Archive for the ‘Defense’ Category

GREM test-taking guide

Posted: January 7, 2018 in Defense, Misc
Tags: , , ,

When I decided to take this course, I signed up for the one OnDemand. What I like about these OnDemand courses is that the course is available for 4 months. Not just that, but you will have access to a group of great mentors available at the tip of your fingers. Those mentors will try to answer your questions and help you understand any point you face that you can’t figure out. I strongly urge you to use their services to ask any question or discuss any related topic that crosses your mind as you are going through the course.

Now, remember, if you intend to take the course, you need to know that this course is a bit dense and requires technical “understanding” of programming languages, computer architecture, and software engineering in general. Though, you don’t need to be a developer to bloom in this field, but the more knowledge you have in these different areas, the easier it is to absorb the material and apply it to your future investigations. By taking this course you will be able to do the following:

  • Set up a Malware Analysis Lab
  • Learn how to use debuggers and disassemblers
  • Perform behavior analysis of a malware sample
  • Perform static analysis of a malware sample
  • Learn the fundamentals of Assembly language
  • Analyze Microsoft Office files with Macros (doc, xl, ppt), PDF files, Win32 samples, memory analysis with Volatility
  • Analyze unpacked and packed malware
  • Learn about common malware obfuscation and de-obfuscation methods

Note that the list above is not an exhaustive list. There are more topics, tips, and tricks in the course. Always remember the course itself is not your only resource to learn the material. In often instances, I’ve found myself on YouTube searching for multiple explanations for technical terms or further details on assembly instructions. It’s part of the course to pause the SANS video and do some searching to better understand the material. You should find yourself repeating video segments multiple times to ensure you understand that point, otherwise, you won’t be able to apply it in real life.

On the other hand, you need to complete 2 tasks as you go through the study material:

  1. Create your own summary of concepts, principles, how-to, and your understanding of any methodology learned throughout the course. This becomes handy as your play-book and as your future reference. Personally, I keep a notebook with hand written notes. Future plan is to digitize my notes so that it’s accessible and available with higher retention period.
  2. Create your index for the test. My strategy was having an Excel spreadsheet open. Any term, command, or concept that I feel is of importance, I highlight on the book with a highlighter and type that word in my excel file along with the book number and page number.

I can’t stress enough that I found myself still using my notes and index. It’s not for passing the test, it’s your reference when you need it.

The key to any technical course is practicing. Find a good reverse engineering CTF to hone your skills and remember, “Practice makes Perfect!”

1. Check the hash of the downloaded file before you get started to ensure the file isn’t corrupt. If you’re having issues with downloading large files, try using Firefox or a download manger.

2. Download (VMware OVF tool)

3. From your Windows machine, run CMD.exe and execute the following commands:

– >>>> cd “C:\Program Files\VMware\VMware OVF Tool\”

– Note:This step should take up to 5 minutes. If you get error messages in this step, go back to step 1 and download the OVA file and make sure it’s not corrupt by comparing the hash of the downloaded file with the hash posted from the file owner >>>> ovftool.exe “D:\HoneyDrive_3_Royal_Jelly.ova” “D:\HoneyDrive_3_Royal_Jelly.ovf”

– Open VMware, From the Home Screen, Choose Open Virtual Machine, select the file with the OVF extention, and click open.

—> If you get an error message, click Retry. If you get another error message, then the file HoneyDrive file you downloaded must be corrupt.


HOW TO: Track what changes are made on your computer during a program installation.

Ever wanted to know exactly what changes (file and registry) that program you are installing is making on your computer? Ya I have too. Well this guide is intended to teach you how to do that.

What you need


  • Very Easy

Advance Notice

  • Be warned that this method can be a bit slow – 2-3 mins per install, depending on your computer.


Zsoft Uninstaller is a program that improves upon the normal Windows uninstallation methods; it helps you remove all traces of the installed program, including registry changes and left over files. However, I am not telling you to download Zsoft Uninstaller for its ability to uninstall programs. I am telling you to download Zsoft Uninstaller because of its feature to analyze installations.

You see how Zsoft Uninstaller works is that to ensure full removal of a program, you have the ability to ‘analyze’ and record the changes that the installer makes on your computer. Zsoft tracks not only file changes, but also registry changes; it will tell you exactly where a new file is added, or from where a file was deleted. Samething with registry. All you do is scan your computer before you install the program and scan your computer after you install the program. Zsoft will compare the changes and store them, giving you the ability to view them whenever you want. It is this analyzing feature that we are interested in.


First download and install Zsoft Uninstaller. This is a ‘no duh’ step, but as my C++ teacher said – never underestimate the power of human stupidity. Not saying that whoever is reading this is stupid – far from it. In fact whoever is reading this is an enlightened genius. But you get the point right? 😀

All the steps from now onwards you have to repeat everytime you want to track the changes made by a particular program during installation.

Run/start Zsoft uninstaller. Click on the ‘Analyze’ button up top:

In the window that pops up, make sure “Analyze an installation” is selected and hit “Next”:

At the next screen, select which hard drives will be effected by the installation of you program (C drive + the one you are going to install into). If you don’t know which drive to check, chances you are going to install into your C drive so leave just C drive checked. Hit “Before installation”:

This will start a scan of your computer. Wait for the scan to finish. How long it takes will depend on your computer. Yes I know it is kind of slow. After the scan is finished leave this window open and normally install your program. After you have installed your program, run it once for good measure. After that, open up the Zsoft window and hit “After installation”:

You will then be prompted with a window to enter a name for the software you installed:

The name can be anything you want, but make sure to make it meaningful so you will be able to recognize what software it was that you installed by looking at the name. Hit “OK” after you are done. Zsoft will again start to scan your computer. Wait for the scan to finish. After the scan is finished, Zsoft will automatically compare the two scans and try to find the differences. Wait until you see this window:

Hit “OK” and you will be brought back to the main program window. From that window, click on the “Analyzed Programs” tab:

You should now see the program you just analyzed. I had analyzed CHM Editor and named it CHM Editor, therefore you will see CHM Editor in my screenshot. Right click on this program and click on “Show Recorded Info”:

A window will open up that will list all the changes that were made to your computer during the installation of that program you have selected. The changes include file changes and registry changes both. However, from this window you are unable to search the changes to find any specific one you are looking for (I am talking about Ctrl + F search). So, what you need to do is click on the blue button that is located in the top left corner:

This will allow you to save all the changes made into a .txt file. Name the .txt file whatever you want and save it. After you have saved the .txt file, browse to the .txt file and open it. You will now be able to search all the changes with Ctrl + F.

That is it. As I said earlier, you will have to do this process everytime you want to track the changes made by an installation.

Before I end this post, I would like to say you are welcome to use Zsoft Uninstaller to uninstall your programs also – Zsoft is pretty decent in that area although I found it to be rather annoying. However, my recommendation would be to use RevoUninstaller to uninstall programs and just keep Zsoft for its analyzing abilities.