Reverse Engineering
Our efforts in Reverse engineering aids in identifying vulnerabilities, understanding threats, and formulating robust defense mechanisms, making it integral to maintaining a secure and resilient digital environment.
Our efforts in Reverse engineering aids in identifying vulnerabilities, understanding threats, and formulating robust defense mechanisms, making it integral to maintaining a secure and resilient digital environment.
Our focus in malware research involves dissecting and understanding the operation of malicious software. By documenting their behavior and impact, we provide crucial insights that aid in devising effective defensive strategies, contributing to a better understanding and stronger defense against emerging cyber threats.
We offer penetration testing services, identifying vulnerabilities by simulating real-world attacks on your digital infrastructure. Our process uncovers potential threats, providing actionable insights for improved security measures, ensuring robust defense and resilience for your business operations.
Our involvement in open-source focuses on offensive security techniques and tools. We utilize and contribute to community-driven projects. This collaborative approach promotes innovative solutions, ultimately strengthening defense against evolving cyber threats.
I’m currently overwhelmed with commitments and unable to dedicate time to my public research and tools. Unfortunately, I can't predict when I’ll be more available. However, I’m still addressing bug fixes and urgent requests. I appreciate your understanding and continued support!
In this latest installment of our "Malware Retrospective" series, we shift our lens to PrjRAPTOR, a lesser-known Remote Access Trojan that made its mark around 2008-2009, closing out the golden era of Trojan development before the focus shifted to profit-driven cybercrime. Our exclusive interview with its creator, "Ryan," provides invaluable insights into the Trojan's unique interface, development, and impact on the scene. This exploration offers a rare chance to connect with key figures who laid the groundwork for modern malware, enriching our understanding of this intricate landscape.
1 week, 6 days ago
Introducing "The Malware Gallery" - Your interactive, living museum showcasing the most notorious trojans and malware from past decades. Now in its beta phase, this ever-evolving collection is set to expand, so stay tuned for updates!
There are two primary motivations behind the project: First, it serves as a homage to the ingenious, albeit malicious, software creations that inspired many of us, myself included, to pursue a career in cybersecurity. These "pieces of art" so to speak, have played a pivotal role in shaping the trajectory of my professional life.
Second, it's an educational resource for newcomers to the field. Understanding the history of malware is essential for comprehending the complexities of today's cybersecurity landscape. For those who didn't grow up exposed to these early examples, The Malware Gallery offers a rare glimpse into the origins of cyber threats, enriching your knowledge.
Additionally, this project complements my recent article series, "Malware Retrospective" adding a layer of depth and reciprocity to the topics covered.
2 weeks, 4 days ago
We are pleased to announce that our latest tool, SharpShellPipe, has been featured in Bad Sector Labs Blog's Last Week in Security (LWiS).
3 weeks, 6 days ago
New technique added: "Named Pipes / SMB," featuring two code snippets for demonstration purposes. The first snippet uses .NET (C#) to showcase Named Pipes usage, while the second employs WinAPI with Delphi. Both examples aim to illustrate the application of Named Pipes in different programming environments.
4 weeks ago
This lightweight C# application serves as a demonstration of how simple it is to interactively access a remote system's shell via named pipes using the SMB protocol. It includes an optional encryption layer leveraging AES GCM, utilizing a shared passphrase between both the server and the client.
1 month ago
New evasion technique and snippet added for file extension manipulation using the Right-to-Left Override (RLO) character (U+202E). Malicious actors exploit this Unicode control character in file names to alter the visual display of extensions, making dangerous executables appear harmless to users. For example, invoice.pdf
becomes invoiceexe.pdf
by strategically placing the RLO character. This deception aims to trick users into unwittingly executing potentially harmful files.
1 month, 3 weeks ago
Continuing our enlightening "Malware Retrospective" series, we delve back into the depths of cybersecurity history. Following our thorough examination of Beast RAT, the early 2000s' formidable malware, we now turn our focus to another significant entity of that period, SubSeven. Conceived by the mysterious figure, Mobman, this Remote Access Trojan, also known as Sub7, remains an iconic marker in the evolution of digital threats. Join us as we explore its intriguing chronicles, offering both a retrospective glance and vital lessons for today's cybersecurity landscape.
2 months, 1 week ago
We are excited to announce that a new Snippets resource category has been implemented on the website. This addition will gradually provide a wide range of code snippets covering various topics related to Microsoft Windows. These snippets will offer valuable insights and practical examples to enhance your understanding of different aspects of Windows programming. Stay tuned as we continue to expand this resource with more code snippets in the future.
2 months, 3 weeks ago
Attached please find the slides from my presentation on the Unprotect Project, delivered yesterday at the inaugural HackTheBox Meetup France, hosted by the ESGI School in Paris.
If you have any questions or need further clarification on any aspect of the presentation, please feel free to reach out.
2 months, 4 weeks ago
The release of version "3.0 Final" signifies the culmination of this project. I will not be adding any further features; the objective of this PoC was to demonstrate the creation of a reliable and secure C2 utilizing FTP(S). You're encouraged to develop your own version with tailored functionalities. As an exercise, you might consider implementing multi-threading tasking to prevent the application from hanging during long-duration tasks.
I will, however, continue to provide support for the project in terms of addressing potential bugs or opportunities for optimization.
3 months ago
3 months ago
3 months ago
Support for encryption has been introduced, utilizing RSA and AES-GCM 256-bit algorithms, to safeguard the integrity and confidentiality of communications between agents and the C2 server.
