Wednesday, August 19, 2020

Beginner's Guide to DFIR/Threat Hunting with VirusTotal Video Series

VirusTotal intelligence allowes threat researchers to search VirusTotal's dataset for malware samples, URLs, domains and IP addresses according to binary properties, antivirus detection verdicts, static features, behavior patterns such as communication with specific hosts or IP addresses, submission metadata and many other notions. Pinpoint files similar to your suspect being studied. Samples matching search criteria can be downloaded for further study.

In this video tutorial series I tried to explain how virus total can be used effectively to hunt threats from wild. This tutorial has following chapters.

  • An Introduction to VirusTotal
  • Introduction to VT Intelligence
  • VT Tags & AND OR NOT Search Operators 
  • Behaviour Based Search Modifiers
  • Live/Realtime Threat Hunting with Yara Rules
  • Basics of Incident Correlation with VT Graph

The full playlist can be found here

Tuesday, August 4, 2020

IDA Pro Video Tutorial Series for Vulnerability Researchers & Reverse Engineers[Beginners]

IDA Pro is a disassembler. A disassembler like IDA Pro is capable of creating maps of their execution to show the binary instructions that are actually executed by the processor in a symbolic representation called assembly language. 

Reverse Engineering Malware, Part 3: IDA Pro Introduction

I recently started a new video tutorial series on IDA Pro for beginner reverse engineers and vulnerability researchers in specific. 

So far the i've covered follwing topics: The entire playlist can be found here.

  • Reverse Engineering Tutorial with IDA Pro – An Introduction
  • Reverse Engineering with IDA Pro – Fixing/Rebuilding Structure/Structs (Pseudocode)
  • C++ Reverse Engineering with IDA Pro – Rebuilding virtual function table (vftable)
  • Reverse Engineering with IDA Pro – Function Cross Reference & Proximity Browser 
  • Reverse Engineering IDA Pro – How to do Binary Diffing - Patch Analysis
  • Reverse Engineering IDA Pro- Code Coverage Measurement with Dynamo Rio & Lighthouse

Just because I make a video guides, doesn't mean I know everything, please feel free to correct me if I'm wrong at any point :-) I will be more than happy to learn from you :)

Monday, July 20, 2020

[Video]Virtual Machine Detection using JavaScript | Malware | Browser Exploit

Virtual Machine / Security sandbox detection is not new in Malware Technology. For virtual machine detection usually, malware needs to have some sort of system level access / should be able to execute certain machine instruction. Is it possible for malicious web page to understand if you are opening the page in any security sandbox? The answer is Yes! In this short video I explain how browser based malware such as browser exploits can use JavaScript to reliably detect whether they are being executed / run inside a security sand box , virtual machine.

Friday, July 17, 2020

[Video]Reflective Dll Injection Explained in 10 Minutes Malware Techniques

Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader. It can then govern, with minimal interaction with the host system and process.


Monday, July 13, 2020

Dll Injection Explained in 10 Minutes | Video Tutorial | Basic Malware Techniques Simplified

In computer programming, DLL injection is a technique used for running code within the address space of another process by forcing it to load a dynamic-link library. DLL injection is often used by external programs to influence the behavior of another program in a way its authors did not anticipate or intend. For example, the injected code could hook system function calls,[4][5] or read the contents of password textboxes, which cannot be done the usual way. A program used to inject arbitrary code into arbitrary processes is called a DLL injector. In this short white board video I tried to explain how malwares inject dll files into trusted remote process to execute malicious code.

Friday, July 3, 2020

My First $15,000 Microsoft Windows Insider Preview Bug Bounty | How to Get Started

This video blog explains how can you get started with Windows Inside Preview Bug Bounty Program and Win Big Bounty.

Saturday, June 27, 2020

Dynamic Binary Instrumentation(DBI)Tutorial with Intel PIN for Reverse Engineering Video

Pin is a platform for creating analysis tools. A pin tool comprises instrumentation, analysis and callback routines. Instrumentation routines are called when code that has not yet been recompiled is about to be run, and enable the insertion of analysis routines.

