Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
369 topics in this forum
-
{MProtect - Share knowledge
by only me- 2 replies
- 14.4k views
Hi All , most of malware analyst gets a pain from VMProtect packing as I hear:), I am new to this area and I was starting my search about this packing. Could you please share your method to dial with this packing.
-
- 0 replies
- 6.3k views
I thought all you reverse engineers out there might enjoy this since it talks about the calls use in late malware https://blogs.technet.microsoft.com/mmpc/2017/03/08/uncovering-cross-process-injection-with-windows-defender-atp/
-
third-party library in IDA pro
by Aldhard Oswine- 0 replies
- 7k views
What ways are to analyze unnamed third-party library functions in IDA Pro, such as OpenSSL, Boost, etc.
-
Reversing the petya ransomware with constraint solvers
by Extreme Coders- 5 replies
- 8.1k views
Ransomware is very common these days. Once it installs on a user machine it begins encrypting files. When the user comes to know about the ransomware attack it is already too late. Unless the user has a backup, he/she must must pay the ransom to recover the files. Luckily there has been cases where due to a faulty implementation of cryptography breaking such malware becomes feasible. The recently discovered petya ransomware is an example. This blog post is a short walk through on breaking the petya ransomware with a constraint solvers. Hope you like it & find useful. http://0xec.blogspot.com/2016/04/reversing-petya-ransomware-with.html
-
Set Virtualbox port fowarding 2 adpaters
by opc0d3- 0 replies
- 4.6k views
Hello! I'm trying to make a lab to analyze malware grant to it internet connection, but with certain rules. I was thinking to make 2 vms, windows lab to do analysis and the middle server linux remnux. I thought to isolate my windows from host network creating a internal network between remnux and windows. On remnux i would port fowarding (when i grant it) from internal network adpater to nat adapter, so the windows couldn't see my host. My goal it's to avoid infected machine contacting my host, and on remnux i would set up iptables to block any request but http from windows directly to remote, blocking any lan interaction. Can anyone help me think in way to…
-
WannaCrypt, WannaCry, WanaCrypt0r, WCrypt...
by Teddy Rogers- 18 replies
- 11.7k views
If your not sick and tired of hearing/reading about it yet and you are still interested in studying WannaCrypt you can find information and samples from the following links... https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168 Samples https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168#malware-samples Ted.
-
Process Hollowing in Windows 10
by Aldhard Oswine- 1 reply
- 6.7k views
I'm trying to implement process hollowing in Win10 for x64 processes. Which is almost same as in this code: https://github.com/m0n0ph1/Process-Hollowing/blob/master/sourcecode/ProcessHollowing/ProcessHollowing.cpp, but for x64. and for an entry point, I'm using "Rcx" register. It works for apps if target and victim process is same, otherwise, it causes the error: "the application was unable to start correctly 0xc00000142". It also works apps, which are created by me for the test. What are possible mistakes in my implementation?
-
DLL injection on Windows 10
by Aldhard Oswine- 2 replies
- 6.7k views
I'm trying to implement dll injection technique from PMA book. It works for third-party applications, such as notepad++.exe, chrome.exe, FoxitReader.exe, etc. But don't work for windows applications, such as notepad.exe, explorer.exe, etc. With third-party app "CreateRemoteThread" returns threadId, with windows app returns 0. Can you help me to understand what happens?
-
Passionate Beginner with some questions
by FormosaTBM- 0 replies
- 5.3k views
Hey guys, I know there's probably a post like this everyday asking how to become a Virus/Malware, ReverseEngineer Analyst, so if nobody replies I wont be too offended. I have done some researches on redit, and If anyone have the time to read through this and can help steer me in the right direction or perhaps let me know of something I may have missed while researching, please let me know! My Background: Not really a Programmer, but have learned a ltitle bit of Java back in the days in college. Have studied a little bit of Python through the book Automate the Boring Stuff (first half of the book) Have attempted to study some C++ a whi…
-
Analyze rootkit malware
by Aldhard Oswine- 1 reply
- 6.1k views
When I read PMA, Kernel debugging and rootkit analysis were most difficult topics/Labs for me, now I want to return those topics and fill holes in my knowledge. Do you know good books/posts/papers/videos about rootkit analysis?
-
COM malware
by Aldhard Oswine- 5 replies
- 11.6k views
I found that using COM is a powerful technique from a malware perspective. Are there any good paper/post about COM usage in details?
-
How do you transfer FROM Lab?
by null_endian- 1 reply
- 5.2k views
I keep finding myself in this situation where I analyze malware on my lab computer... But Now I need to get the analysis work uploaded or onto a "safe" computer... But for example, I never want to login to any accounts on my lab computer once I've ran samples, and I also don't want to open up any link to my main box.... So how do you guys get files or other work from the lab computer onto safe computers or online?
-
IDA Questions
by null_endian- 3 replies
- 8.6k views
I have 2 questions: 1. Is anybody familiar with a way to zoom in and out in IDA Pro Graph View without a scroll wheel? I use a special mouse which does not have one. The only ways I've found is hit "w" to zoom WAY OUT and 1 to zoom WAY IN. However, I lost the gradual zoom capability with this mouse :(. 2. What are some ways to handle locating the below function calls in code? When I xref these API calls, I'm brought to a series of jmps and the API calls themselves never actually appear in the code. Interestingly, I also cannot find references to the memory addresses of the jmps themselves in code either, so the code must use some offsets to access these jumps. Effec…
-
Course about reversing malware
by Aldhard Oswine- 11 replies
- 8.5k views
I found Dr.Fu RE malware helpful but little bit out-of-date, do you have any better options?
