Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
364 topics in this forum
-
W32/Sharp-A
by Programmdude - 0 replies
- 4.4k views
Hey, I was wondering if anyone had a copy of W32/Sharp-A. I would like it for research. http://www.sophos.com/security/analyses/viruses-and-spyware/w32sharpa.html
-
Reversinglabs - NyxEngine
by Loki - 0 replies
- 3.8k views
More nice work from ap0x and deroko. http://blog.reversinglabs.com/2010/04/introducing-nyxengine/
-
Clever tricks against antiviruses...
by Teddy Rogers - 2 replies
- 4k views
I bet you have come across some software you've made which you didn't want the AV to pick up. This article explains how to import from DLLs without having to call GetProcAddress, and also how to encrypt your data section. Anti-viruses rely heavily on their heuristics if all other (signature) scans fail. The patterns they search for in your executable are the functions being imported and the order in which they are called. No imports! Having no import table is relatively easy. There are, however, some functions I haven't imported dynamically, but which are very normal in any application (libc functions). The steps you need to take are: Get the kernel32 module base address. (…
-
Excellent video
by cyb3rl0rd1867 - 5 replies
- 11.4k views
Here's an excellent video on malware removal by Mark Russinovich, author of many tools in the Sysinternals suite. Very good for semi-beginners in the world of malware exploration and analysis.
-
Beginning Malware analysis
by cyb3rl0rd1867 - 4 replies
- 4.3k views
I want to get more into malware analysis but there are a few barriers to my getting started. Hopefully someone here can help me out.
1. I use VMware; when I plug in a flash drive or iPod it sometimes automatically connects to the VM. Not a good thing if you have malware hanging around. How do you make it so they won't (preferably can't) connect to my VM?
2. If the network is unchecked, is there anything to worry about? I can't remember for sure, but I think there were times when it woke up and it was connected to the network. Any ideas on how to fix that?
3. Is copying from a host to a guest a security risk?
4. Is it safe to download the malware on your regular comp…
-
Malware trying to detect analysis tools?
by nxanxa - 0 replies
- 3.5k views
Hi, are you aware of any malware that refuses to run, or tries to kill analysis tools if it detects their presence at run-time? (Some analysis tools that come to mind are: RegMon, FileMon, ...) Please name some malware that does this kind of thing. The more famous, the better ... Thanks a lot, N
-
hacks4sale.com - Trojan dropper
by JesusSpork - 3 replies
- 11.8k views
I downloaded the demo software at www.hacks4sale.com because I was going to try and crack it. While installing, it dropped ods.exe, stm.exe, msn.exe, iexplorer.exe, and ICSharpCode.SharpZipLib.dll into the Internet Explorer directory; they had the attributes of being system files and were hidden. Also, the demo doesn't do anything. I opened it in Reflector after unpacking; here's a bit of it:
box.Text = (box.Text & "Activated" & ChrW(13) & ChrW(10))
Thread.Sleep(2000)
box = Me.TextBox7
box.Text = (box.Text & "Connected to database!" & ChrW(13) & ChrW(10))
box = Me.TextBox7
box.Text = (box.Text & "Database dropped connection, retry in 2#" &…
-
I don't know happened with this file
by h3201n3 - 6 replies
- 6.7k views
Hi, can I ask for your help please? Before I ask for your help, sorry for my bad English because I'm from Indonesia. This file is not the original from the author, because it was infected on my computer. Lots of my files on the hard drive have been infected by this. Thanks for your help and time. devilz's KeyGen-me N
-
An Insight into the Aurora Communication Protocol
by Teddy Rogers - 3 replies
- 5.7k views
http://www.avertlabs.com/research/blog/index.php/2010/01/18/an-insight-into-the-aurora-communication-protocol/ Ted.
-
What hell has happend?
by BOSCH - 5 replies
- 7.4k views
My friends, I have a problem! For some days now, when I try reversing with Olly, in every application the start assembly code is:
0049596E > $- E9 8DA6B07F JMP 7FFA0000
00495973 . 68 20 7B 4A 0>ASCII "h {J",0
00495978 . 68 78 5D 49 0>ASCII "hx]I",0...
When I restore Windows everything is OK, and in my reversing application the code is:
PUSH EBP
MOV EBP,ESP...
I can't find which application causes it! Perhaps it is a virus? I checked my PC with Avast and Malwarebytes, but everything is OK! Thanks in advance!
-
nvwractive97.dll
by hypa - 2 replies
- 5.9k views
VirusTotal results. Just thought I'd share this. Renaming this DLL throws a RUNDLL error on startup; it's in CurrentVersion\Run and run with RUNDLL. Analysis in OllyDbg with PhantOm shows the same thing as VirusTotal in the abstract; I didn't look at it further. Seems to start a thread with the native API and collect system data. Removing the startup placement in the registry just causes it to be replaced by something on the next reboot. Survives only on a 32-bit kernel. There is no packer or anti-debug..it's just there and backed by some rootkit which the latest builds of GMER and RKU don't detect. McAfee heuristics picked it up as an injector. The most interesting thing is, renaming it …
-
DLL debugging
by straylight - 4 replies
- 9.7k views
Hello All, this is my first post to tuts4you! Hopefully my question is a simple one. I'm trying to load a DLL (dropped by malware) into Olly. I have made the changes to the characteristics section of the binary so that Olly sees the DLL as an .exe, to bypass loaddll. The following is the EP of the malicious DLL when opened in Olly:
100037A1 >/$ 8BFF MOV EDI,EDI ; ntdll.7C910228
100037A3 |. 55 PUSH EBP
100037A4 |. 8BEC MOV EBP,ESP
100037A6 |. 33C0 XOR EAX,EAX
100037A8 |. 40 INC EAX
100037A9 |. 3945 0C CMP DWORD PTR SS:[EBP+C],EAX
100037AC |. 75 09 JNZ SHORT Copy…
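An added example, not code from either post or from the forum: a portable C sketch of the two PE-header tricks these threads touch. First, the approach the "Clever tricks against antiviruses" article describes, resolving a function by walking the module's export table instead of calling GetProcAddress; second, the change straylight made for the "DLL debugging" thread, clearing IMAGE_FILE_DLL in FileHeader.Characteristics so a debugger loads the module as an EXE. The code runs against a constructed in-memory PE32 image whose RVAs equal file offsets; the export names and function RVAs in it are made up for the demonstration. On a real target you would take the kernel32 base from the PEB loader list and walk the mapped image the same way.

```c
/* Added example: walk a PE32 export table to resolve a function without
 * GetProcAddress, and clear IMAGE_FILE_DLL so a debugger treats a DLL as an EXE.
 * Works on a constructed in-memory image (below), not on a real sample.
 * Field offsets follow the PE/COFF specification; no windows.h needed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_FILE_DLL 0x2000u
#define IMG_SIZE 0x400

/* Little-endian accessors, so the code is correct on any host. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* e_lfanew (offset 0x3C of the DOS header) gives the NT headers' position. */
static uint32_t nt_off(const uint8_t *img) { return rd32(img + 0x3C); }

/* Manual GetProcAddress: export directory -> name table -> ordinal -> function RVA.
 * Assumes RVA == offset, i.e. a mapped image (or one built that way, as below). */
uint32_t resolve_export(const uint8_t *img, const char *name)
{
    uint32_t nt = nt_off(img);
    if (rd16(img) != 0x5A4D || rd32(img + nt) != 0x00004550) return 0;  /* "MZ", "PE\0\0" */
    uint32_t exp = rd32(img + nt + 0x78);   /* DataDirectory[EXPORT].VirtualAddress, PE32 layout */
    if (exp == 0) return 0;
    uint32_t n_names = rd32(img + exp + 24);    /* NumberOfNames */
    uint32_t funcs   = rd32(img + exp + 28);    /* AddressOfFunctions */
    uint32_t names   = rd32(img + exp + 32);    /* AddressOfNames */
    uint32_t ords    = rd32(img + exp + 36);    /* AddressOfNameOrdinals */
    for (uint32_t i = 0; i < n_names; i++) {
        const char *s = (const char *)img + rd32(img + names + 4 * i);
        if (strcmp(s, name) == 0)   /* the ordinal table is already Base-relative */
            return rd32(img + funcs + 4 * rd16(img + ords + 2 * i));
    }
    return 0;
}

/* The trick from the "DLL debugging" post: clear IMAGE_FILE_DLL in
 * FileHeader.Characteristics (Signature(4) + 18 bytes into the file header).
 * Returns the new Characteristics value. */
uint16_t clear_dll_flag(uint8_t *img)
{
    uint8_t *ch = img + nt_off(img) + 4 + 18;
    uint16_t v = (uint16_t)(rd16(ch) & ~IMAGE_FILE_DLL);
    wr16(ch, v);
    return v;
}

/* Constructed PE32 image with a two-name export table; every value is made up. */
uint8_t *sample_image(void)
{
    static uint8_t img[IMG_SIZE];
    const uint32_t nt = 0x80, exp = 0x200, funcs = 0x228, names = 0x230, ords = 0x238, str = 0x240;
    memset(img, 0, sizeof img);
    wr16(img, 0x5A4D);  wr32(img + 0x3C, nt);
    wr32(img + nt, 0x00004550);
    wr16(img + nt + 4, 0x014C);       /* Machine = i386 */
    wr16(img + nt + 22, 0x2102);      /* EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL */
    wr16(img + nt + 24, 0x010B);      /* PE32 optional header magic */
    wr32(img + nt + 0x78, exp);  wr32(img + nt + 0x7C, 40);
    wr32(img + exp + 16, 1);                                   /* Base ordinal */
    wr32(img + exp + 20, 2);  wr32(img + exp + 24, 2);         /* NumberOfFunctions, NumberOfNames */
    wr32(img + exp + 28, funcs);  wr32(img + exp + 32, names);  wr32(img + exp + 36, ords);
    wr32(img + funcs, 0x1000);  wr32(img + funcs + 4, 0x1040);  /* fake function RVAs */
    strcpy((char *)img + str, "LoadLibraryA");
    strcpy((char *)img + str + 16, "VirtualAlloc");
    wr32(img + names, str);  wr32(img + names + 4, str + 16);  /* name table, sorted like a linker's */
    wr16(img + ords, 0);  wr16(img + ords + 2, 1);             /* name i -> function index */
    return img;
}

int main(void)
{
    uint8_t *img = sample_image();
    printf("VirtualAlloc RVA: 0x%x\n", (unsigned)resolve_export(img, "VirtualAlloc"));
    printf("Characteristics after clearing DLL bit: 0x%04x\n", (unsigned)clear_dll_flag(img));
    return 0;
}
```

Two caveats a practitioner would want: real export name tables are sorted, so a binary search (or a hash compare, as shellcode usually does) replaces the strcmp loop, and forwarded exports point into another module's name string rather than at code, which this walk does not handle. Clearing IMAGE_FILE_DLL only changes how the debugger starts the image; DllMain still receives whatever is in [EBP+C] as the reason argument, which is exactly the CMP straylight's listing stops at.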
-
Malware
by ~karthikeyanck~ - 6 replies
- 7.2k views
Hi All, I found the attached malware on one of my test machines. It looks like it drops itself into the system32 directory with some random name and adds entries to the registry so that it can start as a service every time the machine boots. I can't seem to get further after that; can you look into this? It seems like it does do some damage, so analyzing this in a virtual environment is recommended. Attached is malware, so please exercise care!!! password - infected EDIT: Nobody looked at this yet? MNR8TTI7OP.zip
-
Driver Rootkit Analysis
by R3lly - 5 replies
- 4.8k views
Hello, I'm trying to analyze a ring 0 driver which can completely lock my computer except for one piece of software, VMware Player. In fact, this driver communicates with the virtual machine to allow access to a piece of software installed in the VM. It can't run without this driver. As it's a 32-bit driver, my goal is to recreate a program which would emulate the presence of this driver so I could use my VM on Seven. I'm focusing on the communication between the VM and the host machine. As I'm a complete newbie, disassembling the driver with IDA didn't help me much. Many of the calls made by the driver are part of the "locking host system" routine. Then I made some analysis with Wireshark…
-
A worm virus
by as1 - 10 replies
- 7.7k views
As you can understand, I have a worm virus on my computer. I have used Ad-Aware, Malwarebytes, Security Task Manager and Windows Defender and none of them can effectively remove the virus entirely. There's one file that I know exists but have no way of deleting (my version of Security Task Manager isn't registered so I can't remove drivers and DLLs....can't find a registered one). The file I can't delete is called afmain0.dll and it's the reason why I keep getting other worm-like viruses, for a week now... Is there anything I can do besides formatting the hard drive?
-
Malware packed Xenocode 2009
by Od1no4ka - 2 replies
- 5.9k views
Hi guys. I decided to reverse one malware which I found on my PC. But I have some problems with unpacking this malware, because it is packed with Xenocode (2009). I tried to unpack it like the previous versions of Xenocode (2007 & 2008), but it does not work. If somebody has experience of how to unpack this protection, please help me. Thank you. !!!WARNING!!! !!!Attached ACTIVE MALWARE!!! pass:tuts4you.com malware.7z
-
VM aware malware + Custom protection?
by Fizban - 2 replies
- 7.3k views
Hi everyone! I have received a file from a friend asking me if I could maybe help him analyze this file. Since I'm still new to this, I thought of maybe asking you guys before I endanger my PC. I have tried to first run this sample in a VM, but it seems to detect the VM. Secondly, I have tried running it with Olly, but it uses some kind of VB protection that is WAY out of my league.. Third, since I saw VB (and PEiD also said it's Microsoft Visual Basic 5.0 & 6.0) I tried running it with SmartCheck but ran into a wall of errors saying something about the program using p-code... Anyway, since this file is really out of my league, I thought I would ask the expert…
-
Malwares Archive
by xsp!d3r - 0 replies
- 4.7k views
This is a malware archive that I found on a cyber I've been in, if someone is interested in giving it a try. Password: vrs. Be careful, have fun. Malwares Archive.zip
-
Something Advanced
by hypa - 2 replies
- 4.7k views
I've already taken apart the dropper, but I just want to see if anyone here can unpack what it drops. I won't say anything else; interested in feedback. zip pass = infected GodLike.zip
-
Win32.Polip.a
by Teddy Rogers - 3 replies
- 9.6k views
Win32.Polip.a I have included in the archive: the original untouched executable, infected executable, section dump of the target and some information about it from McAfee (http://vil.nai.com/vil/content/v_139296.htm). http://www.tuts4you.com/download.php?view.2795 Ted.
-
import address resolution through loadlibrary
by abhijit mohanta - 2 replies
- 6k views
Hi, I am quite new to malware analysis. I want to know: do we need to fix imports that are resolved dynamically using LoadLibrary() and GetProcAddress(), as we do in the case of imports resolved through the IAT? If so, how do we do it?
-
Potential Trojan - Seeking assistance
by Ksbunker - 1 reply
- 5.7k views
In an effort to keep my system safe from hidden modules (i.e. modules that have been manually unlinked from PEB->LDR_MODULE), I coded up a little tool that scans the memory of my process and attempts to identify any DLLs that do not resolve using the normal toolhelp API. See below (apologies for the large image). This immediately aroused my suspicions, so I checked out the code section of this phantom module. See attachment. Here's my plea. I'm confident this is some kind of trojan periodically sending off critical information pertaining to my browsing. Suffice to say, this is of gross concern. How can I permanently delete this omnipresent module? Regards, Ksb NB: If …
-
Conficker "eye chart"
by What - 1 reply
- 4.7k views
Original Post: http://www.nsaneforums.com/?showtopic=18612
Eye Chart: http://anonym.to/?http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
-
Reversing worm
by ~karthikeyanck~ - 2 replies
- 22.5k views
Hi All, I'm not sure if these kinds of requests are welcomed. I am trying to reverse a worm and having trouble doing it. I found that the worm is packed using AutoIt. Can somebody please assist me in reversing it? Let me know if you need the source. I understood the behavior of the worm, but I'm trying to dig deeper into the code to understand things better. Thanks for your assistance in advance. Note: I've already tried using an AutoIt decompiler with no luck. It doesn't identify the executable.
-
Can't identify packer
by Fizban - 2 replies
- 7.2k views
Hi everyone, I'm trying to unpack a certain malware file which has some sort of protector on it and I can't seem to manually unpack it. I'm pretty new to the trade and maybe I "overshot" a little here, but is there anyone who can help me? I'd appreciate some pointers on how to solve this. I'm uploading the sample here. Password: malware. Thanks in advance! P.S.: needless to say, this is malware, so use a virtual machine. malware.zip