3 months, 1 week ago
SharpFtpC2 is a small, experimental project aimed at exploring the possibility of using FTP(S) for relaying commands and responses between two remote computers. It employs the FTP protocol as a makeshift tunnel through which the computers, both acting as clients connected to an FTP server, can communicate. A simple session management scheme is used to keep track of the exchange of requests and responses.
3 months, 2 weeks ago
An alternative version of the code snippet, crafted in Delphi, has been introduced for the "C2 via FTP(S)" technique. This variant expertly demonstrates the employment of the Windows API's from Windows Internet (WinInet) library.
3 months, 2 weeks ago
A freshly added Unprotect C# code snippet elucidates the implementation of the "C2 via FTP(S)" technique. This example adeptly showcases the utilisation of the .NET Framework's WebRequest and FtpWebRequest classes, illustrating the steps to effectively execute tasks, handle requests, and manage responses through FTP (File Transfer Protocol).
3 months, 2 weeks ago
It's an immense honor to have been recognized by Microsoft as a Microsoft MVP (Most Valuable Professional) in Security. This achievement fuels my motivation to elevate my contributions even further.
3 months, 3 weeks ago
In this inaugural instalment of the Malware Retrospective series, we take a trip down memory lane to revisit the Beast RAT, a notorious Windows RAT (Remote Access Trojan) developed by the elusive “Tataye.” This groundbreaking malware left an indelible mark on a whole generation of enthusiasts, including myself, who were captivated by its ingenuity and influence the whole scene back in it’s time.
5 months ago
The complete project is now fully open-source! This includes the previously withheld SubSeven Server Service.
5 months, 3 weeks ago
A new version of the unprotect portal has been released with updates including:
FeaturedAPI is a new feature that allows for the mapping of common Microsoft Windows API's used by specific evasion techniques, with the ability to consult the most commonly used API's for each technique and their associated caution level (Low, Medium, High) as well as access to official and unofficial documentation.
The team is also making progress on the sample scanner to match scanned samples to potential fitting techniques.
8 months ago
Happy New Year 2023
Happy New Year!
As we ring in the new year, we at PHROZEN would like to extend our warmest wishes to all of our clients, partners, and friends. We hope that the coming year brings you health, happiness, and prosperity.
As we look ahead to the year ahead, we are excited to announce that we will be focusing our efforts on the Unprotect project contribution, as well as working towards in passing new offensive-security certifications. While we have always been committed to delivering top-quality work to our clients, we believe that these efforts will allow us to better serve you and stay at the forefront of our industry.
We understand that this may mean that we will not be able to take on as many public projects as we have in the past, but we hope that you will understand and continue to support us as we work towards these important goals.
Thank you for your continued trust and support. Here's to a successful and fulfilling new year!
Sincerely,
8 months, 3 weeks ago
We are thrilled that our new tool, DLest, was featured on the Qualys blog in the "New Tools & Techniques" section for December 2022. Keep an eye out for more exciting updates from us in the future!
9 months ago
DLest is a Microsoft Windows application that helps developers and malware analysts analyze and manipulate exported functions in Portable Executable (PE) files, especially DLLs. It allows you to enumerate exported functions using various methods and supports the analysis of memory-loaded modules in real time. It also has the ability to dump a reconstructed version of any module for further analysis. DLest is fully multithreaded and efficient for processing large numbers of PE files. It is useful for developers and malware analysts and streamlines their tasks.
9 months, 1 week ago
Tiny code snippet that demonstrate how to open a new Windows Explorer window with pre-selected files.
10 months, 1 week ago
Tiny Python code snippet to extract ASCII / Unicode strings from any file. This is a very simplified equivalent of UNIX strings
command.
Supports:
10 months, 1 week ago
10 months, 2 weeks ago
11 months, 1 week ago
We are excited to announce that our latest tool, PsyloDbg, has been featured in the "Tools & Exploits" section of Bad Sector Labs Blog's Last Week in Security. Stay tuned for more updates and improvements to come from us at PsyloDbg!
11 months, 2 weeks ago
PsyloDbg is a versatile, user-friendly, and open-source debugger for the Windows platform. It is entirely written in Delphi, and its purpose is to assist malware analysts in their work by providing them with a fast and effective tool. As a result, analysts can save time and improve their response to malware threats.
11 months, 2 weeks ago
I'm excited to announce that SubSeven Legacy, the remake of the iconic SubSeven 2.2, is now open-source! This is a great opportunity for enthusiasts and developers alike to dive deep into the intricate code that defined an era in InfoSec history. Please note, however, that only the SubSeven Server Service remains closed for the time being. Stay tuned for further updates and happy exploring!
1 year ago
New Unprotect C# Code Snippet added for technique Timestomp
.
This tiny code snippet demonstrate the principle of file time stomping.
Steps:
Additional information:
1 year, 1 month ago
New Unprotect Delphi code snippet added for technique Process Hollowing, RunPE with support of both x86-32 and x86-64 in a single code.
1 year, 3 months ago
New Unprotect Delphi Code Snippet added for technique Checking Mouse Activity
1 year, 3 months ago
New Unprotect Delphi Code Snippet added for technique DLL Injection via CreateRemoteThread and LoadLibrary
with both support of x86-32 and x86-64.
1 year, 3 months ago
New Unprotect Delphi Code Snippet added for technique ProcEnvInjection - Remote code injection by abusing process environment strings
for both x86-32 and x86-64.
1 year, 3 months ago