Bythos Bytes

A blog about coding, security notes and thoughts.

Introduction

(Coming Soon)

A couple of months ago, I was chatting with a friend about new security technologies. He asked me if I knew of any previous work that uses eBPF to prevent malicious activity (ergo malware), or at least to detect it.

I had heard about eBPF before (as a replacement for Netfilter and such) but never spent a reasonable amount of time studying it. So I went down the rabbit hole to learn a little more.

I was amazed by its capabilities. Below, I'll try to explain as simply as possible what eBPF is and what it can do, along with solid references for those who want to learn more. There's a lot of good information on the internet, but I intend to be more general here and give a light introduction to it.

This post will be updated with more information as soon as possible.

The following topics will be discussed:

1. eBPF brief history
2. eBPF Virtual Machine
3. eBPF program overview
4. eBPF types of programs
5. What are helper functions?
6. How is eBPF loaded?
7. How can userspace programs interact with eBPF programs?
8. eBPF Maps
9. References

Read more...

The purpose of this blog is to store my study notes about security, malware and reverse engineering.

Also, I will write some random stuff about random thoughts. Some of it will be in English but, sometimes, I'll drop something in Portuguese.

I'm currently a Security Analyst. I have a bachelor's and an MSc degree in Electrical Engineering. Also, along the way, I got a specialization in “Information Security Technology Management” and in an Integrated Circuit Design program (CI-Brasil) sponsored by the Ministry of Science and Technology of Brazil.


Sidenote: Bythos refers to the Monad, “the beginning of all things”. As such, this blog may contain some “philosophy” between technical posts.

Unfortunately, as part of their policy, HTB does not allow public write-ups of their active machines and challenges. As such, this step-by-step guide will be released as soon as the challenge is retired.

Until then.

Coming soon

Read more...

Following my studies on Reverse Engineering (RE) and Malware, I decided to step back and start over with the very basic concepts of reversing. For this purpose, I took out my old books, articles and references about RE (listed below). In addition, I'll use the HTB reversing challenges as warm-up exercises. As soon as possible, I'll write my notes on every challenge here.

Recently I won a VIP subscription to HTB. As such, I headed off to hack every retired machine, from easiest to hardest. Unfortunately, most of the easy ones are (so far) too easy.

Read more...

Post originally published on my old blog. It was automatically translated and as such may be poorly translated.

Continuing our analysis of malicious documents, we will now address the step known as static analysis. However, before entering this phase, we need to understand which format is used by the documents.

Read more...

Post originally published on my old blog. It was automatically translated and as such may be poorly translated.

I recently had the opportunity to get my hands on a .doc file that was sent to me and that had been categorized by an antivirus heuristic as an infected file.

After being informed of the possible infection, the person who gave me the file simply said that other AVs did not identify it as a malicious file and questioned the first analysis, implying that he believed the file was not actually infected.

Read more...

About HTB

As a way to study and relearn most of the skills required to pentest real environments, I started, a couple of weeks ago, to crack (or try to crack) some Hackthebox virtual machines (VMs). At first, I was wondering if this was the right way to learn something new.

I must say that I'm not disappointed, since most of the boxes are set up in such a way that you need an overall knowledge of the Operating System/Technology that you're targeting. In addition, after you have exhaustively enumerated the box, you “must” know a little bit about the service, protocol or whatever you want to attack.

Read more...

I started working officially in Information Security back in 2012, but my personal interest began earlier, while studying Linux and OS stuff. Since I spent most of that time trying to make my US Robotics soft-modem work on Linux (a lot earlier than 2012) and learning a lot about sysadmin stuff, I consider myself a “started late on the internet” guy.

But this is not THAT relevant. What was more relevant were the small hiatuses in my InfoSec career and studies (I'll explain another time).

But now, since I'm back (for a while), I'll pick up from where I stopped: vulnerability assessment (VulnAs), pentesting, reverse engineering, forensics and incident response.

Read more...