Intro

Welcome to pnx.tf, the phoenix testing facility.

This page is centered around work on the topics binary analysis and reverse engineering on x86 / x64, with a special focus on Windows. There might be something about malware analysis here and there, too.


Check out my blog for more articles on the listed projects and unrelated news!

About

Hi, my name is Daniel and I work as a security researcher at Fraunhofer FKIE with a healthy interest in the above topics.

PNX.TF opened its doors on June 3rd, 2012 and shall become a place where I share some of the tools I create over time and where I publish or reference my findings. Tools will most likely be written in Python or Assembler because these are the languages I like the most at this time :). The page is updated only occasionally and intended as a personal archive.

The above illustration of a phoenix has been published as freeware on openclipart by mabroox and I liked it a lot as an avatar. The font used in the banner is "Bandung Hardcore GP" by Gilang P. Jaya and is freeware as well.

You can contact me via

Releases

In this section, I list a selection of my own creations and projects I have contributed to. This includes both tools as well as documents.

Tools

2012 - IDAscope: An IDA Pro extension with the goal of easing the task of (malware) reverse engineering

The idea for IDAscope was born at RECON 2012, when Alex and I sat in Nicolas Brulez's great unpacking class. One day, I showed him a proof of concept for the identification of function semantics by evaluating the Windows API calls present in that function. I talked him into developing the plugin together with me as I thought it would be a good motivation to always have someone to tell about your progress. Soon thereafter, I had a pretty functional version of the widget for Function Inspection finished. We talked about other ideas that could be covered by such a plugin. Seamless WinAPI integration was logical as we both find ourselves regularly looking up documentation while reversing. Crypto identification was an idea I had had for a while and that just needed some proper code to cover it. Somewhere along the way of developing, the idea of submitting to the Hex-Rays contest came up. We knew there was Aaron Portnoy's Toolbag, which I already considered the prospective winner of the contest due to its maturity and features.
After some beta-testing, IDAscope 1.0 was finally released on September 17th, 2012, and entered the Hex-Rays plugin contest, where it took second place. The plugin will be actively developed, as there are still some more ideas that will likely help with the thrilling task of reverse engineering.
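As an added illustration of the function-semantics idea described above (this is not IDAscope's own code, whose internals are not described on this page): a small Python script that tags each function with the semantic groups of the Windows API calls it references, and additionally flags immediate operands that match well-known hash and cipher constants, which is the simplest form of crypto identification. The API-to-group table, the constant table and the sample functions are constructed for this example; collecting the call names and immediates from a real disassembly is assumed to be done by a separate script in the disassembler.

```python
"""Tag functions by the Windows APIs they call and by well-known crypto constants.

Added example, not IDAscope's code. The input format (per function: a list of
called API names and a list of immediate operands) is an assumption; a
disassembler script would produce it by walking each function's instructions.
"""
from collections import Counter

# Hypothetical, hand-curated mapping from API name to a semantic group.
# A real plugin would maintain a much larger table; these entries are illustrative.
API_GROUPS = {
    "CreateFileA": "file", "CreateFileW": "file",
    "ReadFile": "file", "WriteFile": "file",
    "RegOpenKeyExA": "registry", "RegSetValueExA": "registry",
    "socket": "network", "connect": "network", "send": "network", "recv": "network",
    "InternetOpenA": "network", "HttpSendRequestA": "network",
    "VirtualAllocEx": "injection", "WriteProcessMemory": "injection",
    "CreateRemoteThread": "injection",
    "CryptAcquireContextA": "crypto", "CryptEncrypt": "crypto",
    "IsDebuggerPresent": "anti-debug", "CheckRemoteDebuggerPresent": "anti-debug",
}

# Immediate values characteristic of well-known algorithms (initial states,
# round constants). Seeing several of them in one function is a strong hint.
CRYPTO_CONSTANTS = {
    0x67452301: "MD5/SHA-1 initial state A/h0",
    0xEFCDAB89: "MD5/SHA-1 initial state B/h1",
    0x98BADCFE: "MD5/SHA-1 initial state C/h2",
    0x10325476: "MD5/SHA-1 initial state D/h3",
    0xC3D2E1F0: "SHA-1 initial state h4",
    0x5A827999: "SHA-1 round constant K0",
    0x6A09E667: "SHA-256 initial state H0",
    0x9E3779B9: "TEA/XTEA delta",
}


def normalize_api(name):
    """Strip IDA-style decoration so "__imp_ReadFile" and "ReadFile" match."""
    name = name.strip()
    for prefix in ("ds:", "__imp_"):
        if name.startswith(prefix):
            name = name[len(prefix):]
    return name


def tag_function(calls, immediates):
    """Return semantic tags for one function."""
    groups = Counter()
    unknown = []
    for api in calls:
        api = normalize_api(api)
        group = API_GROUPS.get(api)
        if group is None:
            unknown.append(api)      # not in the table: keep for manual review
        else:
            groups[group] += 1
    # Constant matching: each hit counts towards the "crypto" group, so a
    # hand-rolled hash without any CryptoAPI calls is still tagged.
    crypto_hits = [(value, CRYPTO_CONSTANTS[value])
                   for value in immediates if value in CRYPTO_CONSTANTS]
    if crypto_hits:
        groups["crypto"] += len(crypto_hits)
    return {"groups": dict(groups), "crypto_hits": crypto_hits, "unknown": unknown}


def dominant_group(tags):
    """Most frequent group (ties broken alphabetically), or None if nothing matched."""
    if not tags["groups"]:
        return None
    return sorted(tags["groups"].items(), key=lambda kv: (-kv[1], kv[0]))[0][0]


def analyze(functions):
    """Tag every function in a {name: {"calls": [...], "immediates": [...]}} dict."""
    return {name: tag_function(info.get("calls", []), info.get("immediates", []))
            for name, info in functions.items()}


# Constructed sample input, standing in for what a disassembler script would collect.
SAMPLE_FUNCTIONS = {
    "sub_401000": {"calls": ["__imp_CreateFileA", "ReadFile", "WriteFile", "CloseHandle"],
                   "immediates": [0x80000000, 0x3]},
    "sub_402000": {"calls": ["socket", "connect", "send", "recv"], "immediates": [0x2, 0x1]},
    "sub_403000": {"calls": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
                   "immediates": [0x40, 0x3000]},
    "sub_404000": {"calls": [],
                   "immediates": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]},
    "sub_405000": {"calls": ["IsDebuggerPresent", "ExitProcess"], "immediates": []},
}

if __name__ == "__main__":
    for name, tags in analyze(SAMPLE_FUNCTIONS).items():
        print(f"{name}: {dominant_group(tags)} {tags['groups']}")
        for value, meaning in tags["crypto_hits"]:
            print(f"    {value:#010x} -> {meaning}")
        if tags["unknown"]:
            print(f"    untagged calls: {', '.join(tags['unknown'])}")
```

Unknown API names are reported rather than dropped, since an empty tag set on a function that clearly calls something is usually a sign that the table, not the binary, needs attention.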

2012 - AntiRE: An Executable Collection of Anti-Reversing Techniques

When teaching Reverse Engineering at university, there is always a point where the concepts of packers and protectors are explained. Many of these tools contain techniques that exploit properties of analysis tools, mostly driven by the goal to detect or defeat them. Studying packers and protectors can be a very demanding task. The techniques are often used in a covert way and combined with each other, which makes it hard to understand their mechanics. Apart from dedicated packers and protectors, these techniques also appear occasionally in malware samples.
To ease practical studies on such techniques, AntiRE was built. The intention of this tool is to bring together referenced documentation and annotated proof-of-concept code snippets, bundled in a single benign executable. Techniques are implemented as one function each, which allows their behaviour to be inspected in isolation from side effects. The tool is best used in a debugger, where you can directly jump around the code and proceed to the techniques you are interested in.
First and foremost, I would like to thank Christopher Kannen for his efforts in extending the set of tests integrated in the initial release of AntiRE. I would also like to thank Peter Ferrie and Ange Albertini for their feedback on the tool and their great work on publicly documenting such techniques and binary oddities. Many of the tests integrated in AntiRE are based on their work.
AntiRE is open source and welcomes contributions! In the future, the project hosting will probably be moved to GitHub or BitBucket in order to make code contributions easier.

2011 - PyBox: A Python Approach to Sandboxing

PyBox (short for "Python Sandbox") is a flexible and light-weight process and system analysis framework.
Originally, we started this project with the intention of creating a sandbox toolkit for semi-automated malware analysis which is both easy to understand and to extend. Using Python as the main programming language allows dynamic and even runtime modifications to the scripts containing monitoring settings and functionality. This removes the need for frequent re-compilation of source code when tailoring the application to special cases and supports the idea of rapid prototyping. It is comparable to cuckoobox, with fewer features and more tailored towards adapting to single samples and families than being an automated analysis platform.

Documents

2012 - Case Study of the Miner Botnet

I spent some time investigating the so-called "Miner Botnet" during Sep. 2011 - Feb. 2012. The research was initially motivated by the botnet DDoS'ing about 500 German websites in August/September 2011, earning it some major media attention in Germany. Furthermore, it had an interesting P2P architecture and was one of the first botnets abusing infected machines to generate bitcoins, hence the name. As a result of my work, I wrote a paper about my findings, which was accepted at the 4th International Conference on Cyber Conflict (CyCon) in Tallinn, Estonia. After checking back with the conference committee, I am happy to be able to publish the paper here, making it available to a larger audience.

2012 - Translation of corkami's PE 101

Ange Albertini did great work summarizing the binary structure and loading process of a simple PE Windows executable, reduced to a single sheet of paper. On Twitter he asked for volunteers to translate the document and I happily did this.

2011 - x86 Opcode Structure and Instruction Overview

My first contact with the corkami project was through the different cheat sheets. One of them featured an instruction overview of x86 opcodes that I liked a lot. I felt like using this representation as a basis and extended it by adding some more instructions as documented by Intel as well as grouping the opcodes semantically with colors. The result is a comprehensive and appealing diagram, ready to be printed as a desktop cheat sheet or in poster size, and useful in daily work.

2011 - ENISA Botnet Study

The ENISA botnet study "Botnets: Detection, Measurement, Disinfection and Defense" was my first major publication, a 150-page writeup giving a comprehensive introduction to the topic. It is accompanied by a smaller, high-level version focusing on central aspects of botnet mitigation that reflects the opinions of several experts in the field.