Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
360 topics in this forum
-
Live Malware Samples...
by Teddy Rogers- 1 follower
- 18 replies
- 26k views
Thought I would start a topic with a list of places to find malware samples. Feel free to post other sources if you have any... and remember live samples will be harmful to your computer, so if you don't know what you're doing and/or how to work with malware, don't read any further for the sake of your own sanity...
Malware Domain List: http://www.malwaredomainlist.com/mdl.php
Malware Blacklist: http://www.malwareblacklist.com/showMDL.php
Ted.
-
Pass Debugger Check in VMprotect 2.x
by mojtaba- 1 follower
- 86 replies
- 9.4k views
I'm dealing with an app which is protected with VMProtect 2.x (checked by DIE). I checked some Windows APIs like: CheckRemoteDebuggerPresent(), IsDebuggerPresent()... and used some OllyDbg plugins like: Olly Advanced, Hide Debugger, StrongOD. But it still gets this error: Here is my log data: log-MyApp.txt. What should I do to pass this error and open the app in a debugger?
-
Which Virtual Machine Software do you prefer?
by deepzero- 1 follower
- 61 replies
- 34.3k views
Hi, I have been using Microsoft VirtualPC for years now. Which Virtualization Software do you prefer?
-
Shellcode+SYSENTER = CALC (SP3)
by JMC31337- 58 replies
- 23.5k views
#include <windows.h>
//DEV-C++
//link with -masm=intel
asm(".intel_syntax noprefix");
static long csx;
static char* test;
int main(void) {
    asm("pop ebp");
    asm("pop ebp");
    asm("pop ebp");
    //asm("push 0x11111111");
    //asm("push 0xEEEEEEEE");
    //asm("push 0xAAAAAAAA");
    //asm("push 0xCCCCCCCC");
    //char *test = "\x31\xC9\x51\x68"
    //"\x63\x61\x6C\x63"
    //"\x54\xB8\xC7\x93"
    //"\xC2\x77\xFF\xD0";
    asm("push 0xD0FF77C2");
    asm("push 0x93C7B854");
    asm("push 0x636C6163");
    asm("push 0x6851C931");
    asm("push 0x004012E6");
    asm("mov ebp,0x33333333");
    asm("mov edx, esp");
    asm("SYSENTER");
    asm("push 0");
    asm("call _ExitProcess@4");
    asm("call esp");
    return 0; …
-
This is what I could find and rar up: 2 tmp files, 1 exe that is really a dll, 1 lnk file, 1 lnk file (suckme), 1 sys file, 1 dll file (suckme). vidnux.com, offensivecomputing, 4shared. It may still yet be incomplete.. so if it is.. lemme know.. there are 2 sys files yet I could only find 1... sites are listed that I found parts of this worm at... rar passwd: infected StuxNet.rar
-
(Help Request) .Net Protector Identification
by madskillz- 25 replies
- 21.3k views
Hi, I tried DIE, PEiD, Protection ID, RDG, but cannot detect the protector. de4dot detected it as DeepSea, but deobfuscation was not done. File attached: FoxUserTools.zip. File can be malware, etc., please use a VM and protection. Need packer identification and unpack help. Regards
-
Reversing malware questions
by Downloading...- 23 replies
- 10.1k views
Hey there, I managed to get a sample of a "Ransomware" type of virus, which just locked the computer until one paid and put in a code to unlock it (which I doubt would actually unlock it). Anyhow, I grabbed the virus.exe and it's getting detected by 22/40 AVs. I looked at it with PEiD which couldn't find anything, I assume the file is most likely packed. I also ran a strings command on it, nothing came out (except an assembly XML file, so even more chance it's packed). Then I disassembled it with IDA (all this in Linux since it's risky :3 ). Here is a list of the imports: 10004000 RegOpenKeyExW ADVAPI32 10004008 GetSaveFileNameW …
-
WannaCrypt, WannaCry, WanaCrypt0r, WCrypt...
by Teddy Rogers- 18 replies
- 10.9k views
If you're not sick and tired of hearing/reading about it yet and you are still interested in studying WannaCrypt, you can find information and samples at the following links...
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
Samples: https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168#malware-samples
Ted.
