Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
369 topics in this forum
-
x86 Linux Parasite
by JMC31337- 0 replies
- 4.3k views
//./gcc -m32 -masm=intel -o file file.c //https://www.cs.bgu.ac.il/~caspl152/wiki.files/ps05_152.pdf\ //One-oh-one on Linux Virii written by herm1t (x) VxHeavens.com, June 2010 //Since Ive now written a parasite in both x86 formats (Win & Lin) //Things need to be said about this knowledge and power //When I 1st began writing viruses (or virii for all those correctedness types //I strove to be as a good as 29A - still i fall short of such titles //I owe my mentor herm1t (and other VXRs) a ton of respect //for putting up with my constant annoyances of every line and piece of new code //added - thanks herm1t for not holding my hand (in facf youre tutorial insists upon …
-
X86 PE Parasite
by JMC31337- 1 follower
- 3 replies
- 10.3k views
//./gcc -masm=intel -mwindows -m32 -o file.exe xfile.c //Run the virus under a debugger (the jmp orig EP only works //after first infection is completed - afterwards all files //will infect and run as normal //it will infect 1 exe file per run in current dir //x86 PE Parasite //WARNING! //For educational purposes and virology analysis ONLY! //The author is not responsible for any damage caused //by this code //NOTE: I took some cheap tactics and tricks to get this //to work and its some real convoluted coding //============virt mem array========= //virtallocAPI* [ebp+0x00] (win7) //findfirstfileAPI [ebp+0x0…
-
Obfuscated Malware Sample
by hex4d0r- 1 reply
- 5.5k views
Hi all, RDG says It's DotWall Obfuscator but I think its somehow different or I'm too sh*tty to deobfuscate it. I couldn't deobfuscate fully. Could you help about it and tell me how it is different or what i did wrong? Btw It's a malware sample. Thanks in advance. infected.zip
-
How to make a file with a ReverseEngineering
by nimaarek- 1 reply
- 5.2k views
Using Fuzz, I found a vulnerability that was a problem in the file format structure. But because I'm in the test environment I patch the file responsible for checking CRC32 so I can not use exploit outside the test environment. To fix this, I need to create a file in standard file format But there is no documentation of this file extension The only way I have to do is, of course, I think I'll reverse engineer the program that makes this file and create a new file as an exploit. Is this a logical solution? Do you have a better idea?
-
which Malware is expensive
by malware- 5 replies
- 10.8k views
which malware is expensive ? price like 500M or 1B worth malware source code ? I need suggestion i wanna build a career as malware author for govt parties. I will appreciate your suggestion.
-
Recognizing Junk code?
by malware- 6 replies
- 5.6k views
I am looking for and want to learn reverse engineering and recognizing junk code? and cleaning junk code? (reverse engineering binary to C code) Any example?
-
Resources for analyzing malware
by malware- 1 reply
- 4.5k views
I am looking for websites to read malware analysis paper (white paper) or articles? resources to learn and study malware analysis day to day basis. I will appreciate your suggestion and recommendation.
-
- 6 replies
- 5.3k views
Reverse engineering a keylogger (Email based logger) is it possible to to get the email address and Password which is set to get key logs.
-
Where to start malware analysis
by malware- 0 replies
- 4.1k views
how do i start my career as malware analyst? where should i begin?
-
PLC infection malware
by malware- 5 replies
- 5.7k views
Can anyone help me figure out PLC infection worm work. I am looking for to analyze such malware which infect PLC. How PLC infection mlaware work such as stuxnet. I will appreciate you concern.
