Reverse Engineering

Signaturing an Authenticode anomaly with YARA

This is a local mirror of a blog written by me and originally published by NCC Group.
David Cannings
Sep 1, 2017 5 min read Computing
Sakula - an adventure in DLL planting

This is a local mirror of a blog written by me and originally published by NCC Group.

You can also read the related publication: Sakula DLL planting analysis.

David Cannings
Jun 16, 2016 3 min read Computing
sdelete - when secure delete fails
This is a local mirror of a blog written by me and originally published by NCC Group. Note: there are now better ways of wiping modern SSDs, as many will be self encrypting or support ATA commands for secure erase.
David Cannings
Mar 7, 2016 8 min read Computing
Analysis of the Linux backdoor used in freenode IRC network compromise
This is a local mirror of a blog written by me and originally published by NCC Group. This project was a highlight of my time at NCC Group, and I enjoyed collaborating with Pete Beck during analysis.
David Cannings
Oct 17, 2014 8 min read Computing
Automating IOC extraction from malware

This presentation was given at 44CON 2014. It provides an introduction to automated extraction of useful indicators of compromise …
David Cannings
Project Slides
Extracting the Payload from a CVE-2014-1761 RTF Document
This is a local mirror of a blog written by me and originally published by NCC Group. Background In March Microsoft published security advisory 2953095, detailing a remote code execution vulnerability in multiple versions of Microsoft Office (CVE-2014-1761).
David Cannings
Jun 8, 2014 6 min read Computing