In this video live workshop we discussed various featues of Intel PIN Tool. The playlist is available here

Monday, June 22, 2020

Fixing Windbg Broken Stack Trace using Fake Debugging Symbol Exported From IDA Pro.

If you ever debuged/reversed software for which debugging symbols are not availble using windbg, You might have had hard time understanding broken stack trace. Recently i tried to do some experiment with a tool. In this video I showed how can you export fake debugging symbol from IDA prob. and add them in windbg to fix broken stack trace.

Frida Video Tutorial Series for Reverse Engineers

I decided to create a video tutorial series about basics of Frida and how it can help you automate lot of your reverse engineering effort.

The playlist is availble here 
  1. Frida Tutorial for Reverse Engineers 1 of 10: Installing Frida on Windows
  2. Frida Tutorial for Reverse Engineers 2 of 10: Instrumenting Your First Windows API with frida-trace
  3. Frida Tutorial for Reverse Engineers 3 of 10: Setting up Frida on Android for Instrumentation
  4. Frida Tutorial for Reverse Engineers 4 of 10: Getting Your hands Dirty with Frida's Python Binding
  5. Frida Tutorial for Reverse Engineers 5 of 10: Measuring Code Coverage of a Binary
  6. Frida Tutorial for Reverse Engineers 6 of 10: Instrument Unexported Functions using Debugging Symbol

Video Tutorial Series on Python Winappdbg for Reverse Engineers

In past I've created a few open source projects related to vulnerability research and reversing using python winappdbg module. Sometimes I receive queries/doubts over DM. So I decided to create a video tutorial series about basics of winappdbg and how it can help you automate lot of your reverse engineering effort- to kind of better use of this lock down :)

The playlist is available here 

  1. Python Winappdbg Tutorial for Reverse Engineers 1 of 20: : Installing Winappdbg on Windows Platform
  2. Python Winappdbg Tutorial for Reverse Engineers 2 of 20: Launching Your First App under Debugger
  3. Python Winappdbg Tutorial for Reverse Engineers 3 of 20: Attaching to Existing Process
  4. Python Winappdbg Tutorial for Reverse Engineers 4 of 20: Handling Debug Events
  5. Python Winappdbg Tutorial for Reverse Engineers 5 of 20: Setting Breakpoints
  6. Python Winappdbg Tutorial for Reverse Engineers 6 of 20: Accessing Registers
  7. Python Winappdbg Tutorial for Reverse Engineers 7 of 20: Reading Writing Process Memory
  8. Python Winappdbg Tutorial for Reverse Engineers 8 of 20: Enumerating Process Thread & Loaded Module
  9. Python Winappdbg Tutorial for Reverse Engineers 9 of 20: Hooking Windows API
  10. Python Winappdbg Tutorial for Reverse Engineers 10 of 20: Exception (Crash)Handling within Debuggee
  11. Python Winappdbg Tutorial for Reverse Engineers 11 of 20: Writing Your First Mutation Fuzzer - I
  12. Python Winappdbg Tutorial for Reverse Engineers 12 of 20: Writing Your First Mutation Fuzzer - II

There will be around 20 videos in this series , I've uploaded first 12 of it. If you find it helpful, you can show some support by subscribing to this channel.

Wednesday, August 8, 2018

Ranked #32 in Microsoft’s Top 100 Security Researchers - BlackHat USA 2018

To appreciate researcher's work and partnership, each year at BlackHat USA, Microsoft Security Response Center highlights contributions of security researchers through a list of “Top 100” security researchers worldwide.

In 2018 I ranked #32 for reporting issues is Microsoft Edge and Office

Friday, March 9, 2018

The Art of Large Scale Cumulative Binary Diffing

I've been performing patch diffing on various windows based softwares for past couple of years now. Patch diffing is a process of comparing two binary builds of the same code – a known vulnerable one and the one containing the security fix for a vulnerability. Bindiff is very popular among security researchers because it is generally used to gather information about patched security vulnerabilities, find root causes and vectors.