-
How much "Stuxnet" malware would costs?
by malware- 0 replies
- 7.9k views
how much "Stuxnet" malware source code would cost ? https://en.wikipedia.org/wiki/Stuxnet Is it worth 1 Billion USD ? how much would it costs sophisticated malware like stuxnet? Thanks
-
svchost rootkit
by jolin wong- 1 reply
- 10.9k views
I have ten svchost.exe process running in the computer, process explorer shows all of them coming from c:\windows\system32 directory, so looks like no malware, but is there any chance that rootkit can do process injection to svchost, any tool can detect it? thanks
-
latest Malware analysis and threat intel
by jolin wong- 1 reply
- 5k views
Dear Expert, I want to know is there any threat intelligence forum which share the latest month malware and threat analysis report (in PDF)? thanks
-
Backup (offline version) of vxheaven website
by malware- 1 reply
- 5.1k views
To check my skill set i am looking for virus source code written using assembly. I know a website name vxheaven which is offline now. Can anybody tell me where can i find exe and com infection tutorial perhaps backup of vxheaven website. Thanks
-
malware database with api access
by jolin wong- 0 replies
- 4.4k views
we want to know any commercial/free malware database besides virustotal which can provide api access, we want to pull from them the malware list into our system on a daily basis, thanks
-
malware download possibility
by jolin wong- 0 replies
- 4.3k views
in my previous company, we use arcsight siem, so malware ticket is generated after siem get log from various resouce, in the log we can see malware name (for example name of *.exe, *.pdf, *.doc file), also malware can be downloaded from siem, my current company facing a problem, the arcsight siem can't sow malware name, also attachment does not have malware executable file. it is very difficult to analyze malware, is there anything need to be configured from siem, so malware name will appear and dowloadable. or we have to set up a ftp folder for user to upload the suspected exe file, then we analyze from there?
-
How to determine md5 algorithm
by malware- 0 replies
- 5.3k views
I am analyzing carberp malware. there is a md5 hash algorithm in that malware. how do i locate and dissemble the algorithm? not only md5 other encryption like aes to name a few.
-
Help me understand the source code?
by malware- 3 replies
- 5.7k views
can you explain the following code of a known malware ? Thanks
-
unknown malware detection
by alialiali- 2 replies
- 6.8k views
hi Does anyone have a list of sequences or number of repetitive malicious api functions for identifying unknown malware? For example, a list of the api functions sequence used in virus worms and .etc If not how can it be reached ?
-
Any IDA Pro Tutorials ?
by megam- 2 replies
- 5.9k views
Hello , i am new in Reverse Engineering and i want to learn how to patch files like cracking hardware id's or vmware check inside .dll files can someone help me with tutorials on where can i learn IDA Pro i cannot find any tutorial online . Also why my IDA Pro Debugger is missing in toolbar (if someone knows) . Thanks :)
-
Malware VMProtect
by ONDragon- 5 replies
- 15.7k views
When I reverse the MALWARE , I realise it was PROTECTED by VM , so I try to run it so that catch its behavior .BUT there are some anti'VMware (I try to run it both in VMWare and VirtualBox) ways. The Questions: If I encounter the MALWARE , what shound I do? PS: How to Unpack the VM and how to hide the VMWare of both VMWare and VirtualBox!!! Please help ME . THANKS!!!
-
bypassing anti-vm inside protected samples
by zixkhalid- 0 replies
- 5k views
this is a good starting point as you know: Sandboxes and virtual environments are full of artefacts that betray their analysis environment. Malware can protect itself against these by running some checks to detect such environments before performing any malicious actions. i'm looking for bypass that use by malware analyst to overcome this anti-vm stuff?
-
Unknown RAT/Keylogger
by Asentrix- 7 replies
- 7.3k views
Unsure of the protection, just want it reversed I checked it in Hxd and it looks like a 3 is just added to every byte I also ran it in a debugger and themida popped up. Checked on virustotal and it says packed with: BobSoft Mini Delphi -> BoB / BobSoft Included are 3 files. 1. The original, which isn't an exe file 2. Renamed exe but not fixed 3. Fixed exe with digital signature Thats as far as we got! DEOB.zip
-
VMProtect malware
by NeoNCoding- 2 replies
- 5.5k views
Hello, can somebody tell me what this Malware(Application) contains and what it does ? BE CAREFUL! I don't know what it does.. Test it only on VM ! svchos2t.exe
-
Setting hook without calling SetWindowsHookEx
by Aldhard Oswine- 2 replies
- 12.2k views
Is this possible to set hook without calling SetWindowsHookEx?
