Creating undetected malware for OS X
Date: 07/10/2013 Author: Daniel Pistelli
Misuse of the internal mechanism provided in OS X to load encrypted Apple executables to defeat static analysis of current anti-malware solutions. This article was originally published on cerbero-blog.com.
CFF Explorer’s Scripting Language V2
Date: 30/05/2009 Author: Daniel Pistelli
A small update to the scripting language of the old CFF Explorer. The main news is that it now offers the capability of creating reports of .NET metadata tables.
Dynamic C++ Proposal
Date: 18/12/2008 Author: Daniel Pistelli
A proposal of how to introduce dynamism into the C++ language. This proposal tries to cover every aspect, introducing, besides dynamic objects, also dynamic enumerators, namespaces and templates. The proposal also shows possible applications of the presented features. Although the paper is purely theoretical, it covers how dynamism can be implemented at low level. The reader of this paper ought to have a good knowledge of the C++ language. This article was released on codeproject.com and won the competition in the C++/MFC category for December, 2008.
Qt Internals & Reversing
Date: 28/11/2008 Author: Daniel Pistelli
The first part of this article shows the dynamic internals of the Qt framework, which enable the signals and slots mechanism. The second part focuses on how to retrieve the metadata information generated by the Qt moc from binary files with an IDAPython script and how to use this information to analyze the disassembled code.
.NET Internals and Native Compiling
Date: 25/05/2008 Author: Daniel Pistelli
The second of a two series of articles about the .NET framework internals and the protections available for .NET assemblies. In these articles the .NET internals are presented from the perspective of a reverser. In this article native compiling protections and all the methods to overcome them are analyzed in depth. Among other things it shows the inner workings of the JIT by introducing Native Injection. It also addresses the topic of .NET Virtual Machine Protections.
.NET Internals and Code Injection
Date: 09/05/2008 Author: Daniel Pistelli
The first of a two series of articles about the .NET framework internals and the protections available for .NET assemblies. In these articles the .NET internals are presented from the perspective of a reverser. In this article code injection protections and all the methods to overcome them are analyzed in depth. Among other things it introduces how to take complete control over the JIT.
DisasMSIL: a free MSIL disasm engine
Date: 30/04/2008 Author: Daniel Pistelli
DisasMSIL is a free/open disasm engine for the Microsoft Intermediate Language (MSIL). You can use it any context you wish. There are no license restrictions. The only thing I ask you to do is to send me your bug fixes (if any).
Rebel.NET Official Guide
Date: 25/04/2008 Author: Daniel Pistelli
The official Rebel.NET guide. Rebel.NET is a rebuilding tool for .NET assemblies which is capable of adding and replacing methods and streams. It’s possible to replace only a limited number of methods or every method contained in a .NET assembly. The simplicity of Rebel.NET consists in the replacing process: one can choose what to replace. Rebel.NET is, mainly, a very solid base to overcome every .NET protection and to re-create a fully decompilable .NET assembly. As such, Rebel.NET has to be considered a research project, not an encouragement to violate licensing terms.
Microsoft’s Rich Signature (undocumented)
Date: 05/03/2008 Author: Daniel Pistelli
Documentation and reverse engineering of Microsoft’s Rich Signature: until now an undocumented subject. The article comes with several scripts: one to decrypt the Rich Signatures and one little script to rebuild a PE without the header garbage. This article offers an inisght into the library (and object) file format as well.
CFF Explorer’s Scripting Language V1
Date: 17/01/2008 Author: Daniel Pistelli
Documentation for the first version of the powerful scripting language embedded in the CFF Explorer (starting from version VII). The documentation contains a brief guide for Lua, the differences between standard Lua and the one implemented by the CFF Explorer, a brief how-to, code samples and the functions reference.
Powerful x86/x64 Mini Hook-Engine
Date: 20/11/2007 Author: Daniel Pistelli
Powerful x86/x64 hook-engine. This article is a part of a bigger project. This article was released on codeproject.com.