In 2017 December I've delivered a talk at BlackHat Europe where I've showcased many patched vulnerabilities in VMWare workstation, mostly identified using binary patch diffing different releases of VMWare workstation.

Performing BinDiffing on a huge software is very challenging specially when affected components are not known. Let's take the example of VMWare workstation. If we unpack VMWare workstation installer we find nearly 300 binary files. Among these huge number of binary files, finding the components on which security fixes were applied is very difficult and time consuming. Especially for my VMWare research I had to do this on a cumulative basis because I had to analyze each and every released security patches of last one year. Following screenshots lists out VMWare workstation releases and their version details.

To be able to identify the components modified in each workstation release and to understand the modification logic, we had to perform binary diffing like this

Performing binary diffing on each and every patch released by vmware for last one year was indeed very tedious. So I thought of automating the whole process. In this blog post I'm going briefly explain the way it was done and also release the source code of the python library I've written to automate this. The same code can be re-used (with little modification) to perform cumulative binary diffing on any windows based software.

Manually Unpacking The Installer

There were some manual efforts involved initially. Manually unpacking the installer files was the first step. For vmware workstation it can be done using following command 

VMware-workstation-full-xxxx-xxxx.exe /extract "folder path"

For other softwares files can be directly taken from "Program Files" folder.

After the installer files are unpacked they are kept in an organized way in same directory. Point to be noted here directory structure of all the unpacked file should be same like this because these paths would be accessed the the Mass binary diffing program.


Introducing MassDiffer

MassDiffer is small python program developed to automate the tedious process of cumulative binary diffing. This script has few dependencies 
  1. IDA Pro idaq.exe & idaq64.exe
  2. Zynamics Binexport
  3. BinDiff  - differ.exe & differ64.exe

This is exactly how the MassDiffer works,

1. Path of two directories containing unpacked installer files (old release and new release) are passed to the program for example C:\MassDiffing\VMware-workstation-full-12.5.0.exe\ and C:\MassDiffing\VMware-workstation-full-12.5.1.exe\

2. The program traverses two directories, tries to find out files which can have binary code and create a mapping between the old version and new version of the file.

3. After the mapping is created it checks if the binary image version has changed in the new release or not. If binary images are identical in both the releases nothing will be done to those files.

4. Next, if it finds any change in binary image file version it process them. First it generates set of IDB files for both old and new version.

5. From the IDB file it generates BinExport file with help of zynamics binexport.

6. From BinExport files it generates BinDiff file. Point to be noted here BinDiff files are nothing but a sqlite database, where all the diffing results are stored. Simple sqlite query can be made to extract information from the BinDiff file about the modified function in two binary files.

7. Next step, BinDiff database file is parsed and modified function details and addresses are extracted from BinDiff database.

8. Once these information are gathered a MS Excel report is prepared which gives a visual representation of the modified components. Following screenshot shows a sample MassDiff output for VMware-workstation version 12.5.1 and 12.5.2 release. As it can be easily pointed out that in this release VMWare had only applied fix to two binary files they are vmware-vmx.exe and vmwarebase.dll and only few functions in these binary files were modified. This reduces a lot of repetitive work.

Source Code :

Source code is available at
The program was developed and tested on IDA Pro Version 6.5 + Bindiff version 4.2.

Thanks for reading. Hope you've enjoyed :) 

Sunday, December 10, 2017

My BlackHat Europe 2017 Talk: THE GREAT ESCAPES OF VMWARE

This December 2017 Me & my colleague Yakun Zhang delivered a talk at Blackhat Europe 2017 Briefings on VMWare escapes. Blackhat Europe is an annual information security conference, scheduled on December 4 2017 to December 7, 2017, in the ExCeL London, located at 1 Western Gateway, London E16 1XL.We have talked about reverse engineering of vmware, attacking hypervisor isolation and some virtual machine escape attacks against vmware.

Talk Abstract

Virtual machine escape is the process of breaking out of the virtual machine and interacting with the host operating system. VMWare recently fixed several bugs in their products that were allowing malicious code to escape sandbox. Some of these issues were exploited and reported during exploitation contest and while others reported individually by researchers. For very obvious reason details of this bugs are undisclosed. This paper presents a case study of VMWare VM escape vulnerabilities based on the analysis of different patches released by VMWare in recent past. 

