Posts

Quirks of an EDR: Usermode (in progress)

Introduction

EDR vendors solve the same problems, they just do it differently, and that is where logical pitfalls creep in. This is a work-in-progress article about one EDR: a formal write-up of my notes, based on a static (not dynamic) analysis of its different parts. I'll highlight some remarks on the usermode components; the kernel-mode part might come later. I'll try to be concise and on point. Of course, everything I mention here needs dynamic analysis to verify.

Hook Installation

The EDR installs hooks on a set of API functions in ntdll.dll to log telemetry into ETW, by injecting a DLL into every process. Each function meant to be hooked is represented by a 4-part structure whose elements are, in order:

- The name of the DLL where it resides
- The name of the API function
- A pointer to the original function
- The "hook"

The "hook" is a function that calls the original one and logs telemetry. The next figure is an example: After calling the original API function b...
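To make the table layout concrete, here is an added example that is not the EDR's or the post author's code: a portable simulation of the four-part hook entry (DLL name, export name, saved original pointer, hook), an install routine that fills in the original and swaps the export slot, and a hook that calls through and then records telemetry. The target function NtExampleCall, the in-memory telemetry log and all other names are this example's own assumptions; on the real EDR the original is resolved from ntdll.dll and the telemetry goes to ETW.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not the EDR's or the post author's code. It simulates the
 * four-part hook table the post describes so the flow runs on any platform:
 * the "original" pointer is a local function instead of an export resolved
 * from ntdll.dll, and telemetry goes to an in-memory log instead of ETW.
 * NtExampleCall, Hook_NtExampleCall, g_telemetry and the rest are this
 * example's own names, not identifiers taken from the EDR. */

typedef long (*api_fn)(unsigned long arg);

/* One entry per hooked function, fields in the order the post gives. */
typedef struct {
    const char *dll;      /* DLL the target lives in, e.g. "ntdll.dll" */
    const char *name;     /* exported name of the target function     */
    api_fn      original; /* saved when the hook is installed          */
    api_fn      hook;     /* replacement: calls original, then logs    */
} hook_entry_t;

/* In-memory stand-in for the ETW provider: one record per hooked call. */
#define MAX_EVENTS 64
static char   g_telemetry[MAX_EVENTS][96];
static size_t g_event_count = 0;

static void log_event(const char *api, unsigned long arg, long result)
{
    if (g_event_count < MAX_EVENTS)
        snprintf(g_telemetry[g_event_count++], sizeof g_telemetry[0],
                 "%s(arg=%lu) -> %ld", api, arg, result);
}

/* Stand-in for the real export; doubles its argument so a caller can see
 * that the original still runs unchanged underneath the hook. */
static long NtExampleCall(unsigned long arg) { return (long)(arg * 2); }

/* The slot application code calls through. Installing the hook overwrites
 * it, which is the observable effect of patching the export in ntdll. */
static api_fn g_export_NtExampleCall = NtExampleCall;

static long Hook_NtExampleCall(unsigned long arg);

static hook_entry_t g_hooks[] = {
    { "ntdll.dll", "NtExampleCall", NULL, Hook_NtExampleCall },
};
#define HOOK_COUNT (sizeof g_hooks / sizeof g_hooks[0])

/* The hook: run the original first, then emit telemetry with its result.
 * Each hook is tied to its own table entry; this one is entry 0. */
static long Hook_NtExampleCall(unsigned long arg)
{
    long result = g_hooks[0].original(arg);
    log_event(g_hooks[0].name, arg, result);
    return result;
}

/* Walk the table: resolve each target (GetProcAddress stand-in), save it in
 * `original`, and point the export slot at `hook`. Entries that are already
 * installed are skipped so a second call does not chain the hook onto
 * itself. Returns the number of hooks installed. */
size_t install_hooks(void)
{
    size_t installed = 0;
    for (size_t i = 0; i < HOOK_COUNT; i++) {
        if (strcmp(g_hooks[i].dll, "ntdll.dll") == 0 &&
            strcmp(g_hooks[i].name, "NtExampleCall") == 0 &&
            g_hooks[i].original == NULL) {
            g_hooks[i].original = g_export_NtExampleCall;
            g_export_NtExampleCall = g_hooks[i].hook;
            installed++;
        }
    }
    return installed;
}

/* What application code does: call through the export slot. */
long call_NtExampleCall(unsigned long arg) { return g_export_NtExampleCall(arg); }

size_t      telemetry_count(void)  { return g_event_count; }
const char *telemetry_at(size_t i) { return i < g_event_count ? g_telemetry[i] : ""; }

int main(void)
{
    printf("installed %zu hook(s)\n", install_hooks());
    printf("NtExampleCall(21) = %ld\n", call_NtExampleCall(21));
    for (size_t i = 0; i < telemetry_count(); i++)
        printf("telemetry: %s\n", telemetry_at(i));
    return 0;
}
```

The point of the simulation is the data flow, not the patching mechanism: the caller's result is unchanged, the saved `original` is what the hook uses to reach the real code, and the telemetry record is produced only after the original has returned.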

Another example of an Opsec failure in malware C2 Panels

Introduction

This is not going to be a long article. I wrote some articles before about blunders in malware infrastructures. Some threat actors make bad mistakes, and that can cost them their infrastructure or, in the case of stealers, their logs.

- This article shows an example of a simple bug that could cost the threat actors their entire infrastructure: https://www.rootkall.com/2025/03/hacking-website-used-to-deliver-malware.html
- This one is about a stealer called Gremlin, whose logs were accessible via an "Index Of" page :p https://www.rootkall.com/2025/04/gremlin-stealer-strings-decryption.html

I wasn't really sure if I should write about this case, but sharing knowledge is always good. As you can see in the screenshot, someone shared a C2 panel, and I love these in the sense that I try to compromise them. In a reply to the tweet I pointed out the blunder that was made. The C2 panel is open source: a quick search of "C2WebServer" in a search engine would yi...

Gremlin Stealer: Strings decryption + Where data is uploaded

Introduction

This is a quick static analysis blog post. @solostalking shared a sample of a new stealer with me on Twitter this morning, and I decided to take a quick look at it. I found how it decrypts its strings, and the process can be automated; I'll just showcase the algorithm.

Sample: https://app.any.run/tasks/69325fa1-b37e-41dc-a1f8-bb0038345a3d

Decrypting the strings

Since it's a .NET sample, let's open it in dnSpy. Skimming through the methods of the main module, I found this one. Obviously, seeing a loaded resource and some obfuscation, plus a method that returns a string, you think it's a string decryption method. It loads an encrypted resource, uses the first and second parameters to calculate an offset, and finally runs a decryption routine. Notice how all the elements of the array are XORed with the SAME INTEGER, which is the third parameter.

We can make use of CyberChef's XOR Brute Force and bulk decrypt everything in the resource. We can recognize some strings such as chrome.exe etc......
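As an added example that is not code from the sample or from the post, the single-key XOR scheme described above, generalised: a slice decryptor that takes the resource offset and length as parameters (the sample's own offset arithmetic from its first two parameters is not reproduced), and a 256-key brute force over the whole resource that ranks candidates the way an analyst does with CyberChef's XOR Brute Force, by readability and by recognisable markers such as ".exe". The resource bytes are constructed for this example: "chrome.exe" followed by "Login Data", each byte XORed with the key 0x5A.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the sample or the post. Constructed stand-in
 * for the encrypted resource: "chrome.exe" then "Login Data", every byte
 * XORed with the same single key (0x5A). Offsets, key and contents are this
 * example's own; the real sample's offset arithmetic is not reproduced. */
static const uint8_t RESOURCE[] = {
    /* "chrome.exe" ^ 0x5A */
    0x39, 0x32, 0x28, 0x35, 0x37, 0x3F, 0x74, 0x3F, 0x22, 0x3F,
    /* "Login Data" ^ 0x5A */
    0x16, 0x35, 0x3D, 0x33, 0x34, 0x7A, 0x1E, 0x3B, 0x2E, 0x3B,
};

/* The per-string routine the post describes, generalised: decrypt `len`
 * bytes starting at `offset`, XORing each with one key. NUL-terminates the
 * output. Returns bytes written, or 0 if the slice is out of range or the
 * output buffer is too small. */
size_t decrypt_slice(const uint8_t *res, size_t res_len, size_t offset,
                     size_t len, uint8_t key, char *out, size_t out_cap)
{
    if (offset > res_len || len > res_len - offset || len + 1 > out_cap)
        return 0;
    for (size_t i = 0; i < len; i++)
        out[i] = (char)(res[offset + i] ^ key);
    out[len] = '\0';
    return len;
}

static int is_text_byte(unsigned char c)
{
    return (c >= 0x20 && c <= 0x7E) || c == '\n' || c == '\r' || c == '\t';
}

/* Markers an analyst would recognise in stealer strings (example list). */
static const char *MARKERS[] = { ".exe", ".dll", "http", "Login Data", "\\" };

/* Score a decrypted candidate: -1 if any byte is unreadable (the key is
 * wrong), otherwise the number of known markers it contains. Scoring by
 * printable-ness alone is not enough: neighbouring keys often produce
 * all-printable junk, so marker hits break the tie. */
static int score_candidate(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (!is_text_byte((unsigned char)buf[i]))
            return -1;
    int score = 0;
    for (size_t m = 0; m < sizeof MARKERS / sizeof MARKERS[0]; m++)
        if (strstr(buf, MARKERS[m]) != NULL)
            score++;
    return score;
}

/* Try all 256 single-byte keys over the whole resource (CyberChef's XOR
 * Brute Force by hand). Returns the best-scoring key, or -1 if no key
 * yields readable text or the resource is too large for the work buffer. */
int bruteforce_key(const uint8_t *res, size_t res_len)
{
    char buf[256];
    int best_key = -1, best_score = -1;
    if (res_len + 1 > sizeof buf)
        return -1;
    for (int key = 0; key < 256; key++) {
        decrypt_slice(res, res_len, 0, res_len, (uint8_t)key, buf, sizeof buf);
        int s = score_candidate(buf, res_len);
        if (s > best_score) {
            best_score = s;
            best_key = key;
        }
    }
    return best_key;
}

/* Check helper: decrypt one slice of RESOURCE and compare to `expected`. */
int slice_decrypts_to(size_t offset, size_t len, uint8_t key, const char *expected)
{
    char out[64];
    if (decrypt_slice(RESOURCE, sizeof RESOURCE, offset, len, key, out, sizeof out) != len)
        return 0;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    int key = bruteforce_key(RESOURCE, sizeof RESOURCE);
    char out[64];
    printf("best key: 0x%02X\n", key);
    if (key >= 0) {
        decrypt_slice(RESOURCE, sizeof RESOURCE, 0, 10, (uint8_t)key, out, sizeof out);
        printf("slice @0:  %s\n", out);
        decrypt_slice(RESOURCE, sizeof RESOURCE, 10, 10, (uint8_t)key, out, sizeof out);
        printf("slice @10: %s\n", out);
    }
    return 0;
}
```

Because every string in the resource shares one key, recovering it once from a recognisable slice is enough to bulk-decrypt the rest; the marker list is where a real analyst would put the strings already seen in the sample.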