Using Windows Sandbox for Malware Analysis

malware-analysis, technology 2021-10-03
**Disclaimer:** If you are not running Windows on your host, you might not get anything out of this post. Sorry Tux. I am convinced that the Windows Sandbox is one of the best virtualization solutions to do dynamic malware analysis (for Windows malware, at least). The reason is quite simple: Distinguishing a Windows 10 Sandbox instance from the actual underlying Windows 10 install should be very difficult for malware. Specifically if the host is running on HyperV with Guarded Host enabled, my current understanding is that there are little to no differences between the two, but they are neatly isolated from one another. The configuration options are limited, but you can easily cook up a config that launches a WindowsSandbox instance that has all the tools you need for some basic unpacking & dynamic analysis. This is what my malware analysis sandbox looks like at launch: New Windows Sandbox I have successfully executed a number of samples that evade execution in other virtualized environments. That's a far cry from rigorous testing, so take my praise with a grain of salt. Still, it might be worth a try, the setup is really easy. Do you want to see my config?

FrOSCon 2021 Vortrag – Der Cyber-Bankraub von Bangladesch

technology 2021-08-21
(English-only readers can safely ignore this post) I'll be talking at FrOSCon this year again and try to take a stab at a topic that does not _only_ involve technical topics but will also tell the story of a bank heist. This heist wasn't supported by getaway cars and pistols but was solely carried out through cyber-means. The talk is in German though. * Source Code of LaTex Presentation: https://github.com/larsborn/FrOSCon2021-Ghidra-Bangladesh-Talk * Handout PDF: FrOSConTalk2021-Ghidra-Bangladesh * FrOSCon schedule entry: https://programm.froscon.de/2021/events/2670.html * Recording on media.ccc: https://media.ccc.de/v/froscon2021-2670-der_cyber-bankraub_von_bangladesch

Install Ghidra 10.0.1 on Ubuntu 20

technology 2021-07-17
I idly googled for the title and couldn't find code that I can insipidly paste into a console window. So I prepared it here for fellow travelers (and my future self): 
wget 'https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.0.1_build/ghidra_10.0.1_PUBLIC_20210708.zip'
unzip ghidra_10.0.1_PUBLIC_20210708.zip
sudo apt install default-jdk
./ghidra/ghidraRun

Prettier Struct Definitions for Python CTypes

code, technology 2021-06-20
I was writing some Python code that uses [ctypes][] for interfacing with the [Windows ToolHelp API](https://docs.microsoft.com/en-us/windows/win32/api/_toolhelp/). Specifically, I had to [define a Python equivalent][structs] for the [PROCESSENTRY32](https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/ns-tlhelp32-processentry32) struct. Now, the [ctypes][] [struct definitions][structs] are a little annoying because they do not give you type hints. You can add the type hints _on top_ of the _fields_ attribute but that looks a little silly because you _literally_ [write everything twice][wet]. In Python 3.7+ ((Starting in Python 3.7, dictionaries keep the insertion order.)), you can solve this using a metaclass, and one stigma of metaclasses is that they have very few applications, so I decided to blog about this one: 
class FieldsFromTypeHints(type(ctypes.Structure)):
    def __new__(cls, name, bases, namespace):
        from typing import get_type_hints
        class AnnotationDummy:
            __annotations__ = namespace.get('__annotations__', {})
        annotations = get_type_hints(AnnotationDummy)
        namespace['_fields_'] = list(annotations.items())
        return type(ctypes.Structure).__new__(cls, name, bases, namespace)
and now you can write: 
class PROCESSENTRY32(ctypes.Structure, metaclass=FieldsFromTypeHints):
    dwSize              : ctypes.c_uint32
    cntUsage            : ctypes.c_uint32
    th32ProcessID       : ctypes.c_uint32
    th32DefaultHeapID   : ctypes.POINTER(ctypes.c_ulong)
    th32ModuleID        : ctypes.c_uint32
    cntThreads          : ctypes.c_uint32
    th32ParentProcessID : ctypes.c_uint32
    pcPriClassBase      : ctypes.c_long
    dwFlags             : ctypes.c_uint32
    szExeFile           : ctypes.c_char * 260
The metaclass simply deduces the _fields_ attribute of the new class for you before the class is _even created_. It might make sense to think of metaclasses as "class creation hooks", i.e. you get to modify what you have written before the class is actually being defined. The following bit is just to be compatible with [PEP-563](https://www.python.org/dev/peps/pep-0563/): 
        from typing import get_type_hints
        class AnnotationDummy:
            __annotations__ = namespace.get('__annotations__', {})
        annotations = get_type_hints(AnnotationDummy)
And then, the following is the actual magic line: 
        namespace['_fields_'] = list(annotations.items())
This adds the attribute _fields_ before the class is created. [ctypes]: https://docs.python.org/3/library/ctypes.html [structs]: https://docs.python.org/3/library/ctypes.html#structures-and-unions [wet]: https://en.wikipedia.org/wiki/Don%27t_repeat_yourself Do you want to know what I was coding?

Zabbix: Use Low-Level Discovery for Software Update Notifications

technology 2021-03-25
Assume you have an already running Zabbix instance that is able to send notifications – via e-Mail or Signal for example. The goal of this post is, to use such an instance to get notified whenever there is a new release for a software you may have installed on some of your machines. Do you want to know more?

WordPress Child Themes for the Working Human

technology 2021-02-20
Create a new directory in wp-content/themes — let's call it danktheme in this example. Create two files in that directory: style.css and functions.php with the following contents: 
/*
 Theme Name:   Your Themename
 description:  Your Description
 Author:       Your Name
 Template:     twentytwentyone
 Version:      1.0.0
*/
and 
<?php
add_action('wp_enqueue_scripts', 'my_theme_enqueue_styles', 11);
function my_theme_enqueue_styles()
{
    wp_enqueue_style('danktheme', get_stylesheet_uri());
}
That's it: now you can select "Your Themename" in the admin interface. If you don't want to use twentytwentyone as the parent theme — because it's not the most recent one when you read this, for example — replace it in the style.css. Yes, in the stylesheet, I'm not making this up, rules are rules.

3D Modeling for 3D Printing for Total Noobs

technology 2020-11-08
I was always fascinated with the idea of turning ideas into data within a computer and then turning this data into a physical object. With this, I'm probably not alone given that 3D printing is all the rage in nerd world. After some googeling around and buying a printer on Amazon Prime day, I devised the following plan to learn 3D printing as a skill: 1. print sample shape shipped with the printer 2. print model from the internet 3. modify existing model 4. create a model from scratch The intention behind this plan was to spread out different problems and technologies involves as much as possible. So it's never a daunting task. Show the steps!

Do Not Enforce Email Address During CTFd Registration

technology, web 2020-10-24
CTFd is a Python-based open-source Capture The Flag (CTF) web app. I wanted to use it in a context where I didn't want to collect email addresses of the registering users. To archive this, I decided to take the easy way and hack myself around the problem: just hide the email-field in the registration form and generate a random address for every registration. Show me the code!

Raspberry Pi Camera for Sourdough Monitoring

hardware, technology 2020-09-27
All right, the last step to complete the great Sourdough Monitoring Project (SMP): capturing actual footage. We don't need a real video but just a sequence of still images. The goal is to collect enough of those on disk to later be able to assemble them into a time-laps video of the dough growing. First I'll show you how to enable camera support in software, then how to attach the camera, and finally finally how to capture images to disk. As a bonus, I'll share a PHP script you can use to receive images on a server on the internet so you can look at your dough from the other side of the world. Take a peek.

Temperature Measurement on Raspberry Pi

hardware, technology
This is me again, having no idea about electronics and trying to get a Raspberry Pi to record the temperature of its surroundings in order to better control the environment of the previously mentioned sourdough. Get bakin'!

Switching Power on Raspberry Pi USB Ports

hardware, technology
I want to create a stop motion movie of sourdough growing over night. Don't ask. Since I'm very comfortable with the OS, I am using Raspberry Pi as the hardware platform. And since everyone will tell you that _Lighting_ is important for any kind of filmmaking I played around with ways to toggle power on the USB ports to control USB-powered lamps. You want to know more? !

Java Test Coverage and The Missing Path

code, technology 2020-09-20
I started learning JUnit 4 and encountered the message "1 of 4 branches missed." when testing a code fragment like x && y where x and y depend on each other in a particular way. Here is my journey and a "solution". You want to know more? !

Which Raspberry Pi do I have?

hardware, technology 2020-09-19
Run 
grep Revision /proc/cpuinfo
and look it up on https://elinux.org/RPi_HardwareHistory. For posterity I copied the table by the time of writing...!
Authors have copyrights. People say these things in footers.
All Hail the Great Yawgmoth, Father of Machines.