Here’s a short list of things I’ve worked on recently:
-
WMI Forensics After encounter attackers using WMI for many phases of the attack lifecycle, my colleagues (Matt Graeber and Claudiu Teodorescu) and I reversed the WMI CIM database format. These files contains all the persistent information maintained by the WMI service. We’re now able to do true forensics on WMI artifacts, and we’ve released a few tools to make it easier. The whitepaper we wrote is available here.
-
vstruct In support of the WMI project, I’ve become familiar with the
vstructPython module. This is a great library for parsing binary data in a structured way. It is both Pythonic and declarative, which encourages the maintainability of parsing code (still not an easy feat). To help debug these parsers, I’ve developed thevstructuimodule for PyQt5 that displays an hex editor and interactive structure explorer, similar to the 010 Editor. Notably, its also pure-Python (beyond the PyQt dependency), which means its easy to invoke on all major operating systems. Here’s a screenshot of the widget in action:
-
SDB Forensics There are some really neat tricks attackers can play to hide executable code using the Application Compatibility Infrastructure. Sean Pierce, Jon Erickson, and others have presented great research on some of these techniques. A key strategy is to embed executable code within a “shim database” (.sdb file) that is subsequently loaded by the Windows PE loader. Since this file format was previously undocumented, I reverse-engineered it and published a pure-Python library.
-
vivisect is a pure Python library for binary analysis primarily developed by Invisig0th Kenshoto. I’ve recently used it extensively to develop IDAPython-like scripts that run on a headless Linux server. The library is well designed and very hackable, though its missing a bit of documentation. The emulation and symbolic analysis modules are also worthwhile.