Activities:

  1. Info - identify the packaging/framework of the app.

    a) CFF Explorer

    b) Detect It Easy (DIE)

        identified -> Library: Electron package
    
    
  2. sigcheck (Authenticode signature verification)

        sigcheck.exe -a -i "C:\Program Files\test.exe"

         (`-a` shows extended version info, `-i` the signing chain; `-d` only dumps a catalog file, so it is not the right switch here)

         check the `Verified:` line of the output: `Signed` (then review the publisher and chain) or `Unsigned`. An unsigned binary is a finding in itself.
    
    
  3. String check (extracting strings for sensitive info)

       strings.exe -n 8 "C:\Program Files\test.exe" > strings.txt

       (`-n 8` drops runs shorter than 8 characters; review the output for credentials, connection strings, URLs and internal paths)
    
  4. Memory analysis:

    Look for usernames, passwords, connection strings and hard-coded database credentials that the process holds in memory (best done right after a login).

    a. Process Hacker:

       Extract the strings of the running process from memory (right-click the process -> Properties -> Memory -> Strings) and filter for keywords such as `password`
    

    b. WinHex

      - Create a memory dump file (.dmp) for the process in Task Manager (right-click the process -> Create dump file)
      - Open the dump in WinHex and search it for the same keywords
    
  5. Process monitoring

    a. Process Monitor (procmon)
    
     Filter on the target process and analyse its registry and file-system activity to identify weaknesses such as insecure file or registry permissions and improper handling of sensitive data (e.g. credentials written to log or config files that other users can read).
    
         Insecure logs found this way:
    
             C:\Users\<user>\AppData\Roaming\test\log\log1.json
    
  6. Sensitive data stored in the registry

     a. using Regshot
    
        - take the `1st shot`
    
        - perform an action in the app, e.g. log in
    
        - take the `2nd shot`, then click `Compare` in Regshot
    
        - analyse the generated HTML report for values added or changed under the app's keys
    
      b. regedit
    
            manually check the app's keys (typically HKCU\Software\<vendor> and HKLM\SOFTWARE\<vendor>) for sensitive values
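The Regshot workflow above is a snapshot diff followed by a manual read of the report. The script below is an added example written for this checklist (it is not Regshot's code or output format): it performs the same before/after comparison on two registry snapshots and then filters the diff for values that look like credentials, either by value name or by the shape of the data. A snapshot here is a plain dict of `HIVE\Key\ValueName` to stored data; on Windows it would be collected with the standard-library `winreg` module (an assumption, and left out so the example runs anywhere). Both snapshots are constructed to mimic a login in the `Test` app.

```python
"""Before/after registry comparison in the style of Regshot's
'1st shot / 2nd shot / Compare', with the diff filtered for credentials.

Added example for step 6 of this checklist; not Regshot's own code. A
snapshot is a dict mapping 'HIVE\\Key\\ValueName' to the stored data. On
Windows the snapshots would be taken with winreg (assumption; acquisition
is left out so this runs anywhere). BEFORE/AFTER are constructed."""
import re

# Constructed: state of HKCU\Software\Test before and after a login.
BEFORE = {
    r"HKCU\Software\Test\Settings\Theme": "dark",
    r"HKCU\Software\Test\Settings\LastUser": "",
    r"HKCU\Software\Test\Settings\AutoUpdate": 1,
    r"HKCU\Software\Test\Session\Token": "",
}
AFTER = {
    r"HKCU\Software\Test\Settings\Theme": "dark",
    r"HKCU\Software\Test\Settings\LastUser": "sahad",
    r"HKCU\Software\Test\Settings\AutoUpdate": 1,
    r"HKCU\Software\Test\Session\Token":
        "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzYWhhZCJ9.c2lnbmF0dXJl",
    r"HKCU\Software\Test\Session\Password": "Winter2024!",
    r"HKCU\Software\Test\Session\LoginCount": 1,
    r"HKCU\Software\Test\Session\Data": "YWRtaW46V2ludGVyMjAyNCE=",
}

# Value names that usually carry secrets, and data shapes (JWT, base64 blob,
# long hex) that look like a secret even under an innocuous name.
SENSITIVE_NAME = re.compile(
    r"pass(word|wd)?|pwd|secret|token|api[_-]?key|credential|cookie", re.I)
LOOKS_LIKE_SECRET = re.compile(
    r"^(eyJ[\w-]+\.[\w-]+\.[\w-]+|[A-Za-z0-9+/]{20,}={0,2}|[0-9a-f]{32,})$")


def diff_snapshots(before: dict, after: dict):
    """Return (added, removed, changed); changed maps path -> (old, new)."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k])
               for k in before.keys() & after.keys() if before[k] != after[k]}
    return added, removed, changed


def sensitive_changes(before: dict, after: dict) -> dict:
    """Values written or modified by the action that look like credentials."""
    added, _removed, changed = diff_snapshots(before, after)
    candidates = list(added.items()) + [(k, v[1]) for k, v in changed.items()]
    hits = {}
    for path, data in candidates:
        value_name = path.rsplit("\\", 1)[-1]
        if data in ("", None):
            continue  # the value was cleared, not populated
        if SENSITIVE_NAME.search(value_name):
            hits[path] = data
        elif isinstance(data, str) and LOOKS_LIKE_SECRET.match(data):
            hits[path] = data
    return hits


if __name__ == "__main__":
    for path, data in sensitive_changes(BEFORE, AFTER).items():
        print(f"{path} = {data!r}")
```

The name-based rule catches `Token` and `Password`; the shape-based rule is what catches the base64 blob under the neutral name `Data`, which is exactly the kind of value that is easy to skip when reading a Regshot report by eye.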
    

7. Check the app's file storage for sensitive info:

       cache, logs, SQLite databases, etc.

       >dir /s *bape*   (find files by name; substitute the app's name)

    Main dirs:

       C:\Program Files\Test

       C:\Users\<username>\AppData\Roaming\Test

       C:\ProgramData\Test

  Files:
   -----
      - C:\Program Files\Test\resources\TestUpdateTask.xml

      - C:\Users\sahad\AppData\Roaming\Test\Network

  Sensitive info:

       C:\ProgramData\Test\app-config.json
  8. App decompilation / reverse engineering:
a. Decompiling an Electron app
   
   Electron apps ship their JavaScript in `resources/app.asar`; the details of unpacking it are given in the following link:
    
           [**Decompiling Electron App**](https://sahadmk.notion.site/Decompiling-an-Electron-App-5df283463ef74448ad4f7c338de99099)
                      
b. Find URLs in the source code (either form; `--color=always` was dropped because it writes ANSI escape codes into the file, and `-h` suppresses the file-name prefix):

    find . -type f -exec grep -ohE 'https?://[^"]*' {} + | sort -u > urls.txt
        
    grep -rhoE 'https?://[^[:space:]]+' . | sort -u > urls.txt
    
c. Code scan with Bearer (SAST)

           ./bin/bearer scan <source_code_dir>

           ./bin/bearer scan '/home/we45/Desktop/thixk client/bs_client'
  9. Binary analysis
Search the disassembled code for sensitive information such as hard-coded credentials, API keys, API endpoints, comments and hidden functions.

a. x64dbg
- To search for strings, right-click anywhere in the disassembly (CPU tab):
-> Search for -> All Modules -> String references
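Steps 3, 4, 8b and 9 all come down to pulling printable strings out of a binary artefact (a .exe, a Task Manager .dmp, the unpacked .asar) and reading them for credentials, connection strings, API keys and URLs. The script below is an added example for this checklist, not a tool from the page: it extracts both ASCII and UTF-16LE strings (the latter is how Windows and .NET binaries usually store text, and what `strings.exe` also reports) and flags the interesting ones with a few regexes. The minimum length and the patterns are heuristics chosen here, and the sample blob is constructed.

```python
"""Extract printable strings from a binary blob and flag the ones that look
like secrets.

Added example for this checklist, not a tool from the original page: it does
offline what steps 3 (strings.exe), 4 (Process Hacker / WinHex memory
strings), 8b (URL grep over the decompiled source) and 9 (x64dbg string
references) do by hand. Thresholds and regexes are heuristics chosen here;
SAMPLE_BLOB is constructed."""
import re
import sys
from typing import Iterator

MIN_LEN = 8  # like `strings -n 8`: drop short, noisy runs

# A run of printable ASCII, and a run of UTF-16LE (printable byte + NUL).
_ASCII = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# What to flag; the dict order is the order of the report.
SENSITIVE = {
    "url": re.compile(r"""https?://[^\s"'<>]+""", re.I),
    "connection_string": re.compile(
        r"(Server|Data Source|Host)=[^;]+;.*?(Password|Pwd)=[^;]+", re.I),
    "credential": re.compile(
        r"(password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*\S+", re.I),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}

# Constructed stand-in for a binary: DOS stub text, an ASCII connection
# string, two UTF-16LE strings and one run too short to report.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\x00"
    + b"Server=db01.internal;Database=prod;User Id=sa;Password=Winter2024!\x00"
    + b"\x00" * 8
    + "https://api.test-app.example/v1/login".encode("utf-16-le") + b"\x00\x00"
    + "api_key=sk_test_0123456789abcdef".encode("utf-16-le") + b"\x00\x00"
    + b"short\x00"
)


def extract_strings(blob: bytes) -> Iterator[str]:
    """Yield ASCII strings in file order, then UTF-16LE strings."""
    for m in _ASCII.finditer(blob):
        yield m.group().decode("ascii")
    for m in _UTF16.finditer(blob):
        yield m.group().decode("utf-16-le")


def find_sensitive(blob: bytes) -> dict:
    """Map each category to the unique matching substrings, in order found."""
    hits = {cat: [] for cat in SENSITIVE}
    for s in extract_strings(blob):
        for cat, rx in SENSITIVE.items():
            for m in rx.finditer(s):
                if m.group() not in hits[cat]:
                    hits[cat].append(m.group())
    return hits


if __name__ == "__main__":
    # Usage: python strings_triage.py <file>   (defaults to the sample blob)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for cat, found in find_sensitive(data).items():
        for item in found:
            print(f"[{cat}] {item}")
```

Run it against `strings.txt`'s source binary, the .dmp from step 4 or the unpacked Electron source tree; the UTF-16LE pass is the part an ASCII-only `grep` misses, and the connection-string pattern reports the whole string so the host and database come out with the password.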
  10. DLL hijacking
 Tools: ImpulsiveDllHijack, procmon.exe

Steps: 
  
i) Identify missing DLLs with procmon.exe

            use filters: Process Name contains 'app_name'
                         Path ends with '.dll'
                         Result contains 'NOT FOUND'
   Run the application and analyse the results for the missing DLL names. A DLL that is probed in the application directory and then found elsewhere (e.g. System32) is a search-order hijack candidate; one that is never found anywhere is a phantom DLL.

ii) Create a malicious DLL (e.g. one that launches calc) and rename it to the missing DLL name found in the previous step

iii) Place the DLL in the directory where the app looked for it (the application directory here)

iv) Run the app/process and confirm the payload executes.

   Caveat: this crosses a security boundary only if a lower-privileged user can write to that directory while the process runs as another user or with higher privileges (e.g. as SYSTEM, or via an elevated updater). Check the directory ACL with `icacls` before reporting.

DLL hijacking on Test.exe:

C:\Program Files\Test\Secur32.dll is missing
Rename calc.dll to Secur32.dll
Place this file into the path 'C:\Program Files\Test\'

  ImpulsiveDLLHijack.exe -path "C:\Program Files\Test\Test.exe"
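Procmon can export the filtered trace as CSV, and triaging that export is usually faster than scrolling the live view. The script below is an added example for step 10 (not part of the page, and not ImpulsiveDLLHijack code): it re-applies the filter from step i) offline and then classifies each missing DLL as a search-order hijack (probed and missing in the app directory, later loaded from somewhere else) or a phantom DLL (never found anywhere). The column names are those of Procmon's default CSV export; the rows are constructed around the `Test.exe` / `Secur32.dll` case above, plus a hypothetical `TestHelper.dll`.

```python
"""Triage a Process Monitor CSV export for DLL hijacking candidates.

Added example for step 10 of this checklist; not part of the page and not
ImpulsiveDLLHijack code. Applies the same filter as above (process name,
path ending in .dll, result containing NOT FOUND) and sorts each missing DLL
into:
  * search-order: missing in the app directory, later loaded from elsewhere
    (typically System32); a copy in the app directory would load instead.
  * phantom: never found anywhere; a copy in any probed directory loads.
Column names follow Procmon's default CSV export (File > Save, CSV); open a
real export with encoding='utf-8-sig' to drop the BOM. Rows are constructed."""
import csv
import io
import ntpath

SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","Test.exe","4120","CreateFile","C:\Program Files\Test\Secur32.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.1234999 AM","Test.exe","4120","CreateFile","C:\Windows\System32\Secur32.dll","SUCCESS","Desired Access: Read Data/List Directory"
"10:01:02.1240000 AM","Test.exe","4120","Load Image","C:\Windows\System32\Secur32.dll","SUCCESS","Image Base: 0x7ffb12340000"
"10:01:02.1250000 AM","Test.exe","4120","CreateFile","C:\Program Files\Test\TestHelper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.1260000 AM","Test.exe","4120","CreateFile","C:\Program Files\Test\config.json","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:02.1270000 AM","explorer.exe","1500","CreateFile","C:\Users\sahad\AppData\Local\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''


def triage(csv_text: str, process_name: str) -> list:
    """One record per missing DLL of `process_name`, in first-seen order."""
    missing = {}   # dll name (lower) -> record; dicts keep insertion order
    resolved = {}  # dll name (lower) -> first path where it loaded fine
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        if row["Process Name"].lower() != process_name.lower():
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        name = ntpath.basename(path).lower()
        if "NOT FOUND" in row["Result"].upper():
            rec = missing.setdefault(name, {"name": name, "probed_missing": [],
                                            "resolved_to": None, "kind": "phantom"})
            if path not in rec["probed_missing"]:
                rec["probed_missing"].append(path)
        elif row["Result"] == "SUCCESS" and row["Operation"] in ("CreateFile", "Load Image"):
            resolved.setdefault(name, path)
    for name, rec in missing.items():
        if name in resolved:
            rec["resolved_to"] = resolved[name]
            rec["kind"] = "search-order"
    return list(missing.values())


if __name__ == "__main__":
    for rec in triage(SAMPLE_CSV, "Test.exe"):
        print(f'{rec["kind"]:12} {rec["name"]}  probed: {rec["probed_missing"]}  '
              f'loaded from: {rec["resolved_to"]}')
```

Two things the script cannot tell you: DLLs on the KnownDLLs list are mapped from the `\KnownDlls` section and are never probed in the application directory, so they will not appear here at all; and a listed candidate is only exploitable if you can write to one of the `probed_missing` directories while the process runs with privileges you do not already have.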

  11. Intercepting traffic
  - View traffic through HTTP Toolkit (free version)

  - Fiddler chained to Burp Suite (set Fiddler's 'Gateway' option to use Burp as its upstream proxy, so Fiddler captures the thick client's traffic and forwards it to Burp)
    
    a. Burp vulnerability scanning:
           
            run active scans on the captured API requests
  12. Checking for clear-text transmission with Wireshark
> look for credentials in plain text in the packet list (the 'Info' column) and in the packet bytes

   Edit -> Find Packet -> String -> search for e.g. `password` (or apply the display filter `frame contains "password"`)

Reference: