Author Archives: jellever

StreamDivert: Relaying (specific) network connections

The first part of this blog will be the story of how this tool found it’s way into existence, the problems we faced and the thought process followed. The second part will be a more technical deep dive into the tool itself, how to use it, and how it works.

Storytime

About 1½ half years ago I did an awesome Red Team like project. The project boils down to the following: Continue reading

DominantColor: Calculating the dominant color in an image

win7-taskbar-icon-highlight

Taskbaricon mouseover highlight

First things first: Happy new year! I am sure 2016 will be a great year! Next up: DominantColor. It’s a project for calculating the dominant (hue) color in an image.This is something that took some research as I was building JeS Multi-Monitor Suite. The taskbar in Windows 7, 8 and 8.1 implemented a similar feature showing the dominant color as a highlight when you mouseover the taskbar icon. Continue reading

DevOps! And the road towards it…

DevOps! A must for modern software development, right?! You would expect most companies are already moving towards this new way of working. Why? Because software development needs to be more agile. Say you have a new customer, he wants a demo of your application but he also wants to see that one new feature. The software release that contains that feature is scheduled to be released in 2 months. Though, that specific feature is already “done and ready”. You ask the developers/administrators if they can put together a demo of that feature.. At that moment the devs and administrators are getting nervous. Everyone checks in their code to one single code branch so how are they going to demo that specific feature? Maybe on a laptop of a dev that still has a stable (*kuch* compiling) revision? This is where we have to change the way we develop software. 
Continue reading

Yara.NET – A .NET wrapper around Yara

Today I publish Yara.NET – A C++/CLI .NET wrapper around the Yara 3.4.0 library. It enables you to use all the Yara functionality that the native C lib exposes in .NET! Yara.NET API was inspired by the Python API and has thus a somewhat similar API. Why is it built in C++/CLI and not C#? Because building a wrapper library in C# around a native library is a pain compared to using C++/CLI. Using C++/CLI you can link directly against the native lib and use all of the existing header files without the need to redefine every function using PInvoke..

Continue reading

.NET, PInvoke and memory corruption

Screenshot 2013-10-26 11.23.38

Figure 1, .NET Pinvoke memory corruption

Today I ran into some old screenshots of a problem I was having in 2013. Interesting problem! I was trying retrieve a piece of data that was located in another process memory space using the ReadProcessMemory API. I defined the API using PInvoke(Platform Invoke), a technique used to call native functions from .NET. The issue I was having was that only under Windows 8 I was getting a NullReferenceException and initially I had no clue why. Continue reading

Pandora’s Box – Level 4

Level4, time for some crypto and reverse engineering.. Level 4 is a binary which decrypts encrypted files with a password, and of course an example binary and password are given. Putting some random data in a file and trying to decrypt that results in a message that the file is invalid or corrupt. This suggests that the binary has some kind of checksum algorithm to detect if the file is valid. Let’s take a closer look at the binary..  Continue reading