Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
360 topics in this forum
-
PLC infection malware
by malware - 5 replies
- 5.3k views
Can anyone help me figure out how a PLC infection worm works? I am looking to analyze malware which infects PLCs. How does PLC infection malware such as Stuxnet work? I will appreciate your concern.
-
How much "Stuxnet" malware would costs?
by malware - 0 replies
- 3.9k views
How much would the "Stuxnet" malware source code cost? https://en.wikipedia.org/wiki/Stuxnet Is it worth 1 billion USD? How much would sophisticated malware like Stuxnet cost? Thanks
-
svchost rootkit
by jolin wong - 1 reply
- 10k views
I have ten svchost.exe processes running on the computer; Process Explorer shows all of them coming from the c:\windows\system32 directory, so it looks like no malware, but is there any chance that a rootkit can do process injection into svchost? Is there any tool that can detect it? Thanks
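A first check a practitioner would run on the situation described above is to compare every svchost.exe instance against its normal launch profile rather than just its image path. The script below is an added example, not code from this thread; it assumes a genuine service host lives in System32, is started by services.exe, and carries a "-k <group>" argument, and it runs over a constructed process snapshot (the Proc records) standing in for the output of Process Explorer or "Get-CimInstance Win32_Process".

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str      # full image path as shown by Process Explorer
    cmdline: str


# Expected launch profile of a genuine service host (assumption for this
# example; confirm against a clean build of the same Windows version).
SVCHOST_PATH = r"c:\windows\system32\svchost.exe"
SVCHOST_PARENT = "services.exe"
SERVICE_GROUP_ARG = re.compile(r"(^|\s)-k\s+\S+", re.IGNORECASE)


def find_suspicious_svchost(procs):
    """Return (pid, reason) pairs for svchost.exe instances that break the
    expected launch profile: wrong image path, wrong parent, or no
    '-k <group>' service-group argument on the command line."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        if p.path.lower() != SVCHOST_PATH:
            findings.append((p.pid, f"image path {p.path} is outside System32"))
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<exited>"
        if parent_name != SVCHOST_PARENT:
            # PID reuse can make an exited parent look wrong: treat as a lead,
            # not proof, and confirm with the process start times.
            findings.append((p.pid, f"parent is {parent_name}, expected {SVCHOST_PARENT}"))
        if not SERVICE_GROUP_ARG.search(p.cmdline):
            findings.append((p.pid, f"no -k service group in {p.cmdline!r}"))
    return findings


# Constructed process snapshot: two genuine hosts and one masquerading copy
# launched from a user profile by explorer.exe.
SAMPLE = [
    Proc(4, 0, "System", "", ""),
    Proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe",
         r"C:\Windows\system32\services.exe"),
    Proc(800, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe",
         r"C:\Windows\system32\svchost.exe -k DcomLaunch -p"),
    Proc(900, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe",
         r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
    Proc(1300, 1200, "explorer.exe", r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    Proc(4100, 1300, "svchost.exe", r"C:\Users\bob\AppData\Roaming\svchost.exe", "svchost.exe"),
]

if __name__ == "__main__":
    for pid, reason in find_suspicious_svchost(SAMPLE):
        print(f"pid {pid}: {reason}")
```

These heuristics catch a masquerading binary or an oddly launched host; they say nothing about code injected into a legitimately started svchost, which leaves path, parent and command line intact. For that case you need to look inside the process, for instance at executable memory regions that are not backed by any image file, which is what tools such as Process Hacker's memory view or a memory-scanning plugin show.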
-
latest Malware analysis and threat intel
by jolin wong - 1 reply
- 4.4k views
Dear Expert, I want to know whether there is any threat intelligence forum which shares the latest monthly malware and threat analysis reports (in PDF)? Thanks
-
Backup (offline version) of vxheaven website
by malware - 1 reply
- 4.7k views
To check my skill set I am looking for virus source code written in assembly. I know a website named vxheaven which is offline now. Can anybody tell me where I can find EXE and COM infection tutorials, perhaps a backup of the vxheaven website? Thanks
-
malware database with api access
by jolin wong - 0 replies
- 3.9k views
We want to know of any commercial/free malware database besides VirusTotal which can provide API access; we want to pull the malware list from them into our system on a daily basis. Thanks
-
malware download possibility
by jolin wong - 0 replies
- 3.8k views
In my previous company we used ArcSight SIEM, so a malware ticket was generated after the SIEM got logs from various sources; in the log we could see the malware name (for example the name of the *.exe, *.pdf, *.doc file), and the malware could also be downloaded from the SIEM. My current company is facing a problem: the ArcSight SIEM can't show the malware name, and the attachment does not have the malware executable file. It is very difficult to analyze malware. Is there anything that needs to be configured in the SIEM so the malware name will appear and be downloadable? Or do we have to set up an FTP folder for users to upload the suspected exe file, and then we analyze from there?
-
How to determine md5 algorithm
by malware - 0 replies
- 4.8k views
I am analyzing Carberp malware. There is an MD5 hash algorithm in that malware. How do I locate and disassemble the algorithm? Not only MD5 but other encryption like AES, to name a few.
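The standard way to locate a hash or cipher in a binary is to search for the constants the algorithm cannot avoid embedding: MD5's initial state and sine-derived T table, SHA-1's fifth state word, SHA-256's initial values and K table, AES's S-box and inverse S-box. The scanner below is an added example written for this thread, not Carberp code and not IDA's own plugin; it does for a handful of constants what IDA's FindCrypt plugin and the YARA crypto_signatures rules do with a much larger signature set. The sample buffer it scans is constructed here to imitate a code section that loads the MD5 state with "mov reg, imm32" instructions followed by the AES S-box and the MD5 T table.

```python
import math
import re
import struct
import sys


def md5_t_table():
    """T[i] = floor(|sin(i+1)| * 2**32): the 64-entry table every MD5
    implementation embeds, computed here rather than typed from memory."""
    return [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]


MD5_INIT = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]   # also SHA-1 H0..H3
SHA1_H4 = 0xC3D2E1F0                                           # distinguishes SHA-1 from MD5
SHA256_INIT = [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A]
SHA256_K = [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5]
AES_SBOX = bytes([0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5])
AES_INV_SBOX = bytes([0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38])


def _words(values, endian):
    return b"".join(struct.pack(endian + "I", v) for v in values)


# (family, description, byte signature). Word tables are emitted little-
# and big-endian because some implementations store them byte-swapped.
SIGNATURES = []
for endian, label in (("<", "LE"), (">", "BE")):
    SIGNATURES += [
        ("MD5", f"T[1..4] sine table ({label})", _words(md5_t_table()[:4], endian)),
        ("MD5/SHA-1", f"init words A..D as a table ({label})", _words(MD5_INIT, endian)),
        ("SHA-1", f"init words incl. H4 ({label})", _words(MD5_INIT + [SHA1_H4], endian)),
        ("SHA-256", f"init H0..H3 ({label})", _words(SHA256_INIT, endian)),
        ("SHA-256", f"K[0..3] ({label})", _words(SHA256_K, endian)),
    ]
SIGNATURES += [("AES", "S-box start", AES_SBOX), ("AES", "inverse S-box start", AES_INV_SBOX)]


def scan_tables(data):
    """Find contiguous constant tables. Returns sorted (file offset, family, desc)."""
    hits = []
    for family, desc, sig in SIGNATURES:
        for m in re.finditer(re.escape(sig), data):
            hits.append((m.start(), family, desc))
    return sorted(hits)


def find_clustered(data, values, window=64, endian="<"):
    """Offsets at which every word in `values` occurs within `window` bytes of
    the first one. This catches state initialised by a run of 'mov reg, imm32'
    instructions, where opcode bytes sit between the constants and a
    contiguous-table search finds nothing."""
    positions = []
    for v in values:
        pat = re.escape(struct.pack(endian + "I", v))
        offs = [m.start() for m in re.finditer(pat, data)]
        if not offs:
            return []
        positions.append(offs)
    return [o for o in positions[0]
            if all(any(abs(p - o) <= window for p in offs) for offs in positions[1:])]


# Constructed buffer standing in for a code+data section: push ebp / mov ebp,esp,
# four 'mov eax/ebx/ecx/edx, imm32' loading the MD5 state, ret, int3 padding,
# the AES S-box prefix with filler after it, then the full MD5 T table.
SAMPLE = (
    b"\x55\x8b\xec"
    + b"\xb8" + struct.pack("<I", MD5_INIT[0])
    + b"\xbb" + struct.pack("<I", MD5_INIT[1])
    + b"\xb9" + struct.pack("<I", MD5_INIT[2])
    + b"\xba" + struct.pack("<I", MD5_INIT[3])
    + b"\xc3" + b"\xcc" * 32
    + AES_SBOX + bytes(range(8, 40))
    + _words(md5_t_table(), "<")
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, family, desc in scan_tables(data):
        print(f"0x{off:08x}  {family:10s} {desc}")
    for off in find_clustered(data, MD5_INIT):
        print(f"0x{off:08x}  MD5/SHA-1  state loaded by immediates near here")
```

The offsets are file offsets, so map each one to a virtual address (in IDA, Jump to file offset), then follow the cross-references from the constant to reach the routine that uses it; for MD5 that is the compression function, for AES the key-schedule or round function. A hit on the first four init words alone is ambiguous between MD5 and SHA-1: the presence of 0xC3D2E1F0 nearby, or of the T table, settles it. No hits at all usually means the constants are computed at runtime or the code is packed, which is the situation the Carberp samples with custom obfuscation put you in.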
-
Help me understand the source code?
by malware - 3 replies
- 4.8k views
Can you explain the following code of a known malware? Thanks
-
unknown malware detection
by alialiali - 2 replies
- 6.3k views
Hi, does anyone have a list of sequences or numbers of repetitive malicious API functions for identifying unknown malware? For example, a list of the API function sequences used in viruses, worms, etc. If not, how can it be reached?
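One way to use such API sequences is to treat each one as an ordered, not necessarily contiguous, pattern and match it against a sandbox call trace. The code below is an added example, not something posted in this thread; the pattern list is illustrative (a handful of well-known behaviours, nowhere near a complete catalogue), the maximum gap between matched calls is an assumed tuning value, and the traces it runs on are constructed here in the shape a sandbox such as Cuckoo exports (API name plus an argument summary).

```python
# Each step: (normalised API name, substring that must appear in the call's
# arguments, or None). Patterns are illustrative, not a complete catalogue.
PATTERNS = {
    "drop-and-execute": [("CreateFile", None), ("WriteFile", None), ("CreateProcess", None)],
    "remote-thread injection": [("OpenProcess", None), ("VirtualAllocEx", None),
                                ("WriteProcessMemory", None), ("CreateRemoteThread", None)],
    "process hollowing": [("CreateProcess", "CREATE_SUSPENDED"), ("NtUnmapViewOfSection", None),
                          ("VirtualAllocEx", None), ("WriteProcessMemory", None),
                          ("SetThreadContext", None), ("ResumeThread", None)],
    "run-key persistence": [("RegOpenKeyEx", r"\CurrentVersion\Run"), ("RegSetValueEx", None)],
    "low-level keyboard hook": [("SetWindowsHookEx", "WH_KEYBOARD_LL"), ("GetMessage", None)],
}


def normalize(api):
    """Fold ANSI/Unicode variants (CreateFileA/W) and Zw/Nt aliases onto one name."""
    name = "Nt" + api[2:] if api.startswith("Zw") else api
    if len(name) > 2 and name[-1] in "AW" and name[-2].islower():
        name = name[:-1]
    return name


def _hit(call, api, needle):
    t_api, t_args = call
    return normalize(t_api) == api and (needle is None or needle.lower() in t_args.lower())


def match_pattern(trace, steps, max_gap=50):
    """Ordered but not necessarily contiguous match. Each later step must
    follow the previously matched call within max_gap calls (assumed tuning
    value). Every candidate first call is tried, so an early false start does
    not hide a real match later in the trace. Returns matched indices or None."""
    for start, call in enumerate(trace):
        if not _hit(call, *steps[0]):
            continue
        idx = [start]
        for api, needle in steps[1:]:
            prev = idx[-1]
            nxt = next((i for i in range(prev + 1, min(len(trace), prev + 1 + max_gap))
                        if _hit(trace[i], api, needle)), None)
            if nxt is None:
                break
            idx.append(nxt)
        else:
            return idx
    return None


def classify(trace):
    """Map every matched pattern name to the trace indices that matched it."""
    found = {}
    for name, steps in PATTERNS.items():
        m = match_pattern(trace, steps)
        if m is not None:
            found[name] = m
    return found


# Constructed sandbox-style traces: (API name, argument summary).
DROPPER_TRACE = [
    ("CreateFileW", r"C:\Users\bob\AppData\Local\Temp\upd.exe"),
    ("WriteFile", "0x1f400 bytes"),
    ("CloseHandle", ""),
    ("CreateProcessW", r"C:\Users\bob\AppData\Local\Temp\upd.exe"),
    ("OpenProcess", "pid=1234 PROCESS_ALL_ACCESS"),
    ("VirtualAllocEx", "PAGE_EXECUTE_READWRITE size=0x2000"),
    ("WriteProcessMemory", "0x2000 bytes"),
    ("CreateRemoteThread", "start=0x1a0000"),
    ("RegOpenKeyExW", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("RegSetValueExW", r"Updater = C:\Users\bob\AppData\Local\Temp\upd.exe"),
]
BENIGN_TRACE = [("CreateFileW", "report.docx"), ("ReadFile", "4096 bytes"), ("CloseHandle", "")]

if __name__ == "__main__":
    for name, idx in classify(DROPPER_TRACE).items():
        print(f"{name}: calls {idx}")
```

Treat a match as a lead, not a verdict: debuggers, AV engines and installers legitimately produce the injection and persistence sequences above, so the same matcher run over clean software tells you how noisy each pattern is before you rely on it. Argument constraints (the Run key path, CREATE_SUSPENDED) are what keep the weaker patterns from firing on every program that touches the registry or spawns a child.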
-
Any IDA Pro Tutorials ?
by megam - 2 replies
- 5.5k views
Hello, I am new to reverse engineering and I want to learn how to patch files, like cracking hardware IDs or VMware checks inside .dll files. Can someone help me with tutorials on where I can learn IDA Pro? I cannot find any tutorial online. Also, why is my IDA Pro debugger missing from the toolbar (if someone knows)? Thanks :)
-
Malware VMProtect
by ONDragon - 5 replies
- 14.9k views
When I reversed the malware, I realised it was protected by VMProtect, so I tried to run it to catch its behavior. But there are some anti-VMware checks (I tried to run it in both VMware and VirtualBox). The question: if I encounter this malware, what should I do? PS: How do I unpack the VM, and how do I hide VMware and VirtualBox from it? Please help me. Thanks!!!
-
bypassing anti-vm inside protected samples
by zixkhalid - 0 replies
- 4.6k views
This is a good starting point, as you know: sandboxes and virtual environments are full of artefacts that betray their analysis environment. Malware can protect itself against these by running some checks to detect such environments before performing any malicious actions. I'm looking for the bypasses used by malware analysts to overcome this anti-VM stuff.
-
Unknown RAT/Keylogger
by Asentrix - 7 replies
- 6.6k views
Unsure of the protection, just want it reversed. I checked it in HxD and it looks like 3 is just added to every byte. I also ran it in a debugger and Themida popped up. Checked on VirusTotal and it says packed with: BobSoft Mini Delphi -> BoB / BobSoft. Included are 3 files: 1. The original, which isn't an exe file. 2. Renamed exe but not fixed. 3. Fixed exe with digital signature. That's as far as we got! DEOB.zip
-
VMProtect malware
by NeoNCoding - 2 replies
- 4.9k views
Hello, can somebody tell me what this malware (application) contains and what it does? BE CAREFUL! I don't know what it does. Test it only in a VM! svchos2t.exe
-
Setting hook without calling SetWindowsHookEx
by Aldhard Oswine - 2 replies
- 11.5k views
Is it possible to set a hook without calling SetWindowsHookEx?
-
VMProtect - Share knowledge
by only me - 2 replies
- 10.2k views
Hi all, most malware analysts get a pain from VMProtect packing, as I hear :). I am new to this area and I was starting my search about this packing. Could you please share your method to deal with this packing?
-
- 0 replies
- 5.8k views
I thought all you reverse engineers out there might enjoy this, since it talks about the calls used in recent malware: https://blogs.technet.microsoft.com/mmpc/2017/03/08/uncovering-cross-process-injection-with-windows-defender-atp/
-
third-party library in IDA pro
by Aldhard Oswine - 0 replies
- 6.6k views
What ways are there to analyze unnamed third-party library functions in IDA Pro, such as OpenSSL, Boost, etc.?
-
Reversing the petya ransomware with constraint solvers
by Extreme Coders - 5 replies
- 7.6k views
Ransomware is very common these days. Once it installs on a user machine it begins encrypting files. When the user comes to know about the ransomware attack it is already too late. Unless the user has a backup, he/she must pay the ransom to recover the files. Luckily there have been cases where, due to a faulty implementation of cryptography, breaking such malware becomes feasible. The recently discovered Petya ransomware is an example. This blog post is a short walkthrough on breaking the Petya ransomware with constraint solvers. Hope you like it and find it useful. http://0xec.blogspot.com/2016/04/reversing-petya-ransomware-with.html
-
Set Virtualbox port fowarding 2 adpaters
by opc0d3 - 0 replies
- 4.3k views
Hello! I'm trying to build a lab to analyze malware and grant it an internet connection, but with certain rules. I was thinking of making 2 VMs: a Windows lab to do the analysis and, in the middle, a Linux REMnux server. I thought to isolate my Windows VM from the host network by creating an internal network between REMnux and Windows. On REMnux I would port forward (when I grant it) from the internal network adapter to the NAT adapter, so Windows couldn't see my host. My goal is to avoid the infected machine contacting my host, and on REMnux I would set up iptables to block any request but HTTP from Windows directly to remote hosts, blocking any LAN interaction. Can anyone help me think of a way to…
-
WannaCrypt, WannaCry, WanaCrypt0r, WCrypt...
by Teddy Rogers - 18 replies
- 10.9k views
If you're not sick and tired of hearing/reading about it yet and you are still interested in studying WannaCrypt, you can find information and samples at the following links... https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168 Samples https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168#malware-samples Ted.
-
Process Hollowing in Windows 10
by Aldhard Oswine - 1 reply
- 6.2k views
I'm trying to implement process hollowing on Win10 for x64 processes. It is almost the same as this code: https://github.com/m0n0ph1/Process-Hollowing/blob/master/sourcecode/ProcessHollowing/ProcessHollowing.cpp, but for x64, and for the entry point I'm using the "Rcx" register. It works for apps if the target and victim processes are the same; otherwise it causes the error: "the application was unable to start correctly 0xc00000142". It also works for apps which are created by me for the test. What are the possible mistakes in my implementation?
-
DLL injection on Windows 10
by Aldhard Oswine - 2 replies
- 6.3k views
I'm trying to implement the DLL injection technique from the PMA book. It works for third-party applications such as notepad++.exe, chrome.exe, FoxitReader.exe, etc., but doesn't work for Windows applications such as notepad.exe, explorer.exe, etc. With a third-party app, "CreateRemoteThread" returns a thread ID; with a Windows app it returns 0. Can you help me understand what happens?
-
Passionate Beginner with some questions
by FormosaTBM - 0 replies
- 4.7k views
Hey guys, I know there's probably a post like this every day asking how to become a virus/malware reverse engineer analyst, so if nobody replies I won't be too offended. I have done some research on Reddit, and if anyone has the time to read through this and can help steer me in the right direction, or perhaps let me know of something I may have missed while researching, please let me know! My background: not really a programmer, but I learned a little bit of Java back in the day in college. Have studied a little bit of Python through the book Automate the Boring Stuff (first half of the book). Have attempted to study some C++ a whi…