-
Debug VBA
by Aldhard Oswine- 3 replies
- 10.6k views
I've VBA script extracted from a .doc document, it's obfuscated, how can I debug this script?
-
- 2 replies
- 11.3k views
I found a malware sample (1) that is packed using Safengine Shielden v2.3.9.0, I'm not able to debug it because it is detecting that it is under debugging, after that I tried ScyllaHide plugin for Olly2 but it is still detected. The packer reads the files: KernelBase.dll, kernel32.dll, user32.dll, msvcrt.dll, ... and puts them in a random Memory locations, replaces some addresses, so it will be able to use its own copy of those DLL files instead of the original ones, and make debugging more harder (no symbols will be availabe to identify system functions). Dynamically running the file, I'm able to identify that the file drops a .bat in a randomly created folder …
-
Deobfuscating JavaScript shellcode
by justcrypto- 2 replies
- 5.9k views
Hello Folks, I don't do reversing for a living so the questions may be noobish. Trying to convert the shellcode in the attached html file to an executable. Its unicode, so I converted to HEX and then used the shellcode2exe.py tool to convert it to executable. When I run the shellcode in a debugger it terminates. Although strings shows it has LoadLibrary(). I see that there are two eval functions calling two different shellcodes. Are these two shellcodes interconnected. Do I need to combine them to analyze. Any other pointers to run it successfully in a debugger. Any help would be great!! Sign-in.zip
-
Lab Question
by null_endian- 4 replies
- 12k views
Hello, So I am new to this and reading several books, including Practical Malware Analysis. I only have 2 usable computers: 1 is my main machine which is a brand new i7 with 16 GB of RAM expandable to 32GB and a GPU with Win 10, the other is my old Core 2 Duo T6600 machine with 4GB of RAM from 2009 that I have Linux on. My initial thought for creating a malware analysis lab was to use the Linux box with a virtual machine running Windows... However, last night I quickly discovered that was not going to happen because the computer is frankly too old to run a VM smoothly, especially since the processor doesn't have virtualization. So that means I gotta do it on m…
-
Malware Analysis vs. Reversing
by null_endian- 1 reply
- 8.6k views
Hello, I'm new to the field so wanted to ask this. How closely related are malware analysis and reversing from a professional standpoint? What I mean by this is, I assume the goals of reverse engineering a system are to fully document that system... So go module-by-module through it, figure out what it ALL does, figure out which compiler was used, which version of which language, etc... Whereas malware analysis, I'm not sure to which "extent" is commonly used. For example, as a malware analyst at an antivirus firm, do they do the entire reverse engineering process with each sample or is the goal here to just observe and document all of its BEHAVIORs and then get far…
-
Where to download this Malware sample ?
by Cyberwarfare- 3 replies
- 8.7k views
where can I download GameOver Zeus Malware sample for research purpose? Any Help appreciated !
-
malware with a weird packer
by Hacktreides- 3 replies
- 8.2k views
Hello, I find this malware in the wild, anyone know his family, and his packer type? There is a lot of junk code and a lot of selfextraded code, if someone have a quick way to unpack it. https://www.virustotal.com/en/file/86e6be6c7e474b2115aef450724ee1a6464b43888d45bdf48d0a404c7dd03b88/analysis/ Thank iphone_video.exe
-
- 1 reply
- 8.9k views
I would like to have some statistics about What percentage of malware use custom packer/cryptor to protect itself? I have been googling for a while but could only find technical study of some custom packers. Any help?
-
Collection of Anti-Malware Analysis Tricks.
by Noteworthy- 4 replies
- 15.3k views
Hi SnD, This is a small tool I wrote while reversing some malwares. It performs a bunch of nowadays malwares tricks and the goal is to see if you stay under the radar. That could be useful if: You are making an anti-debug plugin and you want to check its effectiveness. You want to ensure that your sandbox solution is hidden enough.. You want to write behavior rules to detect any attempt to use these tricks. Please, if you encounter any of the anti-analysis tricks which you have seen in a malware, don't hesitate to contribute. List of features supported: Anti-debugging attacks IsDebuggerPresent CheckRemoteDebuggerPresent …
-
- 10 replies
- 20.2k views
Hello, i've a question. Ive a DLL (yes, i know the source) which is confused using ConfuserEx 0.5 with .NET Framework 4.52. Now i've tried to to open the DLL using several disassembler but no result. I found several tutorials how to unconfuse the DLL in this forum but all of them are not successfully in this case. Ive tried ConfuserExFixer, MethodsDecrypter, ... and so on. could anyone tell me HOW it's possible and a decrypted result? Attached is the DLL. Its nothing special. Thanks. CGBfunctions.zip
-
- 1 reply
- 9.5k views
Hi guys, I'm learning about malware and I remember stumbling upon this cool forum some time ago. I recently downloaded a pdf of a book, because I wanted to look up some pages in the book since it was used as a source in an article I was reading. It's a pretty obscure book and since I couldn't find a legitimate source for it, I thought what the hell why not try one of the risky fake-looking torrent links. To my surprise the torrent downloaded immediately and I got a .rar file. Normally with these things the rar file is either encrypted with a password or the pdf itself is fake and only contains instructions on how to complete a CPA offer to get access to the most…
