Demystifying Kerberos

Dear readers, how are you?

It is common to read unflattering words about how complex and hard to understand Kerberos is. Although my area is Malware Analysis, Reverse Engineering and Software Exploitation, I’ve written two articles for Oracle trying to correct this undesirable impression of Kerberos. I used Oracle Linux 7.2 to implement the solution.

The first article explains Kerberos concepts in depth and shows how to implement it. At the end, I show how to integrate SSH with it.

The second article has a more practical approach. It explains how to implement an IdM (Identity Manager) server, integrating Kerberos with Active Directory and Samba.

Both parts follow:

part 1: Kerberos concepts + implementation + SSH (32 pages): https://community.oracle.com/docs/DOC-1004909

part 2: Kerberos + IdM + Active Directory + Samba (44 pages): https://community.oracle.com/docs/DOC-1004910

In my opinion, Kerberos is an outstanding protocol and framework, and I hope this small contribution of mine to the community helps professionals see it from a different point of view.

Have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges and Twitter: @ale_sp_brazil)

Lecture at UnG – Introduction to Malware Analysis

Dear readers, how are you?

Yesterday (APRIL/07/2016), I spoke at UnG (Universidade de Guarulhos – Guarulhos University) about Introduction to Malware Analysis. Honestly, I had a great time with many students and teachers attending the lecture. The certificate I earned from UnG follows:

Once more, thank you to everybody from UnG for the generosity and kindness during my lecture.

I hope you have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges and Twitter: @ale_sp_brazil)

Reversing: few words about a trivial code

(this short write up can be read in pdf format: https://alexandreborgesbrazil.files.wordpress.com/2016/01/reversing_few_words_about_a_trivial-code2.pdf)

Dear readers, how are you? During my classes and presentations, it is extremely common to hear students and professionals comparing different areas inside IT security, but honestly I think it is neither possible nor meaningful to do this “mental exercise”. Yesterday, I received one message of this kind and, in the middle of the e-mail, I could read that “doubtless, hacking (pentest) is more difficult than reverse engineering and malware analysis”. I am not sure it is possible to state that. As a very easy educational example, I sent the code below (I cleaned it a bit to make it clearer) to my student and asked him two things: a) What is the equivalent C structure that the code represents? b) How does it work?

.text:004028BC mov [ebp+var_C], eax
.text:004028BF mov ecx, [ebp+var_10]
.text:004028C2 movsx edx, byte ptr [ecx]
.text:004028C5 mov [ebp+var_14], edx
.text:004028C8 mov eax, [ebp+var_14]
.text:004028CB sub eax, 64h
.text:004028CE mov [ebp+var_14], eax
.text:004028D1 cmp [ebp+var_14], 0Fh ;
.text:004028D5 ja short loc_402923 ;
.text:004028D7 mov edx, [ebp+var_14]
.text:004028DA xor ecx, ecx
.text:004028DC mov cl, ds:byte_40293E[edx]
.text:004028E2 jmp ds:off_40292A[ecx*4] ; switch jump
.text:004028E9 ; —————————————————————————
.text:004028E9 loc_4028E9:
.text:004028E9        ; CODE XREF: sub_402884+5Ej
.text:004028E9 ; DATA XREF: .text:off_40292Ao
.text:004028E9 mov eax, [ebp+var_C] ;
.text:004028EC push eax ; char *
.text:004028ED call sub_401565
.text:004028F2 add esp, 4
.text:004028F5 jmp short loc_402923
.text:004028F7 ; —————————————————————————
.text:004028F7 loc_4028F7:
.text:004028F7         ; CODE XREF: sub_402884+5Ej
.text:004028F7 ; DATA XREF: .text:off_40292Ao
.text:004028F7 mov [ebp+var_4], 1 ;
.text:004028FE jmp short loc_402923 ;
.text:00402900 ; —————————————————————————
.text:00402900 loc_402900:
.text:00402900         ; CODE XREF: sub_402884+5Ej
.text:00402900 mov ecx, [ebp+var_C] ;
.text:00402903 push ecx ; char *
.text:00402904 call sub_402813
.text:00402909 add esp, 4
.text:0040290C jmp short loc_402923 ;
.text:0040290E ; —————————————————————————
.text:0040290E loc_40290E:
.text:0040290E mov edx, [ebp+var_C] ;
.text:00402911 push edx ; char *
.text:00402912 call sub_402851
.text:00402917 add esp, 4
.text:0040291A mov eax, [ebp+arg_4]
.text:0040291D mov dword ptr [eax], 1
.text:00402923 loc_402923:
.text:00402923 mov eax, [ebp+var_4] ; jumptable 004028E2 default case
.text:00402926 mov esp, ebp
.text:00402928 pop ebp
.text:00402929 retn
.text:00402929 sub_402884 endp
.text:00402929 ; —————————————————————————
.text:0040292A        dd offset loc_4028E9 ; DATA XREF: sub_402884+5Er
.text:0040292A        dd offset loc_4028F7 ; jump table for switch statement
.text:0040292A        dd offset loc_40290E
.text:0040292A        dd offset loc_402900
.text:0040292A        dd offset loc_402923
.text:0040293E        db 0, 4, 4, 4 ; DATA XREF: sub_402884+58r
.text:0040293E        db 4, 4, 4, 4 ; indirect table for switch statement
.text:0040293E        db 4, 4, 1, 4
.text:0040293E        db 4, 4, 2, 3
.text:0040294E

As I stated previously, the code above is trivial and, in a nutshell, although this code was extracted from a piece of malware, there is only reverse engineering here. A few comments follow:

  • The represented structure is a simple “switch case” statement (it is easily identified by IDA Pro).
  • There are 16 possible cases (pay attention to the comparison at 0x004028D1: the value is compared against 0x0F and anything above it goes to the default, so the valid indexes are 0 to 15, that is, 16 cases).
  • The variable that defines the cases is var_14 (look at 0x004028D7). It is loaded into edx and acts as an index (more details below).
  • A jump table (0x0040292A) is used to represent the switch case statements.
  • Looking at the indirect table (0x0040293E), we notice that there are only five different indexes (0 to 4), so in a nutshell we have only five different statements. Therefore, the instruction mov cl, ds:byte_40293E[edx] (at 0x004028DC) translates the case value into an index into the jump table. Depending on the case value (0 to 15; remember that there are 16 possible cases in this example), the program chooses a pointer. For example, if the value is 0x0A (10), then the index into the jump table is “1” (check this by counting the values in the 0x0040293E lines). Looking at the jump table (0x0040292A), the second entry (remember, the range is from 0 to 4) is the address 0x004028F7 (dd offset loc_4028F7).
  • Thus, the “switch jump” instruction jmp ds:off_40292A[ecx*4] at address 0x004028E2 finally transfers the code flow to the address mentioned above (0x004028F7).
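To make the two-level lookup concrete, here is an added C example of mine; it is not part of the original write-up or of the analyzed malware. It reconstructs the dispatch from the listing above: sub eax, 64h subtracts 'd' (0x64) from the character read through var_10, the cmp/ja pair sends any value above 0x0F to the default, and the byte table at 0x0040293E selects one of the five jump-table slots. The case characters 'd', 'n', 'r' and 's' are derived from that arithmetic and the table; the handlers are named after the listing's addresses and the functions only report which handler would be reached, because the bodies of sub_401565, sub_402813 and sub_402851 are not on the page.

```c
#include <stdio.h>

/* Added example: reconstructs the dispatch logic of sub_402884 from the listing.
   Handler names follow the listing's addresses; the bodies of the called
   subroutines are not reproduced, only which handler is reached. */
enum handler { H_4028E9 = 0, H_4028F7 = 1, H_40290E = 2, H_402900 = 3, H_DEFAULT = 4 };

/* Indirect table at .text:0040293E, copied from the listing: 16 entries map the
   value (c - 'd') onto the 5 jump-table slots; slot 4 is the default case. */
static const unsigned char byte_40293E[16] = {
    0, 4, 4, 4,
    4, 4, 4, 4,
    4, 4, 1, 4,
    4, 4, 2, 3,
};

/* Table-driven dispatch, following the instructions one by one. */
enum handler dispatch_by_table(unsigned char c)
{
    /* movsx edx, byte ptr [ecx] ; sub eax, 64h : sign-extend the char, subtract 'd' */
    int idx = (int)(signed char)c - 0x64;
    /* cmp [ebp+var_14], 0Fh ; ja loc_402923 : unsigned compare, so negatives go to default too */
    if ((unsigned)idx > 0x0F)
        return H_DEFAULT;
    /* mov cl, byte_40293E[edx] ; jmp off_40292A[ecx*4] */
    return (enum handler)byte_40293E[idx];
}

/* The C switch the compiler most likely started from: index 0 is 'd' (0x64),
   10 is 'n' (0x6E), 14 is 'r' (0x72), 15 is 's' (0x73). */
enum handler dispatch_by_switch(char c)
{
    switch (c) {
    case 'd': return H_4028E9;   /* calls sub_401565 */
    case 'n': return H_4028F7;   /* sets var_4 = 1, which loc_402923 returns in eax */
    case 'r': return H_40290E;   /* calls sub_402851, then writes 1 through arg_4 */
    case 's': return H_402900;   /* calls sub_402813 */
    default:  return H_DEFAULT;  /* loc_402923 */
    }
}

/* Cross-check the two forms over every possible byte; returns 1 if they agree. */
int tables_agree(void)
{
    for (int c = 0; c < 256; c++)
        if (dispatch_by_table((unsigned char)c) != dispatch_by_switch((char)c))
            return 0;
    return 1;
}

int main(void)
{
    const char probes[] = "dnrsaz~";
    for (const char *p = probes; *p; p++)
        printf("'%c' -> jump table slot %d\n", *p, dispatch_by_table((unsigned char)*p));
    printf("switch and tables agree: %s\n", tables_agree() ? "yes" : "no");
    return 0;
}
```

The unsigned comparison is the detail worth noticing: because ja is used after the subtraction, a character below 'd' (or a byte with the high bit set, which movsx makes negative) wraps to a large unsigned value and lands in the default case, so the compiler needs only one compare to guard the 16-entry table.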

As I said previously, this is a very easy and basic construction, but most of the time while I am analyzing malware I see pieces of code like that. In fact, it is fair to say that malware analysis is much more difficult than a simple switch case statement. Sure, I could explain several kinds of hooking, injection, hijacking, and so on, but I chose this example to show my student that it is not possible to compare different areas before having a better knowledge of both of them (by the way: my student wasn’t able to answer the questions at the beginning of this write-up).

Personally, my life is IT Security and I have a strong preference for malware analysis, so I am available to help you when necessary. If you are interested, I will be teaching a few courses this year (more at http://alexandreborges.org/my-courses/) and I hope to see you there.

Have a nice day.

Alexandre Borges.

(LinkedIn: http://www.linkedin.com/in/aleborges and twitter: @ale_sp_brazil).

Oracle 12c Transportable Tablespace on OTN (Oracle Technology Network)

Dear readers, how are you? My article about Oracle 12c Transportable Tablespace on OTN (Oracle Technology Network) follows:

https://community.oracle.com/docs/DOC-922240

I hope you have a nice day.

Alexandre Borges.

(LinkedIn: http://www.linkedin.com/in/aleborges and Twitter: @ale_sp_brazil)

Speaking about IT Security at UNISA

Dear readers, what have you been doing? Continuing my project of talking about IT Security in universities, the certificate I earned for my talk at UNISA follows below:

Once more, I am available to talk about IT Security (Hacking, Malware Detection, Malware Analysis, Digital Forensics and Software Exploitation) at universities and companies without charging any fee. If you are interested, send me an e-mail at alexandreborges [at] alexandreborges [dot] org.

I hope you have a nice week.

Alexandre Borges.

(LinkedIn: http://www.linkedin.com/in/aleborges and Twitter: @ale_sp_brazil).

Speaking about security aspects in the Software Engineering at PUC University

Dear readers, how are you? A few weeks ago, I spoke about “Security Aspects in the Software Engineering” to excellent postgraduate students from the Software Engineering course at PUC (Pontifícia Universidade Católica) University in Sao Paulo. My certificate follows:

I keep my mission, which is to talk about modern security topics at universities and companies without charging anything. If you are interested, send me an e-mail: alexandreborges [at] alexandreborges [dot] org.

Have a nice day.

Alexandre Borges.

(LinkedIn: http://www.linkedin.com/in/aleborges and Twitter: @ale_sp_brazil)

Speaking at Security Congress Latin America 2015

Dear friends, how are you? Today I spoke about Memory Forensic Analysis at the Security Congress Latin America 2015 (#isc2congresslatam). Fortunately, I had a great audience attending my talk:

This year, I have been focusing on speaking about malware detection using Memory Analysis. Next year, I will focus on a harder topic: Malware Analysis. Most people believe that it is an accessible topic. They are wrong. Certainly, it is the most difficult and brutal topic in the IT Security area. Stay tuned!

I hope you have a nice day.

Alexandre Borges.

(LinkedIn: http://www.linkedin.com/in/aleborges and twitter: @ale_sp_brazil).

Administering Oracle Linux 7: Part 3 – The systemd journal

Dear readers, how are you? The third part of my series about Oracle Linux 7 on GPO (Oracle Professional Group) follows:

http://www.profissionaloracle.com.br/gpo/artigo/sistema-operacional/528-administering-oracle-linux-7-part-3-the-systemd-journal

I hope you enjoy it. Have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges and Twitter: @ale_sp_brazil)

Administering Oracle Linux 7: Part 2 – Network Management

Dear readers, I hope you are fine! My second article (always in English, of course) about Oracle Linux 7 on GPO (Oracle Professional Group) follows:

http://www.profissionaloracle.com.br/gpo/artigo/sistema-operacional/526-administering-oracle-linux-7-part-2-network-management

Personally, I recommend subscribing to the GPO mailing list because there are many articles from excellent authors. More information at: http://www.profissionaloracle.com.br/gpo/ (this is a Portuguese website).

Have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges and Twitter: @ale_sp_brazil)

Administering Oracle Linux 7: Part 1—Service Management

Hello readers, how are you? This week I became an author on GPO (Grupo de Profissionais Oracle, in Portuguese) / OPG (Oracle Professional Group) site, where I’ll be publishing some articles about Oracle technologies. The first one (in English) about Oracle Linux 7 was published today:

http://www.profissionaloracle.com.br/gpo/artigo/sistema-operacional/525-administering-oracle-linux-7-part-1-service-management

I hope you enjoy the article.

Have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges — Twitter: @ale_sp_brazil)

Hacker to Hackers Conference (H2HC) University 2015

Dear readers, how are you? Yesterday (OCT/24/2015), I spoke about “Memory and Malware Analysis” at the Hacker to Hackers Conference (H2HC) University in Sao Paulo. All attendees were great; they interacted a lot and asked very interesting questions. Links for H2HC University follow:

https://www.h2hc.com.br/university/

https://www.h2hc.com.br/h2hc/pt/agenda

I would like to thank Rodrigo Branco and Filipe Balestra for the invitation to speak at the biggest hacker conference in Latin America.

Additionally, and in particular, I would like to thank my friend Cleiton Alves for his help the whole time. Sincerely, thank you so much.

Have a nice day.

Alexandre Borges.

(Linkedin: http://www.linkedin.com/in/aleborges)

Introduction to Malware Detection at BandTec

Dear readers, how are you? Yesterday night (OCT/24/2015), I spoke about “Introduction to Malware Detection” to students at the VI TechWeek at Faculdade de Tecnologia Bandeirantes (BandTec) in Sao Paulo:

I want to thank the teachers Carlos Gimenes, Bianka Gonçalves and Sandro Melo for giving me the opportunity to talk to their students.

Honestly, I hope I have contributed to improving the students’ knowledge.

Have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges)

Windows Malware and Memory Forensic Training with Volatility Developers

Hello readers, how are you? This week I am attending the Windows Malware and Memory Forensics Training with the Volatility developers (Michael Ligh, Jamie Levy and Andrew Case) in Reston (Virginia – USA). There is only one way to summarize the course: PERFECT! It is extremely organized and includes theory and many practical exercises. Furthermore, all explanations are clear, concise and very informative. Another bonus is that all exercises come with well-explained answers.

Is that all? No, it is not. The Volatility developers know everything about Windows Internals, Malware and Digital Forensics. Personally, Michael Ligh is one of the two most impressive and smartest guys I know (the other one is Michael Sikorski) and Jamie Levy is, certainly, the most intelligent girl (by far). Furthermore, Michael and Jamie are very humble, polite and lovely human beings. Certainly, it is only possible to say good words about them.

Some pictures follow below:

Figure 1:
Michael Ligh (one of the two most outstanding and intelligent professionals that I have ever met in my life) and I

Figure 2: Jamie Levy (the most intelligent girl in the world and a very lovely person) and I

Figure 3: Andrew Case and I during a happy hour

Honestly, I am having a perfect course during a perfect week.

I hope you have a nice day.

Alexandre Borges.

(LinkedIn: http://www.linkedin.com/in/aleborges)

Meeting Michael Sikorski in NYC (SEP/2015)

Dear readers, how are you? Today I had an amazing and unforgettable day having lunch with Michael Sikorski in NYC. For people who do not know Michael, he is the author of the Practical Malware Analysis book and director of FLARE (FireEye Labs Advanced Reverse Engineering) at FireEye. Certainly I can tell you that Michael is very polite, friendly, an extremely humble person and so different from other professionals I know who do not have (even close) the same knowledge. There are not enough good words to praise Michael. A picture with Michael in a restaurant follows below:

I’ve been learning from top minds such as Michael Sikorski so that I am able to share the knowledge. Honestly, I hope I am successful.

In this world, we meet few relevant and remarkable people. Michael is one of them.

Have a nice day.

Alexandre Borges.

(LinkedIn: http://www.linkedin.com/in/aleborges)

DerbyCon 2015 – first update

Dear readers, how are you? This is a quick post about the fantastic DerbyCon 2015 in Louisville / Kentucky (USA). I have attended the outstanding Corelan Advanced Software Exploitation course with Peter Van Eeckhoutte (corelanc0d3r). Some draft pictures follow below:

Figure 1: Peter van Eeckhoutte (Corelan) and I in DerbyCon 2015

Figure 2: DerbyCon 2015 flag

Figure 3: DerbyCon 2015 badge

Figure 4: HD Moore (Metasploit creator) and I in DerbyCon 2015

Have a nice day and soon I’ll post news about DerbyCon 2015

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges)

Speaking at “FATEC Baixada Santista”

Dear readers, how are you? Yesterday I spoke about “IT Security: challenges and best practices” at Fatec Baixada Santista (Santos/SP). Honestly, I enjoyed every minute there helping all the students understand a bit more about security. Furthermore, I would like to thank teachers Eliana Rodrigues, Rosana Cammarosano and Marco Simões. The certificate I earned follows below. Certainly, I am glad and very proud of it:

If you want me to speak at your university or company about Malware, Forensic Analysis, Software Exploitation, Hacking and Memory Forensic Analysis, send me an e-mail at alexandreborges [at] alexandreborges [dot] com. It is pro-bono (volunteer) work.

I hope you have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges)

Speaking about Hacking, Malware and Career at FATEC

Dear readers, what have you been doing? I am speaking about Information Security on SEP/12 at FATEC Rubens Lara, in Santos/SP. Honestly, I am honored by the opportunity to help and encourage students to pursue this interesting area. The topics I am speaking about are:

  • Hacking Attacks
  • Malwares and Best Practices
  • Certification and Career

I want to thank teachers Marco Simões, Eliana Rodrigues and Rosemeire Vidal for the invitation.

Have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges)

MindTheSec 2015 Forum Brazil – GPU Malware presentation

Dear readers, how are you? The slides of my short presentation at the MindTheSec 2015 Forum Brazil (http://mindthesec.com.br/alexandre-borges) about GPU Malware follow:

https://alexandreborgesbrazil.files.wordpress.com/2015/09/2015-mindthesec-alexandre_borges1.pdf

Enjoy it!

I hope you have a nice day and feel free to comment about the slides.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges)

Windows: Dispatching and Scheduling (a short explanation)

Last week a student asked about the exact difference between Dispatching and Scheduling on Windows systems. Of course, this is a long topic to talk and write about, especially when time is very tight, but I will try to summarize it below.

Fundamentally, Dispatching is the process (or action) of switching from the executing thread to another one, while Scheduling is the action of determining the next thread to be executed on the processor. Additionally, there are typical main states for a thread such as Waiting (blocked, waiting for a related event to occur), Running (the thread is active and running on a CPU) and Ready (the thread is eligible to run, but it needs to be selected by the OS to do so). A thread can be in the Waiting state because of a system call (such as an execution of KeWaitForSingleObject() by a device driver) and its state is tracked by the KTHREAD structure (which is embedded inside the ETHREAD structure and holds information about the thread stack, system calls, scheduling, priorities, and so on). A thread can also be in the Running state, which is recorded by the KPCR (Kernel Processor Control Region) structure (it can be accessed by functions such as KeGetCurrentThread() and PsGetCurrentProcess()) that holds information about the CPU (if the system has many CPUs, there are many KPCRs and each one holds the information of its CPU, shared by the HAL and the kernel). During a dispatch, the kernel saves the entire context of the current thread and then executes either KiSwapThread() or KiSwitchToThread() to load the context of the new thread.

How does the kernel choose the next thread to be activated and run? It uses the Scheduling feature to pick the next thread to run based on its priority, given by the Priority field (it can be changed by KeSetPriorityThread(), for example) from the KPROCESS structure, and it respects the BasePriority attribute (the value can be changed by using KeSetBasePriorityThread()), which is the minimum value of the Priority attribute. About priorities, there are two valid ranges: “Dynamic Priority” (from 1 to 15) and “Real Time” (from 16 to 31). The OS varies a thread’s priority within the former range, but it does not vary a thread’s priority in the latter one. Therefore, a real-time thread can cause CPU starvation.

The Dynamic Priority value can be changed by the operating system on events such as quantum exhaustion (the thread used up its time slice), not running (threads that have not been running get a priority boost so that they have a chance to run), I/O completion (a driver has finished its I/O job and the related thread needs a chance to return to the CPU) and the KeSetEvent function, which helps by boosting the priority of the related thread so that it can run on the CPU.
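The priority rules in the three paragraphs above can be watched working in the following added C model. It was written for this post and is a simulation, not Windows kernel code: the ranges follow the text (dynamic 1 to 15, real time 16 to 31), while the names, the one-step decay at quantum end and the one-step boost for threads that did not run are my own simplifications. The model picks the highest-priority Ready thread, decays a dynamic thread toward its BasePriority when its quantum ends, boosts the threads that did not run (capped at 15) and never touches a real-time priority, which is exactly why the real-time thread in the second scenario starves the dynamic ones.

```c
#include <stdio.h>

/* Added example: a toy model of the priority rules described in the text. It is a
   simulation written for this post, not Windows kernel code; the ranges follow the
   text (dynamic 1..15, real-time 16..31), the boost/decay amounts are illustrative. */
#define DYN_MAX 15
#define RT_MIN  16

struct thread {
    const char *name;
    int base_priority;  /* BasePriority: the floor a dynamic thread decays back to */
    int priority;       /* Priority: the value the scheduler compares */
    int ready;          /* 1 = Ready, 0 = Waiting */
    int runs;           /* quanta received during the simulation */
};

static int is_realtime(const struct thread *t) { return t->base_priority >= RT_MIN; }

/* Scheduling: choose the highest-priority Ready thread (earlier index wins ties). */
int pick_next(const struct thread *ts, int n)
{
    int best = -1;
    for (int i = 0; i < n; i++) {
        if (!ts[i].ready) continue;
        if (best < 0 || ts[i].priority > ts[best].priority) best = i;
    }
    return best;
}

/* Quantum exhaustion: a dynamic thread decays one step toward its base priority;
   a real-time thread's priority is never changed by the scheduler. */
void on_quantum_end(struct thread *t)
{
    if (!is_realtime(t) && t->priority > t->base_priority) t->priority--;
}

/* Boost (not running, I/O completion, KeSetEvent): dynamic threads rise, capped at
   15; real-time threads are left alone. */
void boost(struct thread *t, int amount)
{
    if (is_realtime(t)) return;
    t->priority += amount;
    if (t->priority > DYN_MAX) t->priority = DYN_MAX;
}

/* Dispatch `quanta` times. After each quantum the Ready threads that did not run get
   a one-step boost. Returns how many distinct threads ran at least once. */
int simulate(struct thread *ts, int n, int quanta)
{
    for (int q = 0; q < quanta; q++) {
        int cur = pick_next(ts, n);
        if (cur < 0) break;                 /* nothing Ready: the idle thread would run */
        ts[cur].runs++;
        on_quantum_end(&ts[cur]);
        for (int i = 0; i < n; i++)
            if (i != cur && ts[i].ready) boost(&ts[i], 1);
    }
    int ran = 0;
    for (int i = 0; i < n; i++) if (ts[i].runs > 0) ran++;
    return ran;
}

/* Three dynamic threads: the low-priority one is eventually boosted enough to run. */
int dynamic_only_scenario(void)
{
    struct thread ts[] = {
        { "A", 8, 8, 1, 0 }, { "B", 8, 8, 1, 0 }, { "C", 4, 4, 1, 0 },
    };
    return simulate(ts, 3, 20);
}

/* Two dynamic threads plus one real-time thread at 24: the dynamic threads saturate
   at 15 and never win, which is the starvation the text warns about. */
int realtime_scenario(void)
{
    struct thread ts[] = {
        { "RT", 24, 24, 1, 0 }, { "A", 8, 8, 1, 0 }, { "B", 8, 8, 1, 0 },
    };
    return simulate(ts, 3, 20);
}

int main(void)
{
    printf("dynamic only: %d of 3 threads ran\n", dynamic_only_scenario());
    printf("with a real-time thread: %d of 3 threads ran\n", realtime_scenario());
    return 0;
}
```

The first scenario needs only a handful of quanta before thread C, boosted one step per round, overtakes the two threads sitting at their base priority of 8; in the second scenario the cap at 15 means the boosts can never lift A or B above the real-time thread, so pick_next returns it every time.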

Changing to a practical approach, examine the following WinDbg output (the relevant values were highlighted in color in the original post):

lkd> !thread

THREAD fffff80002e58cc0 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap fffff8a000008aa0
Owning Process fffff80002e59180 Image: Idle
Attached Process fffffa800a2e6b10 Image: System
Wait Start TickCount 430911 Ticks: 9 (0:00:00:00.140)
Context Switch Count 8568683
UserTime 00:00:00.000
KernelTime 01:45:09.008
Win32 Start Address nt!KiIdleLoop (0xfffff80002cc3570)
Stack Init fffff8000410adb0 Current fffff8000410ad40
Base fffff8000410b000 Limit fffff80004105000 Call 0
Priority 16 BasePriority 0 UnusualBoost 0 ForegroundBoost 0 IoPriority 0 PagePriority 0
Unable to get context for thread running on processor 0, HRESULT 0x80004001

lkd> !pcr

KPCR for Processor 0 at fffff80002e4ad00:

Major 1 Minor 1

    NtTib.ExceptionList: fffff80004103000
     NtTib.StackBase: fffff80004104080
     NtTib.StackLimit: 000000000020e448
     NtTib.SubSystemTib: fffff80002e4ad00
     NtTib.Version: 0000000002e4ae80
     NtTib.UserPointer: fffff80002e4b4f0
     NtTib.SelfTib: 000007fffff82000
     SelfPcr: 0000000000000000
     Prcb: fffff80002e4ae80
     Irql: 0000000000000000
     IRR: 0000000000000000
     IDR: 0000000000000000
     InterruptMode: 0000000000000000
     IDT: 0000000000000000
     GDT: 0000000000000000
     TSS: 0000000000000000
     CurrentThread: fffff80002e58cc0
     NextThread: 0000000000000000
     IdleThread: fffff80002e58cc0
     DpcQueue:

lkd> !ready

Processor 0: No threads in READY state
Processor 1: No threads in READY state
Processor 2: No threads in READY state
Processor 3: No threads in READY state
Processor 4: No threads in READY state
Processor 5: No threads in READY state
Processor 6: No threads in READY state
Processor 7: No threads in READY state

My system is completely idle, but you can see the CurrentThread, NextThread (none) and IdleThread values in the output above. Unfortunately, WinDbg shows only part of the PCR contents when using the !pcr command.

I know that this is a basic explanation (without digging into excessive details), but it can help when you are studying and learning the internal structures of Windows.

Have a nice day.

Alexandre Borges

(LinkedIn: www.linkedin.com/in/aleborges)

Pivoting in Metasploit – Part 9 (Portuguese)

Hello people, what have you been up to? My new column in Linux Magazine Brazil follows. This time I explain Metasploit pivoting:

http://tinyurl.com/l6dw63b

If you want to know more about this series of articles, I suggest reading this previous post:

http://alexandreborges.org/2014/02/24/linux-magazine-brazil-column-portuguese-language/

Have a nice day.

Alexandre Borges.

Metasploit (part 1 to 8) – Columns on Linux Magazine (portuguese language)

Hello everybody, how are you? The newest column (in Portuguese) on Linux Magazine Brazil about Metasploit follows:

http://tinyurl.com/q6r7h27

Please remember: there are other parts of this simple tutorial:

(part 1): http://tinyurl.com/qzpzwdo

(part 2): http://tinyurl.com/l5hvpk5

(part 3): http://tinyurl.com/ko7cydf

(part 4): http://tinyurl.com/mhjnsrk

(part 5): http://tinyurl.com/mw98gu7

(part 6): http://tinyurl.com/mksjk5a

(part 7): http://tinyurl.com/lqhnssd

Have a nice day.

Alexandre Borges