Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
364 topics in this forum
-
.Net Malware Analyses
by CodeExplorer - 0 replies
- 7.2k views
.Net Malware Analyses Malicious download link: http://downloadcsoftware.blogspot.ro/2014/09/download-reaver-pro-wifi-hack-full-crack.html http://pasted.co/21439e76 Do not execute the malware!
    private static void Main() {
        Running = Assembly.Load(Dew("Bctlx.pryor.resources")); // the Dew method returns the bytes of the assembly to be loaded
        Swagger("Scribe", new object[] { Dew("Myft.pryor.resources"), false, "winini.exe", true, 0 });
        while (Threads.Count > 0) { Threads.Dequeue().Join(); }
    }
On the Swagger method:
    private static void Swagger(string name, params object[] values) {
        Thread item = new Thread(delegate {
            Type type = Running.GetType("Ax");
            …
-
Process replacement question
by Pancake - 1 reply
- 5.6k views
Hi. I'm about to try a proof-of-concept process replacement technique. I have some questions though. First of all, when I create a process as suspended, where is it actually halted? The sections are mapped, right, but are imports resolved? (And with that, do I have all the useless import DLLs from the old process loaded or not?) The next question is pretty similar. If I create a process from system32, like svchost or lsass, and then I replace it with anything from another folder, will the imports be properly resolved? Because from what I see, if the replacement exe has some custom DLL near it, then the loader will look for it inside system32 instead of the replacement process directory, …
-
- 6 replies
- 6.3k views
What is the best way for heuristic malware scan, what good AV should check?
-
- 0 replies
- 4.8k views
http://www.theregister.co.uk/2015/08/06/emissary_panda_apt_group_dell/
-
Unpacking RunPe Malware
by Phasip - 11 replies
- 14.1k views
Hello! I recently started doing some malware reversing and the second application I met is an app called ohhai.exe. As all the packer identifiers I have run say that it is Visual Basic, I tried to open it with a program that views P-Code. Looking through the code I found a function called RunPe; I found out this is a common way to hide viruses within VB code. The problem is that there does not seem to be much information on how to unpack these. I found two: http://www.opensc.ws/tutorials-articles/11144-tutorial-unpacking-runpe.html http://interestingmalware.blogspot.com/2010/07/unpacking-vbinjectvbcryptrunpe.html which both have easy steps but I don't seem to be able t…
-
RDG Malware Detector rev6 2015 (Beta)
by RDGMax - 1 follower
- 5 replies
- 8.5k views
Hello my friends. Here is my new version of our malware detector; you can make your own signatures! Only 2 clicks. +Fast scan engine +Includes heuristic detection. Signature Generator, Scanner Engine. Download: http://rdgsoft.net/Malware.Detector.php Thanks
-
- 3 replies
- 7k views
https://github.com/RPISEC/MBE @moderators: I couldn't find a better section for posting this. If you feel like it belongs to some other place, please feel free to move.
-
Do Antivirus Companies Whitelist NSA Malware?
by Teddy Rogers - 4 replies
- 6.6k views
Do Antivirus Companies Whitelist NSA Malware? http://www.informationweek.com/security/vulnerabilities-and-threats/do-antivirus-companies-whitelist-nsa-malware/d/d-id/1112911 Ted.
-
- 0 replies
- 6.4k views
Hi, when I unpack a software protected by VMProtect, I reach the OEP and dump it. I add two sections to pass the anti-dump, but I did not fix the IAT. Unfortunately, Unpack.exe did not work, so I debugged Unpack.exe in OllyDbg. OK, I found the reason for the problem: DWORD SizeofResource(HMODULE hModule, HRSRC hResInfo). hModule and hResInfo are valid, but the function returns 0. I don't know how to handle it.
-
CVE-2015-1701
by Insid3Code - 0 replies
- 14.4k views
CVE-2015-1701 Win32k Elevation of Privilege Vulnerability, POC from kernelmode.info http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3847 https://github.com/hfiref0x/CVE-2015-1701
-
Shellcode Misbehaved
by prasenjit - 1 reply
- 5.3k views
Hi all, I am new to exploit development. When I was going to practice stack-based buffer overflows by following the tutorial from: https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ I was trying to change the shellcode from popping up calc.exe to others, and I succeeded. shellcode 1: http://www.exploit-db.com/exploits/28996/ [my best option] shellcode 2: http://www.exploit-db.com/exploits/33836/ Then I wrote a very simple string program:
    #include <stdio.h>
    #include <conio.h>
    int main() {
        char str[10];                 // fixed-size stack buffer; scanf("%s") does not bound the input
        printf("Enter your name:");
        scanf("%s", str);
        printf("Hello %s..", str);
        getch();
        return 0;
    }
By the…
-
- 0 replies
- 6.8k views
.NET malware: De-obfuscation, decryption and debugging - tips and tricks: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/NET-malware-De-obfuscation-decryption-and-debugging-tips-and/ba-p/6463402#.VRMpDeHUcWE
-
Control Flow Obfuscations in Malwares
by CodeExplorer - 0 replies
- 4.9k views
Control Flow Obfuscations in Malwares Link: http://www.exploit-db.com/docs/30710.pdf
-
Multilayer-resource encryption in C#
by Meteor2142 - 0 replies
- 5.4k views
Hello guys! I found a very interesting encryption code. It's using encrypted resources, decrypting them with a special byte key, and executing them. Here is the source of the crypted file:
    // KEY
    private static byte[] TSVCuLWZ = new byte[] { 0xb7, 0x61, 0xd7, 0x3d, 0x66, 0x5e, 0xa6, 0xe8, 40, 0x87, 0x19, 0x49, 0xce, 0x54, 0x68, 0x4c, 0xad, 0xa6, 0x2a, 0xf2, 160, 15, 210, 0xc6 };
    // Just a method to decrypt a string (for more security)
    private static string FUJHE(string LSMFpfp, byte[] sQoPbDpAtuDXdRTcmnW) {
        string[] strArray = LSMFpfp.Split(new char[] { '#' });
        byte[] buffer = new byte[strArray.Length];
        for (int i = 0; i < strArray.Length; i++) {
            buffer[i] = byte.Parse…
-
A Good Ebooks & Documents
by Amer - 2 replies
- 6.4k views
Hi, I found a very useful library belonging to Malicious Software Research. I apologize in advance if this post is illegal under the forum rules. http://www.vxheaven.org/lib/pdf
-
Need help with dumping an exe with OllyDump
by szczurcio - 4 replies
- 6.2k views
Hey, I was playing with a simple UPX .exe. I found the OEP and I want to dump it using OllyDump, but its auto-detection fails and gives me errors: I suppose I'm just trying to dump the wrong address, but I don't really understand the options: Most tuts will just happily tell you to click OK without explaining anything, so that doesn't help me. I know the OEP address, but what should I put in the start address box? The first address Olly shows to me? What about the size and the Bases (code/data)? I'd be grateful if someone could explain it in detail.
-
How can I be sure whether the exe file is packed or not?
by rever_ser - 7 replies
- 7.6k views
I have a malware sample and it is unclear to me whether it is packed or not. A program like PEiD shows that the code was written with C++, but in addition the sandbox shows that it's packed with Armadillo, and in the strings of the malware there is ASPack. So how can I recognize whether the malware is packed or not? Note: the epilog of the file is push ebp - mov ebp, esp - push -1, but it hasn't got a GetVersion phrase. I think that it is a fake epilog.
-
malware unpacking
by rever_ser - 3 replies
- 6.6k views
Hi guys, is anyone here a malware unpacker who can reply to me? As you know, malware unpacking != legal commercial software unpacking. So does anyone have experience with malware unpacking who can introduce me to a tutorial about this? Are the unpackme exercises on this site suitable for increasing malware unpacking skill or not? Regards!!!
-
- 8 replies
- 6.7k views
Hi! I have a PECompact protected target from 2010. I have successfully unpacked the exe but it seems that some code is virtualized. I successfully identified the main VM handler routine, the VM image base, the number of VM handlers, the address of the handlers, but I can not identify which code virtualizer is used. The big mystery for me is that the VM is located inside the main code section and not in a different section. I tried to devirtualize it with VMSweeper and Oreans Unvirtualizer but without success. (It seems that neither VMSweeper nor Oreans CodeVirtualizer is used.) I tried several packer detectors (die, exeinfo pe, peid, protection id), but none of tha…
-
Identifying Malicious Code Through Reverse Engineering
by CodeExplorer - 1 reply
- 6k views
Identifying Malicious Code Through Reverse Engineering Link: http://download.adamas.ai/dlbase/ebooks/VX_related/Identifying%20Malicious%20Code%20Through%20Reverse%20Engineering.pdf
-
Why We Need Import Reconstruction After Dump?
by rever_ser - 1 reply
- 5.4k views
Hi everyone! As you know, after dumping a process we must rebuild the import table to execute the dumped file, but why? Other questions related to this: does the address of system DLLs (e.g. kernel32.dll) change after each execution of the program or after each system reboot? (If the answer is "yes", does the loader reconstruct the import table after each execution?) Are system DLLs loaded in the process address range, or do they have a unique address that all processes use to access the DLL? I know there are a lot of reasons for import reconstruction after a dump, but I want to know about the mentioned reason in detail. Thanks in advance!!!
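The import-table question above, and the earlier process-replacement question about whether imports are resolved in a suspended process, both come down to what the Windows loader does with the IAT: on disk each IAT slot holds an RVA to a hint/name entry (or an ordinal), and at load time ntdll walks OriginalFirstThunk (falling back to FirstThunk when it is zero) and overwrites the IAT slots with absolute virtual addresses. Those addresses are only meaningful in the process they came from (system DLL bases are randomized per boot by ASLR on Vista and later), which is why a dump whose descriptor no longer has an intact name table, or whose import directory the packer never populated, cannot be loaded without a rebuilt import table. The script below is an added example, not code from the thread or from any poster: it hand-builds a minimal PE32 image laid out like a memory dump (raw offsets equal RVAs), then audits each IAT slot and reports whether the loader could still snap it. The DLL name, function names and every address in the image are constructed for the example.

```python
"""Audit the IAT of a PE32 image to see whether Windows could load it as-is.
Added example, not code from the thread; the image is hand-built below with
raw offsets equal to RVAs (a memory-dump layout) and every address is made up."""
import struct

IMAGE_BASE = 0x400000
ORDINAL_FLAG = 0x80000000
FAKE_VAS = (0x76F3A1B0, 0x76F2C9E0)  # made-up stand-ins for kernel32 export addresses


def build_pe(iat_resolved: bool, with_int: bool = True) -> bytearray:
    """Minimal PE32 importing two KERNEL32 functions. iat_resolved=True mimics
    what the loader leaves behind; with_int=False zeroes OriginalFirstThunk."""
    img = bytearray(0x1200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                 # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)  # IMAGE_FILE_HEADER
    opt = 0x58                                                              # optional header
    struct.pack_into("<H", img, opt, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)
    struct.pack_into("<I", img, opt + 56, 0x1200)                           # SizeOfImage
    struct.pack_into("<II", img, opt + 104, 0x1000, 0x28)                   # import data directory
    struct.pack_into("<8sIIII", img, opt + 224, b".text", 0x200, 0x1000, 0x200, 0x1000)
    # IMAGE_IMPORT_DESCRIPTOR; the untouched zero bytes after it terminate the list
    struct.pack_into("<IIIII", img, 0x1000, 0x1040 if with_int else 0, 0, 0, 0x1060, 0x1050)
    for rva, blob in {0x1060: b"KERNEL32.dll\0", 0x1070: b"\0\0CreateFileW\0",
                      0x1080: b"\0\0ExitProcess\0"}.items():                 # hint word + name
        img[rva:rva + len(blob)] = blob
    struct.pack_into("<III", img, 0x1040, 0x1070, 0x1080, 0)                # INT: name RVAs
    iat = FAKE_VAS if iat_resolved else (0x1070, 0x1080)                    # IAT: VAs or name RVAs
    struct.pack_into("<III", img, 0x1050, *iat, 0)
    return img


def parse_headers(img):
    """Return (SizeOfImage, import directory RVA, [(va, size, raw_offset), ...])."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", img, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", img, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("PE32 only")
    size_of_image = struct.unpack_from("<I", img, opt + 56)[0]
    import_rva = struct.unpack_from("<I", img, opt + 104)[0]
    sections = []
    for i in range(nsec):
        _, vsize, va, rawsize, raw = struct.unpack_from("<8sIIII", img, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), raw))
    return size_of_image, import_rva, sections


def rva_to_off(rva, sections):
    for va, size, raw in sections:
        if va <= rva < va + size:
            return raw + (rva - va)
    raise ValueError(f"RVA {rva:#x} is outside every section")


def cstr(img, off):
    return img[off:img.index(b"\0", off)].decode("ascii")


def audit_imports(img):
    """One (dll, function, iat_value, state) tuple per IAT slot.
    unresolved:    slot still holds the name RVA; the loader will snap it.
    stale:         slot holds an absolute VA but the INT is intact, so the loader
                   overwrites it and the old value is harmless.
    unrecoverable: no INT and the slot holds an absolute VA; the loader would read
                   it as a name RVA and fail, so the IAT must be rebuilt."""
    size, import_rva, sections = parse_headers(img)
    entries = []
    if import_rva == 0:                       # directory stripped or never fixed up
        return entries
    desc = rva_to_off(import_rva, sections)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", img, desc)
        if name_rva == 0 and ft == 0:
            break
        dll = cstr(img, rva_to_off(name_rva, sections))
        lookup_off = rva_to_off(oft or ft, sections)   # loader uses FirstThunk when OFT is 0
        iat_off = rva_to_off(ft, sections)
        for i in range(4096):
            lookup = struct.unpack_from("<I", img, lookup_off + 4 * i)[0]
            iat_val = struct.unpack_from("<I", img, iat_off + 4 * i)[0]
            if lookup == 0:
                break
            if lookup & ORDINAL_FLAG:
                func = f"#{lookup & 0xFFFF}"
            elif lookup >= size:                  # not an RVA at all: a runtime address
                entries.append((dll, "?", iat_val, "unrecoverable"))
                continue
            else:
                func = cstr(img, rva_to_off(lookup, sections) + 2)   # skip the hint word
            entries.append((dll, func, iat_val, "unresolved" if iat_val == lookup else "stale"))
        desc += 20
    return entries


def needs_import_rebuild(img):
    """True when Windows could not load this dump without a rebuilt import table."""
    _, import_rva, _ = parse_headers(img)
    return import_rva == 0 or any(e[3] == "unrecoverable" for e in audit_imports(img))


if __name__ == "__main__":
    for label, img in (("on disk", build_pe(False)),
                       ("dump, INT intact", build_pe(True)),
                       ("dump, INT gone", build_pe(True, with_int=False))):
        print(f"{label:18} rebuild={needs_import_rebuild(img)} {audit_imports(img)}")
```

The case a packer produces is the third one or worse: its stub resolves the real imports itself and writes them into an IAT that no descriptor describes, so the dump carries absolute addresses with nothing the loader could re-snap them from, and a tool such as ImpREC has to scan that IAT, map each address back to a DLL export, and write a fresh import directory. Running the audit on a real dump only needs a PE32 file read into a bytearray in place of build_pe.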
-
- 3 replies
- 5.2k views
http://recode.net/2014/11/23/symantec-uncovers-sophisticated-stealthy-computer-spying-tool/
-
Some recent virusbtn papers
by SkyProud - 0 replies
- 4.4k views
https://www.virusbtn.com/virusbulletin/archive/2014/11/vb201411-optimized-mal-ops https://www.virusbtn.com/virusbulletin/archive/2014/11/vb201411-Bootkits https://www.virusbtn.com/virusbulletin/archive/2014/11/vb201411-Apple-without-shell https://www.virusbtn.com/virusbulletin/archive/2014/10/vb201410-iWorm
-
[Opinion] Way to understand computer virus.
by Edieneo - 5 replies
- 7.1k views
Since I'm taking a programming course, I'm interested in virus stuff. I hope you guys have an introduction or reference that I can follow to reach my goal.
-
How to remove and identify virus
by REAP - 8 replies
- 5.6k views
Hello, I have a Win 7 computer that has been infected with a brute-force password virus. When the computer is able to connect to a DC, the computer constantly tries to determine the password for some user account that it has chosen. I've tried scanning the computer with a number of AVs without success: MBAM, MBAR, TDSSKiller, GMER, Vipre. After doing some analysis on the computer I've been able to determine that the infected process on the computer is the Windows System process. I worked this out by identifying which ports the virus was using from the server logs and then using CurrPorts (from NirSoft) and Process Monitor (Sysinternals) to monitor the deskto…