Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
360 topics in this forum
-
Unpacking RunPe Malware
by Phasip- 11 replies
- 13.6k views
Hello! I recently started doing some malware reversing and the second application I met is an app called ohhai.exe. As all the packer identifiers I have run say that it is Visual Basic, I tried to open it with a program that views P-Code; looking through the code I found a function called RunPe. I found out this is a common way to hide viruses within VB code. The problem is that there does not seem to be much information on how to unpack these. I found two: http://www.opensc.ws/tutorials-articles/11144-tutorial-unpacking-runpe.html http://interestingmalware.blogspot.com/2010/07/unpacking-vbinjectvbcryptrunpe.html which both have easy steps but I don't seem to be able t…
-
RDG Malware Detector rev6 2015 (Beta)
by RDGMax- 1 follower
- 5 replies
- 7.8k views
Hello my friends. Here is my new version of our malware detector; you can make your own signatures in only 2 clicks! +Fast scan engine +Includes heuristic detection Signature Generator Scanner Engine Download: http://rdgsoft.net/Malware.Detector.php Thanks
-
- 3 replies
- 6.6k views
https://github.com/RPISEC/MBE @moderators: I couldn't find a better section for posting this. If you feel like it belongs to some other place, please feel free to move.
-
Do Antivirus Companies Whitelist NSA Malware?
by Teddy Rogers- 4 replies
- 6.2k views
Do Antivirus Companies Whitelist NSA Malware? http://www.informationweek.com/security/vulnerabilities-and-threats/do-antivirus-companies-whitelist-nsa-malware/d/d-id/1112911 Ted.
-
- 0 replies
- 6.2k views
Hi, when I unpack a software protected by VMProtect, I reach the OEP and dump it. I add two sections to pass the anti-dump, but I did not fix the IAT. Unfortunately, Unpack.exe did not work, so I debug Unpack.exe in OllyDbg. OK, I found the reason for the problem: DWORD SizeofResource(HMODULE hModule, HRSRC hResInfo). hModule and hResInfo are valid, but the function returns 0. I don't know how to handle it.
-
CVE-2015-1701
by Insid3Code- 0 replies
- 10.9k views
CVE-2015-1701 Win32k Elevation of Privilege Vulnerability, POC from kernelmode.info http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3847 https://github.com/hfiref0x/CVE-2015-1701
-
Shellcode Misbehaved
by prasenjit- 1 reply
- 5.2k views
Hi all, I am new to exploit development. When I was going to practice stack based buffer overflow by following the tutorial from: https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ I was trying to change the shellcode from popping up calc.exe to others, and I succeeded. shellcode 1: http://www.exploit-db.com/exploits/28996/ [my best option] shellcode 2: http://www.exploit-db.com/exploits/33836/ Then I wrote a very simple string program: #include<stdio.h> #include<conio.h> int main() { char str[10]; printf("Enter you name:"); scanf("%s",str); printf("Hello %s..",str); getch(); return 0; } By the…
-
- 0 replies
- 6.6k views
.NET malware: De-obfuscation, decryption and debugging - tips and tricks: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/NET-malware-De-obfuscation-decryption-and-debugging-tips-and/ba-p/6463402#.VRMpDeHUcWE
-
Control Flow Obfuscations in Malwares
by CodeExplorer- 0 replies
- 4.7k views
Control Flow Obfuscations in Malwares Link: http://www.exploit-db.com/docs/30710.pdf
-
Multilayer resource encryption in C#
by Meteor2142- 0 replies
- 4.5k views
Hello guys! I found a very interesting encryption code. It's using encrypted resources, decrypting them with a special byte key, and executing them. Here is the source of the crypted file: //KEY private static byte[] TSVCuLWZ = new byte[] { 0xb7, 0x61, 0xd7, 0x3d, 0x66, 0x5e, 0xa6, 0xe8, 40, 0x87, 0x19, 0x49, 0xce, 0x54, 0x68, 0x4c, 0xad, 0xa6, 0x2a, 0xf2, 160, 15, 210, 0xc6 };//Just a method to decrypt string (for more security) private static string FUJHE(string LSMFpfp, byte[] sQoPbDpAtuDXdRTcmnW) { string[] strArray = LSMFpfp.Split(new char[] { '#' }); byte[] buffer = new byte[strArray.Length]; for (int i = 0; i < strArray.Length; i++) { buffer[i] = byte.Parse…
-
Good Ebooks & Documents
by Amer- 2 replies
- 6.2k views
Hi, I found a very useful library belonging to Malicious Software Research. I apologize in advance if this post is illegal under the forum rules. http://www.vxheaven.org/lib/pdf
-
Need help with dumping an exe with OllyDump
by szczurcio- 4 replies
- 5.8k views
Hey, I was playing with a simple UPX .exe. I found the OEP and I want to dump it using OllyDump, but its auto-detection fails and gives me errors: I suppose I'm just trying to dump the wrong address, but I don't really understand the options: Most tuts will just happily tell you to click OK without explaining anything, so that doesn't help me. I know the OEP address, but what should I put in the start address box? The first address Olly shows to me? What about the size and the Bases (code/data)? I'd be grateful if someone could explain it in detail.
-
How can I be sure whether the exe file is packed or not?
by rever_ser- 7 replies
- 7.1k views
I have a malware sample and it is unclear to me whether it is packed or not. A program like PEiD shows that the code was written with C++, but in addition a sandbox shows that it's packed with Armadillo, and in the strings of the malware there is Aspack. So how can I recognize whether the malware is packed or not? Note: the epilog of the file is push ebp - mov ebp, esp - push -1 but it hasn't got the GetVersion phrase. I think that it is a fake epilog.
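Signature scanners like PEiD answer "which packer", and they disagree as soon as a sample carries leftover strings from more than one tool. The added example below (not from this thread) runs the three content checks a practitioner does first: per-section Shannon entropy, writable-and-executable sections, and an import table too small for a real program. The two sample binaries are constructed for the example; only the section names and flags mirror what UPX and a plain MSVC build produce.

```python
# Added example (not from the thread): three cheap "is it packed?" checks that do not
# rely on a signature database. The two sample binaries below are constructed, not the
# poster's file; the section names/flags are what UPX and a plain MSVC build would show.
import math
import random
from collections import Counter

IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
PACKER_SECTION_NAMES = {"upx0", "upx1", "upx2", ".aspack", ".adata", ".vmp0", ".vmp1",
                        ".themida", ".petite"}


def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 for uniform bytes.
    Compiled x86 code sits around 5-6.5; compressed or encrypted payloads are above 7."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packer_signs(sections, import_count):
    """sections: iterable of (name, characteristics, raw bytes). Returns the list of
    reasons the file looks packed; an empty list means none of these checks fired."""
    reasons = []
    for name, flags, data in sections:
        e = entropy(data)
        if e > 7.0:
            reasons.append(f"{name}: entropy {e:.2f} > 7.0 (compressed or encrypted)")
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            reasons.append(f"{name}: writable+executable (stub decompresses code into it)")
        if name.lower() in PACKER_SECTION_NAMES:
            reasons.append(f"{name}: well-known packer section name")
    if import_count < 5:
        reasons.append(f"only {import_count} imports (stub keeps LoadLibrary/GetProcAddress "
                       "and resolves the rest at run time)")
    return reasons


def _constructed_code(n, seed):
    # Imitates compiled code: bytes drawn from a small opcode alphabet, so entropy stays < 6.
    rng = random.Random(seed)
    alphabet = b"\x55\x8b\xec\x83\xe4\xf0\x53\x56\x57\xff\x15\x45\x08\xc3\x00\xcc"
    return bytes(rng.choice(alphabet) for _ in range(n))


def _constructed_payload(n, seed):
    # Imitates a compressed/encrypted blob: uniformly random bytes, entropy close to 8.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


SAMPLE_PLAIN = [        # constructed: what a normal MSVC build looks like
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
     _constructed_code(4096, 1)),
    (".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
     b"Enter your name:\0Hello %s..\0" * 64),
]
SAMPLE_PACKED = [       # constructed: UPX-style layout, empty UPX0, payload + stub in UPX1
    ("UPX0", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b""),
    ("UPX1", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
     _constructed_payload(4096, 2)),
]

if __name__ == "__main__":
    print(packer_signs(SAMPLE_PLAIN, 40))    # []
    print(packer_signs(SAMPLE_PACKED, 2))    # four reasons, one per check plus the names
```

To run this on a real file, feed it the section table from any PE parser (pefile's `sections`, with `Name`, `Characteristics` and `get_data()`) and the number of imported functions. A fake prologue as in the question above fools an entry-point signature; it does not lower the entropy of the section the real code is compressed into.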
-
malware unpacking
by rever_ser- 3 replies
- 5.5k views
Hi guys, is there a malware unpacker who can reply to me? As you know, malware unpacking != legal commercial software unpacking. So does anyone have experience of malware unpacking who can point me to a tutorial about this? Are the unpackme exercises on this site suitable for increasing malware unpacking skill or not? Regards!!!
-
- 8 replies
- 6.3k views
Hi! I have a PECompact protected target from 2010. I have successfully unpacked the exe but it seems that some code is virtualized. I successfully identified the main VM handler routine, the VM image base, the number of VM handlers and the address of the handlers, but I cannot identify which code virtualizer is used. The big mystery for me is that the VM is located inside the main code section and not in a different section. I tried to devirtualize it with VMSweeper and Oreans Unvirtualizer but without success. (It seems that neither VMSweeper nor Oreans CodeVirtualizer is used.) I tried several packer detectors (DIE, ExeInfo PE, PEiD, Protection ID), but none of tha…
-
Identifying Malicious Code Through Reverse Engineering
by CodeExplorer- 1 reply
- 5.7k views
Identifying Malicious Code Through Reverse Engineering Link: http://download.adamas.ai/dlbase/ebooks/VX_related/Identifying%20Malicious%20Code%20Through%20Reverse%20Engineering.pdf
-
Why We Need Import Reconstruction After Dump?
by rever_ser- 1 reply
- 4.9k views
Hi everyone! As you know, after dumping from a process we must rebuild the import table to execute the dumped file, but why? Other questions related to this: does the address of system DLLs (e.g. kernel32.dll) change after each execution of the program or after each system reboot? (If the answer is "yes", does the loader reconstruct the import table after each execution?) Are system DLLs loaded into the process address range, or do they have a unique address that all processes access the DLL by? I know there are a lot of reasons for import reconstruction after a dump, but I want to know about the mentioned reason in detail. Thanks in advance!!!
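Both this question and the OllyDump question earlier in the listing come down to what the PE headers and the import address table (IAT) look like on disk versus in a running process. The added example below is not from either thread: it builds a tiny PE32 in memory (no file needed), reads the three numbers OllyDump asks for (start address = ImageBase, size = SizeOfImage, entry = AddressOfEntryPoint relative to the base), then replays what the Windows loader does to the IAT and what an import rebuilder has to undo. The section layout, the pretend kernel32.dll export RVAs and the two load bases are all constructed for the example.

```python
# Added example (not the thread's code): a tiny PE32 built in memory, used to show where
# OllyDump's start/size/entry numbers come from and why a dump's IAT must be rebuilt.
# Section layout, "kernel32.dll" export RVAs and load bases below are all constructed.
import struct

IMAGE_BASE, ENTRY_RVA = 0x400000, 0x1080
RVA_TEXT, FILE_TEXT = 0x1000, 0x200          # one .text section: RVA 0x1000 -> file 0x200
RVA_IMPDESC, RVA_INT, RVA_IAT = RVA_TEXT, RVA_TEXT + 0x28, RVA_TEXT + 0x34
RVA_NAME, RVA_HINT0, RVA_HINT1 = RVA_TEXT + 0x40, RVA_TEXT + 0x50, RVA_TEXT + 0x70
EXPORTS = {"GetProcAddress": 0xAE40, "LoadLibraryA": 0x1D7B}  # pretend kernel32 export RVAs


def build_pe():
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0, 0x200, 0, 0, ENTRY_RVA, RVA_TEXT, RVA_TEXT,
                      IMAGE_BASE, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0,
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    datadir = [(0, 0)] * 16
    datadir[1], datadir[12] = (RVA_IMPDESC, 40), (RVA_IAT, 12)  # import directory, IAT
    opt += b"".join(struct.pack("<II", *d) for d in datadir)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, RVA_TEXT, 0x200, FILE_TEXT,
                       0, 0, 0, 0, 0x60000020)
    text = bytearray(0x200)

    def put(rva, data):
        text[rva - RVA_TEXT:rva - RVA_TEXT + len(data)] = data

    put(RVA_IMPDESC, struct.pack("<IIIII", RVA_INT, 0, 0, RVA_NAME, RVA_IAT) + b"\0" * 20)
    put(RVA_INT, struct.pack("<III", RVA_HINT0, RVA_HINT1, 0))
    put(RVA_IAT, struct.pack("<III", RVA_HINT0, RVA_HINT1, 0))  # on disk the IAT == INT
    put(RVA_NAME, b"kernel32.dll\0")
    put(RVA_HINT0, struct.pack("<H", 0) + b"GetProcAddress\0")
    put(RVA_HINT1, struct.pack("<H", 0) + b"LoadLibraryA\0")
    put(ENTRY_RVA, b"\x55\x8b\xec")                                 # push ebp; mov ebp,esp
    return (dos + coff + opt + sect).ljust(FILE_TEXT, b"\0") + bytes(text)


def _opt(pe):                                   # file offset of the optional header
    return struct.unpack_from("<I", pe, 0x3C)[0] + 24


def ollydump_fields(pe):                        # the numbers the OllyDump dialog asks for
    opt = _opt(pe)
    entry, = struct.unpack_from("<I", pe, opt + 16)       # AddressOfEntryPoint (an RVA)
    base, = struct.unpack_from("<I", pe, opt + 28)        # ImageBase
    size, = struct.unpack_from("<I", pe, opt + 56)        # SizeOfImage
    return {"start": base, "size": size, "entry_rva": entry, "oep_va": base + entry}


def rva_to_off(pe, rva):                        # section table walk: RVA -> file offset
    opt = _opt(pe)
    nsec, = struct.unpack_from("<H", pe, opt - 18)
    opt_size, = struct.unpack_from("<H", pe, opt - 4)
    for i in range(nsec):
        vs, va, rs, ro = struct.unpack_from("<IIII", pe, opt + opt_size + i * 40 + 8)
        if va <= rva < va + max(vs, rs):
            return rva - va + ro
    return rva                                  # headers are mapped 1:1


def cstr(buf, off):
    return bytes(buf[off:buf.index(b"\0", off)]).decode("ascii")


def each_iat(pe):                               # yield (dll, file offset of each IAT slot)
    imp_rva, = struct.unpack_from("<I", pe, _opt(pe) + 96 + 8 * 1)   # DataDirectory[1]
    off = rva_to_off(pe, imp_rva)
    while True:
        _, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, off)
        if ft == 0:
            return
        dll, toff = cstr(pe, rva_to_off(pe, name_rva)), rva_to_off(pe, ft)
        while struct.unpack_from("<I", pe, toff)[0] != 0:
            yield dll, toff
            toff += 4
        off += 20


def thunk_name(pe, v):
    # On disk a slot is an RVA to a hint/name entry (or an ordinal). Once the loader ran,
    # it is a virtual address inside some DLL, which the image by itself cannot name.
    if v & 0x80000000:
        return f"ordinal#{v & 0xFFFF}"
    return cstr(pe, rva_to_off(pe, v) + 2) if v < ollydump_fields(pe)["size"] else None


def _collect(pe, fn):
    out = {}
    for dll, toff in each_iat(pe):
        out.setdefault(dll, []).append(fn(struct.unpack_from("<I", pe, toff)[0]))
    return out


def read_iat(pe):
    return _collect(pe, lambda v: v)


def simulate_load_and_dump(pe, k32_base):
    # What the loader does to the IAT: each slot gets the export's address in the DLL as
    # mapped in *this* process. kernel32's base moves between boots (ASLR), so a dump's
    # slots only mean something together with that boot's module bases.
    img = bytearray(pe)
    for _, toff in each_iat(pe):
        name = thunk_name(pe, struct.unpack_from("<I", pe, toff)[0])
        struct.pack_into("<I", img, toff, k32_base + EXPORTS[name])
    return bytes(img)


def rebuild_imports(dump, k32_base):
    # What ImpREC/Scylla do: map each resolved address back to an export name using the
    # module bases of the same process (a fresh import directory is then written; not shown).
    rev = {k32_base + rva: n for n, rva in EXPORTS.items()}
    return _collect(dump, lambda v: thunk_name(dump, v) or rev.get(v, f"unresolved:{v:#x}"))
```

Usage: `pe = build_pe()`; `ollydump_fields(pe)` gives start 0x400000, size 0x2000 and OEP 0x401080, which is what goes into the dialog (Olly shows the same numbers in the Memory map). `read_iat(pe)` shows the on-disk slots are RVAs of name strings, while `read_iat(simulate_load_and_dump(pe, 0x7C800000))` shows the same slots after loading hold addresses inside kernel32. `rebuild_imports(dump, 0x7C800000)` recovers the names; passing a base from a different boot (`0x76F00000` here) recovers nothing, which is why a rebuilder must attach to the still-running process rather than work on the dump file alone. Two caveats: a real dump is in memory layout (raw offsets equal RVAs), which this file-layout simulation sidesteps, and the loader writes the resolved addresses into the original IAT only because it is writable; packers that move the IAT or redirect slots through their own stubs are exactly the cases where the automatic "IAT autosearch" fails.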
-
- 3 replies
- 4.9k views
http://recode.net/2014/11/23/symantec-uncovers-sophisticated-stealthy-computer-spying-tool/
-
Some recent virusbtn papers
by SkyProud- 0 replies
- 4.3k views
https://www.virusbtn.com/virusbulletin/archive/2014/11/vb201411-optimized-mal-ops https://www.virusbtn.com/virusbulletin/archive/2014/11/vb201411-Bootkits https://www.virusbtn.com/virusbulletin/archive/2014/11/vb201411-Apple-without-shell https://www.virusbtn.com/virusbulletin/archive/2014/10/vb201410-iWorm
-
[Opinion] Way to understand computer viruses.
by Edieneo- 5 replies
- 6.7k views
Since I'm taking a programming course, I'm interested in virus stuff. I hope you guys have any introduction or reference that I can follow to achieve my goal?
-
How to remove and identify a virus
by REAP- 8 replies
- 5.2k views
Hello, I have a Win 7 computer that has been infected with a brute-force password virus. When the computer is able to connect to a DC, the computer constantly tries to determine the password for some user account that it has chosen. I've tried scanning the computer with a number of AVs without success: MBAM MBAR TDSSKiller GMER Vipre. After doing some analysis on the computer I've been able to determine that the infected process on the computer is the Windows System process. I worked this out by identifying which ports the virus was using from the server logs and then using CurrPorts (from NirSoft) and Process Monitor (Sysinternals) to monitor the deskto…
-
- 8 replies
- 6.1k views
I have a Win32 app which is C++ programmed with Qt. I tried to decompile it with Boomerang but Boomerang suddenly gets closed when it reaches 99% of decompilation progress. Now I am trying to look at the parameters that this program sends over an SSL/TLS connection to its own server. I found some articles about this and I found that actually the program stores some valuable data in memory for decrypting the SSL/TLS traffic using Wireshark, which is the session ID and master secret. As I read, I found that there is a way to extract the master secret from memory, but I don't know how to do that. Is there anyone that can direct me in the right di…
-
Exploiting CVE-2013-6282 vulnerability
by sherl0ck- 0 replies
- 5.1k views
On October 25, 2013, a Linux kernel bug CVE-2013-6282 was published. It was largely exploited around that time to get root access on existing Android devices. After reading tons of user reviews, I also applied the rootkit to get root access on my Sony Xperia L handset successfully. It was quite surprising that even the latest firmware update, too, didn't fix the vulnerability. What the flaw basically says is, The rootkit has its source code attached. /* getroot 2013/12/07 */ /* * Copyright (C) 2013 CUBE * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software…
-
Revealed: POS Malware Used in Target Attack
by News Feeder- 5 replies
- 6.2k views
Security journalist Brian Krebs revealed details yesterday surrounding the malware sample used in the Target cyber-attacks, which originally took place November 27 – December 15, 2013. On Sunday, Target CEO and President Gregg Steinhafel conducted an interview with CNBC over the recent Target security breach. During that interview, he mentioned that a malware infection was involved, but no specific samples were identified. According to Krebs, a report of the malware used during the breach was uploaded to ThreatExpert, an automated analysis system run by Symantec. The report has since been removed, but Krebs managed to save a copy of the cached report (found here on h…
-
Memory Sniffing
by JMC31337- 4 replies
- 12.3k views
Working on doing a lil phishing expedition (yea it's for the birds but I gotta write a good one in C# before I move on). Grabbed CheatEngine to scan through some memory (Cheat Engine is not bad, but I don't like the crap it tries to install with it - GOT A BETTER ONE LEMME KNOW-). Using Chrome to log in to GMAIL I put a fake password of 16 A's: GALX=p_COcLCigQk&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&service=mail&rm=false&ltmpl=default&hl=en&scc=1&ss=1&_utf8=%E2%98%83&bgresponse=%21A0I0ITH9HDNvS0R6sejAokAPWwIAAADsUgAAAA0qAQ54RhVt-Qu2LVKb4J23WkCZueD1ffB8V_ZSE_jIE04XOzOSUwm16rZ2suDsEJH9riKKR60AWqjQpirqHTN-qJ64hB7Rl61SZaj_8K…