeps running.
Documentation | Source Code | Binary

dll_hijack_detect

Detects DLL hijacking in running processes on Windows systems
Documentation | Source Code | Binary

handle_monitor

Identifying and Disrupting Crypto-Ransomware (and Destructive Malware) using handle heuristics
Documentation | Source Code | Binary

handleinheritor

This program launches a child process that inherits (and therefore holds) a handle to a specified file
Documentation | Source Code | Binary

jmp2it

Transfer EIP control to shellcode during malware analysis investigation
Documentation | Source Code | Binary

rapid_env

Rapid deployment of Windows environment (files, registry keys, mutex etc) to facilitate malware analysis
Documentation | Source Code | Binary

Cyber Security Challenge Masterclass 2014: Cabinet War Rooms

Designed and coded two challenges for the finale, crypto-ransomware malware analysis and industrial control system vulnerability research.
[News Article]

Cyber Security Challenge 2015: First Challenge ('Opening Lines')

Designed and coded a malware analysis challenge. Candidates were required to analyse and report on an unknown binary.
[News Article] | [Solution Video]

Cyber Security Challenge Masterclass 2015: HMS Belfast

Designed and coded a vulnerability research challenge, involving a simulated gunnery control system onboard a Royal Navy warship.
[News Article]

Cyber Security Challenge Masterclass 2015 - #2

Designed and coded a Raspberry Pi challenge: candidates were presented with an unknown hardware device and were required to conduct vulnerability research to extract flags.

Contact Me

Anything you're keen to discuss?