-
need help to unpack .NET malware
by gundamfj- 17 replies
- 9.3k views
I have this malware (possibly a Locky variant), which is packed by an unknown packer (de4dot -d). It looks like it's packed by a customized ConfuserEx, but I am not 100% sure (newbie). I have tried using tools like NoFuserEx, de4dot, UnconfuserEx, without any luck. I have this idea: maybe I could pause on some memory management API, e.g. VirtualAlloc, and monitor the size of the memory region it allocates. If the memory region is large enough to hold the malware's actual payload, keep an eye on it, and maybe I could finally get the payload. So is there any .NET debugger allowing me to pause on a system API like VirtualAlloc? I know I could use a debugger like Olly, but if I open…
-
Rustock C The Beast
by evilcry- 16 replies
- 9.5k views
Hi, Rustock C is definitely the most powerful advanced rootkit for Windows ever seen, the Pure Evil. Here are some papers about it:
http://info.drweb.com/show/3342/en
http://www.rootkit.com/newsread.php?newsid=879
http://blog.threatexpert.com/2008/05/rusto...ested-doll.html
http://blog.threatexpert.com/2008/06/new-r...to-hotmail.html
-
Malware sample for practice
by GEEK- 13 replies
- 8.5k views
Hey, found this on my USB so I am guessing it's not a very dangerous virus. I have sent it to any online AV checkers simply coz I am not bothered. If anyone wants to practise I have zipped the unedited binaries. Password: infected usb_malware_sample.rar
-
IEEE Software Taggant System For Exposing Malware Creators...
by Teddy Rogers- 12 replies
- 8.5k views
IEEE Software Taggant System For Exposing Malware Creators. Well... I have been hearing and reading about this everywhere for a while now. Numerous packer and protector developers have already been trumping this up as the be-all for software developers who use their packer/protector products as a means to stop false positives and at the same time be used to identify/flag stolen or bogus protector licences used on files. For those who do not know (yet), if it becomes standard we may see this being commonplace. http://standards.ieee.org/news/2011/icsg_software.html How practical and to what purpose it will end up serving exactly I still have doubts to. Have a read and…
-
Win 10 64-bit MBR Bootkit
by JMC31337- 12 replies
- 7k views
Working on a bootkit rootkit for Win 10 64-bit MBR versions. All checksums and digital sig verifications have been bypassed. Dump all modifications as it goes along. This is completed Stage 1:
1) access bootmgr (compressed) via volume mount WMI API avoiding mounts
2) decompress bootmgr -> obtaining bootmgr.exe
3) patch the digital sig verifier
4) sig the exe with "This program cannot be ran in ZZZ mode"
5) patch the PE header checksum location with proper checksum
6) re-compress the bootmgr.exe -> bootmgr
7) overwrite the OS default bootmgr
===== I'll explain more later, I'm tired. File password: infected M…
-
Dr.mehdi.swensen PEiD v0.95
by Dr.mehdi.swensen.- 12 replies
- 8.3k views
I give this to all my friends in the forum. I hope it will be accepted by all crackers. tnx
Mod edit: Removed attachment since it's both a rip and a virus. Explain or actions will be taken.
Mod edit 2: Uploaded attachment and moved topic to Malicious Software Research forum for discussion. User is banned from the board. Attachment password is: tuts4you Dr.mehdi.swensen PEiD v0.95.zip
-
- 12 replies
- 7.3k views
Hi everybody. My boss has told me to find the binary code of Stuxnet, or any suspicious file that is Stuxnet. Does anyone have it or know where I can get it? Tnx.
-
W32 USB Rootkit
by JMC31337- 12 replies
- 10.1k views
USB Rootkit (minus the extras): 2 sys files, 1 DLL, 1 EXE dropper
-
EMV Softwares
by Xyl2k- 4 followers
- 11 replies
- 26.9k views
Someone on Telegram intrigued me by telling me about software to read credit card chips, so here are some files that I got from the net. The first software in question, which I came across: "EMVStudio" belonging to emvstudio.com. If I look for the files on VT, it communicates with auth.emvstudio.com, and I come across these 3 archives:
EMVStudio.rar - 1ba1fac55003d2c966f0071b2c126169254b35a38b4e2b913557c4fb0faadfdb
Contains 8d6dacff8a098b8d02202e8c6a4a65bbe20b332ba58d6165cca6f958187864c4 and also a file named 'gp' which seems to be a config file.
emvstudio_v1.1.1.rar - 0bd11f024845c07e0df8fe2f080f4925dc44a289e4e59b079be0a68ed2fc42a6
Contains emvstudio_v1.1.2.exe - ce9187aa…
-
Course about reversing malware
by Aldhard Oswine- 11 replies
- 7.8k views
I found Dr. Fu's RE malware course helpful but a little bit out of date, do you have any better options?