Looking at the advisories published by VMWare in the last few months, reveals that there are many surfaces, that are being targeted by security researchers. To summarize, the attack surfaces would be as follows: 

A) RPC Request handler.
B) Virtual Printer.
C) VMWare Graphics Implementation.

Talking about vulnerabilities fixed in VMWare RPC layer, we see several CVEs (CVE-2017-4901, CVE-2016-7461 etc.) fixing security issues in RPC layers. This talk will cover end to end RPC implementation in VMWare workstation. It will cover everything from VMWare Backdoor in guest OS to different RPC command handler in host OS. We will uncover some of these fixed bugs in VMWare RPC layer by performing binary diffing on VMWare Workstation binaries. This talk will also showcase some of the PoCs developed from different VMware workstation patches.

VMWare's EMF file handler is one of most popular attack surfaces, when it comes to guest to host escape. VMSA-2016-0014 fixed several security issues in EMF file handling mechanism. EMF format is composed of many EMR data structures. TPView.dll parses every EMR structure in EMF file. In VMware, COM1 port is used by Guest to interact with Host printing proxy. EMF files are spool file format used in printing by windows. When a printing EMF file request comes from Guest, in host TPView.dll render the printing page. The TPView.dll holds the actual code which parses the EMF file structures. In our talk, we will be diving deep into this attack surface & uncover some of the vulnerabilities fixed in this area recently by performing binary diffing on VMWare work station binaries.

VMSA-2017-0006 resolved several security vulnerabilities in Workstation, Fusion graphics implementation which allows Guest to Host Escape. These vulnerabilities were mostly present in VMWare SVGA implementation. In this section of our talk we will cover implementation of VMWare virtual GPU through reverse engineering different guest components (vmx_fb.dll - VMware SVGA II Display Driver, vmx_svga.sys - VMware SVGA II Miniport) as well as host component (vmware-vmx.exe) where virtualize GPU code exist. The VMware virtual GPU provides several memory ranges which is used by Guest OS to communicate with the emulated device. These memory ranges are 2D frame buffer and FIFO Memory Queue. In FIFO memory queue, we write command that we want our GPU to process. The way VMWare handles and process these commands is error prone. This talk will uncover some of these bugs in SVGA command processing code and try to understand anatomy of issues by bin-diffing through VMWare binaries.




Sunday, October 8, 2017

My BruCON'17 Talk: Browser Exploits? Grab ’em by the Collar!

This year in October I have delivered a talk about reliable detection of Browser Exploit at Brucon 2017. BruCON is an annual security and hacker(*) conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society. Organized in Belgium, BruCON offers a high quality line up of speakers, security challenges and interesting workshops.

Talk Abstract:

APT has become a hot topic in enterprise IT today. One of the softwares that we see becomes victim of APT attack more often is web browsers and the attack surface is becoming bigger and bigger every day.

TCP Live Stream Injection ( is a technique that we have seen, is being abused by various Internet Service Providers, Router vendors for decades. We have seen in the past, using this technique ISPs, router vendors intercepts HTTP traffic and inject arbitrary data silently into HTTP responses. This is usually done by injecting arbitrary JavaScript code into actual HTTP response body in real time. When the injected JavaScript code reaches client browser it performs various operations such as loading advertisements, information gathering etc.

This paper presents a generic browser exploit detection technique that uses the same Live Network Stream Code Injection technique to reliably catch browser exploits. The detection system can be considered as completely agent less and capable of detecting various techniques, used in modern browser exploitation. Unlike any other Host Based Intrusion Prevention Systems, to be able to generically detect and block browser exploits, no OS API hooking, dll injection or code injection is required in browser process.

