/* CAT(1) */

Posted a new blog for $dayjob here. TL;DR: it's an analysis of a new Hancitor VB dropper + shellcode. It's the first time I've seen macro code use Windows syscalls directly to try to evade the standard methods of executing shellcode. Pretty awesome capability to have within VB, and its lack of usage is probably a combination of people not even realizing it's capable and the fact that you're effectively writing a real program in VB. That adds a ton of complexity for managing memory and calls, etc. ... path of least resistance and all that jazz.

It'll be interesting to see if this technique makes its way into the standard set of tools for the other side.
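As an added illustration (not code from this post or from the $dayjob write-up), a small Python triage check for the pattern described above: it parses a macro's `Declare` statements and flags a module that pulls the allocate/write/execute primitives from ntdll rather than the usual kernel32 exports, combined with an auto-exec entry point. The VBA sample is constructed, and the set of routine names watched is my assumption, not a list taken from the post.

```python
import re

# Constructed VBA sample in the style described above; not the real dropper's code.
SAMPLE_VBA = '''
Private Declare PtrSafe Function NtAllocateVirtualMemory Lib "ntdll" (ByRef p As Any) As Long
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "ntdll.dll" (ByRef p As Any) As Long
Private Declare PtrSafe Function ZwCreateThreadEx Lib "ntdll" (ByRef p As Any) As Long
Private Declare PtrSafe Function GetTickCount Lib "kernel32" () As Long
Sub AutoOpen()
    Call Stage()
End Sub
'''

# Declare [PtrSafe] Function|Sub <name> [CDecl] Lib "<library>"
DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+(?:CDecl\s+)?Lib\s+"([^"]+)"', re.I)
AUTOEXEC_RE = re.compile(
    r'\b(?:Sub|Function)\s+(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b', re.I)

# ntdll routines covering the classic allocate / write / execute shellcode sequence.
# Zw* names are normalised to Nt* below, since ntdll exports both for the same call.
NATIVE_MEMORY = {"ntallocatevirtualmemory", "ntprotectvirtualmemory", "ntwritevirtualmemory"}
NATIVE_EXEC = {"ntcreatethreadex", "rtlcreateuserthread", "ntqueueapcthread"}

def extract_declares(vba):
    """Return [(function_name, library)] for every Declare, library lower-cased without .dll."""
    out = []
    for name, lib in DECLARE_RE.findall(vba):
        lib = lib.lower()
        if lib.endswith(".dll"):
            lib = lib[:-4]
        out.append((name, lib))
    return out

def assess_macro(vba):
    """Flag a module that imports ntdll memory + thread primitives and auto-executes."""
    ntdll = set()
    for name, lib in extract_declares(vba):
        if lib == "ntdll":
            n = name.lower()
            ntdll.add("nt" + n[2:] if n.startswith("zw") else n)
    mem = sorted(ntdll & NATIVE_MEMORY)
    exe = sorted(ntdll & NATIVE_EXEC)
    autoexec = AUTOEXEC_RE.findall(vba)
    return {"ntdll_imports": sorted(ntdll), "memory_primitives": mem,
            "exec_primitives": exe, "autoexec": autoexec,
            "suspicious": bool(mem and exe and autoexec)}

if __name__ == "__main__":
    print(assess_macro(SAMPLE_VBA))
```

Run it over VBA source dumped with a macro extractor; a kernel32-only module (VirtualAlloc/CreateThread) is left to the usual rules, while ntdll-sourced primitives plus an auto-exec sub get flagged.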
