Tetrane's BLOG
CVE-2019-1347: When a mouse over a file is enough to crash your system
CVE-2019-1347 is a vulnerability disclosed in october 2019 by Mateusz @j00ru Jurczyk in the Windows relocation mechanism when parsing a PE file. By simply placing your mouse cursor over the Proof of Concept file, a Blue Screen Of Death is triggered. We thought the original description could be positively completed...
REVEN 2.2: Python API, Automatic Recording, and more
Tetrane is happy to announce the recent release of REVEN 2.2. REVEN is an automated Reverse Engineering Platform designed to go x10 faster & x10 deeper using Timeless Analysis. Technically, REVEN captures a time slice of a full system execution (CPU, Memory, Hardware events) to provide unique analysis features that...
Analysis of the Uroburos malware with REVEN
12 Jun 2019
by
Luc
and Mathieu
-
Technical
-
Reverse Engineering
Malware Analysis
Windows Kernel
Demo
Reven
In this post, we present how Timeless Analysis can be used to analyze a few mechanisms of a Uroburos recent version. We use REVEN and its integration with Volatility and IDA to detect indicators of compromise, analyze the dropping mechanisms and circumvent tricks the malware uses to hide itself. The...
Windows boot from UEFI to kernel
20 May 2019
by
Mathieu
-
Technical
-
Reverse Engineering
Windows Kernel
Windows boot
UEFI
Demo
Reven
Getting full visibility into the Windows 10 OS’ boot mechanisms is challenging. REVEN opens up a new world of possibilities with its timeless analysis technology! We used REVEN to record the Windows OS’ boot process, all the way from before the UEFI firmware transfers control to the boot process, to...
Full visibility of a Windows Kernel Bug with Timeless Analysis (CVE-2018-8410)
One of the situations where REVEN (aka Tetrane) really shines is digging into undocumented kernel mechanisms, especially in cases where WinDBG abstracts information away from the user. In the following video, we will analyze a reference counting bug in the Windows Kernel (CVE-2018-8410 published by Google Project Zero) and try...
Updated Analysis of PatchGuard on Microsoft Windows 10 RS4
Since Windows 64b, PatchGuard has been of great interest in Windows security. In this white-paper, you will access our research done using REVEN v2. For most iterations of its development, several people have analyzed its main mechanisms and internals which, many times, led to a functional bypass. Researchers seem to...
Analysis of VLC Exploit Arbitrary Code Execution (CVE-2018-11529)
This is the analysis of VLC Exploit Arbitrary Code Execution (CVE-2018-11529) done REVEN v2. It leverages our timeless analysis technology and several key features:
Data Tainting
Memory History
Backtrace
etc.
Analyzing CVE-2015-0350 with REVEN
In this article we will show how we analyzed and tamper the PoC for CVE-2015-0350, an Adobe Flash vulnerability located in the parsing of JPEG-XR images, with the help of timeless analysis. With REVEN v1.5.0, from an input file causing a crash, we analyze the vulnerability by instantly time-traveling to...
Reversing DirtyC0W
Everybody keeps in mind the Dirtyc0w Linux kernel bug. For those who don’t, take some time to refresh your memory here. The kernel race condition is triggered from user-space and can easily lead a random local user to write into any root owned file. In this article, we will demonstrate...
Unfolding obfuscated code with Reven (part 2)
Last time, by abstracting the runtime effect of the first virtual machine, we have reduced the challenge to a simpler but semantically equivalent program. Its control flow graph has a unique entry point as the basic block starting at 0x402048, whereas ones at 0x4023d4 and at 0x40266e are exit points...
Older Posts