Slides & Video Demos:

Talk Video:



Saturday, May 20, 2017

OpenXMolar - A MS OpenXML Format Fuzzing Framework

i) OpenXMolar v 1.0

alt text
OpenXMolar is a Microsoft Open XML file format fuzzing framework, written in Python.

ii) Motivation Behind OpenXMolar

MS OpenXML office files are widely used and the attack surface is huge, due to complexity of the softwares that supports OpenXML format. Office Open XML files are zipped, XML-based file format. I could not find any easy to use OpenXML auditing tools/framework available on the internet which provides software security auditors a easy to use platform using which auditors can write their own test cases and tweak internal structure of Open XML files and run fuzz test (Example : Microsoft Office).

Hence OpenXMolar was developed, using which software security auditors can focus, only on writing test cases for tweaking OpenXML internal (XML and other ) files and the framework takes care of rest of the things like unpacking, packing of OpenXML files, Error handling, etc.

iii) Dependencies

OpenXMolar is written and tested on Python v2.7. OpenXMolar uses following third party libraries

winappdbg / pydbg

Debugger is an immense part of any Fuzzer. Open X-Molar supports two python debugger, one is winappdbg and another is pydbg. Sometimes installing pydbg on windows environment can be painful, and pydbg code base is not well maintained hence winappdbg support added to Open X-Molar. Its recommended that user use winappdbg.


Since we feed random yet valid data into target application during fuzzing, target application reacts in many different ways. During fuzzing the target application may throw different errors through different pop-up windows. To continue the fuzzing process, the fuzzer must handle these pop-up error windows properly. OpenXMolar uses PyAutoIT to suppress different application pop-up windows. PyAutoIt is Python binding for AutoItX3.dll

crash_binning is part of sulley framework. is used only when you've selected pydbg as debugger. is used to dump crash information. This is only required when you are using pydbg as debugger.


This is not core part of the Open X-Molar. The XML String Mutation module (FileFormatHandlers\ was written using xmltodict library.

iv) Architecture:

On a high level, OpenXMolar can be divided into few components.

This is the core component of this Tool and responsible for doing many important stuffs like the main fuzzing loop.

This component mostly handles processing of OpenXML document such as packing, unpacking of openxml files, mapping them in memory, converting OpenXML document to python data structures etc. - PopUp/Error Message Handlers :

This component suppresses/kills unwanted pop-ups appeared during fuzzing.


An OpenXML file may contain various files like XML files, Binary files etc. FileFormatHandlers are basically a collection of mutation scripts, responsible for handling different files found inside an OpenXML document and mutate them. decompresses OpenXML files provided in folder "OpenXMolar\BaseOfficeDocs\OpenXMLFiles" and output a python list of files present in the OpenXML file. accepts comma separated file extensions. is useful when you are targeting any specific set of files present in any OpenXML document. summarizes crashes found during fuzzing process in tabular format. The output of should look like this:

alt text

v) Configuration File Walk through

The default configuration file '' is very well commented and explains all of its parameters really well. Please review the default file thoroughly before running the fuzzer to avoid unwanted errors.

vi) Writing your Open XML internal File Mutation Scripts:

As said earlier, an OpenXML file package may contain various files like XML files, Binary files etc. FileFormatHandlers are basically a collection of mutation scripts, responsible for handling different files found inside an OpenXML document and mutate them. Generating effective test cases is the most important step in any fuzz testing process.

The motive behind OpenXMolar was to provide security auditors an easy & flexible platform on which fuzz tester can write their own test cases very easily for OpenXML files. When it comes to effective OpenXML format fuzzing, the main part is how we mutate different files (*.xml, *.bin etc) present inside OpenXML package (zip alike). To give users an idea of how file format handlers are written, two file format handlers are provided with this fuzzer, however they are very dumb in nature and not very effective.

