Message-ID: <MAILFIREWALL2srwk9700000075@mailfirewall2.csis.dk>
Date: Fri Aug 5 11:00:38 2005
From: kruse at krusesecurity.dk (Peter Kruse)
Subject: Malicious Code Analysis
Hey,

> These were not submitted to any AV vendors since Norton did flag them.
> In the past I have submitted unknown trojans/viruses like these to
> Symantec when clients have been owned, but what can I say, they are
> hardly 0day, more like 300 day.

8-)

> http://www.bitsum.com/pec2.asp

Yes, I already have this tool in my box. Pretty useful for a first glance.

> Could you share your methodology on how you go about reverse
> engineering/disassembling a malicious piece of code that has had a
> packer run on it?

There are many off-the-shelf unpackers out there that will do the job just
fine, but lately malware writers rather modify or use enhanced/hacked
versions of popular PE packers.

Either way, a compressed binary will have to uncompress itself using the
compressor stub in order to run. To unpack the code, look for the call that
jumps from the stub to the unpacked code. When the jmp address is located,
you should modify it so the jmp goes to esi. This will put the code in a loop.
Next up: procdump.

There are plenty of good tutorials. One of these is associated with IDA:
http://www.datarescue.com/idabase/unpack_pe/

I hope this helps you get started.

Regards
Peter Kruse
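The reply above describes the "first glance" step (is this binary packed, and where does the compressor stub start?) before the manual unpacking. The following script is an added example, not code from Peter Kruse or from any tool named in the thread: it parses a PE32 header, maps the entry point RVA back to a file offset (where the stub's first instruction lives on disk), and reports the usual packing indicators, namely an entry point inside a writable section, a high-entropy entry section, and an executable section with no file data reserved for the unpacked image. The two PE images it analyses are constructed in memory for the demonstration (section names, sizes and contents are made up); the 7.0 bits/byte entropy threshold is a common rule of thumb, not a standard.

```python
import hashlib
import math
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

ENTROPY_THRESHOLD = 7.0  # assumed rule of thumb: compressed/encrypted data sits near 8.0


def shannon_entropy(blob: bytes) -> float:
    """Bits of entropy per byte of the given blob (0.0 for an empty blob)."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Extract the entry point RVA and the section table from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                      # COFF file header (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # optional header follows the COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i        # section headers are 40 bytes each
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return {"entry_rva": entry_rva, "sections": sections}


def entry_file_offset(data: bytes):
    """File offset of the stub's first instruction (RVA -> raw), or None if not file-backed."""
    pe = parse_pe(data)
    ep = pe["entry_rva"]
    for s in pe["sections"]:
        if s["rawsize"] and s["va"] <= ep < s["va"] + s["rawsize"]:
            return s["rawptr"] + (ep - s["va"])
    return None


def packing_indicators(data: bytes) -> list:
    """Return human-readable hints that the image is packed; empty list means nothing suspicious."""
    pe = parse_pe(data)
    ep = pe["entry_rva"]
    findings = []
    ep_sec = next((s for s in pe["sections"]
                   if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if ep_sec is None:
        return ["entry point lies outside every section"]
    if ep_sec["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append(f"entry point in writable section {ep_sec['name']}")
    raw = data[ep_sec["rawptr"]:ep_sec["rawptr"] + ep_sec["rawsize"]]
    ent = shannon_entropy(raw)
    if ent > ENTROPY_THRESHOLD:
        findings.append(f"entry section {ep_sec['name']} entropy {ent:.2f} > {ENTROPY_THRESHOLD}")
    for s in pe["sections"]:
        # A large executable section with no bytes on disk is where the stub will unpack into.
        if s["rawsize"] == 0 and s["vsize"] >= 0x1000 and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"executable section {s['name']} has no file data (vsize 0x{s['vsize']:x})")
    return findings


def build_sample(packed: bool) -> bytes:
    """Constructed PE32 images for the demonstration; not real programs or malware."""
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    if packed:
        # Packer-style layout: empty RWX section reserved for the unpacked image,
        # then a small RWX section holding pseudo-random (high-entropy) payload + stub.
        payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 bytes
        sections = [(b"UPX0", 0x10000, 0x1000, 0, 0, IMAGE_SCN_CNT_UNINITIALIZED_DATA | rwx),
                    (b"UPX1", 0x2000, 0x11000, len(payload), 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | rwx)]
        entry = 0x11000 + 0x100
    else:
        # Ordinary compiler layout: read-only executable .text with repetitive, low-entropy bytes.
        payload = (b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3" * 410)[:4096]
        sections = [(b".text", len(payload), 0x1000, len(payload), 0x200,
                     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)]
        entry = 0x1000 + 0x10
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry)       # PE32 magic, entry point
    opt += b"\0" * (224 - len(opt))
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, c)
                    for n, vs, va, rs, rp, c in sections)
    headers = dos + b"PE\0\0" + coff + opt + hdrs
    headers += b"\0" * (0x200 - len(headers))                       # raw data starts at 0x200
    return headers + payload


if __name__ == "__main__":
    for label, img in (("packed", build_sample(True)), ("plain", build_sample(False))):
        print(label, "stub at file offset", hex(entry_file_offset(img) or 0), packing_indicators(img))
```

Running the script reports the three indicators for the constructed packed image and none for the plain one. On a real sample the file offset printed is where you would start reading the stub; the OEP jump Peter describes is found by following the stub's execution from there, not from these static checks alone.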