<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>EIP=0x41414141</title>
    <link>https://0x41414141.de/</link>
    <description>Recent content on EIP=0x41414141</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Thu, 04 May 2023 17:09:27 +0200</lastBuildDate><atom:link href="https://0x41414141.de/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Manage multiple Github accounts under the same user</title>
      <link>https://0x41414141.de/blog/2023-05-04-manage-multiple-github-accounts-under-the-same-user/</link>
      <pubDate>Thu, 04 May 2023 17:09:27 +0200</pubDate>
      
      <guid>https://0x41414141.de/blog/2023-05-04-manage-multiple-github-accounts-under-the-same-user/</guid>
      <description>I recently got a github account from my employer. So now I have two github accounts, my private one and my work account.
Sometimes I work on my work machine but want to update some source that is under my private github account. This does not work, at least not out of the box, since my github work account is also configured on my work machine. Github, of course, does not allow my work account to update a repository from my private account.</description>
    </item>
    
    <item>
      <title>Manually mounting Windows hard disks under Linux</title>
      <link>https://0x41414141.de/blog/2022-01-03-manuelles-einbinden-von-windows-festplatten-unter-linux/</link>
      <pubDate>Mon, 03 Jan 2022 14:53:38 +0100</pubDate>
      
      <guid>https://0x41414141.de/blog/2022-01-03-manuelles-einbinden-von-windows-festplatten-unter-linux/</guid>
      <description>This post explains how to mount a hard disk manually under Linux.
Finding the right disk The first question that comes up is: how do I find the disk I want to mount? To do this it is advisable to first run the command sudo fdisk -l. This command lists all disks attached to the system. It is important that the external disk is NOT YET attached to the system at this point.
The output looks similar to the following example.</description>
    </item>
    
    <item>
      <title>Vhdx on Desinfect</title>
      <link>https://0x41414141.de/blog/2021-12-31-vhdx-on-desinfect/</link>
      <pubDate>Fri, 31 Dec 2021 11:32:05 +0100</pubDate>
      
      <guid>https://0x41414141.de/blog/2021-12-31-vhdx-on-desinfect/</guid>
      <description>I recently had the case that I wanted to scan an image of a virtualized domain controller (DC) with desinfect. I got the VHDX image of the virtualized DC on an NTFS-formatted hard drive.
In this article I will explain how to use desinfect with VHDX images for virtual hosts.
Install required software on desinfect There are two software packages that are required: qemu-utils and nbd-client. The first one is already present in desinfect, the second one needs to be installed manually.</description>
    </item>
    
    <item>
      <title>June is Pride Month - 2021</title>
      <link>https://0x41414141.de/blog/2021-06-07-june-is-pride-month-2021/</link>
      <pubDate>Mon, 07 Jun 2021 10:23:15 +0200</pubDate>
      
      <guid>https://0x41414141.de/blog/2021-06-07-june-is-pride-month-2021/</guid>
      <description>Out of solidarity with the LGBT community and those involved in the Stonewall riots on June 28th 1969, 0x41414141.de will change the site-banner in June accordingly.</description>
    </item>
    
    <item>
      <title>How to resume a scp transfer</title>
      <link>https://0x41414141.de/blog/2019-09-20-how-to-resume-a-scp-transfer/</link>
      <pubDate>Fri, 20 Sep 2019 09:30:47 +0000</pubDate>
      
      <guid>https://0x41414141.de/blog/2019-09-20-how-to-resume-a-scp-transfer/</guid>
      <description>You may have had the situation yourself: you have a huge file being transferred via scp and suddenly the connection drops. It would be cool if one could resume the transfer, so you do not have to transfer the whole file again but only what is missing on your end.
You can do that with rsync.
For example, you ran the following scp command:
scp bob@aliceserver.org:/data/huge.tar.gz Then you can resume the transfer with rsync like this:</description>
    </item>
    
    <item>
      <title>Unpack Office OpenXML files</title>
      <link>https://0x41414141.de/blog/2017-08-16-unpack-office-openxml-files/</link>
      <pubDate>Wed, 16 Aug 2017 11:54:56 +0000</pubDate>
      
      <guid>https://0x41414141.de/blog/2017-08-16-unpack-office-openxml-files/</guid>
      <description>I often have to dig into Office OpenXML files (docx, xlsx, pptx). There are a bunch of reasons why I do not want to use unzip for this. For example:
some unzip implementations require the file to have a &amp;lsquo;.zip&amp;rsquo; extension. Some unzip codebases are not maintained properly and have known but unfixed vulns. unzip does not write to a meaningful local directory without an extra argument passed. Because of all the above and some more points I decided to write unzipOpenXML</description>
    </item>
    
