Author Archives: Daniel Pistelli

Profiler 2.7

Profiler 2.7 is out with the following news:
+ added experimental support for Windows raw memory images
+ added support for EML files
+ added Tor-based URL download action
– added JBIG2 decoder for PDFs
– improved PDF parsing against …

Posted in Uncategorized

URL Download Action (Tor)

In the upcoming version of Profiler Advanced we have introduced a new useful action, namely the URL Download action. Many times in previous posts we have analyzed some malware which at the end of its shellcode ended up downloading a …

Posted in Action, Profiler Advanced, Security
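The URL Download action above fetches the second-stage URL through Tor. As an added example (not Profiler's implementation), here is the SOCKS5 exchange (RFC 1928) that such a download relies on, written against the raw socket so that the detail that matters is visible: the CONNECT request carries the hostname itself (address type 0x03), so name resolution happens inside the Tor circuit instead of through the analyst's own resolver, which would otherwise leak the malware host's name to the local network. It assumes a local Tor SOCKS listener on 127.0.0.1:9050 (Tor's default SOCKSPort) and tunnels plain HTTP only.

```python
"""Fetch a URL through Tor's SOCKS5 proxy, resolving the hostname inside Tor.

Added example, not Profiler's code. Assumes tor is listening on 127.0.0.1:9050.
"""
import socket
import struct
from urllib.parse import urlparse

TOR_SOCKS = ("127.0.0.1", 9050)  # assumption: default tor SOCKSPort


def build_socks5_connect(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT request using ATYP=0x03 (domain name).

    Sending the name rather than a locally resolved IP is what keeps the DNS
    lookup inside Tor (the "socks5h" behaviour of most proxy libraries).
    """
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for a SOCKS5 domain address")
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3, LEN, NAME, PORT (big endian)
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)


def parse_socks5_reply(reply: bytes) -> int:
    """Return the SOCKS5 reply code (0 = succeeded); raise if not a SOCKS5 reply."""
    if len(reply) < 2 or reply[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    return reply[1]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during SOCKS5 handshake")
        buf += chunk
    return buf


def tor_http_get(url: str, timeout: float = 60.0) -> bytes:
    """Plain-HTTP GET tunnelled through Tor; returns the raw HTTP response."""
    u = urlparse(url)
    if u.scheme != "http":
        raise ValueError("this example tunnels plain http only; wrap the socket with ssl for https")
    host, port = u.hostname, u.port or 80
    with socket.create_connection(TOR_SOCKS, timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")                  # greeting: one method, no auth
        if _recv_exact(s, 2) != b"\x05\x00":
            raise ConnectionError("Tor did not accept no-auth SOCKS5")
        s.sendall(build_socks5_connect(host, port))
        hdr = _recv_exact(s, 4)                     # VER REP RSV ATYP
        code = parse_socks5_reply(hdr)
        if code != 0:
            raise ConnectionError(f"SOCKS5 CONNECT failed with code {code}")
        atyp = hdr[3]                               # drain BND.ADDR and BND.PORT
        if atyp == 1:
            _recv_exact(s, 4)
        elif atyp == 3:
            _recv_exact(s, _recv_exact(s, 1)[0])
        elif atyp == 4:
            _recv_exact(s, 16)
        _recv_exact(s, 2)
        path = (u.path or "/") + (f"?{u.query}" if u.query else "")
        s.sendall(
            f"GET {path} HTTP/1.0\r\nHost: {host}\r\n"
            f"User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n".encode()
        )
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    print(build_socks5_connect("example.onion", 80).hex())
```

If the malware host is already an IP literal, the same request still works with the dotted form as the "name"; only a hostname that the proxy resolves matters for the DNS leak, so check the bytes of the CONNECT request (ATYP byte 0x03 at offset 3) when verifying that a downloader really resolves through Tor.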

EML support

The upcoming 2.7 version of Profiler Advanced introduces support for the EML file format. Support for EML files had until now only been present as an experimental hook to extract attachments. We have now introduced full-fledged EML support and have removed …

Posted in Format, Profiler Advanced

Profiler Advanced

With the upcoming 2.7 version of Profiler, we will start releasing an Advanced edition alongside the Standard one. All our users who have bought a license until this point in time will automatically have their license work with the Advanced …

Posted in Profiler Advanced

JBIG2 Encoded Malware in PDFs

The upcoming version 2.7 of Profiler adds support for the JBIG2 encoding inside PDFs. Although JBIG2 isn't intended to encode anything but images, it can be used to carry other data. Quoting the PDF documentation: The JBIG2Decode filter (PDF 1.4) decodes …

Posted in PDF, Profiler
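The triage step that follows from the point above is to find every stream a PDF declares as JBIG2-encoded, since that is where non-image data would be hidden. The following scanner is an added example, not Profiler code: it does a textual scan of object syntax (no xref parsing, no object streams, no decryption) and reports each stream whose /Filter chain contains /JBIG2Decode, whether JBIG2 is chained behind another filter such as /FlateDecode, and whether a /JBIG2Globals stream is referenced, since a payload can be split between the image stream and its globals. The sample PDF at the bottom is constructed for the example and its stream bytes are dummies.

```python
"""Flag PDF stream objects whose filter chain includes /JBIG2Decode.

Added example for this page, not Profiler code. Objects hidden inside /ObjStm
containers or encrypted PDFs need a real parser; this scan only sees plain syntax.
"""
import re

# "N G obj ... endobj" with the dictionary and any stream data in between.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj\b", re.DOTALL)
# The "stream" keyword ends the dictionary; \b keeps "endstream" from matching.
STREAM_KW = re.compile(rb"\bstream\r?\n")
# /Filter followed by either a single name or an array of names.
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")
NAME_RE = re.compile(rb"/(\w+)")
# Payloads are sometimes split between the image stream and a /JBIG2Globals stream.
GLOBALS_RE = re.compile(rb"/JBIG2Globals\s+(\d+)\s+(\d+)\s+R")


def find_jbig2_streams(pdf: bytes) -> list:
    """Return one dict per stream whose filter chain contains JBIG2Decode.

    Each dict has obj, gen, filters (in the order the reader applies them),
    chained (True when JBIG2Decode is combined with another filter) and
    globals_obj (object number of the /JBIG2Globals stream, or None).
    An indirect /Filter value ("5 0 R") is not followed and so is not reported.
    """
    hits = []
    for m in OBJ_RE.finditer(pdf):
        num, gen, body = int(m.group(1)), int(m.group(2)), m.group(3)
        sm = STREAM_KW.search(body)
        if sm is None:
            continue                        # not a stream object
        dictionary = body[:sm.start()]
        fm = FILTER_RE.search(dictionary)
        if fm is None:
            continue
        filters = [n.decode("latin-1") for n in NAME_RE.findall(fm.group(1))]
        if "JBIG2Decode" not in filters:
            continue
        gm = GLOBALS_RE.search(dictionary)
        hits.append({
            "obj": num,
            "gen": gen,
            "filters": filters,
            "chained": len(filters) > 1,
            "globals_obj": int(gm.group(1)) if gm else None,
        })
    return hits


# Constructed sample: object 4 is an "image" whose data is inflated and then
# JBIG2-decoded, with a globals segment in object 6. Stream bytes are dummies.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R >> >> >>\nendobj\n"
    b"4 0 obj\n<< /Type /XObject /Subtype /Image /Width 8 /Height 8 /ColorSpace /DeviceGray\n"
    b"   /BitsPerComponent 1 /Filter [/FlateDecode /JBIG2Decode]\n"
    b"   /DecodeParms [null << /JBIG2Globals 6 0 R >>] /Length 4 >>\nstream\n"
    b"\x00\x00\x00\x00\nendstream\nendobj\n"
    b"5 0 obj\n<< /Length 3 /Filter /FlateDecode >>\nstream\nabc\nendstream\nendobj\n"
    b"6 0 obj\n<< /Length 2 >>\nstream\n\x00\x01\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for hit in find_jbig2_streams(SAMPLE_PDF):
        print(f"obj {hit['obj']} {hit['gen']}: filters={hit['filters']} "
              f"chained={hit['chained']} globals_obj={hit['globals_obj']}")
```

A hit is not proof of malice (scanned documents legitimately use JBIG2), so the next step is to decode the stream and compare the declared /Width, /Height and /BitsPerComponent with the size of the decoded output: a real bilevel image decodes to roughly Width*Height/8 bytes, while a smuggled payload generally does not.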

Yet another PDF/XDP Malware

Today we’re going to analyze yet another sample of PDF containing an XDP form. The difference between this sample and the one of my previous post is that this one will be less about JavaScript deobfuscation and more about anti-analysis …

Posted in PDF, Profiler

PDF/XDP Malware Reversing

Recently version 2.6 of Profiler has been released and among the improvements support for XDP has been introduced. For those of you who are unfamiliar with XDP, here’s the Wikipedia description: “XML Data Package (XDP) is an XML file format …

Posted in PDF, Profiler

Profiler 2.6

Profiler 2.6 is out with the following news:
– added initial support for XML files
– added support for XDP files (extraction of embedded PDFs)
– exposed the ABC format
– improved the parsing of malformed PDF streams
– fixed …

Posted in Profiler
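Both the XDP description in the reversing post above and the 2.6 release note (extraction of embedded PDFs) come down to the same operation: pulling the base64-encoded PDF out of the XML wrapper. The extractor below is an added example, not Profiler's code. It follows the XDP layout in which the PDF is carried as base64 text under pdf/document/chunk, possibly split over several chunk elements, and matches elements by local name so that samples which drop or alter the Adobe namespaces are still handled. The sample XDP is constructed for the example from a minimal PDF.

```python
"""Extract the PDF(s) embedded in an XDP (XML Data Package) file.

Added example, not Profiler code. Expects the pdf/document/chunk layout with
base64 text in the chunk elements.
"""
import base64
import binascii
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip an XML namespace: "{uri}name" -> "name"."""
    return tag.rsplit("}", 1)[-1]


def extract_embedded_pdfs(xdp: bytes) -> list:
    """Return one dict per <pdf> element: decoded bytes, whether they start with
    the %PDF magic, and how many <chunk> elements carried them.

    For untrusted input, parse with defusedxml rather than the stdlib
    ElementTree (a recommendation, not something the page states).
    """
    root = ET.fromstring(xdp)
    results = []
    for el in root.iter():
        if _local(el.tag) != "pdf":
            continue
        chunks = [c.text or "" for c in el.iter() if _local(c.tag) == "chunk"]
        b64 = "".join("".join(c.split()) for c in chunks)   # drop all whitespace
        b64 += "=" * (-len(b64) % 4)                         # repair missing padding
        try:
            data = base64.b64decode(b64, validate=True)
        except binascii.Error:
            data = b""                                       # not base64 at all
        results.append({
            "data": data,
            "is_pdf": data.startswith(b"%PDF"),
            "chunks": len(chunks),
        })
    return results


# Constructed sample: a minimal PDF, base64-encoded and split over two chunks.
MINI_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
_b64 = base64.b64encode(MINI_PDF).decode("ascii")
SAMPLE_XDP = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\n'
    '  <pdf xmlns="http://ns.adobe.com/xdp/pdf/">\n'
    '    <document>\n'
    f'      <chunk>{_b64[:40]}\n      </chunk>\n'
    f'      <chunk>{_b64[40:]}</chunk>\n'
    '    </document>\n'
    '  </pdf>\n'
    '</xdp:xdp>\n'
).encode("utf-8")

if __name__ == "__main__":
    for i, r in enumerate(extract_embedded_pdfs(SAMPLE_XDP)):
        print(f"pdf #{i}: {len(r['data'])} bytes from {r['chunks']} chunk(s), "
              f"magic ok: {r['is_pdf']}")
```

The extracted bytes are then analyzed like any other PDF; note that the inner document can itself be a PDF that carries another XDP, so run the extractor again on the result when the inner file contains an XFA form.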

Windows Memory Forensics

Let’s begin with an image: Yep. That’s an icon. In an executable. In a process address space. In a raw memory dump. And here is the video demonstration: This is just a proof-of-concept. We still haven’t decided whether to develop …

Posted in Demo, Forensics, Profiler

Profiler 2.5

Profiler 2.5 is out with the following news:
– introduced scan provider extensions
– added support for Torrent files
– added the capability to display views as dialogs
– exposed official Python bindings for capstone
– added new controls to …

Posted in Profiler