Karsten Hahn

@struppigel

Malware Analyst at G DATA. Ransomware hunter. Author of PortEx. he/him 🦔🌈

Germany
Joined May 2014

Tweets

  1. Pinned Tweet
    Sep 13
  2. Retweeted
    Dec 26

    Any ideas for Masters/Bachelors thesis topics around malware analysis, reverse engineering, low-level security or other infosec topics? Please RT too - I get this question a lot and I always struggle to answer. So I hope to use our community's wisdom and send folks here :)

  3. Retweeted
    Dec 25

    and the last but not least: “How to become a great malware analyst” according to the AI:

  4. Retweeted
    Dec 25

    Friends, I am very pleased to announce that I have managed to re-assemble the original 29a archives in totality. All zines are now present in what was once their original form. 1luv -smelly__vx

  5. Retweeted
    Dec 25

    Let's unearth my 'old' unpacking knowledge... IIRC the only doc I publicly made on the topic was Which doc/tool would you recommend checking nowadays?

  6. Dec 25

    Btw, the person who asks such a question has kind of a hacker's mindset.

  7. Dec 25

    That means the answer is no. It won't work. Unless the ransomware doesn't actually use the ID and it is just there for show. I don't know of any ransomware where that's the case.

  8. Dec 25

    Posting this from because it is a smart question to ask. Usually, ransomware uses a unique key for every infected system. The user ID is a way to determine which one is the right key. If you change the ID, the attackers won't be able to find the right key for you.

  9. Dec 25

    Most of the time I see really badly infected systems (e.g. by old file infectors like Ramnit), it stems from pirated software. Not to mention that this may spread to other systems as well (via network, USB, ...) Don't do this, for your own sake.

  10. Retweeted
    Dec 23

    Just published a new blog-post >> 5 ways to patch binaries with Cutter 🚀 Yes, you can patch from the decompiler! It's not a long article but it feels great to write again! I missed it. Check it out @

  11. Retweeted
    Dec 21

    Peep this work I've been doing for the last 6 months. I'm sure there are errors, but it's at the point where I think it's ready for the world. Enjoy my work on

  12. Dec 20

    This is especially relevant for shellcode analysis, if you don't know the bit-ness.

  13. Dec 20

    The other way around, 32-bit code interpreted as 64-bit code, is harder to notice. The code is mostly the same, but it mixes 64-bit operands with 32-bit operands. See ebx and rbx in this picture. Certain commands implicitly use 64-bit operands whereas others need 0x48.

  14. Dec 20

    Good tip from my colleague: This is how you can recognize 64-bit code wrongly interpreted as 32-bit code. It has lots of dec eax instructions because 0x48 is also used to signify 64-bit operand size. (32-bit interpretation is first picture, 64-bit second)

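An added example, not one of @struppigel's tweets or tools, of the 0x48 tip from the thread above, written as a byte-level Python heuristic for a raw blob such as shellcode. In x86-64 the byte 0x48 is the REX.W prefix that selects a 64-bit operand, so 64-bit compiler output is full of it; a 32-bit decoder has no REX prefixes and shows each of those bytes as `dec eax` followed by the real instruction. The code counts 0x48 bytes and `0x48 + common opcode` pairs and guesses the bitness from that. The sample byte strings are hand-assembled prologue/epilogue fragments I constructed (not real malware), and the opcode set and thresholds are my own assumptions. It covers only the direction the thread's first tweet describes (64-bit read as 32-bit); the reverse case still needs a real disassembler to spot the mixed rbx/ebx operands.

```python
"""Crude bitness heuristic for a raw code blob, based on the 0x48 / 'dec eax' tip.

In x86-64, 0x48 is the REX.W prefix (64-bit operand size) and is everywhere in
compiler output: 'mov rbp, rsp' is 48 89 e5, 'sub rsp, 0x20' is 48 83 ec 20.
A 32-bit decoder knows no REX prefixes, so each leading 0x48 becomes 'dec eax'
and the real instruction follows it. Counting such pairs is a cheap first check
before loading a blob into a disassembler with the wrong architecture.
Thresholds are guesses for illustration, not measured values.
"""

REX_W = 0x48

# Opcodes that commonly follow REX.W in compiled code: add (01), sub (29),
# xor (31), group-1 imm8 arithmetic (83), test (85), mov (89, 8b), lea (8d),
# mov r/m64, imm32 (c7), inc/dec r/m64 (ff). In a 32-bit view these are what
# shows up right after a spurious 'dec eax'. (Assumed set, not exhaustive.)
COMMON_AFTER_REX_W = {0x01, 0x29, 0x31, 0x83, 0x85, 0x89, 0x8B, 0x8D, 0xC7, 0xFF}


def rex_w_stats(code: bytes) -> dict:
    """Byte-level statistics only; no instruction decoding is attempted."""
    total = len(code)
    rex_w = code.count(REX_W)
    # 0x48 immediately followed by one of the opcodes above: in 64-bit code a
    # REX.W-prefixed instruction, in a 32-bit view 'dec eax' + that instruction.
    pairs = sum(
        1 for i in range(total - 1)
        if code[i] == REX_W and code[i + 1] in COMMON_AFTER_REX_W
    )
    return {
        "total": total,
        "rex_w": rex_w,
        "rex_w_ratio": rex_w / total if total else 0.0,
        "suspicious_pairs": pairs,
    }


def guess_bitness(code: bytes, ratio_threshold: float = 0.08, pair_threshold: int = 3) -> int:
    """Return 64 if the blob looks like x86-64 seen through the 0x48 lens, else 32.

    Genuine 32-bit code does contain the occasional 'dec eax', so one hit is
    not enough: both the overall 0x48 density and the number of
    'dec eax; <common opcode>' pairs have to be high."""
    s = rex_w_stats(code)
    if s["rex_w_ratio"] >= ratio_threshold and s["suspicious_pairs"] >= pair_threshold:
        return 64
    return 32


# Constructed samples: hand-assembled prologue/epilogue fragments, not real malware.
X64_SAMPLE = bytes.fromhex(
    "55"                # push rbp
    "4889e5"            # mov rbp, rsp          (32-bit view: dec eax; mov ebp, esp)
    "4883ec20"          # sub rsp, 0x20         (dec eax; sub esp, 0x20)
    "488b45f8"          # mov rax, [rbp-8]      (dec eax; mov eax, [ebp-8])
    "4831c0"            # xor rax, rax          (dec eax; xor eax, eax)
    "48c7c001000000"    # mov rax, 1            (dec eax; mov eax, 1)
    "48ffc0"            # inc rax               (dec eax; inc eax)
    "488d0500000000"    # lea rax, [rip+0]      (dec eax; lea eax, [0])
    "4883c420"          # add rsp, 0x20         (dec eax; add esp, 0x20)
    "5d"                # pop rbp
    "c3"                # ret
)

X86_SAMPLE = bytes.fromhex(
    "55"                # push ebp
    "89e5"              # mov ebp, esp
    "83ec20"            # sub esp, 0x20
    "8b45f8"            # mov eax, [ebp-8]
    "31c0"              # xor eax, eax
    "b801000000"        # mov eax, 1
    "40"                # inc eax
    "48"                # dec eax (a genuine one, which the heuristic must tolerate)
    "8945fc"            # mov [ebp-4], eax
    "83c420"            # add esp, 0x20
    "5d"                # pop ebp
    "c3"                # ret
)

if __name__ == "__main__":
    for name, blob in (("x64 sample", X64_SAMPLE), ("x86 sample", X86_SAMPLE)):
        print(name, rex_w_stats(blob), "->", guess_bitness(blob))
```

On the x64 sample eight of 38 bytes are 0x48 and every one of them is followed by a ModRM-taking opcode; the x86 sample has a single real `dec eax`, which is why the guess requires both a high 0x48 density and several pairs rather than any one hit.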
  15. Retweeted
    Dec 19

    I was today years old when I learned has an amazing site, with the best Windows cleaning/optimizing guide I've read in over a decade

  16. Dec 20

    I just found a collection of tools that you can use, e.g., for troubleshooting or disinfecting Windows. 👏 Scripts overview: One example is the Regrecent PowerShell script that shows registry changes in a certain time frame. 👍

  17. Dec 19

    There are strings tools that unexpectedly parse the file format like GNU binutils strings for Linux. (Thanks for the hint )

  18. Retweeted
    Dec 18

    So, and I are hosting a webinar today about ransomware prevention and incident response. If you enjoy German accents or always wanted to ask me something about ransomware, join us!

  19. Retweeted
    Dec 19

    We are releasing a free decryption tool for the (a GarrantyDecrypt/Outsider variant). Detailed instructions are available on our blog: Special thanks to for collaboration

  20. Dec 18

    If you jump right into decompiling or debugging without checking those first, you will---with some samples---miss the obvious stuff. You will also have more work than necessary. Do yourself a favour. <3

  21. Dec 18

    The advantage of hex editors and strings tools: They don't parse any file format. They show what is really there. They cannot be fooled. They don't need to rely on data structures to be pointing to the interesting stuff.

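An added example, not code from @struppigel's tweets, illustrating the hex-editor/strings thread above and the earlier remark about strings tools that parse the file format. The Python scanner walks every byte of its input and never consults a header, section table or directory, so strings in an overlay, in slack space or behind a lying header are reported like everything else. For comparison, a second function deliberately trusts the header and scans only the declared data region, which is the behaviour of a format-aware tool: depending on how it was built, GNU binutils `strings` may default to `-d` (only initialized, loaded data sections, located by parsing the file with BFD), and `strings -a` forces a whole-file scan. The `TOY!` container format, its header layout and the sample strings are invented for this example.

```python
"""Format-agnostic string scanner versus a header-trusting one.

raw_strings() shows what is really there: every printable ASCII and UTF-16LE
run in the whole buffer. declared_region_strings() mimics a tool that parses
the (invented) TOY! header and only looks where the header says the data is.
"""
import re

MIN_LEN = 4
HEADER_LEN = 16                        # size of the invented TOY! header
PRINTABLE = rb"[\x20-\x7e\t]"          # printable ASCII plus tab


def raw_strings(data: bytes, min_len: int = MIN_LEN):
    """Return sorted (offset, encoding, text) tuples for every ASCII and
    UTF-16LE run of at least min_len characters, scanning all of `data`.
    No file format is parsed, so nothing can redirect the scan."""
    ascii_re = re.compile(PRINTABLE + rb"{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        # Caveat: a printable byte directly before a UTF-16LE string followed
        # by a NUL would be absorbed into the match; terminators normally
        # prevent this and the constructed sample below has them.
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def declared_region_strings(blob: bytes):
    """Mimics a format-aware tool: trusts the TOY! header and scans only the
    data region it declares. Anything appended after that region is invisible."""
    if blob[:4] != b"TOY!":
        raise ValueError("not a TOY! container")
    declared_len = int.from_bytes(blob[4:8], "little")
    return raw_strings(blob[:HEADER_LEN + declared_len])


# Constructed sample: 16-byte header (magic, little-endian data length, padding),
# a declared data region holding one ASCII and one UTF-16LE string, and an
# overlay appended behind the declared region, as a dropper or packer stub might do.
DATA_REGION = b"Hello from .data\x00\x00" + "cmd.exe".encode("utf-16-le")
OVERLAY = b"\x00\x00dropped by unpacker stub\x00"
HEADER = b"TOY!" + len(DATA_REGION).to_bytes(4, "little") + b"\x00" * 8
BLOB = HEADER + DATA_REGION + OVERLAY
assert len(HEADER) == HEADER_LEN

if __name__ == "__main__":
    print("whole-file scan:")
    for off, enc, text in raw_strings(BLOB):
        print(f"  {off:#06x} {enc:8} {text!r}")
    print("header-trusting scan:")
    for off, enc, text in declared_region_strings(BLOB):
        print(f"  {off:#06x} {enc:8} {text!r}")
```

The whole-file scan lists the overlay string at offset 0x32; the header-trusting scan stops at the declared end of the data region and never sees it, which is exactly the "miss the obvious stuff" failure mode the thread warns about when a sample's headers do not point at the interesting bytes.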
