crystalboy Posted January 24, 2018
There you can find awesome articles on how to face FinSpy VM:
http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation
https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
Credits to Rolf Rolles and Filip Kafka
Zasz Posted January 25, 2018
This is so interesting, thanks for posting.
Quote: "Next we see the directive "db 5 dup(0CCh)" followed by "mov edi, edi". Reverse engineers will recognize these sequences as the Microsoft Visual C compiler's implementation of hot-patching support."
So that's what that thing was.
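For readers who, like the poster above, have not met this prologue before: the layout the quoted tutorial describes is five padding bytes (0xCC in the FinSpy sample) immediately before the function entry, and a two-byte `mov edi, edi` (8B FF) at the entry. When Windows hot-patching is applied, the two-byte instruction is replaced by a short backward jump (EB F9) into the pad, which then holds a five-byte long jump (E9 rel32) to the detour. The scanner below is an added example, not code from the thread or from Rolf Rolles' tutorial; it walks a raw x86 code buffer, reports both the untouched hot-patchable entries and any that look already detoured, and resolves where a detour points. The sample buffer and its offsets are constructed for the example.

```python
"""Scan a raw x86 code buffer for MSVC hot-patchable function prologues.

Added example (not from the forum thread or the linked tutorial).
Unpatched site:   CC CC CC CC CC | 8B FF      (db 5 dup(0CCh); mov edi, edi)
Patched site:     E9 rr rr rr rr | EB F9      (jmp rel32 to detour; jmp short -7)
The short jump at the entry lands on the start of the pad, i.e. on the E9.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

PAD = b"\xCC" * 5              # the 5-byte pad emitted before the entry
MOV_EDI_EDI = b"\x8B\xFF"      # mov edi, edi: 2-byte no-op placeholder
JMP_SHORT_BACK = b"\xEB\xF9"   # jmp short -7 from end of instruction = pad start


@dataclass
class HotpatchSite:
    entry: int               # offset of the function entry in the buffer
    patched: bool            # True if pad + entry look like an applied detour
    target: Optional[int]    # absolute buffer offset the long jmp resolves to


def find_hotpatch_sites(code: bytes) -> List[HotpatchSite]:
    """Return every offset whose preceding 5 bytes and entry 2 bytes match
    either the pristine hot-patch layout or the patched one."""
    sites: List[HotpatchSite] = []
    i = 5  # need 5 bytes of pad before the first candidate entry
    while i + 2 <= len(code):
        pad, entry = code[i - 5:i], code[i:i + 2]
        if pad == PAD and entry == MOV_EDI_EDI:
            sites.append(HotpatchSite(entry=i, patched=False, target=None))
        elif pad[0] == 0xE9 and entry == JMP_SHORT_BACK:
            # E9 sits at i-5 and is 5 bytes long, so rel32 is relative to i.
            rel = struct.unpack("<i", pad[1:5])[0]
            sites.append(HotpatchSite(entry=i, patched=True, target=i + rel))
        i += 1
    return sites


def build_sample() -> bytes:
    """Constructed sample: one pristine site at offset 8, one patched site at
    offset 22 whose detour points at offset 40 (a lone `ret`)."""
    buf = bytearray(b"\x90" * 3)                  # 0..2   filler
    buf += PAD + MOV_EDI_EDI                      # 3..9   pristine site, entry=8
    buf += b"\x55\x8B\xEC"                        # 10..12 push ebp; mov ebp, esp
    buf += b"\x90" * 4                            # 13..16 filler
    detour_entry = len(buf) + 5                   # entry will sit at 22
    detour_target = 40
    buf += b"\xE9" + struct.pack("<i", detour_target - detour_entry)  # 17..21
    buf += JMP_SHORT_BACK                         # 22..23 patched entry
    buf += b"\x55\x8B\xEC"                        # 24..26 original prologue
    buf += b"\x90" * (detour_target - len(buf))   # pad up to offset 40
    buf += b"\xC3"                                # 40     detour body: ret
    return bytes(buf)


SAMPLE_CODE = build_sample()


def scan_sample() -> List[HotpatchSite]:
    return find_hotpatch_sites(SAMPLE_CODE)


if __name__ == "__main__":
    for s in scan_sample():
        state = f"patched -> 0x{s.target:x}" if s.patched else "pristine"
        print(f"hot-patch site at 0x{s.entry:x}: {state}")
```

The pristine pattern is what you expect to see in an on-disk MSVC binary; a patched pattern in a memory dump of a process that nobody legitimately hot-patched is worth a closer look, and the resolved target tells you which page to examine next. Note that MSVC may also emit 0x90 (nop) rather than 0xCC as the pad, so a production scanner should accept both.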
null_endian Posted January 30, 2018
https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
Enjoy :)
yano65bis Posted January 30, 2018
Good info, thanks.
crystalboy Posted February 1, 2018 (Author)
Rolf Rolles part 2 available here:
http://www.msreverseengineering.com/blog/2018/1/31/finspy-vm-part-2-vm-analysis-and-bytecode-disassembly
Etor Madiv Posted February 21, 2018
I was waiting for the 3rd part for a long time. Rolf Rolles part 3:
http://www.msreverseengineering.com/blog/2018/2/21/finspy-vm-unpacking-tutorial-part-3-devirtualization
whoknows Posted February 22, 2018
Devirtualizing Finspy Phase #1
http://www.msreverseengineering.com/blog/2018/2/21/wsbjxrs1jjw7qi4trk9t3qy6hr7dye
plutos Posted March 8, 2018 (edited)
Greetings! Could somebody share a FinSpy sample? I registered at Hybrid-Analysis, but when it came to downloading the sample, they turned me down because I did not have any publications, research papers, etc. I am mostly interested in VM analysis and do not really do much malware research. Thanks in advance!
Edited March 8, 2018 by plutos
evilcry Posted March 23, 2018
This is another pretty interesting one on FinSpy: "FinFisher exposed: A researcher's tale of defeating traps, tricks, and complex virtual machines"
https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines