News – NTCore

Windows Memory Analysis

Erik Pistelli — Tue, 25 Mar 2025 10:37:04 +0000

If, just like me, you’re fascinated by memory forensics, you might be interested in the new Memory Analysis package for Cerbero Suite developed by my company. The package supports analyzing memory dumps from Windows XP up to Windows 11, on both x86 and x64 systems, and is designed to make complex forensic tasks simpler and more intuitive.

I’ve always been intrigued by the possibility of visually exploring an entire system, from the complete overview down to its mapped executables in memory. As Cerbero Suite’s functionality evolved, it is now capable of offering an unparalleled experience in this regard.

If you or your organization are involved in memory analysis, you might want to check it out.

Cerbero Journal

Erik Pistelli — Mon, 20 Jun 2022 08:45:21 +0000

Since I’m a nostalgic, my company now has an official e-zine.

If, like me, you’re old enough, it will perhaps remind you of the golden era of e-zines.

NTCore revamped

Erik Pistelli — Mon, 09 Jul 2018 22:04:45 +0000

After over a decade, I finally took two afternoons to revamp this personal web-page and to merge the content of the old NTCore page with the content of its blog (rcecafe.net). All the URLs of the old web-page and blog have been preserved in the process. The people who voted for this on Twitter are … Continue reading

Preparing a bugfix version of CFF Explorer

Erik Pistelli — Thu, 25 Oct 2012 08:32:44 +0000

It has been many years since the last update of what had started as a hobby side-project when I was 19. I’m sorry that I haven’t updated the CFF for such a long time, given that thousands of people use it every day. A few months ago I stopped working for Hex-Rays to fully dedicate myself to my own company and thus I have decided that I have now the time and the energy (barely) to finally update the CFF.

Over the years I’ve received several bugfix requests, but couldn’t oblige because of the lack of time. If you’re interested that a particular fix goes into the upcoming release, please leave a comment under this blog post or drop me an email to ntcore@gmail.com (feel free to repeat the request, as it might have been lost during the years).

Please don’t include radical changes or improvements, we’ll leave that for later maybe. If your company needs professional PE inspection (not editing), I’d advice you to check out my current commercial product at cerbero.io/profiler, which doesn’t cover ‘just’ the Portable Executable format.

UPDATE: Uploaded new version with the following improvements:

– Dropped Itanium version
– Added ENCLog and ENCMap .NET tables
– Modify resources of system files (MUI limitation)
– Fixed resource loop bug
– Fixed MDTables string overflow bug
– Fixed command line scripting bug
– Fixed ‘Select All’ bug in hex editor
– Fixed missing offset check in .NET tables
– Fixed missing reloc size check
– Fixed scripting handles bug
– Use FTs when OFTs are invalid
– Updated UPX

You can continue to leave comments or send me emails. As soon as there are enough new bug reports, I’ll upload a new version. In time, maybe, some small improvements could be included apart from bug fixes.

A malware with my name

Erik Pistelli — Thu, 09 Sep 2010 10:43:01 +0000

There’s a malware circulating that contains my name in its version information. I’m, of course, not the author (putting one’s own name in the version info would be brilliant). I’m clarifying, as three people already contacted me about it since yesterday.

It was probably done on purpose and it’s not the result of a random generation of different version info, as I suspect. What the author/s of this malware ignore, is that they made me stumble on an additional technique against malware, that’ll probably damage their business and force them to work more.

Given my very limited amount of spare time, it’s too soon to discuss this.

PDF Insider Demo

Erik Pistelli — Tue, 25 May 2010 00:58:16 +0000

A small, on the fly video presentation of my new utility.

The emphasis of this application stands on parsing correctly the PDF format, if it can’t because the PDF is malformed (very common among malicious PDFs), then it provides the tools to read the objects nonetheless. I tested it on many PDF (also malicious ones) and it handles all of them very well.

As I have written this application in five days, there are still some small features I’d like to add, but most of the code is already there. I started the development of it quite some time ago on a weekend while I was sick at home and have found only now the time to finish it.

I have no plans about how and when to release it yet, but some friends of mine will start using it in real world scenarios.

P.S. Thanks to Alessandro Gario for the throughout testing.

Filter Monitor 1.0.1

Erik Pistelli — Sat, 17 Oct 2009 14:44:16 +0000

This week, after months of development of bigger projects, I found some time to windbg “ntoskrnl.exe” and write a utility. It is called Filter Monitor and shows some key filters installed by kernel mode components.

“As you probably all know the Service Descriptor Table has been a playground on x86 for all sorts of things: rootkits, anti-viruses, system monitors etc. On x64 modifying the Service Descriptor Table is no longer possible, at least not without subverting the Patch Guard technology.

Thus, programs have now to rely on the filtering/notification technologies provided by Microsoft. And that’s why I wrote this little utility which monitors some key filters.

Since I haven’t signed the driver of my utility, you have to press F8 at boot time and then select the “Disable Driver Signature Enforcement” option. If you have a multiple boot screen like myself, then you can take your time. Otherwise you have to press F8 frenetically to not miss right moment.

A disclaimer: the boot process can be a bit annoying, but the utility should be used on virtualized systems anyway, as I haven’t fully tested it yet. I doubt that it will crash your system, I guess the worst scenario is that it won’t list some filters. It should work on any Windows system starting from Vista RTM and I have provided an x86 version and an x64 version. But the truth is that I have tested only the x64 version on Windows 7 RTM. Last but not least, I can’t guarantee that this utility will work on future versions of Windows, it relies heavily on system internals.

Now, let’s run it. The supported filters/notifications at the time are these: Registry, Create Process, Create Thread and Load Image. “Registry” stands for CmRegisterCallback filters. “Create Process” for PsSetCreateProcessNotifyRoutine callbacks. “Create Thread” for PsSetCreateThreadNotifyRoutine callbacks. And “Load Image” for PsSetLoadImageNotifyRoutine callbacks.

The “Additional Info” in the list view provides internal information like the address of the callback function.

There are some default filters registered by system components, but, as you can notice, there are also Kaspersky components. That’s because some filters (like the registry filter) are not used by system components and I needed a tool which would make use of these filters for my little demonstration.

The version of Kaspersky I have installed is the latest one available on the internet which is: 9.0.0.463.

I created for this demonstration a little executable called “k-test” (what you see on the desktop are three copies of the same executable) which copies itself in a directory called “borda” in the “Roaming” directory of the operating system. It then creates a value in the Run key of the registry to execute itself at each start-up. Finally, it launches itself from the “Roaming” directory and ends.

This is a typical malware behavior. Beware that the signature of the application itself is not contained in the databases of Kaspersky as I have written it on the fly, but it detects the suspicious behavior, stops execution and deletes the file. And it does this every time I launch the test application.

Now let’s get to the part where I show an additional functionality of the Filter Monitor which is the ability to remove registered filters and see what happens if I remove the filters installed by klif.sys, which is the “Kaspersky Lab Interceptor and Filter” driver. As the name suggests, this driver intercepts and filters: it installs all four of typologies of filters listed by the Filter Monitor. On x86 instead of calling CmRegisterCallback it additionally hooks about 60 functions of the Service Descriptor Table (which is a lot), but that’s no longer possible on x64.

So, let’s remove the filters and re-launch k-test. It works now.

Final disclaimer: It is not my intent to comment on security features of anti-viruses, I just wanted to present my new tool and show its functionalities. I was already familiar with the internals of Kaspersky before writing this utility.

I hope you enjoyed the presentation.”

P.S. A huge thanks goes to Alessandro Gario for providing me with all the different versions of ntoskrnl.exe.

Native Blocks Pre-Alpha

Erik Pistelli — Tue, 30 Jun 2009 22:45:48 +0000

Here’s a presentation of my new tool. I called it Native Blocks. It’s a re-assembler basically. Since a written presentation would take me too much time I prepared a video presentation.