How to write an extension for the CFF Explorer
Date: 15/07/2007 Author: Daniel Pistelli
With the CFF Explorer VI (deployed with the Explorer Suite II) the possibility to write extensions has been introduced. Extension literally extend the functionalities of the CFF Explorer, integrating external software parts in its GUI. I wrote a little upx extension which I’m going to explain in this article.
Moving to Windows x64
Date: 01/01/2007 Author: Daniel Pistelli
Released one month before the official release of Windows Vista, this article is about all the news brought by Vista and the x64 technology. Some of the subjects are: x64 assembly, WOW, exception handling, UAC, ASLR, registry filtering, .NET 3.
Small Application Wizard
Date: 21/08/2006 Author: Daniel Pistelli
A wizard designed for Visual Studio .NET (2005) to build small applications with just a few clicks. The package includes a small libc. This article was released on codeproject.com.
Remotesoft’s Salamander 22.214.171.124 (Native Compiling)
Date: 28/06/2006 Author: Daniel Pistelli
A very brief essay about the .NET native compiling tecnique and the specific case of Salamander protected application. It’s the first essay about the .NET native compiling tecnique which relies upon the Global Assembly Cache (GAC).
Injective Code inside Import Table
Date: 06/06/2006 Author: Ashkbiz D.
An introduction to the injection of code into an Import Table of a Portable Executable file. This thing is called API redirection technique. This article was released on codeproject.com.
The .NET File Format
Date: 11/12/2005 Author: Daniel Pistelli
This article describes the internal .NET File Format. The standards of the .NET format are public, you can find them on Microsoft and in your .NET SDK (look after “Partition II Metadata.doc”), but they are intended to be a more like a reference, not really a guide. So this is what you need if you want a simple guide to understand this subject. This article was released on codeproject.com and won the competition in the C# category for January, 2006.
Inject your code to a Portable Executable file
Date: 01/12/2005 Author: Ashkbiz D.
This article demonstrates in five steps how to inject your code in a portable executable (exe, dll, ocx,…) file without recompiling the source code. This article was released on codeproject.com and won the first prize in the MFC category for December, 2005.
.NET Manifest Resources
Date: 28/10/2005 Author: Daniel Pistelli
This article is about the internal format of .NET Manifest Resources (or better the “.resources” files contained in it). I don’t know if the code can be useful to you or not (probably not), but I like to write about undocumented stuff. In fact, this article is nothing sensational, I just wrote it ’cause I haven’t found any documentation about this subject on the net, not even in the .NET MetaData specifics: Partition II MetaData.doc. This article was released on codeproject.com.
Date: 10/04/2005 Author: Daniel Pistelli
This article is just a general overview about protections who play with system structures like the SDT. It has nothing to do with reversing and no debugger or disassembler was used to write it. In addition TheMida will not implement a kernel-mode part in the near future. This is just a tool to bypass SDT hooking protections.
La Nuova Guida Al Cracking (.NET)
Date: 01/01/2005 Author: Daniel Pistelli
A general overview about .NET Software Security. The paragraphs are: MicroSoft Intermediate Language, Cracking, Debugging, Decompilers, Code Obfuscation, Protection Theory. It’s a quite complete introduction.
Windows File Protection: How To Disable It On The Fly
Date: 09/11/2004 Author: Daniel Pistelli
In this article it’s shown how to deactive the Windows File Protection without rebooting to safe mode or recovery console. The articles shows you how to change system files without the system noticing it and replacing the original files. This article was originally released on rootkit.com.
Tutto (o quasi) sul Portable Executable
Date: 20/08/2003 Author: Daniel Pistelli
The most accurate italian guide about the Portable Executable file format. It’s the most important source in Italy about this subject.
Introducing The Windows Driver Foundation
Date: no date Author: Daniel Pistelli
A little introduction to the Windows Driver Foundation before its actual release. This article was written when this technology was still in beta testing.