    <item>
      <title>Mac Security Tools</title>
      <link>https://0x41414141.de/blog/2017-08-11-mac-security-tools/</link>
      <pubDate>Fri, 11 Aug 2017 10:45:49 +0000</pubDate>
      
      <guid>https://0x41414141.de/blog/2017-08-11-mac-security-tools/</guid>
      <description>Patrick Wardle, Chief Security Researcher of R&amp;amp;D at Synack, offers a bunch of useful and easy-to-use security tools for macOS.
Here I present the ones I find most useful, but there are more; check them out on https://objective-see.com/products.html.
OverSight Have you ever asked yourself whether the microphone and/or the webcam on your Mac is really off, or whether it is remotely controlled by an attacker and spying on you?</description>
    </item>
    
    <item>
      <title>10 process injection techniques</title>
      <link>https://0x41414141.de/blog/2017-07-20-10-process-injection-techniques/</link>
      <pubDate>Thu, 20 Jul 2017 16:59:39 +0000</pubDate>
      
      <guid>https://0x41414141.de/blog/2017-07-20-10-process-injection-techniques/</guid>
      <description>Endgame published a very nice blog post describing 10 different techniques to do process injection. The blog post is at: Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques</description>
    </item>
    
    <item>
      <title>Invoice 622476180</title>
      <link>https://0x41414141.de/blog/2017-05-17-invoice-622476180/</link>
      <pubDate>Wed, 17 May 2017 16:10:01 +0000</pubDate>
      
      <guid>https://0x41414141.de/blog/2017-05-17-invoice-622476180/</guid>
      <description>Today I got an email with the subject Invoice 622476180 05/17/2017 that had the following PDF attached:
Checksums for Invoice 622476180 05_17_2017.PDF: MD5 (Invoice 622476180 05_17_2017.PDF): 14d05276125e70d43e710ef186261c95 SHA1 (Invoice 622476180 05_17_2017.PDF): 7d6606542484d7b50ccfdb1d4fa310f679bf6ba4 SHA256 (Invoice 622476180 05_17_2017.PDF): e60a621321fc670f0cac092a01281dd599a6f2fc20651ebc530c0a9912e666c6 Blake2s (Invoice 622476180 05_17_2017.PDF): 0fca6361af4c77031f79446a86bb1ed1646b85d80cae1f368d9a41fd2cd5d892 Blake2b2 (Invoice 622476180 05_17_2017.PDF): 6316fd526699ce342bd8a2ebae14d3275693e79ed244a787360d2089aa7c9885 VirusTotal told me it is malicious and known:
14d05276125e70d43e710ef186261c95 [11/55] IS KNOWN by VirusTotal Engine &amp;#39;McAfee-GW-Edition&amp;#39; (Version v2015) detects as &amp;#39;Artemis&amp;#39;, since update 20170516 Engine &amp;#39;ZoneAlarm&amp;#39; (Version 1.</description>
    </item>
    
    <item>
      <title>Wanna Cry - Remarks</title>
      <link>https://0x41414141.de/blog/2017-05-15-wanna-cry-anmerkungen/</link>
      <pubDate>Mon, 15 May 2017 12:24:53 +0000</pubDate>
      
      <guid>https://0x41414141.de/blog/2017-05-15-wanna-cry-anmerkungen/</guid>
      <description>I have to get a few remarks about the current ransomware wave caused by Wanna Cry off my chest.
The kill switch that is none I do not believe that the so-called kill switch really is a kill switch. I rather believe that it is a function the author intended for detecting analysis environments. If you start the malware without network access but with a network emulator such as FakeNet, this functionality causes the ransomware not to become active in such an analysis environment.</description>
    </item>
    
    <item>
      <title>Trojan-Ransom.Win32.Foreign hides payload exe in gif file</title>
      <link>https://0x41414141.de/blog/2017-03-30-trojan-ransom.win32.foreign-hides-payload-exe-in-gif-file/</link>
      <pubDate>Thu, 30 Mar 2017 15:50:27 +0000</pubDate>
      