Again, this is a pre-alpha. This tool will soon support other technologies such as java, actionscript and maybe even x86. Right now it only supports .NET (and even .NET support will be hugely improved, like for instance supporting the direct modification of assemblies without having to use Rebel.NET).

The development of this tool depends mainly on the interest of people.

As I can be considered a student from now on, I would like to earn some extra money by writing tools such as this one. I have still my job as consultant, but it’s a very limited partime, because I just became a student.

This tool is in my opinion pretty good, it is not only good for deobfuscation purposes but also patching and assembling on the fly.

If this tool can be sold, then the support of technologies will depend on requests. I think I’ll add Java immediately and after that maybe x86/x64. Again it depends.

Suggestions and comments are welcome.

.NET MetaData Tables Reports

Erik Pistelli — Fri, 29 May 2009 23:54:38 +0000

I updated the scripting language of the old CFF Explorer which now provides a function to automatically create reports of .NET metadata tables. The function is called LogPrintStruct and is to be used along with the logging functions the scripting provides. Here’s a small script you can find in the “Scripts” directory of the CFF Explorer which creates a report of all .NET tables contained in an assembly:

[cc lang=”lua”]– this script generates a report of a PE’s .NET metadata tables.

filename = GetOpenFile(“Open…”, “All\n*.*\nexe\n*.exe\ndll\n*.dll\n”)

if filename == null then
return
end

hPE = OpenFile(filename)

if hPE == null then
return
end

if GetOffset(hPE, PE_DotNETDirectory) == null then
MsgBox(“The current is not a valid .NET assembly.”, “Error”, MB_ICONEXCLAMATION)
end

repname = GetSaveFile(“Save Report As..”, “Text File\n*.txt\n”)

if repname == null then
return
end

hReport = CreateLog(repname)

if hReport == null then
return
end

fieldsToLog = {
PE_MetaDataTable_Module,
PE_MetaDataTable_TypeRef,
PE_MetaDataTable_TypeDef,
PE_MetaDataTable_Field,
PE_MetaDataTable_Method,
PE_MetaDataTable_Param,
PE_MetaDataTable_InterfaceImpl,
PE_MetaDataTable_MemberRef,
PE_MetaDataTable_Constant,
PE_MetaDataTable_CustomAttribute,
PE_MetaDataTable_FieldMarshal,
PE_MetaDataTable_DeclSecurity,
PE_MetaDataTable_ClassLayout,
PE_MetaDataTable_FieldLayout,
PE_MetaDataTable_StandAloneSig,
PE_MetaDataTable_EventMap,
PE_MetaDataTable_Event,
PE_MetaDataTable_PropertyMap,
PE_MetaDataTable_Property,
PE_MetaDataTable_MethodSemantics,
PE_MetaDataTable_MethodImpl,
PE_MetaDataTable_ModuleRef,
PE_MetaDataTable_TypeSpec,
PE_MetaDataTable_ImplMap,
PE_MetaDataTable_FieldRVA,
PE_MetaDataTable_Assembly,
PE_MetaDataTable_AssemblyProcessor,
PE_MetaDataTable_AssemblyOS,
PE_MetaDataTable_AssemblyRef,
PE_MetaDataTable_AssemblyRefProcessor,
PE_MetaDataTable_AssemblyRefOS,
PE_MetaDataTable_File,
PE_MetaDataTable_ExportedType,
PE_MetaDataTable_ManifestResource,
PE_MetaDataTable_NestedClass,
PE_MetaDataTable_GenericParam,
PE_MetaDataTable_MethodSpec,
PE_MetaDataTable_GenericParamConstraint
}