Any file format handler module should be of following structure

# Import whatever you want.
class Handler():# The class name should be always 'Handler'
 def __init__(self):
 def Fuzzit(self,actual_data_stream): 
  # A function called Fuzzit must be present in Handler class
  # and it should return fuzzed data/xml string/whatever.
  # Note: Data type of actual_data_stream and data_after_mutation should always be same.

  return data_after_mutation

Once your file format handler module is ready you need to place the *.py file in FileFormatHandlers// folder and add the handler entry and associated file extension in file like this :


vii)Adding More POPUP / Errors Windows Handler

The default file provided with Open X-Molar, is having few most occurred pop up / error windows handler for MS Word, MS Excel & Power Point. Using AutoIT Window Info tool ( you can add more POPUP / Errors Windows Handlers into ''. One example is given below.
alt text

So to be able to Handle the error pop up window shown in screen shot, following lines need to be added in :

if "PowerPoint found a problem with content"  in autoit.win_get_text('Microsoft PowerPoint'):
 autoit.control_click("[Class:#32770]", "Button1")

viii)The First Run

This fuzzer is well tested on 32 Bit and 64 Bit Windows Platforms (32 Bit Office Process). All the required libraries are distributed with this fuzzer in 'ExtDepLibs/' folder. Hence if you have installed python v2.7, you are good to go.

To verify everything is at right place, better to run Open X-Molar with Microsoft Default XPS Viewer first time(C:\Windows\System32\xpsrchvw.exe). Place any *.oxps file in '\BaseOfficeDocs\OpenXMLOfficeFiles' and run accepts one command line argument which is the configuration file.


[Warning] Pydbg was not found. Which is required to run this fuzzer. Install Pydbg First. Ignore if you have winappdbg installed.

   ____                    __   ____  __       _
  / __ \                   \ \ / /  \/  |     | |
 | |  | |_ __   ___ _ __    \ V /| \  / | ___ | | __ _ _ __
 | |  | | '_ \ / _ \ '_ \    > < | |\/| |/ _ \| |/ _` | '__|
 | |__| | |_) |  __/ | | |  / . \| |  | | (_) | | (_| | |
  \____/| .__/ \___|_| |_| /_/ \_\_|  |_|\___/|_|\__,_|_|
        | |
        An MS OpenXML File Format Fuzzing Framework.
        Author : Debasish Mandal (

[+] 2017:05:05::23:11:23 Using debugger :  winappdbg
[+] 2017:05:05::23:11:23 POP Up killer Thread started..
[+] 2017:05:05::23:11:24 Loading base files in memory from :  BaseOfficeDocs\UnpackedMSOpenXMLFormatFiles
[+] 2017:05:05::23:11:24 Loading File Format Handler for extension :  xml =>
[+] 2017:05:05::23:11:24 Loading File Format Handler for extension :  rels =>
[+] 2017:05:05::23:11:24 Loading File Format Handler Done !!
[+] 2017:05:05::23:11:24 Starting Fuzzing
[+] 2017:05:05::23:11:25 Temp cleaner started...
[+] 2017:05:05::23:11:25 Cleaning Temp Directory...

ix) Open X-Molar in Action

Here is a very short video on running fuzztest on MS Office Word:

x) Fuzzing Non-OpenXML Applications :

Due to the flexible structure of the fuzzer, this Fuzzer can also be used to fuzz other windows application. You just need do following :

  • In add the target application binary (exe) and extension in APP_LIST of
  • In change OpenXMLFormat to False
  • Write your own File format mutation handler and place it in FileFormatHandlers/ folder
  • Add the newly added FileFormatHandler in FILE_FORMAT_HANDLERS of
  • Provide some base files in folder OtherFileFormats/
  • Add custom error / popup windows handler in using Au3Info tool if required.And you're good to go.

xi) Few More Points about OpenXMolar:

Fuzzing Efficiency: To maximize fuzzing efficiency OpenXMolar doesn't read the provided base files again and from disk. While starting up, it loads all base files in memory and convert them into easy to manage python data structures and mutate them straight from memory.

Auto identification of internal files of OpenXML package : An Open XML file package may contain various files like XML files, Binary files etc. OpenXMolar has capability to identify internal file types and based that chooses mutation script and mutate them. Please refer to the default file (Param : AUTO_IDENTIFY_INTERNAL_FILE_FORAMT) for details.

xii) TODO

Improve Fuzzing Speed
New Feature / Bugs ->

xiii) License

This software is licensed under New BSD License although the following libraries are included with Open X-Molar and are licensed separately.

xiv) Source 

The source code is available here :