Dailydave mailing list archives
Re: VPC
From: Jared DeMott <demottja () msu edu>
Date: Thu, 21 Feb 2008 10:01:04 -0500
Dave Aitel wrote:
So in the Microsoft/Immunity/iSec Defend the Flag class here at BlackHat Federal, I learned the hard way that VPC moves memory all around and your previously great universal addresses don't work. So you'll end up trying really hard to find an address that defeats SafeSEH on 2003 SP0 in 15 minutes or less. Also I notice there are a lot of companies doing automated Incident Response or malware analysis now. Zynamic's VxClass is obviously one of my favorites. HBGary has retooled Inspector into a tool ("Responder") that can read and analyze physical memory dumps. Mandiant has their new tool out. Norman had a softice-looking sandbox-like thing on display. There's another one called CWSandbox that has a free web form you can send exe's to.
Actually Norman and CW both have a web interface. However, I believe CW to be a bit better -- based on one case study of newer malware. I just did some research and wrote a paper/created slides for a talk I'm giving at a local west Michigan sec group. I put the slides up on my site if anyone would like to take a peek: http://www.vdalabs.com/tools/malware.html I'm relatively new to the malware scene, so I'd appreciate constructive feedback. Cheers, Jared _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave