SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

A few Ghidra tips for IDA users, part 2 - strings and parameters

Continuing my preliminary exploration of Ghidra, I pick up with the call to RegOpenKeyExA from last time (yes, I know this code is unreachable, as we discussed last time, but let's keep going anyway).


A few Ghidra tips for IDA users, part 1 - the decompiler/unreachable code

As I continue to explore NSA's new reversing tool, Ghidra, one of the features I had heard about and was excited to see in action was the decompiler. So, in this entry in the series, I'll start to delve into it. In particular, I'll look at one option that turned out to be more useful than I originally thought, though I'm still not entirely certain how I'll use it going forward.

I've long been a user of the Hex-Rays decompiler at $dayjob and I really like it, but I can't afford it for my personal/Storm Center research and we don't use it in FOR610, so I was really looking forward to giving the Ghidra one a try. I have to say, so far, I'm pretty impressed.

As I explain to my FOR610 students, decompiling is a hard problem. A lot of context is lost during optimization, so except for very simple programs you shouldn't expect the decompiler to give you C code that looks like the original source. Having said that, for someone like me who has been programming on-and-off for a very long time, I can usually grasp the purpose of a function much more quickly in a (pseudo-)high-level language than in assembler.

One place decompiling is extremely useful is in showing the parameters to function calls (especially Windows API calls) in a way that isn't as tedious (and potentially error-prone) as scrolling up and counting the PUSH instructions (cdecl or stdcall) or trying to trace the contents of certain registers (fastcall). More on that in my next installment.


A few Ghidra tips for IDA users, part 0 - automatic comments for API call parameters

If you haven't been living under a rock, you probably heard that the NSA released its reverse-engineering tool, Ghidra, at RSA last month. I've been an IDA user for years (it's the primary disassembler we use when I teach FOR610), but I've been trying out Ghidra over the last few days since it is free and other malware analysts have been talking about it. This is the first of several diaries I plan to write with suggestions on how to get Ghidra to do things I've come to rely on in IDA. And, being a good computer scientist, I start counting at 0, hence part 0.

Let me state, right up front, that I have only spent a couple of hours using Ghidra, so this is very preliminary. On first glance, one feature I missed from IDA was the comments giving me the names of the parameters for Windows API calls (e.g., the first parameter to RegOpenKeyExA is listed in MSDN as hKey, with type HKEY). It turns out Ghidra can do this too. It requires changing one of the defaults in the AutoAnalysis settings (you see these when you first open a file for analysis, or when you choose AutoAnalysis from the Analysis menu). The option WindowsPE x86 Propagate External Parameters is disabled by default; enable it and you get the comments you expect.
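To make concrete what both the part 1 paragraph (counting PUSH instructions by hand for cdecl/stdcall) and the Propagate External Parameters option are doing, here is a small added example that is not part of the SANS diaries and not Ghidra's or IDA's own code. It walks backwards from a CALL in an x86 listing, pairs each PUSH with the MSDN parameter name (stdcall and cdecl push right to left, so the push nearest the CALL is the first parameter), and stops at any intervening CALL whose own pushes have already been consumed. The disassembly listing and the API table are constructed for this example; the parameter names for RegOpenKeyExA and RegQueryValueExA are the MSDN ones, and the helper names (`sub_401200`, `aSoftwareMicro`) are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Parameter names as MSDN lists them, in C declaration order (left to right).
# stdcall/cdecl push arguments right to left, so the push nearest the CALL is
# the first parameter.  This table is hand-written for the example.
API_PARAMS: Dict[str, List[str]] = {
    "RegOpenKeyExA": ["hKey", "lpSubKey", "ulOptions", "samDesired", "phkResult"],
    "RegQueryValueExA": ["hKey", "lpValueName", "lpReserved", "lpType", "lpData", "lpcbData"],
}

# Constructed x86 listing in an IDA-like layout (not taken from the blog).
# The helper call at 00401004 consumes its own push, so a walk that simply
# grabbed "the last five pushes in the function" would mis-attribute values.
DISASM = """\
00401000  push    ebp
00401001  mov     ebp, esp
00401003  push    eax
00401004  call    sub_401200
00401009  lea     eax, [ebp-4]
0040100C  push    eax
0040100D  push    20019h
00401012  push    0
00401014  push    offset aSoftwareMicro
00401019  push    80000002h
0040101E  call    ds:RegOpenKeyExA
00401024  test    eax, eax
"""

LINE_RE = re.compile(r"^([0-9A-Fa-f]+)\s+(\w+)\s*(.*?)\s*$")


def parse(listing: str) -> List[Tuple[str, str, str]]:
    """Split a listing into (address, mnemonic, operands) tuples."""
    out = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(2).lower(), m.group(3)))
    return out


def call_target(operands: str) -> str:
    """'ds:RegOpenKeyExA', '[RegOpenKeyExA]' or 'RegOpenKeyExA' -> 'RegOpenKeyExA'."""
    return operands.strip("[]").split(":")[-1]


def resolve_args(insns, call_idx: int, params: List[str]) -> Dict[int, str]:
    """Map the listing index of each argument PUSH to its parameter name.

    Walk backwards from the CALL.  Stop at an intervening CALL: the pushes
    before it were its arguments (stdcall callee cleans them, cdecl does an
    add esp afterwards; either way they are gone).  Caveat: a compiler may
    legitimately push an outer argument before an inner call; that case is
    not handled here, any more than counting by hand handles it.
    """
    found: Dict[int, str] = {}
    i = call_idx - 1
    while i >= 0 and len(found) < len(params):
        _, mnem, _ = insns[i]
        if mnem == "call":
            break
        if mnem == "push":
            found[i] = params[len(found)]
        i -= 1
    return found


def annotate(listing: str, table: Dict[str, List[str]] = API_PARAMS) -> List[str]:
    """Return the listing with '; paramName' comments on each argument push."""
    insns = parse(listing)
    comments: Dict[int, str] = {}
    for idx, (_, mnem, ops) in enumerate(insns):
        if mnem != "call":
            continue
        name = call_target(ops)
        if name not in table:
            continue
        args = resolve_args(insns, idx, table[name])
        if len(args) != len(table[name]):
            comments[idx] = f"; WARNING: only {len(args)}/{len(table[name])} args found"
        comments.update({i: f"; {p}" for i, p in args.items()})
    lines = []
    for idx, (addr, mnem, ops) in enumerate(insns):
        text = f"{addr}  {mnem:<7} {ops}".rstrip()
        if idx in comments:
            text = f"{text:<44}{comments[idx]}"
        lines.append(text)
    return lines


if __name__ == "__main__":
    print("\n".join(annotate(DISASM)))
```

Run it and the five pushes before `call ds:RegOpenKeyExA` come back labelled hKey through phkResult, while the `push eax` feeding `sub_401200` stays unlabelled. fastcall is deliberately out of scope: its first two arguments live in ECX and EDX, which is exactly the register tracing the part 1 paragraph describes and which a push walk cannot recover.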


SANS Threat Hunting and Incident Response Summit 2019 Call for Speakers - Deadline 5/6

Summit Dates: September 30 & October 1, 2019. Call for Presentations closes on Monday, May 6, 2019 at 5 p.m. CST. The Threat Hunting & Incident Response Summit will focus on specific hunting and incident response techniques and capabilities that can be used to identify, contain, and eliminate adversaries targeting your …


Investigating WMI Attacks

WMI as an attack vector is not new. It has been used to aid attacks within Microsoft networks since its invention. However, it has been increasingly weaponized in recent years, largely due to its small forensic footprint. In a world of greater enterprise visibility and advanced endpoint protection, blending in using native tools is …