Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
364 topics in this forum
-
- 8 replies
- 6.3k views
I have a Win32 app which is C++ programmed with Qt. I tried to decompile it with Boomerang, but Boomerang suddenly gets closed when it reaches 99% of decompilation progress. Now I am trying to look at the parameters that this program sends over an SSL/TLS connection to its own server. I found some articles about this and I found that actually the program stores some valuable data in memory in order to decrypt the SSL/TLS traffic using Wireshark, which is the Session-ID and Master-Secret. As I read, I found that actually there is a way to extract the master-secret from memory, but I don't know how to do that. Is there anyone that can direct me to the right di…
-
Exploiting CVE-2013-6282 vulnerability
by sherl0ck- 0 replies
- 5.3k views
On October 25, 2013, a Linux kernel bug CVE-2013-6282 was published. It was largely exploited around that time to get root access on existing Android devices. After reading tons of user reviews, I also applied the rootkit to get root access on my Sony Xperia L handset successfully. It was quite surprising that even the latest firmware update, too, didn't fix the vulnerability. What the flaw basically says is, The rootkit has its source code attached. /* getroot 2013/12/07 */ /* * Copyright (C) 2013 CUBE * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software…
-
Revealed: POS Malware Used in Target Attack
by News Feeder- 5 replies
- 6.6k views
Security journalist Brian Krebs revealed details yesterday surrounding the malware sample used in the Target cyber-attacks, which originally took place November 27 – December 15, 2013. On Sunday, Target CEO and President Gregg Steinhafel conducted an interview with CNBC over the recent Target security breach. During that interview, he mentioned that a malware infection was involved, but no specific samples were identified. According to Krebs, a report of the malware used during the breach was uploaded to ThreatExpert, an automated analysis system run by Symantec. The report has since been removed, but Krebs managed to save a copy of the cached report (found here on h…
-
Memory Sniffing
by JMC31337- 4 replies
- 16.9k views
Working on doing a lil phishing expedition (yea, it's for the birds, but I gotta write a good one in C# before I move on). Grabbed CheatEngine to scan through some memory (Cheat Engine is not bad, but I don't like the crap it tries to install with it - GOT A BETTER ONE? LEMME KNOW). Using Chrome to log in to GMAIL, I put a fake password as 16 A's: GALX=p_COcLCigQk&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&service=mail&rm=false<mpl=default&hl=en&scc=1&ss=1&_utf8=%E2%98%83&bgresponse=%21A0I0ITH9HDNvS0R6sejAokAPWwIAAADsUgAAAA0qAQ54RhVt-Qu2LVKb4J23WkCZueD1ffB8V_ZSE_jIE04XOzOSUwm16rZ2suDsEJH9riKKR60AWqjQpirqHTN-qJ64hB7Rl61SZaj_8K…
-
Anybody want to check this file?
by Blah- 3 replies
- 8.3k views
Hello all.. I ran into this file "out there" and it looks sketchy... anybody here want to check it out and see if it's legit or a virus?? It says it's a SKIDROW RAR password unlocker.. (yeah I know, sounds sketchy as hell lol) supposedly written by their group.. there's a PDF in the file that I opened that says something like that.. http://www30.zippyshare.com/d/99176948/18810/RAR%20Password%20Unlocker%20v4.3.146_by%20SKIDROW_updated%2001-01-2014.zip If this post is bad please dump it Teddy... not sure... but I figured I'd ask if anybody wants to check it out and see what the hell it is... if it was a RAR password decrypter it would be neat, but if not it…
-
Windows Process Hider
by JMC31337- 0 replies
- 6.2k views
In no way is this my code at all: simply added/modified 2 lines to make it work correctly for Dev-C++: 1) LONG (NTAPI *NtSystemDebugControl)(int,void*,DWORD,void*,DWORD,DWORD*); 2) *(DWORD*)&NtSystemDebugControl =(DWORD)GetProcAddress(LoadLibrary("ntdll"),"NtSystemDebugControl"); #define WIN32_LEAN_AND_MEAN #include <windows.h> #include <stdio.h> #include <shlwapi.h> #include <iostream> using namespace std; typedef LONG NTSTATUS; #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) //ivanlef0u's code //xp sp2 ntoskrnl 5.1.2600, the numbers indicate the size of the struct to pass as argument typedef enum _DEBUG_CONTROL_CODE { Deb…
-
90$ XSS Worm Project
by tibe87- 4 replies
- 31k views
Introduction: This is a school project (educational purpose), so I don't care about hacking any website. It's a bit over my head, so that's why I am posting this project. Basically I need to reproduce the ''Samy worm'', known also as the "MySpace worm", in a controlled environment. Requirements: For starters I need a "mini" MySpace/Facebook to test the worm. To make it simpler, there are some free social networks available like Elgg, Oxwall that you can use. (I have an old version of Oxwall already vulnerable to basic XSS.) Or you can make it vulnerable yourself by editing it. (I know for sure that this is possible.) Or maybe it's easier for you to build it from scratch implementin…
-
FBI: Pirated Software May Contain Malware...
by Teddy Rogers- 3 replies
- 5.6k views
A news story direct from the FBI on some of the pitfalls of pirated software... http://www.fbi.gov/news/stories/2013/august/pirated-software-may-contain-malware Ted.
