#reversing

Continued thread

@REverseConf The slides for "Reconstructing Rust Types: A Practical Guide for Reverse Engineers" are also available! There is a convenient single-page HTML version if you want to use the material in the presentation as a reference, for your own reversing!

cxiao.net/posts/2025-02-28-rec
github.com/cxiao/reconstructin

Continued thread

Day 32 🗳️💨

Things are coming in thick and fast today, so I’ll try to summarise the major themes.

No Policies of the #Liberal, #LNP and #Coalition.

#AngusTaylor (Opposition Treasurer, Liberal) hands in his #Economics homework late, it’s got problems.

A 🎃 derivative that is toxic ☢️

“A Coalition government would drive the #budget deeper into #deficit over the coming two years, as the shadow finance minister, #JaneHume, insisted her party’s plan to save $17.2bn by #slashing the number of #Canberra-based #PublicServants by 41,000 through “natural attrition” was achievable.”

If returned to power, the Coalition would gut a long list of environment and clean energy programs, including #scrapping the #NetZero #Economy #Agency, reversing Labor’s #TaxBreaks for #ElectricVehicles, and redirecting money slated for the #HomeBatteries program.

#Reversing tax incentives for green hydrogen would save $1.5bn over four years, and not proceeding with Labor’s critical mineral production tax credits would save $1.2bn, the Coalition’s election policy costings show.”

#AusPol / #treasury / #costings / #economy / #future <theguardian.com/australia-news>

The Guardian · Coalition costings reveal larger deficit over coming two years with cuts to foreign aid and environment programs · By Patrick Commins

In the course of its investigations, @volexity frequently encounters malware samples written in Golang. This reflects the increase in popularity of Golang generally, and presents challenges to reverse engineering tools.
 
Today, @volexity is releasing GoResolver, open-source tooling to help reverse engineers understand obfuscated samples. @r00tbsd & Killian Raimbaud presented details at INCYBER Forum earlier today.
 
GoResolver uses control-flow graph similarity to identify library code in obfuscated code, leaving analysts with only malware functions to analyze. This saves time & speeds up investigations!
 
Check out the blog post on how GoResolver works and where to download it: volexity.com/blog/2025/04/01/g
 
#dfir #reversing #malwareanalysis

A Discord guild I was in got some malspam (link to a Reddit post which linked to malware present on the compromised WordPress site sexccessories.co[.]ke).

Funnily enough, there were supposedly both Windows and Mac samples present, except they fucked up with the Mac one: a passworded zip containing a “dmg” which is actually the following text:

Build failed: failed to create DMG: exit status 64
Output: Creating disk image...
Mounting disk image...
Device name:     /dev/disk4
Searching for mounted interstitial disk image using /dev/disk4s... 
Mount dir:       /Volumes/dmg.kfA109
Copying background file '/tmp/8aAwS.png'...
Copying volume icon file '/Users/user/desktop/TradingView_3760.icns'...
Will sleep for 2 seconds to workaround occasions "Can't get disk (-1728)" issues...
Running AppleScript to make Finder stuff pretty: /usr/bin/osascript "/var/folders/1p/6ssndcmx4j7_gb_c2_0cdklm0000gn/T/createdmg.tmp.XXXXXXXXXX.dIQPQTlFZk" "dmg.kfA109"
/var/folders/1p/6ssndcmx4j7_gb_c2_0cdklm0000gn/T/createdmg.tmp.XXXXXXXXXX.dIQPQTlFZk:85:89: execution error: Finder got an error: Can’t get disk "dmg.kfA109". (-1728)
Failed running AppleScript
Unmounting disk image...
"disk4" ejected.

I predicted it would be a packed stealer of some description. I was right: the unpacked binary is Lumma Stealer.

Been a while since I’ve done manual unpacking of a malware sample, this one was fun. The packer is the same as described here https://alertoverload.com/posts/2025/01/remcos-v5.3.0/

Original zipfile has the hash 85a2619c5bc5ae10d9ab3aab48c364b638d7b835d169f651b08c1f0282c39d58.

The original binary was ~800MB, padded with garbage. Removing that padding yields a binary with the hash d0e956e5fe825e8f2817ce660d3680294d790cf1baec0bdfdc540841e7202c80 - and manually unpacking that gives bbd1e2cc95f1907d4c8c92d66bc62f43aa3e5634af6bdb947dfd826023195253.

There’s also a bunch of additional stuff in the zip alongside the malware sample; copied straight from a windows installation, and the way it was copied in revealed the localisation installed on that system, which is unsurprisingly Russian (Russia) [ru-RU].

alertoverload.com · Remcos v5.3.0
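An added example of the padding removal step described above, written for this page rather than taken from the poster's own tooling; it does not reproduce the samples or hashes in the post. It assumes the garbage sits in the overlay, i.e. after the raw data of the last section, which is one common way these bloated droppers are built; if the junk is instead inside an enlarged section, the section header has to be rewritten rather than the file simply truncated. The script parses the section table itself, cuts at the end of the last section, reports overlay size and entropy, flags the case where the overlay holds an Authenticode certificate table (stripping would remove the signature), and prints SHA-256 before and after. The PE it processes by default is a constructed skeleton, not a real sample.

```python
"""Trim overlay padding from a PE and report what was cut, with hashes before/after."""
import hashlib
import math
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode certificate table lives in the overlay


def parse_sections(pe: bytes):
    """Return ([(name, PointerToRawData, SizeOfRawData)], (security_off, security_size))."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    pe32plus = magic == 0x20B
    (num_dirs,) = struct.unpack_from("<I", pe, opt + (108 if pe32plus else 92))
    security = (0, 0)
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        dir_base = opt + (112 if pe32plus else 96)          # data directories start here
        security = struct.unpack_from("<II", pe, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i                       # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, ptr_raw, size_raw))
    return sections, security


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for repeated padding, ~8 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in range(256)) if c)


def strip_overlay(pe: bytes):
    """Cut everything after the last section's raw data. Returns (trimmed, report)."""
    sections, (sec_off, sec_size) = parse_sections(pe)
    image_end = min(max((ptr + size for _, ptr, size in sections), default=len(pe)), len(pe))
    overlay = pe[image_end:]
    report = {
        "original_size": len(pe),
        "image_end": image_end,
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay[:1 << 20]), 3),  # first MiB sample
        "overlay_has_signature": sec_size > 0 and sec_off >= image_end,   # trimming removes it
        "original_sha256": hashlib.sha256(pe).hexdigest(),
        "trimmed_sha256": hashlib.sha256(pe[:image_end]).hexdigest(),
    }
    return pe[:image_end], report


def build_sample_pe(padding: bytes) -> bytes:
    """Constructed PE32+ skeleton (headers + one 0x200-byte .text section) followed by
    padding. Only the fields parse_sections() reads are populated; this is not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)    # x64, 1 section, PE32+ opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    text = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text
    headers += b"\0" * (0x200 - len(headers))
    return headers + bytes(range(256)) * 2 + padding


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(b"\x00" * 50000)
    trimmed, report = strip_overlay(data)
    for key, value in report.items():
        print(f"{key}: {value}")
    if len(sys.argv) > 2:                                            # optionally write the trimmed file
        open(sys.argv[2], "wb").write(trimmed)
```

Run it with the bloated sample as the first argument and an output path as the second; with no arguments it trims the constructed skeleton. Check `overlay_has_signature` before trusting the trimmed hash: a signed file or a self-extracting installer keeps real data in the overlay, and the entropy figure tells you whether what you cut was dead padding or something worth keeping.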

I have a #mobile #android #reversing question.

Let's say I have an APK.
I want to fetch all the DNS names in it that are being used for API calls.

Are there tools that make that easy, or are we still talking about 'decompile the APK and manually go through all the code by hand'?
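An added example, not from the poster or any tool they mention, of the quick first pass you can run before decompiling: pull literal hostnames out of an APK. It walks the DEX string pool through the header's string_ids table (so the ULEB128 length prefixes cannot pollute matches), string-scans every other zip entry including the UTF-16LE string pool of the binary AndroidManifest.xml, and drops reverse-DNS Java package names and resource file names that would otherwise look like hosts. The APK it processes by default is constructed inline from synthetic strings. Caveat: this only finds hostnames stored as plain strings; hosts assembled at runtime, stored encrypted, or kept in native libraries still need a decompiler or runtime traffic capture.

```python
"""Pull hostname candidates from an APK: walk the DEX string pool, string-scan the rest."""
import io
import re
import struct
import zipfile
from collections import defaultdict

# Bare dotted names starting with a Java package root (com.example.app) are packages, not hosts.
JAVA_PACKAGE_ROOTS = {"com", "org", "net", "io", "androidx", "android", "java", "javax", "kotlin", "kotlinx"}
# Dotted names ending in a file extension (icon.png) are resource names, not hosts.
FILE_EXTENSIONS = {"png", "jpg", "webp", "xml", "dex", "so", "json", "txt", "arsc", "ttf",
                   "db", "bin", "html", "js", "css", "jar", "pem", "kt", "java", "class"}
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(
    r"(?<![a-z0-9.-])(?P<scheme>(?:https?|wss?)://)?"              # an explicit scheme is a strong signal
    r"(?P<host>(?:" + _LABEL + r"\.)+[a-z]{2,24})(?![a-z0-9-])",   # dotted name with alphabetic TLD
    re.IGNORECASE | re.ASCII)


def dex_strings(dex: bytes):
    """Yield every entry of a DEX string pool via the string_ids table in the header."""
    count, table_off = struct.unpack_from("<II", dex, 0x38)        # string_ids_size, string_ids_off
    for i in range(count):
        (pos,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        while dex[pos] & 0x80:                                       # skip the ULEB128 UTF-16 length
            pos += 1
        pos += 1
        yield dex[pos:dex.index(b"\0", pos)].decode("utf-8", errors="ignore")  # MUTF-8 == UTF-8 for ASCII


def raw_views(data: bytes):
    """Decoded views of a non-DEX entry: latin-1 for ASCII text (assets, certs) and
    UTF-16LE at both byte alignments for binary AndroidManifest.xml / compiled layouts."""
    yield data.decode("latin-1")
    yield data.decode("utf-16-le", errors="ignore")
    yield data[1:].decode("utf-16-le", errors="ignore")


def plausible(scheme, host: str) -> bool:
    labels = host.lower().split(".")
    return labels[-1] not in FILE_EXTENSIONS and (scheme is not None or labels[0] not in JAVA_PACKAGE_ROOTS)


def extract_hostnames(apk_bytes: bytes) -> dict:
    """Map each candidate hostname (lowercased) to the APK entries it appears in."""
    found = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            views = dex_strings(data) if data[:4] == b"dex\n" else raw_views(data)
            for view in views:
                for m in _HOST_RE.finditer(view):
                    if plausible(m.group("scheme"), m.group("host")):
                        found[m.group("host").lower()].add(info.filename)
    return dict(found)


def build_dex(strings) -> bytes:
    """Constructed DEX: a 0x70-byte header plus a string pool, enough for dex_strings()."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\0"
    table_off = 0x70
    data_off = table_off + 4 * len(strings)
    table, data = b"", b""
    for s in strings:
        assert len(s) < 128                                          # one-byte ULEB128 length suffices
        table += struct.pack("<I", data_off + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\0"
    struct.pack_into("<II", header, 0x38, len(strings), table_off)
    return bytes(header) + table + data


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK (synthetic content, not taken from any real app)."""
    dex = build_dex(["Lcom/example/app/ApiClient;", "https://api.example.com/v1/login",
                     "cdn.example.net", "wss://push.example.org:443/ws",
                     "com.example.app", "icon.png", "java.lang.String"])
    manifest = b"\x03\x00\x08\x00" + "telemetry.example.io".encode("utf-16-le")  # fake binary XML
    config = b'{"base_url": "https://API.Example.COM", "mirror": "mirror.example.net"}'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex)
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("assets/config.json", config)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    for host, entries in sorted(extract_hostnames(data).items()):
        print(f"{host:40} {', '.join(sorted(entries))}")
```

Run it with the APK path as the first argument; each line is a hostname followed by the entries it was found in, which tells you whether to open classes.dex in a decompiler or look at a config asset next. The package-root and extension filters are heuristics, so expect the odd false positive such as a dotted preference key, and no IP literals are reported.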

Hi everyone! Six more months passed since my last #introduction, so here is an updated one:

AKA: +mala, AiTTaLaM

Job: Doin’ trustworthy #AI @ moz://a.ai - more generally I love #teaching, no matter if to humans or machines :-)

Projects: 3564020356.org is the oldest (~22yrs 😅), #PicoGopher the most recent... Look around and find the rest! 😜

Interests: #bouldering #gopher #SelfHosting #opensource #reversing #fediverse #recsys #ML #solarpunk #CommunitiesOfExperience

Continued thread

Here's a live kernel dump of a Windows system with the win32kbase_rs module loaded, opened in WinDbg. We can use the !poolused command to get an idea of memory allocations made with this new RstG pool tag.

We can see that there have been a few allocations with the RstG pool tag, totaling 368 bytes.

Note that Microsoft describes this pool tag as "GDITAG_RUST_GLOBALS". If you've got a recent enough version of WinDbg / Debugging Tools for Windows, you can find this pool tag description in amd64\triage\pooltag.txt in your debugger install location.

Here are the new Rust-related pool tag descriptions in pooltag.txt:

Rust - win32kbase_rs.sys - GDITAG_RUST
RstG - win32kbase.sys - GDITAG_RUST_GLOBALS

You can find out more about the Rust pool tag in my other thread, which looks more specifically at the Rust code: infosec.exchange/@cxiao/110366

Continued thread

win32kbase uses yet another new pool tag when loading the Rust code: RstG.

In AllocateAndLoadBaseRustExports, the memory allocated with this pool tag is used for a struct of type BaseRustExportsStorage; this struct is used to hold the base of the loaded win32kbase_rs image, as well as a table of pointers to its exported functions.

Continued thread

You can find the ID of the Rust_GDI_REGION feature flag statically, by looking inside win32kbase.sys inside build 25357.1.

That contains a function called LoadAndConnectRustCode, which first calls Feature_Rust_GDI_REGION__private_IsEnabled to check the status of the feature flag. The Rust code in \SystemRoot\System32\win32kbase_rs.sys is only loaded if that function returns a nonzero value.

The Feature_Rust_GDI_REGION__private_IsEnabled function calls wil_details_FeatureStateCache_GetCachedFeatureEnabledState to get the status of the feature. It passes in a variable named Feature_Rust_GDI_REGION__private_descriptor to specify the feature it would like to query.

This struct has type wil_details_FeatureDescriptor; in its featureId field, you can see the 0x23a024a (37356106) feature ID value.

The same feature ID value is also visible as the second argument to the wil_details_FeatureReporting_ReportUsageToService call.

Continued thread

Here's win32kbase_rs.sys loaded on an actual system running Windows 11 Insider Preview 25357.1.

You'll have to enable the Rust_GDI_REGION Windows feature flag (ID 37356106) first. The easiest way to do this is via ViVeTool, which interacts with Windows' built-in A/B feature testing mechanism: github.com/thebookisclosed/ViV

vivetool.exe /enable /id:37356106

Shoutout again to Brent for finding the actual feature flag value, happy reversing out there 🫡

Replied in thread

The Rust Windows kernel GDI code also has symbols for fallible_vec::FallibleVec<T,A>, which looks like a non-panicking Vec implementation. try_extend, try_extend_from_slice, try_splice_in, and try_insert are all implemented.

In fact it looks suspiciously similar to the rust_fallible_vec crate, which Microsoft recently open-sourced: github.com/microsoft/rust_fall :thonking:
( @TehPenguin 👋 )

The methods are generic over the allocator type A; some of these FallibleVec method implementations use the registered global allocator gdi_alloc::Win32Allocator, and others use the gdi_alloc::TaggedAllocator with the GDI-specific pool tags.

Continued thread

For the specific GDI objects, there are still allocations made with the existing GDI-specific pool tags.

It looks like the rgncore::scan::ScanBuilder<gdi_alloc::TaggedAllocator<_>> object uses the existing GDI pool tag Gscn ( i.e. GDITAG_SCAN_ARRAY) for vector allocations. (Probably gdi_alloc::TaggedAllocator<_> requires specifying a pool tag)

I also see Gedg (i.e. GDITAG_EDGE) being used in gdi_rust::region::from_path::GlobalEdgeTable::add_edge and gdi_rust::region::from_path::ActiveEdgeTable::new, among other places.