Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
372 topics in this forum
-
WinRAR Vulnerability https://blog.malwarebytes.org/security-threat/2015/09/latest-winrar-vulnerability-has-yet-to-be-patched/ Ted.
-
Looks like I was infected by some virus, no idea where I got it. It's .NET. You have to run it like this in order to run it: adobe_flash_player.exe /00000017. Can anyone decompile this and find out what it's doing? It looks like a custom obfuscator was used. De4Dot is cleaning it up, but strings and other data are still encrypted. Thanks! adobe_flash_player.rar
-
Table of contents: All I can say is that I really enjoyed the book. Get your own copy from hxxp://ifreebooks.com/book/6295/ or your favorite torrent tracker.
-
Tutorials About Viruses. Download link: http://www82.zippyshare.com/v/GFWYz9g2/file.html Tutorials list: (176 tutorials) 64-bit rugrats.pdf A Survey of Cryptologic Issues in Computer Virology.pdf Advanced Code Evolution Techniques and Computer Virus Generator Kits.pdf Advanced Metamorphic Techniques in Computer Viruses.pdf Advanced Polymorphic Techniques.pdf AGIS- Towards Automatic Generation of …
-
Reverse malware PDFs, Link: http://repo.hackerzvoice.net/depot_madchat/vxdevl/reverse/
-
VX Reversing I, the basics & VX Reversing II, Sasser.B: Tutorials about viruses. VX_Reversing_I&II.zip
-
Malware Forensics - Investigating and Analyzing Malicious Code. Download link: http://www97.zippyshare.com/v/JZbv2iGo/file.html
-
Identifying Malicious Code Through Reverse Engineering Author: Sushil Jajodia Identifying Malicious Code Through Reverse Engineering.zip
-
.Net Malware Analyses
Malicious download link: http://downloadcsoftware.blogspot.ro/2014/09/download-reaver-pro-wifi-hack-full-crack.html
http://pasted.co/21439e76
Do not execute the malware!

private static void Main()
{
    Running = Assembly.Load(Dew("Bctlx.pryor.resources")); // the Dew method returns the bytes of the assembly to be loaded
    Swagger("Scribe", new object[] { Dew("Myft.pryor.resources"), false, "winini.exe", true, 0 });
    while (Threads.Count > 0)
    {
        Threads.Dequeue().Join();
    }
}

On the Swagger method:

private static void Swagger(string name, params object[] values)
{
    Thread item = new Thread(delegate
    {
        Type type = Running.GetType("Ax");…
-
Hi. I'm about to try a proof of concept of the process replacement technique. I have some questions though. First of all, when I create a process as suspended, where is it actually halted? The sections are mapped, right, but are imports resolved? (And what comes with that: do I have all the useless imported DLLs from the old process loaded or not?) The next question is pretty similar. If I create a process from system32, like svchost or lsass, and then replace it with anything from another folder, will the imports be properly resolved? Because from what I see, if the replacement exe has some custom DLL next to it, then the loader will look for it inside system32 instead of in the replacement process directory, …
-
What is the best way to do a heuristic malware scan? What should a good AV check?
-
http://www.theregister.co.uk/2015/08/06/emissary_panda_apt_group_dell/
-
Hello! I recently started doing some malware reversing, and the second application I met is an app called ohhai.exe. All the packer identifiers I have run say that it is Visual Basic, so I tried to open it with a program that views P-Code. Looking through the code I found a function called RunPe; I found out this is a common way to hide viruses within VB code. The problem is that there does not seem to be much information on how to unpack these. I found two: http://www.opensc.ws/tutorials-articles/11144-tutorial-unpacking-runpe.html and http://interestingmalware.blogspot.com/2010/07/unpacking-vbinjectvbcryptrunpe.html, which both have easy steps, but I don't seem to be able t…
-
Hello my friends. Here is my new version of our malware detector; you can make your own signatures in only 2 clicks! + Fast scan engine + Includes heuristic detection. Signature Generator, Scanner Engine. Download: http://rdgsoft.net/Malware.Detector.php Thanks
-
https://github.com/RPISEC/MBE @moderators: I couldn't find a better section for posting this. If you feel like it belongs to some other place, please feel free to move.
-
Do Antivirus Companies Whitelist NSA Malware? http://www.informationweek.com/security/vulnerabilities-and-threats/do-antivirus-companies-whitelist-nsa-malware/d/d-id/1112911 Ted.
-
Hi. When I unpack software protected by VMProtect, I reach the OEP and dump it. I added two sections to pass the anti-dump, but I did not fix the IAT. Unfortunately, Unpack.exe did not work, so I debugged Unpack.exe in OllyDbg. OK, I found the reason for the problem: DWORD SizeofResource(HMODULE hModule, HRSRC hResInfo). hModule and hResInfo are valid, but the function returns 0. I don't know how to handle it.
-
CVE-2015-1701 Win32k Elevation of Privilege Vulnerability, POC from kernelmode.info http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3847 https://github.com/hfiref0x/CVE-2015-1701
-
Hi all, I am new to exploit development. When I was going to practice stack-based buffer overflows by following the tutorial from https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ I was trying to change the shellcode from popping up calc.exe to others, and I succeeded.
shellcode 1: http://www.exploit-db.com/exploits/28996/ [my best option]
shellcode 2: http://www.exploit-db.com/exploits/33836/
Then I wrote a very simple string program:

#include <stdio.h>
#include <conio.h>
int main()
{
    char str[10];
    printf("Enter you name:");
    scanf("%s", str);
    printf("Hello %s..", str);
    getch();
    return 0;
}

By the…
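Added example, not code from the post above or from the Corelan tutorial it follows: the post's greeting program (the unbounded scanf("%s") into a 10-byte stack buffer) next to a bounded version that cannot leave the buffer and reports when a name was cut short. Input is taken from a string with sscanf instead of stdin so it runs without a terminal; the function names and the sample inputs are mine.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 10          /* same size as the post's char str[10] */

/* The post's pattern. "%s" has no width, so anything longer than 9 bytes
 * runs off the end of str into whatever the compiler placed above it
 * (saved frame pointer and return address on x86): this is the overflow
 * the Corelan tutorial exploits. Kept for contrast; never call it with
 * untrusted input. */
void greet_unsafe(const char *input)
{
    char str[NAME_LEN];
    sscanf(input, "%s", str);          /* unbounded write into str */
    printf("Hello %s..\n", str);
}

/* Bounded version: the field width keeps sscanf inside the buffer.
 * Returns the number of characters stored, or -1 if no token was read.
 * *truncated is set when the name was longer than the buffer, so the
 * caller can reject it instead of silently using a shortened name. */
int greet_safe(const char *input, char *out, size_t outlen, int *truncated)
{
    char fmt[16];
    size_t n, lead;

    if (outlen < 2)
        return -1;
    /* Build "%9s" from the buffer size so format and buffer cannot drift apart. */
    snprintf(fmt, sizeof fmt, "%%%zus", outlen - 1);
    out[0] = '\0';
    if (sscanf(input, fmt, out) != 1)
        return -1;
    n = strlen(out);
    /* sscanf skips leading whitespace; if the byte right after the stored
     * token is neither NUL nor whitespace, the token was longer than the buffer. */
    lead = strspn(input, " \t\r\n");
    *truncated = input[lead + n] != '\0' && !strchr(" \t\r\n", input[lead + n]);
    printf("Hello %s..\n", out);
    return (int)n;
}

int main(void)
{
    char name[NAME_LEN];
    int trunc = 0;

    /* Constructed inputs: a short name, then one long enough to overflow str[10]. */
    greet_safe("Alice", name, sizeof name, &trunc);
    printf("truncated=%d\n", trunc);
    greet_safe("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", name, sizeof name, &trunc);
    printf("truncated=%d\n", trunc);   /* the 32-byte name was cut to 9 */
    return 0;
}
```

The second call is exactly the input that crashes the post's program: with "%s" it overwrites the saved return address, with "%9s" it is cut at 9 bytes and the caller is told so.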
-
.NET malware: De-obfuscation, decryption and debugging - tips and tricks: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/NET-malware-De-obfuscation-decryption-and-debugging-tips-and/ba-p/6463402#.VRMpDeHUcWE
-
Control Flow Obfuscations in Malwares Link: http://www.exploit-db.com/docs/30710.pdf
-
Hello guys! I found a very interesting encryption code. It's using encrypted resources, decrypting them with a special byte key, and executing them. Here is the source of the crypted file:

//KEY
private static byte[] TSVCuLWZ = new byte[] { 0xb7, 0x61, 0xd7, 0x3d, 0x66, 0x5e, 0xa6, 0xe8, 40, 0x87, 0x19, 0x49, 0xce, 0x54, 0x68, 0x4c, 0xad, 0xa6, 0x2a, 0xf2, 160, 15, 210, 0xc6 };
//Just a method to decrypt string (for more security)
private static string FUJHE(string LSMFpfp, byte[] sQoPbDpAtuDXdRTcmnW)
{
    string[] strArray = LSMFpfp.Split(new char[] { '#' });
    byte[] buffer = new byte[strArray.Length];
    for (int i = 0; i < strArray.Length; i++)
    {
        buffer[i] = byte.Parse…
-
Hi, I found a very useful library belonging to Malicious Software Research. I apologize in advance if this post is against the forum rules. http://www.vxheaven.org/lib/pdf
-
Hey, I was playing with a simple UPX .exe. I found the OEP and I want to dump it using OllyDump, but its auto-detection fails and gives me errors: I suppose I'm just trying to dump the wrong address, but I don't really understand the options: Most tuts will just happily tell you to click OK without explaining anything, so that doesn't help me. I know the OEP address, but what should I put in the start address box? The first address Olly shows to me? What about the size and the Bases (code/data)? I'd be grateful if someone could explain it in detail.
-
I have a malware sample and it's unclear to me whether it is packed or not. A program like PEiD shows that the code was written in C++, but in addition the sandbox shows that it's packed with Armadillo, and in the strings of the malware there is ASPack. So how can I recognize whether the malware is packed or not? Note: the epilog of the file is push ebp / mov ebp, esp / push -1, but it hasn't got the GetVersion phrase. I think it is a fake epilog.
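Added example, not code from any of the posts above, serving three questions on this page: what to type into OllyDump's Start Address, Size and Entry Point boxes, how to tell from the file itself whether a sample is packed, and what cheap checks a heuristic scanner can run. It parses PE headers with only the standard library and builds its own two-section sample images, so no real binary is read. The packer section-name list, the 7.0 entropy threshold and the "entry point outside the first section" rule are my heuristics, not a standard.

```python
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
# Section names planted by common packers (UPX, ASPack, NsPack, VMProtect, Themida,
# Petite, MPRESS). A hit is a hint, not proof: a name is trivially renamed.
KNOWN_PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".nsp0",
                         b".nsp1", b".nsp2", b".vmp0", b".vmp1", b".vmp2", b".themida",
                         b".petite", b".MPRESS1", b".MPRESS2"}

def shannon_entropy(data):
    """Bits per byte, 0..8. Compressed or encrypted code sits near 7-8, plain x86 near 5-6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def parse_pe(blob):
    """Minimal PE32/PE32+ parser: the optional-header fields a dumper needs plus the
    section table (field offsets are those of IMAGE_OPTIONAL_HEADER)."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", blob, 0x3C)[0]                     # e_lfanew
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24                                                    # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x10B:                                               # PE32
        image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    elif magic == 0x20B:                                             # PE32+
        image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0"), "vsize": f[1], "va": f[2],
                         "raw_size": f[3], "raw_ptr": f[4], "flags": f[9]})
    return {"image_base": image_base, "sections": sections,
            "entry_rva": struct.unpack_from("<I", blob, opt + 16)[0],
            "size_of_image": struct.unpack_from("<I", blob, opt + 56)[0]}

def ollydump_params(pe, oep_va=None):
    """OllyDump's fields: Start Address = module base, Size = SizeOfImage (the mapped
    span, not the file size), Entry Point = an RVA, i.e. the OEP you stopped on minus
    the base. Without an OEP it falls back to the header's AddressOfEntryPoint."""
    base = pe["image_base"]
    oep_rva = pe["entry_rva"] if oep_va is None else oep_va - base
    return {"start_address": base, "size": pe["size_of_image"], "entry_point_rva": oep_rva}

def packer_indicators(pe, blob, entropy_threshold=7.0):
    """Cheap heuristics usable before any unpacking; each alone is weak, several
    together are a strong 'packed' signal."""
    hits, ep = [], pe["entry_rva"]
    for i, s in enumerate(pe["sections"]):
        name = s["name"].decode("ascii", "replace")
        exe = bool(s["flags"] & IMAGE_SCN_MEM_EXECUTE)
        ent = shannon_entropy(blob[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]])
        if s["name"] in KNOWN_PACKER_SECTIONS:
            hits.append("known packer section name: %s" % name)
        if exe and s["raw_size"] and ent >= entropy_threshold:
            hits.append("executable section %s has entropy %.2f" % (name, ent))
        if exe and s["raw_size"] == 0 and s["vsize"]:
            hits.append("executable section %s has no raw data (unpack target)" % name)
        if i and s["va"] <= ep < s["va"] + s["vsize"]:
            hits.append("entry point 0x%x lies in %s, not the first section" % (ep, name))
    return hits

def build_sample_pe(packed):
    """Constructed two-section PE32 image, not a real program. packed=True mimics a UPX
    layout: an empty UPX0 the stub unpacks into and a high-entropy UPX1 holding the
    entry point; packed=False is a plain .text/.bss layout with a low-entropy .text."""
    if packed:
        rng = random.Random(7)                                       # deterministic "compressed" bytes
        body = bytes(rng.getrandbits(8) for _ in range(0x1000))
        secs = [(b"UPX0", 0x10000, 0x1000, 0, 0, 0xE0000080),        # vsize, va, raw, ptr, flags
                (b"UPX1", 0x1000, 0x11000, 0x1000, 0x400, 0xE0000040)]
        entry_rva = 0x11000
    else:
        body = b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 0x200           # prolog-like, low entropy
        secs = [(b".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020),
                (b".bss", 0x10000, 0x2000, 0, 0, 0xC0000080)]
        entry_rva = 0x1000
    opt = bytearray(224)                                             # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)       # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x12000, 0x400)                 # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x80) + bytes(0x80 - 64)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102) + opt
    for name, vsize, va, raw, ptr, flags in secs:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, ptr, 0, 0, 0, 0, flags)
    return hdr.ljust(0x400, b"\0") + body
```

To try it, run `blob = build_sample_pe(True); pe = parse_pe(blob)` and then `ollydump_params(pe, oep_va=0x401000)` (a hypothetical OEP inside UPX0, where a UPX stub unpacks to) and `packer_indicators(pe, blob)`. On a real sample replace the constructed blob with `open(path, "rb").read()`: the Start Address and Size you get are the same module base and SizeOfImage OllyDbg shows in its Memory window, which is why OllyDump's "first address Olly shows" is the right start and the module's mapped size, not the file size, is the right size. The clean layout produces no indicators; the packed one produces five, and a sample like the one in the last post, where one tool says C++ and another says ASPack, is exactly the case where looking at the section names and entropy yourself settles it faster than trusting a signature database.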