-
How do AV systems find packed Malicious Software
by GoJonnyGo- 11 replies
- 9.7k views
Hi there, I am wondering how antivirus systems can find viruses in packed software. Do they know every unpacking routine and first look at which protector it is packed with and then unpack it to perform a search, or do they wait until the exe has unpacked itself and is at the OEP, or how does this happen?
-
Malware music video
by Xyl2k- 11 replies
- 11.6k views
Hello, I've been doing reversing videos for some time now about exotic malware and fun things. My videos aren't about detailing specific threats, just a small overview of what they do (I try to keep my videos short). So if you like reversing, assembly and electronic/dubstep, here you go.
Chinese adware and steganography
Having a look on Win32/Kawpfuni.A (Military-espionage malware)
Having a look on Trojan/Win32.Shifu (Shifu)
Having fun with Tyupkin (ATM Malware)
Having a look on CryptoFortress config
Having fun with Dyre and API's
Having a look on Win32/Modputty.A
Having a look on Dridex config
Having a look on GreenDispenser (ATM Malware)
Having a look on DarkC…
-
Unpacking RunPe Malware
by Phasip- 11 replies
- 13.6k views
Hello! I recently started doing some malware reversing and the second application I met is an app called ohhai.exe. As all packer identifiers I have run say that it is Visual Basic, I tried to open it with a program that views P-Code; looking through the code I found a function called RunPe, and I found out this is a common way to hide viruses within VB code. The problem is that there does not seem to be much information on how to unpack these. I found two:
http://www.opensc.ws/tutorials-articles/11144-tutorial-unpacking-runpe.html
http://interestingmalware.blogspot.com/2010/07/unpacking-vbinjectvbcryptrunpe.html
which both have easy steps but I don't seem to be able t…
-
Nimda
by Nieylana- 10 replies
- 6.9k views
Hey, my Windows XP installation recently created a random Nimda user on my computer. I'm aware that the Nimda.A virus is supposed to do this by enabling the guest account and then renaming it and adding it to the Administrator group. What concerns me the most is that I have run multiple Nimda virus scanners/removers and also NOD32, but none have detected the Nimda virus on my computer.... what am I supposed to do? Also, I've done some looking online about the Nimda virus, and it says to look for specific files in certain locations; these files also are not present on my XP installation, but the account keeps re-appearing... any help would be appreciated. EDIT: Also…
-
fake crack sites
by Xyl2k- 2 followers
- 10 replies
- 14.5k views
So you want to download some releases from SnD? Alright, let's look at snd.webscene.ir: the distribution section menu contains a link pointing at hxtps://keygens.pro/. Super, looks like there are a lot of cracks over here! And the site is virus free, right? So let's pick something, I don't know, maybe 7-Data.Card.Recovery.1.1.keygen-SND hxtps://keygens.pro/crack/729775/. lol @ the description on the page, didn't know Reagan was from SnD and born in Russia. Anyway we get redirected to a download page after clicking the 'Download only Keygen' button; we have to fill in a captcha and agree to the conditions. The archive is password protected and contains only…
-
W32.Duqu a.k.a. Stuxnet II
by PaperBall- 10 replies
- 7.9k views
Anyone have a copy of this new malware that was discovered last week?
-
A worm virus
by as1- 10 replies
- 7.3k views
As you can understand, I have a worm virus on my computer. I have used Ad-Aware, Malwarebytes, Security Task Manager and Windows Defender and none of them can effectively remove the virus entirely. There's one file that I know exists but have no way of deleting (my version of Security Task Manager isn't registered so I can't remove drivers and DLLs.... can't find a registered one). The file I can't delete is called afmain0.dll and it's the reason why I keep getting other worm-like viruses for a week now... is there anything I can do besides formatting the hard drive?