Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Knock Knock! Who's There? - An NSA VM

fG - Posted 4 Years Ago
  • The NSA built what is effectively a virtual machine inside a BPF filter to backdoor machines. The implant binary, dewdrop, uses a technique known as port knocking for communication. Instead of opening a listening port, which is easily spotted with netstat and similar commands, it sniffs with libpcap and a BPF filter and waits for magic packets. (The sniffer is not invisible, though: a libpcap capture opens a packet socket, which shows up in /proc/net/packet and in `ss -0`, so that is the place to hunt for it.)
  • The tool is extremely quiet. Output is redirected to /dev/null, signal handlers are removed, core files are disabled... To make reversing harder, strings are XOR obfuscated, but with an off-the-shelf tool, so they are easy to decode.
  • The author dives into the weeds of the binary and finds that BPF is used both to sniff the traffic and as the VM. To view the BPF bytecode, Cloudflare's bpftools can be used, and there is even a BPF debugger (bpf_dbg, shipped in the kernel's tools/bpf).
  • The bytecode is completely reverse engineered to figure out what is going on. Since the instruction set is similar to assembly, the logic can be read straight out of the load/compare/jump chain. The filter is mainly the port-knocking check, but it accepts knocks carried over DNS, HTTP, TCP, ICMP and several other protocols.
  • Interesting post on how a highly sophisticated attacker receives commands on a compromised system. The author is also looking for a Linux developer with a deep understanding of the kernel; could be a fun opportunity!
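As an added example (this is not code from fG's post or from dewdrop itself), the following Python implements a small classic-BPF disassembler and interpreter and runs both over a hypothetical port-knock filter written in `tcpdump -dd` form. The filter, the "magic" value 0xdeadbeef, the knock port 1337 and the Ethernet/IPv4/UDP frames are all constructed inline for illustration. It shows the reversing step the bullets describe: reading the jeq/jset chain tells you exactly which packet wakes the implant (UDP, dst port 1337, payload starting 0xdeadbeef), and executing the filter confirms that decoys, fragments and truncated frames are dropped, because an out-of-bounds load in classic BPF rejects the packet.

```python
"""Classic-BPF disassembler + interpreter run over a constructed port-knock filter."""
import struct

# Classic BPF opcodes (linux/filter.h): class | size | addressing mode.
LD_W_ABS, LD_H_ABS, LD_B_ABS = 0x20, 0x28, 0x30   # A = pkt[k], 4/2/1 bytes
LD_W_IND, LD_H_IND, LD_B_IND = 0x40, 0x48, 0x50   # A = pkt[X + k]
LDX_B_MSH = 0xB1                                   # X = 4 * (pkt[k] & 0x0f), i.e. IPv4 IHL
JMP_JA, JMP_JEQ_K, JMP_JSET_K = 0x05, 0x15, 0x45
RET_K, RET_A = 0x06, 0x16
_SIZE = {LD_W_ABS: 4, LD_H_ABS: 2, LD_B_ABS: 1, LD_W_IND: 4, LD_H_IND: 2, LD_B_IND: 1}
_MNEM = {4: "ld", 2: "ldh", 1: "ldb"}

# Hypothetical knock filter as (code, jt, jf, k), the layout `tcpdump -dd` prints.
# Accepts: Ethernet/IPv4, UDP, not a fragment, dst port 1337, payload begins 0xdeadbeef.
KNOCK_FILTER = [
    (LD_H_ABS,   0, 0, 12),          # ethertype
    (JMP_JEQ_K,  0, 9, 0x0800),      # IPv4? else -> 11 (drop)
    (LD_B_ABS,   0, 0, 23),          # IP protocol
    (JMP_JEQ_K,  0, 7, 17),          # UDP? else -> 11
    (LD_H_ABS,   0, 0, 20),          # flags + fragment offset
    (JMP_JSET_K, 5, 0, 0x1FFF),      # fragment? -> 11
    (LDX_B_MSH,  0, 0, 14),          # X = IPv4 header length
    (LD_H_IND,   0, 0, 16),          # UDP dst port
    (JMP_JEQ_K,  0, 2, 1337),        # knock port? else -> 11
    (LD_W_IND,   0, 0, 22),          # first 4 payload bytes
    (JMP_JEQ_K,  1, 0, 0xDEADBEEF),  # magic? -> 12 else -> 11
    (RET_K,      0, 0, 0),           # 11: drop
    (RET_K,      0, 0, 0xFFFF),      # 12: accept (snaplen)
]


def disassemble(prog):
    """Render a filter as tcpdump-style text with resolved jump targets."""
    out = []
    for pc, (code, jt, jf, k) in enumerate(prog):
        if code in _SIZE:
            ref = f"[x+{k}]" if code & 0x40 else f"[{k}]"
            txt = f"{_MNEM[_SIZE[code]]} {ref}"
        elif code == LDX_B_MSH:
            txt = f"ldxb 4*([{k}]&0xf)"
        elif code in (JMP_JEQ_K, JMP_JSET_K):
            op = "jeq" if code == JMP_JEQ_K else "jset"
            txt = f"{op} #0x{k:x} jt {pc + 1 + jt} jf {pc + 1 + jf}"
        elif code == JMP_JA:
            txt = f"ja {pc + 1 + k}"
        elif code == RET_K:
            txt = f"ret #0x{k:x}"
        elif code == RET_A:
            txt = "ret a"
        else:
            txt = f"unknown 0x{code:02x}"
        out.append(f"({pc:03d}) {txt}")
    return out


def run_filter(prog, pkt):
    """Execute prog over pkt; return the accept length (0 = drop), like the kernel does."""
    a = x = pc = 0

    def load(off, size):
        return None if off < 0 or off + size > len(pkt) else int.from_bytes(pkt[off:off + size], "big")

    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code in _SIZE:
            v = load(k + (x if code & 0x40 else 0), _SIZE[code])
            if v is None:          # out-of-bounds load rejects the packet
                return 0
            a = v
        elif code == LDX_B_MSH:
            v = load(k, 1)
            if v is None:
                return 0
            x = 4 * (v & 0x0F)
        elif code == JMP_JA:
            pc += k
        elif code == JMP_JEQ_K:
            pc += jt if a == k else jf
        elif code == JMP_JSET_K:
            pc += jt if a & k else jf
        elif code == RET_K:
            return k
        elif code == RET_A:
            return a
        else:
            raise ValueError(f"unsupported opcode 0x{code:02x} at {pc - 1}")
    raise ValueError("filter fell off the end of the program")


def build_frame(proto, dport, payload, frag_off=0):
    """Constructed Ethernet/IPv4 frame carrying UDP (17) or a minimal TCP (6) segment."""
    eth = bytes(12) + b"\x08\x00"
    if proto == 17:
        l4 = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 0xFFFF, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, frag_off, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4


MAGIC = struct.pack("!I", 0xDEADBEEF) + b"cmd"   # constructed knock payload


def demo():
    """Run the knock and several decoys through the filter; returns {name: verdict}."""
    return {
        "knock": run_filter(KNOCK_FILTER, build_frame(17, 1337, MAGIC)),
        "wrong_port": run_filter(KNOCK_FILTER, build_frame(17, 53, MAGIC)),
        "wrong_magic": run_filter(KNOCK_FILTER, build_frame(17, 1337, b"\x00\x00\x00\x00cmd")),
        "tcp": run_filter(KNOCK_FILTER, build_frame(6, 1337, MAGIC)),
        "fragment": run_filter(KNOCK_FILTER, build_frame(17, 1337, MAGIC, frag_off=1)),
        "truncated": run_filter(KNOCK_FILTER, build_frame(17, 1337, MAGIC)[:40]),
    }


if __name__ == "__main__":
    print("\n".join(disassemble(KNOCK_FILTER)))
    for name, verdict in demo().items():
        print(f"{name:12s} -> {'ACCEPT' if verdict else 'drop'}")
```

Only the `knock` frame is accepted; everything else, including the frame cut off before the payload, returns 0. Real dumped filters from a binary are far longer than this one, but the method is identical: resolve every jump target, then walk the accepting path backwards to recover the knock conditions.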