Monthly Archives: May 2013

Custom filters: Lua and misc/basic

Last year filters were introduced, and among them the very useful 'misc/basic'. The upcoming 0.9.5 version of the Profiler improves this filter by introducing the condition parameter. For instance, let's take the following filter: <flts><f name='misc/basic' operation='xor' check='!=' bits='8' …

Posted in Filters, Profiler

CVE-2012-0158: RTF/OLE/CFBF/PE

Since support for the RTF file format was added very recently with version 0.9.4 of the Profiler, it's a good idea to test it against real malware. I downloaded a pack of RTFs from contagiodump.blogspot.com and as I …

Posted in CFBF, PE, Profiler, RTF

CVE-2010-0188: PDF/Form/TIFF

Given the good reception of the last post, I've decided to dedicate more time posting use cases for the Profiler. Today we're going to analyze a PDF exploiting CVE-2010-0188. Quite old as the name can tell, but it doesn't really …

Posted in PDF, Profiler, Use case

BlueBox Android Challenge

Some weeks ago (I don't even remember the time frame) I was made aware by a friend of this challenge. Basically, injection of Dalvik code through native code. I found some minutes this morning to look into it and …

Posted in DEX, Profiler, Zip

News for version 0.9.4

The new version is out with the following news:
– added RTF support including OLE extraction and raw text preview
– added file times support and extraction in Zip archives
– added disasm options to several engines
– added support …

Posted in Profiler

Android Binary XML support

The upcoming version 0.9.4 of the Profiler adds support for Android's binary XML format (such as that used by AndroidManifest.xml). Let's take the sample output of the aapt tool in the Android SDK:
N: android=http://schemas.android.com/apk/res/android
E: manifest (line=22)
A: package="com.example.android.notepad" …

Posted in AXML, Profiler

Disasm options & filters

The upcoming version 0.9.4 of the Profiler introduces improvements to several disasm engines: ActionScript3, Dalvik, Java, MSIL. In particular it adds options, so that the user can decide whether to include file offsets and opcodes in the output. The code …

Posted in Filters, Profiler, Python, SDK