-
Shellcode+SYSENTER = CALC (SP3)
by JMC31337- 58 replies
- 24.8k views
#include <windows.h> //DEV-C++ //link with -masm=intel asm(".intel_syntax noprefix"); static long csx; static char* test; int main(void) { asm("pop ebp"); asm("pop ebp"); asm("pop ebp"); //asm("push 0x11111111"); //asm("push 0xEEEEEEEE"); //asm("push 0xAAAAAAAA"); //asm("push 0xCCCCCCCC"); //char *test = "\x31\xC9\x51\x68" //"\x63\x61\x6C\x63" //"\x54\xB8\xC7\x93" //"\xC2\x77\xFF\xD0"; asm("push 0xD0FF77C2"); asm("push 0x93C7B854"); asm("push 0x636C6163"); asm("push 0x6851C931"); asm("push 0x004012E6"); asm("mov ebp,0x33333333"); asm("mov edx, esp"); asm("SYSENTER"); asm("push 0"); asm("call _ExitProcess@4"); asm("call esp"); return 0; …
-
Malware Analysis Tutorials: a Reverse Engineering Approach
by CodeExplorer- 1 reply
- 6.7k views
Malware Analysis Tutorials: a Reverse Engineering Approach Author: Dr. Xiang Fu Roadmap: You need to first follow Tutorials 1 to 4 to set up the lab configuration. Then each tutorial addresses an independent topic and can be completed separately (each one will have its own lab configuration instructions). link: http://fumalwareanalysis.blogspot.ro/p/malware-analysis-tutorials-reverse.html
-
Chinese Fake AV
by JMC31337- 1 reply
- 10.9k views
While cruising around China (looking for setcsum.exe to reset the tcpip.sys checksum), enjoying the scenery and attractions (damn those Chinese women are sexy), I was redirected to a web site saying YOUR PC IS INFECTED! In Chinese... even the download exe under Chrome was in Chinese.. we all know the one: you're redirected to a site and it scrolls through about a 1000-entry list of trojans and the number increases by the second, saying your PC is infected with 100's of malware and you need this program to remove them. So I downloaded the exe and rar'd it up, pass: infected. Haven't had the time to really go through this exe.... and it may not even be a virus (they…
-
Spyware check - list of anti-spyware tools
by CodeExplorer- 6 replies
- 6.6k views
Spyware check - list of anti-spyware tools: http://www.alken.nl/spy.htm Anti-Spyware: Reviews: http://www.consumersearch.com/anti-spyware-reviews
-
0day Wednesday – Newish Malware That Came Across My Desk...
by Teddy Rogers- 1 reply
- 5.8k views
0day Wednesday – Newish Malware That Came Across My Desk... http://www.gironsec.com/blog/2013/12/0day-wednesday-newish-malware-that-came-across-my-desk/ Malware sample can be found here: http://www.gironsec.com/blog/wp-content/uploads/2013/12/0daywednesday.7z Ted.
-
- 7 replies
- 9.4k views
The situation: I have a malicious Word document from which I have extracted the shellcode and loaded it in OllyDbg. The shellcode assumes it executes within a copy of Microsoft Word which has the malicious DOC file open. The shellcode will search for the DOC file by going over the list of open file handles. When it finds a possible match, it (or a part of it) is loaded into memory. The shellcode then proceeds to decrypt the payload in memory etc etc ... My question: While debugging a program in OllyDbg, can I manually open a file so that the file handle becomes available to the debugged process? Also, is there a way to have the deb…
-
Windows XP 32 Bit Policy Exploit
by JMC31337- 8 replies
- 6.1k views
Short of it is: I was working on long pointer strings and found this This exception may be expected and handled. eax=0022fc54 ebx=00000000 ecx=0022fca7 edx=7c90e514 esi=80000003 edi=00000000 eip=80000003 esp=0022fc5c ebp=0022fca4 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 80000003 ?? ??? 0:000> gh (1650.139c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0022fc54 ebx=00000000 ecx=0022fca7 edx=7c90e514 esi=80000003 edi=00000000 eip=80000003 esp=0022fc5c e…
-
Kernel Driver Fuzzing
by JMC31337- 0 replies
- 5.5k views
Came across a cool little prog called ioctlbf... It's used to try and BSOD the system via DeviceIOControl IRQ's, which is how user talks to kernel via its sys drivers. For a quick example: C:\ioctlbf_0.4\bin>ioctlbf -d IP -r 120040-120050 _ _ _ ___ (_) _ | || | / __) _ ___ ____ _| |_| || |__ _| |__ | |/ _ \ / ___|_ _) || _ (_ __) | | |_| ( (___ | |_| || |_) )| | |_|\___/ \____) \__)\_)____/ |_| v0.4[~] Open handle to the device \\.\IP ... OK Summary ------- IOCTL scanning mode : Range mode 0x00120040 - 0x00120050 Filter mode : Filter disabled Symbolic Device Name : \\.\IP Device han…
-
ZeuS Source Code Leaked...
by Teddy Rogers- 5 replies
- 13.3k views
The source code for ZeuS has been leaked for weeks, so what is known? http://blog.trendmicro.com/the-zeus-source-code-leaked-now-what/ Sophos Technical Paper: http://www.sophos.com/medialibrary/PDFs/technical%20papers/Sophos%20what%20is%20zeus%20tp.pdf?dl=true ZeuS 2.0.8.9.rar Ted.
-
- 3 replies
- 6.4k views
Hi, I'm new to tuts4you. I found all other posts are UnpackMe, and I want to analyze a virus to see what it does but I don't know how to unpack it. It's packed with VMProtect 2.07. Could anyone shed some light on this? A tutorial would be great :) Again, it's a virus, don't run it directly. The virus deletes itself after running, so the unpacking would be successful if it's disappeared when executed. Thanks. virus.rar
-
iRemova [Visual Removal Tool Builder]
by Ahmed18- 1 reply
- 6.8k views
iRemova [Visual Removal Tool Builder] A tool to help you create virus removal tools. For more information watch the Demo tut. By in4matics | AT4RE Download: http://www.at4re.com/download.php?view.161
-
- 1 reply
- 6.1k views
Nice little article. Not a particularly complex packer, but it describes a nice way of injecting into a process without using the WriteProcessMemory API (potentially avoiding malware scanners that hook WriteProcessMemory). Article: http://resources.infosecinstitute.com/deep-dive-into-a-custom-malware-packer/
-
Carberp source leaked
by deepzero- 3 replies
- 6.1k views
Source of the Carberp bot was leaked as a password-protected zip a while back, and is now available: https://github.com/hzeroo/Carberp More info: https://threatpost.com/carberp-source-code-leaked/ http://touchmymalware.blogspot.de/2013/06/carberp-source-code-now-leaked.html About 750K LOCs. Guess everyone will find something interesting inside...
-
Crypter overview
by cipher- 6 replies
- 12.5k views
Hello, I am here today with the executable that can obfuscate the virus and make it fully undetectable by anti-viruses. This executable uses RunPE techniques to inject into another process and to dump the crypted code into memory, and hence the executable's code remains undetected by anti-viruses. These crypters are programmed by individuals and hence remain undetected most of the time. Mostly they are coded in VB or .NET, and hence you will find most of the viruses showing VB attributes during PE scans, but mostly the viruses/RATs/Stealers/Bots/Worms are coded in Borland Delphi. Examples: 1) RATS: CyberGate, Blackshades, Pixel, SpyNet, DarkComet etc 2) STEALERS …
-
Unpack malware
by difazabi- 0 replies
- 22.3k views
Hi, I would like to ask for your help. I can't unpack this malware. My result is only a crash. (OEP: 0047FDB0) Protection: AutoIt Cryptor + UPX. Can someone help me? Thanks! pass: infected* http://rghost.net/private/44963997/cb94ba6b77c6b5e619bf2468de56e0f1 or attach BF76F84A49E53133E6FEAD862114DB56_.zip
-
Decompile perl2exe ?
by Cyb3rHack3r- 5 replies
- 8.7k views
Hey, guys. So I need a little help. I am new to malware reverse engineering but I really love to learn more. Now I am trying to decompile a malware which is compiled using perl2exe. Now like I said, I am new; I tried my best, but because I have never decompiled a perl2exe file before, I am not fully sure how I should do it. I tried to search on the net and found some really interesting information, like the exe contains encrypted Perl code but it's decrypted during runtime. So can anyone tell me how I can decompile the file and get the decrypted source code? By the way, I tried this tool called exe2perl which is supposed to be a decompiler but I g…