      <guid>https://0x41414141.de/blog/2017-03-30-trojan-ransom.win32.foreign-hides-payload-exe-in-gif-file/</guid>
      <description>I have written a Go command-line tool to extract the exe from the gif file as used by this malware.
As a sample input file you can use SHA1:724fa6b4a6a9cff08cae34cc079ef70d80378b32; the resulting exe file should be SHA1:83f7ce3f6c0a7a92d9b225eb6a2953b761601c58. Both files are available from VirusTotal.
You can also download the sample gif with the hidden exe locally. Use infected as the password for the zip file.</description>
    </item>
    
    <item>
      <title>Publish octopress via FTPES</title>
      <link>https://0x41414141.de/blog/2016-11-18-publish-octopress-via-ftpes/</link>
      <pubDate>Fri, 18 Nov 2016 14:24:19 +0000</pubDate>
      
      <guid>https://0x41414141.de/blog/2016-11-18-publish-octopress-via-ftpes/</guid>
      <description>Learing Bits has a detailed walk-through of how to patch your octopress in order to be able to publish via FTPES.</description>
    </item>
    
    <item>
      <title>Converting docx to text</title>
      <link>https://0x41414141.de/blog/2016-10-13-converting-docx-to-text/</link>
      <pubDate>Thu, 13 Oct 2016 11:15:50 +0000</pubDate>
      
      <guid>https://0x41414141.de/blog/2016-10-13-converting-docx-to-text/</guid>
      <description>Reading .docx files for the truly paranoid: unzip -p ./foo.docx | sed -e &amp;#39;s/&amp;lt;[^&amp;gt;]\{1,\}&amp;gt;//g; s/[^[:print:]]\{1,\}//g&amp;#39;
&amp;mdash; Halvar Flake (@halvarflake) September 30, 2016 Well, as a truly paranoid guy I would not use unzip, because the code base is not maintained anymore and is probably kind of sketchy.
Update I turned this into a Go program, which is available from gitlab.com/scusi/paranoiddocx.</description>
    </item>
    
    <item>
      <title>Malware unpacking quick reference</title>
      <link>https://0x41414141.de/blog/2016-08-27-malware-unpacking-quick-reference/</link>
      <pubDate>Sat, 27 Aug 2016 08:40:37 +0000</pubDate>
      
      <guid>https://0x41414141.de/blog/2016-08-27-malware-unpacking-quick-reference/</guid>
      <description>A quick reference for manual unpacking of malware from Abhishek Singh of FireEye. It&amp;rsquo;s already from 2012, but still kind of useful. Found via Florian Roth on twitter.
Offline copy</description>
    </item>
    
    <item>
      <title>SSL Fingerprints</title>
      <link>https://0x41414141.de/blog/2016-08-25-ssl-fingerprints/</link>
      <pubDate>Thu, 25 Aug 2016 21:04:01 +0000</pubDate>
      
      <guid>https://0x41414141.de/blog/2016-08-25-ssl-fingerprints/</guid>
      <description>The SSL fingerprints for the current certificate are:
MD5: 8D A3 0E AC 37 B1 70 6B E6 16 69 DF B1 07 C6 81
SHA1: 7A 0B A5 A0 B7 23 9F 5F EE 1B 86 FB 42 23 17 C2 2E B9 AE 1E
TLSA records in DNS for the server certificate will (hopefully) follow as well. Stay tuned.
This domain is signed in DNS and the certificates for HTTPS and SMTP are secured via DANE.</description>
    </item>
    
    <item>
      <title>Construction site</title>
      <link>https://0x41414141.de/blog/2016-08-25-baustelle/</link>
      <pubDate>Thu, 25 Aug 2016 20:59:50 +0000</pubDate>
      
      <guid>https://0x41414141.de/blog/2016-08-25-baustelle/</guid>
      <description>This site is under construction. On 0x41414141.de I plan to collect all kinds of things around the topics of reverse engineering, malware analysis, hacking and that kind of stuff. Stay tuned.</description>
    </item>
    
    <item>
      <title>Hello World</title>
      <link>https://0x41414141.de/blog/2016-08-20-hello-world/</link>
      <pubDate>Sat, 20 Aug 2016 12:59:47 +0000</pubDate>
      
      <guid>https://0x41414141.de/blog/2016-08-20-hello-world/</guid>
      <description>Hello World</description>
    </item>
    
    <item>
      <title>Archive page</title>
      <link>https://0x41414141.de/archive/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      
      <guid>https://0x41414141.de/archive/</guid>
      <description>Blog archive</description>
    </item>
    
  </channel>
</rss>
