
Content

In this Twitch stream we take a look at Gozi / ISFB / RM3 and develop a config extractor that works on the latest variants. This is mostly a coding stream: we take an old extractor and update it so that it works with modern samples.

Samples

33D6C2BF629E34D4F11F3C680A3EF60501769DBDAC658E3A4A119D5AC81BFF79 

Notes

ISFB / GOZI / RM3 Config Extraction 

Files

overlay

Video: "Live Stream VOD: Building a Config Extractor for ISFB" by OALABS on Vimeo.

Comments

Chaitanya Ghorpade

If you can share your old write-up on Gozi if its okay to make it public, it looked more in detailed so might help new guys looking into Gozi.

oalabs

The references in the note are much more comprehensive, this one specifically https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/

Al

Hi, I was trying to understand your code and what really drove me crazy are the parameters used in "get_section_table_end", because I think that something is missing. I tried to understand the +4 parameter in the x32 configuration and I figured out that it was a reference to the PE header signature, which is 4 bytes. Am I correct? However, I think you should also take into account the additional 20 bytes that go from the Machine to the Characteristics fields, which are still part of the PE file header. If you do so, your pointer should correctly point to the "dead zone" between the section table and the code. If I am wrong, would you please help me understand it better? BTW, thanks a lot for all your content!

oalabs

You are correct! We are missing the File Header in the calculations, https://i.imgur.com/lFlVBJ3.png

DOS header size = pe.DOS_HEADER.e_lfanew
PE signature = 4 bytes
File Header size = (missing)
Optional Header size = pe.NT_HEADERS.FILE_HEADER.SizeOfOptionalHeader
Section table size = number of sections * section size

The File Header size should be static, so we can just add the size as you suggested and it will fix the offset for us... For this config extractor it doesn't matter (which is why it works), because we just need to roughly get into the area to find the config signature, but this could really mess things up in other cases where we actually need the end of the header.
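The header arithmetic discussed in the comment above, as an added example that is not code from the stream or from the OALABS extractor: it walks the DOS header, PE signature, IMAGE_FILE_HEADER, optional header and section table with plain struct (no pefile dependency), computes the end of the section table both without and with the 20-byte file header, and then runs a forward signature scan from each offset over a constructed PE header. The function names, the "CFG\0" marker and the image layout are assumptions for illustration; the sizes are the fixed ones from the PE/COFF specification.

```python
import struct

# Fixed sizes from the PE/COFF spec: "PE\0\0" signature, IMAGE_FILE_HEADER, IMAGE_SECTION_HEADER
PE_SIGNATURE_SIZE = 4
FILE_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def parse_headers(data: bytes):
    """Return (e_lfanew, NumberOfSections, SizeOfOptionalHeader) from a raw PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + PE_SIGNATURE_SIZE] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #                    NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    fh = struct.unpack_from("<HHIIIHH", data, e_lfanew + PE_SIGNATURE_SIZE)
    return e_lfanew, fh[1], fh[5]


def get_section_table_end_original(data: bytes) -> int:
    """Offset as discussed in the thread: e_lfanew + 4 + SizeOfOptionalHeader
    + NumberOfSections * 40, i.e. without the 20-byte IMAGE_FILE_HEADER."""
    e_lfanew, nsec, opt = parse_headers(data)
    return e_lfanew + PE_SIGNATURE_SIZE + opt + nsec * SECTION_HEADER_SIZE


def get_section_table_end(data: bytes) -> int:
    """Corrected offset of the first byte after the section table."""
    e_lfanew, nsec, opt = parse_headers(data)
    return e_lfanew + PE_SIGNATURE_SIZE + FILE_HEADER_SIZE + opt + nsec * SECTION_HEADER_SIZE


def section_table_range(data: bytes):
    """(start, end) of the section table, so we can tell where a short offset lands."""
    e_lfanew, nsec, opt = parse_headers(data)
    start = e_lfanew + PE_SIGNATURE_SIZE + FILE_HEADER_SIZE + opt
    return start, start + nsec * SECTION_HEADER_SIZE


def first_raw_data_offset(data: bytes) -> int:
    """Lowest non-zero PointerToRawData across sections: where the header 'dead zone' ends."""
    start, end = section_table_range(data)
    ptrs = [struct.unpack_from("<I", data, off + 20)[0]
            for off in range(start, end, SECTION_HEADER_SIZE)]
    nonzero = [p for p in ptrs if p]
    return min(nonzero) if nonzero else end


def find_marker(data: bytes, start: int, marker: bytes) -> int:
    """Scan forward from start for a signature, as the extractor does for the config blob."""
    return data.find(marker, start)


def build_sample_image() -> bytes:
    """Constructed 32-bit PE image (not a real sample): e_lfanew=0x80, two sections,
    0xE0-byte optional header, a 'CFG\\0' marker in the header slack, raw data at 0x400."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                     # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt_hdr = bytearray(0xE0)
    struct.pack_into("<H", opt_hdr, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt_hdr, 60, 0x400)                   # SizeOfHeaders

    def section(name: bytes, va: int, raw: int) -> bytes:
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, va, 0x1000, raw, 0, 0, 0, 0, 0x60000020)

    sections = section(b".text", 0x1000, 0x400) + section(b".data", 0x2000, 0x1400)
    img = bytearray(dos + b"PE\0\0" + file_hdr + opt_hdr + sections)
    img += b"\0" * (0x400 - len(img))                            # header slack ("dead zone")
    img[0x200:0x204] = b"CFG\0"                                  # stand-in for a config signature
    img += b"\xCC" * 0x2000                                      # fake section bodies
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    start, end = section_table_range(img)
    print("section table: 0x%x-0x%x, raw data starts 0x%x" % (start, end, first_raw_data_offset(img)))
    print("without file header: 0x%x (inside table: %s)" % (
        get_section_table_end_original(img), start <= get_section_table_end_original(img) < end))
    print("with file header:    0x%x" % get_section_table_end(img))
    for off in (get_section_table_end_original(img), get_section_table_end(img)):
        print("marker found from 0x%x at 0x%x" % (off, find_marker(img, off, b"CFG\0")))
```

On the constructed image the short offset lands 20 bytes inside the last IMAGE_SECTION_HEADER (exactly on its PointerToRawData field), while the corrected offset is the first byte of the header slack; both still find the marker with a forward scan, which is why the extractor worked despite the missing term, and why code that needs the real end of the headers (for instance to carve the slack between the section table and the first section's raw data) must include the file header.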

Al

Thanks a lot for your reply! Yes, your code works properly! It was just a clarification, because it's the first time that I've tried to create some automation and I wanted to be sure about what I'm doing! Thanks again!