Reverse Engineering

Our efforts in Reverse engineering aids in identifying vulnerabilities, understanding threats, and formulating robust defense mechanisms, making it integral to maintaining a secure and resilient digital environment.

Malware Research

Our focus in malware research involves dissecting and understanding the operation of malicious software. By documenting their behavior and impact, we provide crucial insights that aid in devising effective defensive strategies, contributing to a better understanding and stronger defense against emerging cyber threats.

Penetration Testing

We offer penetration testing services, identifying vulnerabilities by simulating real-world attacks on your digital infrastructure. Our process uncovers potential threats, providing actionable insights for improved security measures, ensuring robust defense and resilience for your business operations.

Open-Source

Our involvement in open-source focuses on offensive security techniques and tools. We utilize and contribute to community-driven projects. This collaborative approach promotes innovative solutions, ultimately strengthening defense against evolving cyber threats.

I’m currently overwhelmed with commitments and unable to dedicate time to my public research and tools. Unfortunately, I can't predict when I’ll be more available. However, I’m still addressing bug fixes and urgent requests. I appreciate your understanding and continued support!

A new version of the unprotect portal has been released with updates including:

  • Migration from Bootstrap 4.x to the latest 5.x
  • A complete rewrite of the style using SASS
  • Multiple improvements, optimizations and refactoring
  • Implementation of the first version of FeaturedAPI.

FeaturedAPI is a new feature that allows for the mapping of common Microsoft Windows API's used by specific evasion techniques, with the ability to consult the most commonly used API's for each technique and their associated caution level (Low, Medium, High) as well as access to official and unofficial documentation.

The team is also making progress on the sample scanner to match scanned samples to potential fitting techniques.

1 year, 1 month ago

Paper

Happy New Year 2023

Happy New Year!

As we ring in the new year, we at PHROZEN would like to extend our warmest wishes to all of our clients, partners, and friends. We hope that the coming year brings you health, happiness, and prosperity.

As we look ahead to the year ahead, we are excited to announce that we will be focusing our efforts on the Unprotect project contribution, as well as working towards in passing new offensive-security certifications. While we have always been committed to delivering top-quality work to our clients, we believe that these efforts will allow us to better serve you and stay at the forefront of our industry.

We understand that this may mean that we will not be able to take on as many public projects as we have in the past, but we hope that you will understand and continue to support us as we work towards these important goals.

Thank you for your continued trust and support. Here's to a successful and fulfilling new year!

Sincerely,

1 year, 1 month ago

We are thrilled that our new tool, DLest, was featured on the Qualys blog in the "New Tools & Techniques" section for December 2022. Keep an eye out for more exciting updates from us in the future!

1 year, 2 months ago

DLest is a Microsoft Windows application that helps developers and malware analysts analyze and manipulate exported functions in Portable Executable (PE) files, especially DLLs. It allows you to enumerate exported functions using various methods and supports the analysis of memory-loaded modules in real time. It also has the ability to dump a reconstructed version of any module for further analysis. DLest is fully multithreaded and efficient for processing large numbers of PE files. It is useful for developers and malware analysts and streamlines their tasks.

1 year, 2 months ago

Tiny code snippet that demonstrate how to open a new Windows Explorer window with pre-selected files.

1 year, 3 months ago

Tiny Python code snippet to extract ASCII / Unicode strings from any file. This is a very simplified equivalent of UNIX strings command.

Supports:

  • ASCII string extraction
  • Unicode string extraction
  • Show extracted string offset
  • Define minimum extracted string length.

1 year, 3 months ago

  • Introduction of an option to keep certain information when process debug stops.
  • Program title is now dynamic (display debugged process id and elevation status).
  • Introduction of worker internal thread handling system.
  • Possibility to enumerate loaded modules.
  • Possibility to support child process inspection.
  • Memory map now support child process inspection.
  • Possibility to dump and partially reconstruct a portable executable image from memory (main and loaded modules).
  • Several code improvements.

1 year, 3 months ago

  • Possibility to view debugged process memory map.
  • Possibility to dump debugged process memory region(s).
  • Exception handling system added (beta).
  • Logging system added.
  • UX Theme support.

1 year, 4 months ago

We are excited to announce that our latest tool, PsyloDbg, has been featured in the "Tools & Exploits" section of Bad Sector Labs Blog's Last Week in Security. Stay tuned for more updates and improvements to come from us at PsyloDbg!

1 year, 4 months ago

PsyloDbg is a versatile, user-friendly, and open-source debugger for the Windows platform. It is entirely written in Delphi, and its purpose is to assist malware analysts in their work by providing them with a fast and effective tool. As a result, analysts can save time and improve their response to malware threats.

1 year, 4 months ago

New Unprotect C# Code Snippet added for technique Timestomp.

This tiny code snippet demonstrate the principle of file time stomping.

Steps:

  • Enumerate files in current directory (excluding the target file).
  • Sort enumerated files by modification date.
  • Takes the most recent file and apply its File Creation Date, File Last Modification and File Last Access to our target file.

Additional information:

  • Supports relative target file.
  • If no files lives inside the current directory, then current directory (parent folder) date information are used.
  • If no files lives inside the current directory and current directory is a root path, then timestomp procedure fails.

1 year, 6 months ago

New Unprotect Delphi code snippet added for technique Process Hollowing, RunPE with support of both x86-32 and x86-64 in a single code.

1 year, 8 months ago

New Unprotect Delphi Code Snippet added for technique Checking Mouse Activity

1 year, 8 months ago

New Unprotect Delphi Code Snippet added for technique DLL Injection via CreateRemoteThread and LoadLibrary with both support of x86-32 and x86-64.

1 year, 8 months ago

New Unprotect Delphi Code Snippet added for technique ProcEnvInjection - Remote code injection by abusing process environment strings for both x86-32 and x86-64.

1 year, 8 months ago

New code snippet that demonstrate how Malware authors create self-deleting application. This technique rely on an external command line interpreter process that attempt to delete malware sample when sample process is terminated.

1 year, 8 months ago

  • Streaming performance considerably increased. FPS rate increased by 65% and can be optimised further by tweaking available options.
  • Streaming desktop resolution is now controlled by the viewer.
  • FastResize option was removed.
  • Code optimisation.
  • Windows key is now supported.
  • Virtual Desktop window will show above terminal window.
  • Beta support of LogonUI (Winlogon Protected Desktop).

1 year, 11 months ago