fieldNames = {
“Module”,
“TypeRef”,
“TypeDef”,
“Field”,
“Method”,
“Param”,
“InterfaceImpl”,
“MemberRef”,
“Constant”,
“CustomAttribute”,
“FieldMarshal”,
“DeclSecurity”,
“ClassLayout”,
“FieldLayout”,
“StandAloneSig”,
“EventMap”,
“Event”,
“PropertyMap”,
“Property”,
“MethodSemantics”,
“MethodImpl”,
“ModuleRef”,
“TypeSpec”,
“ImplMap”,
“FieldRVA”,
“Assembly”,
“AssemblyProcessor”,
“AssemblyOS”,
“AssemblyRef”,
“AssemblyRefProcessor”,
“AssemblyRefOS”,
“File”,
“ExportedType”,
“ManifestResource”,
“NestedClass”,
“GenericParam”,
“MethodSpec”,
“GenericParamConstraint”
}

LogPrint(hReport, “.NET metadata tables report for \”” .. filename .. “\”\n\n”)
loggedTables = 0
for i = 0, #fieldsToLog – 1 do
if GetOffset(hPE, fieldsToLog[i]) != null then
if loggedTables > 0 then
LogPrint(hReport, “\n\n\n”)
end
LogPrint(hReport, fieldNames[i] .. ” Table\n”)
LogPrint(hReport, “———————————————\n\n”)
LogPrintStruct(hPE, hReport, fieldsToLog[i])
loggedTables = loggedTables + 1
end
end

— Open the report?

CloseLog(hReport)

nRet = MsgBox(“Open report file?”, “.NET Tables Report”, MB_ICONQUESTION | MB_YESNO)

if nRet == IDYES then
ExecuteAppAndWait(@”C:\Windows\System32\notepad.exe”, GetShortPathName(repname))
end[/cc]

A generated report file looks like this:

[cc lang=”asm”].NET metadata tables report for “K:\Explorer Suite\Setup\Signature Explorer.exe”

Module Table
———————————————

1.
Generation: 0
Name: 1 (Signature Explorer.exe)
Mvid: 1
EncId: 0
EncBaseId: 0

TypeRef Table
———————————————

1.
ResolutionScope: 6
Name: 18 (Control)
Namespace: 20 (System.Windows.Forms)

2.
ResolutionScope: A
Name: 35 (Enum)
Namespace: 3A (System)

3.
ResolutionScope: 6
Name: 41 (Button)
Namespace: 20 (System.Windows.Forms)

4.
ResolutionScope: 6
Name: 48 (Form)
Namespace: 20 (System.Windows.Forms)

5.
ResolutionScope: A
Name: 4D (Object)
Namespace: 3A (System)

6.
ResolutionScope: A
Name: 54 (ValueType)
Namespace: 3A (System)

etc.[/cc]

I included this new feature because many developers asked me to. Reading the generated report files is much easier than manually reading the raw .NET format. The current scripting system won’t be implemented in the newer CFF Explorer, I only inserted this new feature because it will take me much more time to release the newer CFF Explorer.

Thanks to CodeRipper for signalling a corrupted .NET assembly which caused the CFF Explorer to crash when opening it. I improved the integrity checks.

Kernel: 3rd edition

Erik Pistelli — Thu, 02 Apr 2009 13:23:28 +0000

I don’t want to show too much, this is just a small preview. Yes, it’s running on Ubuntu and it runs on OSX just as well.
I don’t know if I’m going to ship a Linux and an OSX version apart from the Windows one, maybe not immediately. It also depends on the number of requests for it.

Some insights into the new kernel:

– The kernel is now stream based, this means it can read files, memory, disks etc.
– Complete multithread support.
– A CFFStream can be shared among CFFObjects even if they’re owned by a different thread.
– The same CFFObject can be shared among threads.
– Complete endianess support: every file format has a default endianess but can be loaded with a different one. For instance: it is possible to load a PE file with all fields in big endian.
– Support for all most common string encodings.
– Support for integer types of infinite size.
– Support for multiple file formats.
– Easily exposable to scripting languages.

There is more and an impressive amount of work has still to be done, although the kernel is about to be finished. I won’t tell all the new features of the GUI, because it’s way too soon.